EBIOS RM Explained: its history, methodology, strengths and limits
What is the EBIOS RM cyber risk analysis, and why should organizations care? Created in 1995 by France's Central Service for the Security of Information Systems (SCSSI), EBIOS has evolved over 20+ years into a comprehensive framework for analyzing information system risks. Now maintained by ANSSI as EBIOS Risk Manager, this method has become increasingly vital as cybersecurity issues surge, particularly for public sector organizations providing critical services. But who exactly should use it, and what are its core benefits and limitations?

What is EBIOS RM?
EBIOS is the French acronym for “Expression of Needs and Identification of Security Objectives”. It is a risk management method related to information systems security (also known as INFOSEC). It was created in 1995 by the Central Service for the Security of Information Systems (SCSSI), the former name of the ANSSI (National Agency for the Security of Information Systems), which now maintains it.
Historic development of EBIOS
According to ANSSI, EBIOS has established itself as a reliable risk management method over the past 20 years. The Agency updates the methodology on a regular basis, and it now complies with three ISO standards: ISO 27000, ISO 27005, and ISO 31000. EBIOS Risk Manager offers several advantages, supporting:
- Analyzing cyber risks within a cybersecurity strategy
- Treating risks relative to information security (InfoSec)
- Communicating to internal and external stakeholders about cyber risks

In 2010, the EBIOS method was revised in collaboration with the EBIOS Club. The EBIOS Club is an independent non-profit association that brings together approximately 60 member companies, including consulting and training companies and four software publishers, with more than 200 individual members. This revision took into account regulatory changes and the feedback gathered from users over the years. It offered:
- a simplified approach
- a framework for InfoSec action plans
- use cases that help build credible scenarios
- software to facilitate implementation
In 2018, EBIOS Risk Manager was released. EBIOS RM 1.0 addressed the issue of the entry points cybercriminals use to penetrate a system. It focused on cyber threats of intentional origin. While cyber incidents of accidental origin (human error, natural disaster, or structural failure) constitute a constantly growing category of cyber incidents according to the annual Verizon DBIR report, unintentional risks are, surprisingly, outside the scope of the EBIOS risk analysis. The rationale is that this type of risk can be addressed through compliance and security-baseline good practices.
In March 2024, EBIOS Risk Manager version 1.5 was released. It brings significant improvements over previous iterations of EBIOS that strengthen risk anticipation and support better decision-making in evolving environments. The updated method integrates extensive practitioner feedback and aligns with the updated ISO 27005:2022 standard.
What is the purpose of EBIOS, and who is it designed for?
EBIOS is designed as a toolbox that provides a framework for cyber risk management on several levels:
- Installation of a data and information security management system
- Implementation of an InfoSec strategy
- Integration of information security in various projects
- Repository of requirements applicable to InfoSec audit service providers
This method is mainly used by French public companies and ministries. In the private sector, due to its complexity and limited reach outside France, only a few large companies use it, and often only to complement more established and widespread international frameworks and standards such as NIST CSF or ISO 27005, and increasingly the FAIR standard. For the same reasons, NIST CSF, ISO 31000, and ISO 27005 remain the preferred frameworks worldwide.

Is the EBIOS method compliant with ISO 27005?
Yes, the EBIOS method is compatible with the information security risk management principles described by ISO 27005.
Who is in charge of implementing EBIOS RM? The risk manager or the CISO?
This approach brings together several participants in workshops: business leaders, the CIO, the CISO, the cybersecurity manager and the risk manager.
The Expression of Needs and Identification of Security Objectives is a risk management methodology published by Club EBIOS. It is also a registered trademark of the French General Secretariat for Defence and National Security (SGDSN). EBIOS Risk Manager (EBIOS RM) is the cybersecurity risk analysis method that the National Agency for Information Systems Security (ANSSI) now maintains.
