Version 2.8.0 of MONARC has been released with important changes and new features.

The notable changes are described below.


Management of multiple security referentials

We are thrilled to announce that MONARC now supports multiple security referentials per analysis. Without limit of number.


After the update to MONARC 2.8 your existing analysis with legacy measures from MONARC will by default use the controls from ISO/IEC 27002. Nothing will change automatically. Of course you will be able to import new referentials via the knowledge base. It’s the goal.

Mapping between security referentials

Since it is now possible to use several security referentials, having the possibility to match security controls seems natural and should be straightforward. And as you can see below, it is.

Mapping between security referentials

A mapping can be created manually via the knowledge base of MONARC, as you can see above. Or simply by uploading a mapping shared by the community (with a CSV or a JSON file).

It is even possible to export your own mapping in a CSV file.

When exporting a whole risk analysis you have the opportunity to export the statement of applicability which includes the referentials and the mapping you have created.

Improvements to the statement of applicability

  • It is now possible to filter on a security referential in the statement of applicability;
  • The code of the page has been refactored and loads faster.

Statement of applicability

Batch import of objects

You can import new objects in the knowledge base of your analysis with a CSV, XLXS or JSON file. This concerns the following objects:

  • asset types;
  • threats;
  • vulnerabilities;
  • referentials;
  • tags;
  • operational risks.

Import center

New chart for the dashboard

A new compliance chart has been added.

Compliance chart

MONARC Objects Sharing Platform

Last but not least, we want to take this opportunity to introduce MOSP (MONARC Objects Sharing Platform).

Basically MOSP is a platform to create, edit and share valid JSON objects.
MOSP supports any kind of JSON objects, you just have to specify a JSON schema. The instance, operated by CASES, is dedicated to gather security related objects in the first place aimed to be used with MONARC. And our instance is open.

Have a look at the available objects provided by the MONARC project:

You can import these objects in MONARC.

Identifying objects

And now something a little under the hood but really important. The release 2.8 of MONARC introduces the usage of UUIDs for the referential and measure objects (we will generalize the use of UUIDs for other relevant objects).

UUIDs are crucial in order to empower the sharing of objects.

  • A unique identifier enable to designate an object (asset, threat, referential, etc.), for example independently from its language;
  • Using a common format enable to compare objects of the same kind (same schema).

Our new platform addresses the two points above and promotes the sharing of information.
MOSP also provides an API in order to query it programmatically. This means that MONARC will soon be able to retrieve data from MOSP.

You will find more information about MOSP in the documentation.


  • the code of the page which displays the dashboard has been refactored and loads faster.


  • Fixed an issue when deleting threat theme #143;
  • Improved the go back on risk sheet #95;
  • some minor bugs concerning the dashboard have been resolved.


To update, check out our update instructions. This is an important release with database migrations. Backup your database first.

You can also download the new virtual machine here.

We want to thank all contributors and reporters. Especially ANSSI-LU for their help with the German translations.


Do not forget our next training in March (which will be given in French).

More participants thanks to online event management solutions from XING Events.