| | MONARC | ISO 31000:2009 | ISO 27005:2013 | MAGERIT | OCTAVE | EBIOS | IT-Grundschutz |
|---|---|---|---|---|---|---|---|
| Original long name | Méthode Optimisée d'analyse des risques CASES | N/A | N/A | Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información | Operationally Critical Threat, Asset, and Vulnerability Evaluation | Expression des Besoins et Identification des Objectifs de Sécurité | English name: IT Baseline Protection Manual |
| First version | 2013 | 2009 | 2008 | 1997 | 1999 | 1995 | 1994 |
| Last version | v2 (2017) | 2009 | 2013 | v3 (2014) | OCTAVE Allegro (2007), OCTAVE-S (2005) | 2010 | 2013 |
| Language | International | International | English | | | | |
| Sponsor | SecurityMadeIn.lu (Ministry of the Economy of Luxembourg) | International | International | Ministerio de Administraciones Públicas, Spain (Spanish Ministry for Public Administrations) | Carnegie Mellon University (USA) | DCSSI France (Direction Centrale de la Sécurité des Systèmes d'Information, Premier Ministre) | Federal Office for Information Security, Germany (BSI) |
| Sponsor type | Government | International | International | Government | University | Government | Government |
| Method | Method | Guideline | Standard, guideline | Method | Method | Method | Method, standard |
| Price of the method | Free | Paying | Paying | Free | Free | Free | Free |
| Qualitative method | Yes | N/A | N/A | Yes | Yes | Yes | Yes |
| Quantitative method | No | N/A | N/A | Yes | No for OCTAVE and OCTAVE-S; yes for OCTAVE Allegro | No | No |
| Information risk management | Yes. The tool can also manage operational risks on ROLFP criteria (Reputation, Operation, Legal, Financial, Person) | Yes | Yes | Yes | Yes | Yes | Yes |
| Associated tool | MONARC: free | No tool | No tool | Pilar: paying | No tool needed (use of pre-defined worksheets) | EBIOS: free | Note: all are paying tools |
| Scope | All types | All types | All types | All types | SME | All types | All types |
| Target users | Management, operational | Management, operational | Management, operational | Management, operational, technical | Management, operational | Management, operational | Management, operational, technical |
| License scheme | No | No | No | No | No | Yes | Yes |
| Certification scheme | No | No | Yes | No | No | No | Yes |
| User skills | To introduce: standard; to use: standard; to maintain: standard | To introduce: standard; to use: standard; to maintain: standard | To introduce: standard; to use: standard; to maintain: standard | To introduce: standard; to use: ICT professionals; to maintain: management skills | To introduce: standard; to use: standard; to maintain: standard | To introduce: standard; to use: standard; to maintain: standard | To introduce: standard; to use: standard; to maintain: standard |
| Measures the I.S.S. maturity level | No | N/A | N/A | No | No | Yes, with compliance to ISO/IEC 21827 | Yes (three levels) |
| Integration with other tools | Yes, JSON/CSV output functions | N/A | N/A | Yes, XML/CSV input/output functions | No | No | No |
| Flexible knowledge databases | Yes, everything is modifiable and facilitated by import/export functions | N/A | N/A | Yes: the method and the tools | No | Yes, domain-specific vulnerability databases | Yes |
| Regulatory compliance | Can be achieved indirectly | N/A | N/A | Can be achieved indirectly | No | No | |
| Compliance with IT standards | Risk assessment and SoA | N/A | Risk assessment | No | N/A | | |
| Compliance with ISO 27005 processes | Yes | N/A | Yes | Yes | Yes | Yes | Yes |
| Compliance with ISO 31000 framework | Yes | N/A | Yes | Yes | Yes | Yes | Yes |
| Method/tool gives information sources for assets | The tool provides assets from the EBIOS method and many assets created by the publisher itself | N/A | Annex B1, B2 | MAGERIT v2: Vol. II - Catalogue of Elements (types of assets) | OCTAVE SM: Method Implementation Volume 7, Identify Key Components | EBIOS v2: Bases de connaissances 2010 | Catalogues of Modules - modelling model and layers |
| Method/tool gives information sources for threats | The tool provides a compilation of assets from EBIOS and ISO 27005 | N/A | Annex C | MAGERIT v2: Vol. II - Catalogue of Elements (threats) | White paper "OCTAVE Threat Profiles" | EBIOS v2: Bases de connaissances 2010 | Catalogues of Modules - threat catalogue |
| Method/tool gives information sources for vulnerabilities | The tool provides vulnerabilities from the EBIOS method and many assets created by the publisher itself. Sets of assets, threats and vulnerabilities are already defined to help risk identification | N/A | Annex D | N/A | N/A | EBIOS v2: Bases de connaissances 2010 | N/A |
| Method/tool gives information sources for impacts | Impact criteria CIA in relationship with Reputation, Operation, Legal, Financial, Person, etc. | N/A | Impact criteria (7.2.3) and Annex B3 | MAGERIT v3: Methodology - determination of the potential impact | Impact criteria: Worksheets 1-7; Identify Areas of Concern: Worksheet 10 | EBIOS v2: Bases de connaissances 2010 | Standard 100-2, impact criteria - protection requirements categories |
| Method/tool gives information sources for controls | Refers to ISO 27002 by default or any other standard | N/A | Refers to ISO 27002 | MAGERIT v2: Vol. II - Catalogue of Elements (Safeguards); the tool also refers to ISO 27002 | OCTAVE - Catalog of Practices V2.0 | EBIOS Méthode - Étude des mesures de sécurité; refers to ISO 27002 | Catalogues of Safeguards (Infrastructure, Organisation, Personnel, Hardware, Software, Communication, Contingency planning) |
References

**ISO 31000:2009**

**ISO 27005:2011**

**MAGERIT**
- Methodology for Information Systems Risk Analysis and Management Book
- Methodology for Information Systems Risk Analysis and Management Book I - The Method
- Methodology for Information Systems Risk Analysis and Management Book II - Catalogue of Elements
- Methodology for Information Systems Risk Analysis and Management Book III - Techniques

**OCTAVE**
- Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process
- Method Implementation Guide Version 2.0, Volume 2: Preliminary Activities
- Implementation Guide, Version 1.0, Volume 1
- Implementation Guide, Version 1.0, Volume 2
- Implementation Guide, Version 1.0, Volume 3
- Implementation Guide, Version 1.0, Volume 4
- Implementation Guide, Version 1.0, Volume 9

**EBIOS 2010**

**IT-Grundschutz**
- Information Security Management Systems (ISMS)
- IT-Grundschutz Methodology
- Risk analysis based on IT-Grundschutz
- IT-Grundschutz-Catalogues

**ENISA**