EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité) is a method for analysing and managing IT and digital risks, developed and maintained by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI). It enables the risks associated with information systems to be identified, assessed and treated in order to secure them.
The latest version, EBIOS Risk Manager v1.5, was published by ANSSI in March 2024.
🎯 What is the purpose of EBIOS?
EBIOS is used to:
- Identify risks: determine the feared events likely to affect the organisation's information system and its critical assets.
- Assess risks: estimate the likelihood of these events and their potential impact on the organisation.
- Treat risks: define and implement appropriate security measures to reduce or control the risks identified.
- Communicate risks: give the various stakeholders a clear, shared view of the risks.
- Justify security choices: explain and document security decisions.
- Comply with regulations: meet the requirements of certain standards and regulations (e.g. RGPD (GDPR), LPM).
How it works
EBIOS Risk Manager, the current version, is structured around five main stages:
- Context: define the scope of the study, identify the stakeholders and their expectations, and describe the security objectives.
- Areas of activity: analyse the business activities and processes supported by the information system, and identify the assets that matter to the organisation.
- Threats: identify potential threats (computer attacks, human error, natural disasters, etc.) and their likelihood.
- Vulnerabilities: analyse the weaknesses in the information system that threats could exploit.
- Risks and security measures: cross-reference threats and vulnerabilities to identify risk scenarios, assess their severity, and define the security measures to implement.
A concrete example
Let's take the example of a company using an e-commerce website.
- Major asset: the customer database.
- Threat: an SQL injection attack.
- Vulnerability: poor design of the website's contact form.
- Risk scenario: an attacker exploits the vulnerability to inject SQL code and gain access to the customer database.
- Potential impact: theft of customers' personal data, damage to the company's reputation, financial losses.
- Security measure: implement input controls on the contact form to prevent SQL injection.
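To make the risk scenario and its treatment concrete, here is an added example (not part of the original article) that models the contact form's customer lookup twice: once built by string concatenation, which is the vulnerability, and once as a parameterised query with an input check in front of it, which is the security measure. The customer records, table layout and crafted input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the e-commerce customer database.
CUSTOMERS = [
    ("alice@example.com", "Alice", "4111-XXXX"),
    ("bob@example.com", "Bob", "5500-XXXX"),
]

# Allow-list check for the form's email field: letters/digits/@/dot only.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_db():
    """In-memory stand-in for the customer database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    # The form value is pasted into the SQL text, so it can change the query.
    sql = f"SELECT email, name FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def is_valid_email(value):
    # Input control: reject anything that is not a plain email address.
    return EMAIL_RE.fullmatch(value) is not None


def lookup_hardened(conn, email):
    # Input is validated first, then bound as a parameter: the database
    # driver treats it as a value, never as part of the SQL statement.
    if not is_valid_email(email):
        return []
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def run_scenario():
    """Compare both lookups on a normal and on a crafted form value."""
    conn = build_db()
    legit = "alice@example.com"
    crafted = "x' OR '1'='1"  # textbook tautology, constructed for the demo
    return {
        "vuln_legit": len(lookup_vulnerable(conn, legit)),      # 1 row
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),  # whole table
        "hard_legit": len(lookup_hardened(conn, legit)),        # 1 row
        "hard_crafted": len(lookup_hardened(conn, crafted)),    # rejected
    }
```

The vulnerable lookup returns every customer for the crafted value, which is exactly the feared event in the scenario; the hardened lookup rejects it before the query runs and would return no rows even without the check, because the bound parameter cannot alter the statement.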
Competitors to EBIOS
Although EBIOS is widely used in France, other risk analysis methods also exist:
- ISO 27005: international standard for information security risk management. EBIOS RM is now aligned with this standard.
- NIST Cybersecurity Framework: cyber security framework developed by the National Institute of Standards and Technology (NIST) in the United States.
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): method developed by CERT (Computer Emergency Response Team) in the United States.
- MEHARI (Harmonised Method for Analysing IT Risks): method developed by CLUSIF (Club de la Sécurité des Systèmes d'Information Français).
To find out more, read the article:
EBIOS, ISO 27001 or ISO 27005: which method to use to manage cybersecurity risks?