Table of comparison between MONARC and different risk management methods

| Criterion | MONARC | ISO 31000:2009 | ISO/IEC 27005:2011 | MAGERIT | OCTAVE | EBIOS | IT-Grundschutz |
|---|---|---|---|---|---|---|---|
| Original long name | Méthode Optimisée d'analyse des risques CASES (CASES Optimised Risk Analysis Method) | N/A | N/A | Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información (Methodology for Information Systems Risk Analysis and Management) | Operationally Critical Threat, Asset, and Vulnerability Evaluation | Expression des Besoins et Identification des Objectifs de Sécurité (Expression of Needs and Identification of Security Objectives) | IT-Grundschutz (English name: IT Baseline Protection Manual) |
| First version | 2013 | 2009 | 2008 | 1997 | 1999 | 1995 | 1994 |
| Latest version | v2 (2017) | 2009 | 2011 | v3 (2014) | OCTAVE Allegro (2007); OCTAVE-S (2005) | 2010 | 2013 |
| Language | French, English, German, Dutch | International | International | Spanish, English, Italian (partially) | English | French, English | German, English |
| Sponsor | SecurityMadeIn.lu (Ministry of the Economy, Luxembourg) | International | International | Ministerio de Administraciones Públicas, Spain (Spanish Ministry for Public Administrations) | Carnegie Mellon University (USA) | DCSSI, France (Direction Centrale de la Sécurité des Systèmes d'Information, Office of the Prime Minister) | Federal Office for Information Security, Germany (BSI) |
| Sponsor type | Government | International | International | Government | University | Government | Government |
| Type | Method | Guideline | Standard, guideline | Method | Method | Method | Method, standard |
| Price of the method | Free | Paying | Paying | Free | Free | Free | Free |
| Qualitative method | Yes | N/A | N/A | Yes | Yes | Yes | Yes |
| Quantitative method | No | N/A | N/A | Yes | No for OCTAVE and OCTAVE-S; yes for OCTAVE Allegro | No | No |
| Information risk management | Yes; the tool can also manage operational risks on the ROLFP criteria (Reputation, Operation, Legal, Financial, Person) | Yes | Yes | Yes | Yes | Yes | Yes |
| Associated tool | MONARC (free) | No tool | No tool | PILAR (paying) | No tool needed (pre-defined worksheets) | EBIOS tool (free) | BSI GSTOOL; HiSolutions AG HiScout SME; INFODAS GmbH SAVe; inovationtec IGSDoku; Kronsoft e.K. Secu-Max; Swiss Infosec AG Baseline-Tool; WCK PC-Checkheft (all are paying tools) |
| Scope | All types | All types | All types | All types | SME | All types | All types |
| Target users | Management, operational | Management, operational | Management, operational | Management, operational, technical | Management, operational | Management, operational | Management, operational, technical |
| License scheme | No | No | No | No | No | Yes | Yes |
| Certification scheme | No | No | Yes | No | No | No | Yes |
| User skills (to introduce / to use / to maintain) | Standard / standard / standard | Standard / standard / standard | Standard / standard / standard | Standard / ICT professionals / management skills | Standard / standard / standard | Standard / standard / standard | Standard / standard / standard |
| Measures information systems security (ISS) maturity level | No | N/A | N/A | No | No | Yes, through compliance with ISO/IEC 21827 | Yes (three levels) |
| Integration with other tools | Yes: JSON/CSV output functions | N/A | N/A | Yes: XML/CSV input/output functions | No | No | No |
| Flexible knowledge databases | Yes: everything is modifiable, supported by import/export functions | N/A | N/A | Yes: the method and the tools | No | Yes: domain-specific vulnerability databases | Yes |
| Regulatory compliance | Can be achieved indirectly | N/A | N/A | Can be achieved indirectly | No | No | KonTraG (German Act on Control and Transparency in Businesses); Basel II; TKG (German Telecommunications Act); BDSG (German Federal Data Protection Act) |
| Compliance with IT standards | Risk assessment and SoA | N/A | Risk assessment | ISO/IEC 15408; ISO/IEC 13335 | No | ISO/IEC 15408; ISO/IEC 13335; ISO/IEC 21827 | N/A |
| Compliance with ISO 27005 processes | Yes | N/A | Yes | Yes | Yes | Yes | Yes |
| Compliance with ISO 31000 framework | Yes | N/A | Yes | Yes | Yes | Yes | Yes |
| Information sources for assets | The tool provides the assets of the EBIOS method plus many assets created by the publisher | N/A | Annex B1, B2 | MAGERIT v2: Vol. II, Catalogue of Elements (types of assets) | OCTAVE SM Method Implementation, Volume 7: Identify Key Components | EBIOS v2 knowledge bases 2010 (Bases de connaissances): types of supporting assets (Types de biens supports) | Catalogues of Modules: modelling model and layers |
| Information sources for threats | The tool provides a compilation of threats from EBIOS and ISO 27005 | N/A | Annex C | MAGERIT v2: Vol. II, Catalogue of Elements (threats) | White paper "OCTAVE Threat Profiles" | EBIOS v2 knowledge bases 2010: types of threat sources (Types de sources de menaces); generic threats and vulnerabilities (Menaces et vulnérabilités génériques) | Catalogues of Modules: threat catalogue |
| Information sources for vulnerabilities | The tool provides the vulnerabilities of the EBIOS method plus many created by the publisher; sets of assets, threats and vulnerabilities are predefined to support risk identification | N/A | Annex D | N/A | N/A | EBIOS v2 knowledge bases 2010: generic threats and vulnerabilities (Menaces et vulnérabilités génériques) | N/A |
| Information sources for impacts | CIA impact criteria mapped to Reputation, Operation, Legal, Financial, Person, etc. | N/A | Impact criteria (clause 7.2.3) and Annex B3 | MAGERIT v3: Methodology, determination of the potential impact | Impact criteria: worksheets 1 to 7; Identify Areas of Concern: worksheet 10 | EBIOS v2 knowledge bases 2010: types of impact (Types d'impact) | BSI Standard 100-2: impact criteria (protection requirements categories) |
| Information sources for controls | Refers to ISO 27002 by default, or to any other standard | N/A | Refers to ISO 27002 | MAGERIT v2: Vol. II, Catalogue of Elements (safeguards); the tool also refers to ISO 27002 | OCTAVE Catalog of Practices v2.0 | EBIOS method: study of security measures (Étude des mesures de sécurité); refers to ISO 27002 | Catalogues of Safeguards (infrastructure, organisation, personnel, hardware, software, communication, contingency planning) |

References

- ISO 31000:2009
- ISO/IEC 27005:2011
- MAGERIT
- OCTAVE
- EBIOS 2010
- IT-Grundschutz
- ENISA