Table of comparison between MONARC and different risk management methods

	MONARC	ISO 31000:2009	ISO 27005:2013	MAGERIT	OCTAVE	EBIOS	IT-Grundschutz
Original Long Name	Méthode Optimisée d’analyse des risques CASES	N/A	N/A	Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información	Operationally Critical Threat, Asset, and Vulnerability Evaluation	Expression des Besoins et Identification des Objectifs de Sécurité	English name: IT Baseline Protection Manual
First version	2013	2009	2008	1997	1999	1995	1994
Last version	v2 2017	2009	2013	v3 2014	Octave Allegro (2007) OCTAVE-S (2005)	2010	2013
Language	French English German Dutch	International	International	Spanish English Italian (partially)	English	French English	German English
Sponsor	SecurityMadeIn.lu (Ministry of the Economy of Luxembourg)	International	International	Ministerio de Administraciones Publicas SPAIN (Spanish Ministry for Public Administrations)	Carnegie Mellon University (USA)	DCSSI France (Direction Centrale de la Sécurité des Systémes d’Information, Premier Ministre)	Federal Office for Information Security Germany (BSI)
Sponsor type	Government	International	International	Government	University	Government	Government
Method	Method	Guideline	Standard, guideline	Method	Method	Method	Method, Standard
Price of the method	Free	Paying	Paying	Free	Free	Free	Free
Qualitative method	Yes	N/A	N/A	Yes	Yes	Yes	Yes
Quantitative method	No	N/A	N/A	Yes	No, for Octave and Octave-S Yes, for Octave Allegro	No	No
Information risk management	Yes. The tool can also manage Operational Risks on ROLFP Criteria (Reputation, Operation, Legal, Financial, Person)	Yes	Yes	Yes	Yes	Yes	Yes
Associated tool	MONARC : Free	No tool	No tool	Pilar : Paying	No tool needed (use of pre-defined worksheets)	Ebios : Free	BSI - GSTOOL HiSolutions AG HiScout SME INFODAS GmbH - SAVe inovationtec - IGSDoku Kronsoft e.K. - Secu-Max Swiss Infosec AG - Baseline-Tool WCK - PC-Checkheft Note: all are paying tools
Scope	All types	All types	All types	All types	SME	All types	All types
Target users	Management, Operational	Management, Operational	Management, Operational	Management, Operational, Technical	Management, Operational	Management, Operational	Management, Operational, Technical
License scheme	No	No	No	No	No	Yes	Yes
Certification scheme	No	No	Yes	No	No	No	Yes
Users skills	To introduce: Standard To use: Standard To maintain: Standard	To introduce: Standard To use: Standard To maintain: Standard	To introduce: Standard To use: Standard To maintain: Standard	To introduce: Standard To use: ITC Professionals To maintain: Management skills	To introduce: Standard To use: Standard To maintain: Standard	To introduce: Standard To use: Standard To maintain: Standard	To introduce: Standard To use: Standard To maintain: Standard
Measure the I.S.S. maturity level	No	N/A	N/A	No	No	Yes, with compliance to ISO/IEC 21827	Yes (three levels)
Integration with other tools	Yes, JSON/CSV output functions	N/A	N/A	Yes, XML/CSV input/output functions	No	No	No
Flexible knowledge databases	Yes, everything is modifiable and facilitated by import / export functions	N/A	N/A	Yes: the method and the tools	No	Yes, domain specific vulnerability databases	Yes
Regulatory compliance	Can be achieved indirectly	N/A	N/A	Can be achieved indirectly	No	No	KonTraG (German Act on Control and Transparency in Businesses) Basel II TKG (German Telecommunications Act) BDSG (German Federal Data Protection Act)
Compliance to IT standards	Risk assessment and SOA	N/A	Risk assessment	ISO/IEC 15408 ISO/IEC 13335	No	ISO/IEC 15408 ISO/IEC 13335 ISO/IEC 21827	N/A
Compliance with ISO 27005 Processes	Yes	N/A	Yes	Yes	Yes	Yes	Yes
Compliance with ISO 31000 framework	Yes	N/A	Yes	Yes	Yes	Yes	Yes
Method/tool gives information sources for assets	The tool provides assets from the EBIOS method and many assets created by the publisher himself	N/A	Annex B1, B2	MAGERITv2 : Vol II - Catalogue of Elements (types of assets)	OCTAVE SM: Method Implementation Volume 7 Identify Key Components	EBIOS v2: Bases de connaissances 2010 Types de biens supports	Catalogues of Modules - Modelling model and layers
Method/tool gives information sources for threats	The tool provides a compilation of assets from the EBIOS and ISO 27005	N/A	Annex C	MAGERITv2 : Vol II - Catalogue of Elements (threats)	White Paper “OCTAVE Threat Profiles”	EBIOS v2: Bases de connaissances 2010 Type de sources de menaces Menaces et vulnérabilités génériques	Catalogues of Modules - Threat catalogue
Method/tool gives information sources for vulnerabilities	The tool provides vulnerabilities from the EBIOS method and many assets created by the publisher himself. Sets of assets,threats ands vulnerabilities are already defined for helping risk identification	N/A	Annex D	N/A	N/A	EBIOS v2 Bases de connaissances 2010 Menaces et vulnérabilités génériques	N/A
Method/tool gives information sources for impacts	Impact criteria CIA in relationship with Reputation, Operation, Legal, Financial, Person …	N/A	Impact criteria (7.2.3) and annex B3	MAGERITv3 : Methodology - Determination of the potential impact	Impact criteria - Worksheets 1 - 7 Identify Areas of Concern : Worksheet 10	EBIOS v2 Bases de connaissances 2010 Types d’impact	Standard 100-2 Impact criteria - Protection requirements categories
Method/tool gives information sources for controls	Refer to ISO 27002 by default or any other standard	N/A	Refer to ISO 27002	MAGERITv2 : Vol II - Catalogue of Elements (Safeguards) The tool also refer to ISO 27002	OCTAVE - Catalog of Practices V2.0	EBIOS Méthode - Etude des mesures de sécurité Refer to ISO 27002	Catalogues of Safeguards (Infrastructure, Organisation, Personnel, Hardware, Software, Communication, Contingency planning)