EBIOS Risk Manager (EBIOS RM) is the French reference method for digital risk analysis and management. Published and maintained by ANSSI (the French national cybersecurity agency), it is now widely used by public administrations and companies to identify, prioritize and treat their cyber risks.
What is EBIOS Risk Manager?
EBIOS RM is a digital risk assessment and treatment method developed by ANSSI, in collaboration with the EBIOS Club. It uses a scenario-based approach that starts from real threats and attackers' objectives, rather than a mere list of vulnerabilities. The goal: focus security efforts where the risk to the organization is highest.
Why ANSSI designed EBIOS RM
Faced with increasingly targeted cyber threats, ANSSI evolved the historic EBIOS method towards an approach centered on attack scenarios and threat knowledge. EBIOS RM thus combines a compliance view (the security baseline) and a scenario view (realistic attack paths) to produce a risk analysis that is actionable and understandable by management.
The 5 workshops of EBIOS Risk Manager
The ANSSI method is built around five complementary workshops:
- ✓Workshop 1: Scope and security baseline, to define the perimeter, business values, supporting assets and the gap to the expected security baseline.
- ✓Workshop 2: Risk origins, to identify potential attackers and their targeted objectives.
- ✓Workshop 3: Strategic scenarios, to map high-level attack paths through the ecosystem and stakeholders.
- ✓Workshop 4: Operational scenarios, to detail attackers' technical modes of operation.
- ✓Workshop 5: Risk treatment, to decide on security measures, residual risk and the continuous improvement plan.
An iterative method: the EBIOS RM cycle
EBIOS RM is not a one-off exercise but an iterative cycle. The analysis is regularly revised to reflect changes in the threat landscape, projects and information system. This cyclical nature keeps an up-to-date view of risk and continuously feeds security steering, consistently with the information security management system.
EBIOS RM, ISO 27001 and ISO 27005
The ANSSI method is fully compatible with international standards. EBIOS RM can serve as the risk assessment method within an ISO 27001 ISMS and aligns with the risk management principles of ISO 27005. This is an asset for organizations seeking certification while relying on a framework recognized by ANSSI.
When to use EBIOS RM?
- ✓For the security accreditation of a system (often required in the public sector).
- ✓To feed the risk analysis of an ISO 27001 ISMS or a NIS2 program.
- ✓To assess the risk of a sensitive project, a critical application or a new service.
- ✓To prioritize security investments based on realistic scenarios.
Cyber-SSI supports you on EBIOS RM
Our experts facilitate your EBIOS Risk Manager workshops, formalize the risk analysis according to the ANSSI method and translate it into a concrete, prioritized treatment plan.
EBIOS Risk Manager delivers a credible, shareable risk analysis aligned with ANSSI expectations. Done well, it becomes a real cybersecurity steering tool, not a document gathering dust in a drawer.
Go further
Compliance →