EBIOS Risk Manager — ANSSI 2026 Method, Instrumented and Auditable
The 5 EBIOS RM workshops in one platform: scoping, risk sources, strategic and operational scenarios, treatment. Automatic scoring, report export, NIS2 / DORA / ISO 27001 integration.
The 5 EBIOS RM workshops
Each workshop delivers a signed report feeding the next.
Scoping and security baseline
Study scope, missions, business values, supporting assets, feared events. Identification of existing security baseline (frameworks, protection measures in place). Deliverable: scoping note + business values / supporting assets matrix.
Risk sources and objectives
Mapping of risk sources (states, hacktivists, criminals, competition, insiders…) and their objectives (espionage, sabotage, financial gain…). Qualified relevance of source/objective pairs. Deliverable: pair registry.
Strategic scenarios
High-level attack schemes: who attacks, which business value is impacted, through which path, with what collateral damage on the ecosystem. Severity × likelihood scoring. Deliverable: ecosystem map + strategic scenarios.
Operational scenarios
Technical detail of attack paths (MITRE ATT&CK kill chain), through supporting assets. Per-segment scoring. Deliverable: operational scenarios with detailed scoring.
Risk treatment
Security measures to implement, prioritization, action plan, follow-up. Residual strategy (accept, transfer, avoid, reduce). Deliverable: treatment plan + residual risk acknowledged by management.
Risk scoring (ANSSI scale)
| Likelihood | Description |
|---|---|
| Very high (V4) | The attacker has means and motivation, documented real cases. |
| High (V3) | Means available, probable motivation, few obstacles. |
| Significant (V2) | Attacker could acquire means and motivation. |
| Minimal (V1) | Exceptional case, unlikely attacker or strong controls. |
Severity (G1 negligible → G4 catastrophic) follows a parallel scale. Residual risk is positioned on the 4×4 S × L matrix and qualified.
EBIOS RM frequently asked questions
How to write a workshop 1 EBIOS RM report?
The workshop 1 report (scoping and baseline) must contain: validated study scope, list of missions and business values, supporting asset inventory, existing security baseline (frameworks, controls), prioritized feared events. Business management signature validates the scoping before workshop 2. Report template downloadable in ResiPlan.
What are attack schemes in EBIOS RM?
Attack schemes (workshop 3) are high-level graphical representations: who (risk source) attacks what (business value), through which ecosystem path, with what collateral damage. They are then refined into detailed operational scenarios (workshop 4) with MITRE ATT&CK. See ResiPlan for visual modeling.
How to score risks per ANSSI?
ANSSI proposes a Severity × Likelihood scoring on 4 levels each (G1–G4 / L1–L4). Severity reflects business impact (legal, financial, reputational, operational); likelihood reflects attacker capability and motivation against existing controls. Risk is positioned in a 4×4 matrix and qualified as negligible, moderate, high, critical.
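The matrix positioning described in the scoring section and in this answer, as an added example written for this page (it is not ResiPlan's or ANSSI's code). The page gives the four severity levels (G1–G4), the four likelihood levels (V1–V4) and the four qualification names, but not which matrix cells map to which qualification, so the `GRID` below is a placeholder acceptance grid to be replaced by the organization's own; the `treat` function models the four residual strategies under the stated assumption that "reduce" lowers a level by a number of steps, and the scenarios in `SAMPLE` are constructed, not taken from any real study.

```python
"""Added example: EBIOS RM 4x4 severity x likelihood positioning, qualification,
and residual risk after treatment. Grid mapping and treatment modelling are
assumptions, not the ANSSI method's prescribed values."""
from dataclasses import dataclass, replace

SEVERITY = ("G1", "G2", "G3", "G4")       # negligible .. catastrophic
LIKELIHOOD = ("V1", "V2", "V3", "V4")     # minimal .. very high
QUALIFICATIONS = ("negligible", "moderate", "high", "critical")

# Placeholder acceptance grid (assumption): row = severity, column = likelihood.
GRID = [
    ["negligible", "negligible", "moderate", "moderate"],   # G1
    ["negligible", "moderate",   "moderate", "high"],       # G2
    ["moderate",   "moderate",   "high",     "critical"],   # G3
    ["moderate",   "high",       "critical", "critical"],   # G4
]


@dataclass(frozen=True)
class Scenario:
    name: str
    risk_source: str
    business_value: str
    severity: str
    likelihood: str


def qualify(severity: str, likelihood: str) -> str:
    """Position one scenario on the 4x4 matrix and return its qualification."""
    return GRID[SEVERITY.index(severity)][LIKELIHOOD.index(likelihood)]


def _lower(scale: tuple, level: str, steps: int) -> str:
    """Move a level down the scale by `steps`, never below the lowest level."""
    return scale[max(0, scale.index(level) - steps)]


def treat(scenario: Scenario, strategy: str, severity_steps: int = 0,
          likelihood_steps: int = 0):
    """Apply a residual strategy (accept / transfer / avoid / reduce).

    Modelling assumption: 'reduce' lowers the levels by the given steps
    (measures on the attack path lower likelihood, measures limiting impact
    lower severity); 'accept' and 'transfer' keep the levels as scored;
    'avoid' removes the scenario entirely (returns None)."""
    if strategy == "avoid":
        return None
    if strategy == "reduce":
        return replace(scenario,
                       severity=_lower(SEVERITY, scenario.severity, severity_steps),
                       likelihood=_lower(LIKELIHOOD, scenario.likelihood, likelihood_steps))
    if strategy in ("accept", "transfer"):
        return scenario
    raise ValueError(f"unknown strategy {strategy!r}")


def treatment_plan(decisions):
    """decisions: list of (scenario, strategy, severity_steps, likelihood_steps).

    Returns register rows with inherent and residual qualification, ordered
    by inherent qualification (most critical first) for prioritization."""
    rows = []
    for scenario, strategy, sev_steps, lik_steps in decisions:
        inherent = qualify(scenario.severity, scenario.likelihood)
        residual_sc = treat(scenario, strategy, sev_steps, lik_steps)
        residual = (qualify(residual_sc.severity, residual_sc.likelihood)
                    if residual_sc is not None else None)
        rows.append({"scenario": scenario.name, "source": scenario.risk_source,
                     "inherent": inherent, "strategy": strategy, "residual": residual})
    rank = {q: i for i, q in enumerate(QUALIFICATIONS)}
    rows.sort(key=lambda r: rank[r["inherent"]], reverse=True)   # stable sort
    return rows


# Constructed sample scenarios (illustrative only, not from a real study).
SAMPLE = [
    (Scenario("Ransomware via supplier VPN", "organized crime",
              "order processing", "G4", "V3"), "reduce", 0, 2),
    (Scenario("Data exfiltration by insider", "disgruntled insider",
              "customer data", "G3", "V2"), "reduce", 1, 1),
    (Scenario("Website defacement", "hacktivists",
              "public image", "G2", "V4"), "transfer", 0, 0),
    (Scenario("Legacy kiosk compromise", "competitor",
              "brand", "G1", "V2"), "avoid", 0, 0),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE):
        print(row)
```

Running the block prints the register in treatment-priority order: the ransomware scenario (G4 × V3, critical) drops to moderate once its likelihood is reduced by two steps, the insider scenario drops from moderate to negligible, the transferred defacement scenario keeps its high inherent level as residual (transfer does not change the levels in this model), and the avoided scenario has no residual entry.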
What are collateral damage and risk sources in EBIOS RM?
Risk sources (RS) are actors likely to attack (nation-states, organized criminals, hacktivists, competitors, disgruntled insiders…). Collateral damage refers to indirect impacts on the business ecosystem (suppliers, customers, partners) that must be considered to assess the real severity of a scenario.
Is there an ANSSI EBIOS RM toolbox?
ANSSI provides the official PDF guide + method sheets, but no integrated software. Market tools (ResiPlan, EgeRiS, others) instrument the method with guided input, automatic scoring and ANSSI export. ResiPlan natively delivers the 5 workshops + scoring + scenarios + report export.
Is EBIOS RM aligned with ISO 27005?
Yes. EBIOS RM v1.5 (2018) is explicitly aligned with ISO/IEC 27005:2022. The method adds 2 distinctive angles: targeted risk source consideration (intentional) and ecosystem analysis (collateral damage). For ISO 27001 certification, EBIOS RM is an accepted approach.
How do successive workshops chain in EBIOS RM?
The 5 workshops are sequential and iterative. Each workshop report feeds the next: scoping → risk sources / objectives (RS/OV) → strategic scenarios → operational scenarios → treatment. Each workshop lasts 0.5 to 2 days depending on scope. A full EBIOS study on a target scope represents 4 to 8 days of work spread over 1 to 3 months.
Does EBIOS RM replace MEHARI?
EBIOS RM and MEHARI coexist. MEHARI (CLUSIF) is more focused on existing control assessment; EBIOS RM is more focused on attacker modeling and scenarios. ResiPlan supports both methods (plus FAIR, ISO 27005, Kinney, Bow-Tie and 31 others) to fit your organization's maturity.
Launch your first EBIOS RM study in 2 days
Free 14-day trial. Pre-wired ANSSI templates, automatic scoring, AI to draft strategic scenarios. Sign-ready report.