EBIOS Risk Manager (EBIOS RM) is a structured methodology developed by ANSSI (the French National Cybersecurity Agency) in collaboration with the Club EBIOS.
It provides a robust, iterative framework for digital risk assessment and treatment, enabling organizations to define appropriate security measures and maintain an acceptable level of residual risk through continuous improvement.
- Standards: Fully compatible with ISO 31000:2018 (risk management) and the ISO/IEC 27000 series (cybersecurity).
- Objectives:
  - Establish or enhance a digital risk management process.
  - Support security accreditation and certification processes.
  - Define target security levels for products or services.
- Applicability: Adaptable to organizations of any size and sector.
EBIOS RM follows an iterative five-workshop approach (WS1–WS5) that structures the entire risk analysis lifecycle.
| Workshop | Main Objective | Description |
|---|---|---|
| WS1 | Scope & Security Baseline | Defines goals, roles, and scope (missions, business and supporting assets). Identifies Feared Events (FE) and establishes the applicable security baseline, mapping existing gaps. |
| WS2 | Risk Origins (RO) | Answers the question: who or what could harm the organization’s missions or assets, and why? Identifies Risk Origins (RO) and Target Objectives (TO), evaluating relevance based on motivation, capability, and activity. |
| WS3 | Strategic Scenarios | Provides a high-level ecosystem view. Maps critical stakeholders and threat vectors, constructs strategic attack scenarios, and defines ecosystem-level mitigations. |
| WS4 | Operational Scenarios | Details concrete attack paths for each strategic scenario, focusing on critical supporting assets. Evaluates likelihood by combining success probability and technical difficulty. |
| WS5 | Risk Treatment | Consolidates results, defines risk acceptance thresholds, and formulates security measures within a Continuous Security Improvement Plan (SCIP). Evaluates Residual Risks (RR) and establishes continuous monitoring. |
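To make the chain between the five workshops concrete, the following is an added example (not ANSSI's text, and not the code of any certified tool) that models a toy EBIOS RM study in Python: a WS1 feared event, WS2 risk-origin/target-objective pairs filtered on motivation, capability and activity, a WS3 strategic scenario through an ecosystem stakeholder, WS4 operational scenarios rated on success probability and technical difficulty, and WS5 measures with residual risk checked against an acceptance threshold. Every scale, threshold and aggregation rule in it is an assumption chosen for illustration; the official guide defines its own scales.

```python
"""Constructed walk-through of the five EBIOS RM workshops on a toy study.
Added example: not ANSSI's method text or any certified tool; every scale
and scoring rule below is an assumption made for illustration."""
from dataclasses import dataclass

RELEVANCE_THRESHOLD = 6   # assumed: RO/TO pairs scoring below this are dropped in WS2
ACCEPTANCE_THRESHOLD = 4  # assumed: risk = severity * likelihood is acceptable at or below 4


@dataclass
class FearedEvent:
    """WS1 artefact: harm to a business asset, on an assumed 1..4 severity scale."""
    name: str
    business_asset: str
    severity: int


@dataclass
class RiskOriginTarget:
    """WS2 artefact: a risk origin (RO) pursuing a target objective (TO)."""
    origin: str
    target_objective: str
    motivation: int    # assumed 1..3 scale for each of the three factors
    capability: int
    activity: int

    def relevance(self) -> int:
        # assumed rule: simple additive score of the three WS2 factors
        return self.motivation + self.capability + self.activity


@dataclass
class StrategicScenario:
    """WS3 artefact: ecosystem-level route from an RO/TO pair to a feared event."""
    ro_to: RiskOriginTarget
    feared_event: FearedEvent
    stakeholder: str   # ecosystem actor (supplier, partner) the route passes through


@dataclass
class OperationalScenario:
    """WS4 artefact: a concrete path over supporting assets with its two ratings."""
    name: str
    strategic: StrategicScenario
    path: list
    success_probability: int   # assumed 1..4
    technical_difficulty: int  # assumed 1..4, 4 being the hardest

    def likelihood(self) -> int:
        # assumed rule: each difficulty level above 1 lowers the likelihood one step
        return max(1, self.success_probability - (self.technical_difficulty - 1))

    def risk(self) -> int:
        return self.strategic.feared_event.severity * self.likelihood()


@dataclass
class Measure:
    """WS5 artefact: a measure of the improvement plan and the likelihood step it removes."""
    name: str
    likelihood_reduction: int


def residual_risk(scenario: OperationalScenario, measures: list) -> int:
    """WS5: re-rate the scenario after the planned measures (assumed additive effect)."""
    reduction = sum(m.likelihood_reduction for m in measures)
    likelihood = max(1, scenario.likelihood() - reduction)
    return scenario.strategic.feared_event.severity * likelihood


def run_study() -> dict:
    """Chain WS1..WS5 on constructed data and report initial vs. residual risk."""
    # WS1: feared event on the business asset in scope (constructed)
    fe = FearedEvent("Order processing unavailable for more than 24h", "order processing", severity=3)
    # WS2: candidate RO/TO pairs (constructed); only the relevant ones go forward
    candidates = [
        RiskOriginTarget("Organised crime", "Extort a ransom", 3, 2, 3),
        RiskOriginTarget("Hacktivist collective", "Publicly embarrass the company", 2, 1, 1),
    ]
    retained = [c for c in candidates if c.relevance() >= RELEVANCE_THRESHOLD]
    # WS3: one strategic scenario for the retained pair, through an ecosystem stakeholder
    strategic = StrategicScenario(retained[0], fe, stakeholder="managed IT service provider")
    # WS4: two operational paths over supporting assets for that strategic scenario
    ops = [
        OperationalScenario("via MSP remote-admin account", strategic,
                            ["MSP admin account", "domain controller", "order servers"], 3, 2),
        OperationalScenario("via order-desk staff phishing", strategic,
                            ["staff mailbox", "workstation", "order servers"], 4, 1),
    ]
    # WS5: measures credited per scenario, then residual risk against the threshold
    plan = {
        ops[0].name: [Measure("MFA and just-in-time access for MSP accounts", 1)],
        ops[1].name: [Measure("Mail filtering and phishing-report workflow", 1)],
    }
    report = {}
    for op in ops:
        rr = residual_risk(op, plan[op.name])
        report[op.name] = {"initial": op.risk(), "residual": rr,
                           "accepted": rr <= ACCEPTANCE_THRESHOLD}
    report["retained_origins"] = [r.origin for r in retained]
    return report


if __name__ == "__main__":
    for key, value in run_study().items():
        print(key, value)
```

Running it shows the WS5 outcome the method is built for: one operational scenario falls under the acceptance threshold after its measure, while the other stays above it and must loop back into the improvement plan, which is exactly what the operational cycle revisits.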
- Cycles:
  - Strategic Cycle: Covers the full study, from scoping to treatment.
  - Operational Cycle: Revisits operational scenarios in response to new threats, incidents, or vulnerabilities.
- Strengths:
  - Clearly identifies key risk elements and their interdependencies.
  - Highlights actors and interactions contributing to digital risk.
  - Flexible and scalable across organizational contexts.
  - Relatively quick to implement compared to other methodologies.
- Limitations:
  - Excludes accidental risks.
  - Probability models do not reflect real-world threat intelligence.
  - Considers only the likelihood of attack success, not the likelihood of being targeted.
  - Scenario-based structure complicates interoperability with catalog-driven frameworks.
  - Lacks standardized catalogs for assets, threats, and vulnerabilities.
EBIOS RM is widely adopted in France, particularly in the public sector:
- Mandated for Operators of Vital Importance (OIV) reporting to ANSSI.
- Extensively used by public agencies and ministries.
- In the private sector, adoption is limited to large enterprises, often as a complement to NIST CSF or ISO 27005.
ANSSI-certified commercial tools implementing EBIOS RM principles include:
- Fence – Airbus Protect
- Agile Risk Manager – ALL4TEC
- Arimes – ADACIS
If you are interested in accessing the full PDF version of the interoperability study, please open an issue in this repository specifying your request. The complete report will be shared upon review.
- ANSSI, EBIOS Risk Manager Methodology Guide
- ENISA (2022), Mapping and Interoperability of EU Risk Management Frameworks
- ISO 31000:2018, Risk Management — Guidelines
- ISO/IEC 27005:2022, Information Security Risk Management