Risk Analysis

What is Risk Analysis?

Risk analyses aim to give a global view of relevant risks, and define recommendations that can then be used both in a security policy and in security requirements.

They constitute the first step of the ISO/IEC 27001 and ISO 15408 (Common Criteria) certification schemes.

Our Offer

Trusted Labs uses the established EBIOS risk analysis methodology, which is promoted by ANSSI, the French information systems certification authority.

As a member of the Club EBIOS, we help you apply this scalable methodology according to your needs and security approach.

We analyze both

• technical components - hardware, software, network, systems, and
• non-technical components - personnel, physical security, organization.

The EBIOS Methodology

EBIOS stands for "Expression des Besoins et Identification des Objectifs de Sécurité" (Expression of Needs and Identification of Security Objectives).

This methodology for risk analysis is widely used in both administrations and private companies in Europe, and will soon be fully compliant with ISO/IEC 27005 requirements for risk management approaches. It is:

• promoted by ANSSI - the French information system certification authority, and
• maintained by the Club EBIOS - the dedicated user group.

The EBIOS Approach

• Context Analysis: We identify the context of your system and the related security stakes: IT infrastructure, legal, marketing, etc.

• Identification of Assets: We identify resources, data, and functions which are valuable for your system’s goals. We evaluate the sensitivity of assets against several security criteria.

• Risk Assessment: We identify the system’s risks, and assess the level of risk by taking into account both the feasibility and the potential impact of successful attacks.

• Countermeasures: We propose both technical and organizational countermeasures to mitigate the identified risks. To do this, we draw from our own security expertise, as well as knowledge databases - EBIOS, ISO/IEC 27001, German IT Baseline for security, and Common Criteria. Once you have chosen countermeasures, we reassess the system to identify residual risks.

You may choose each step as a stand-alone service, or the whole risk analysis service.

We can also incrementally update our risk analyses to take into account evolutions of the state of the art, as well as new internal or external constraints or evolutions.