MEHARI method

Home/MEHARI method
MEHARI method 2017-05-17T11:09:55+00:00

MEHARI is an integrated and achieved methodology for the assessment and management of risks associated to information and its treatment.

MEHARI is developed and updated since 1996 by CLUSIF and CLUSIQ.

MEHARI is compliant to the guidelines set by ISO 27005:2011 standard, itself aligned on ISO 31000, and allows the seamless integration of risk into an ISO 27001 ISMS process, thanks to management involvement and awareness of the users, actors and operation managers.

Following the risk assessment, MEHARI proposes additional management directions and security measures and plans, thus creating the basis for coherent information security policies

The knowledge base of the method currently available in English and Farsi is:


The knowledge base provides a high level of user interface built on Excel or similar. It may be used for any size and type of organization, either completely or on well selected subsets of its activities and allows to ‘’score’’ the compliance of the organization regarding ISO 27001 and 27002:2013 standards.

The knowledge base has been downloaded towards more than 175 countries, the current revision integrates the controls of ISO 27001/27002:2013 standards and introduces some improvements allowing the organizations to take over their usage of the method within a continuous and controlled process of security management.

[button href=”” style=”emboss” size=”medium” color=”#dd3333″ hovercolor=”#dd3e3e” textcolor=”#ffffff” icon=”arrow-circle-down”]Download MEHARI 2010[/button]


MEHARI Manager permits a first level of identification and analysis of the main information security requirements for the activities supervised by a business manager either before running a risk assessment or in addition to an existing one.

It is completed through a direct interview with the manager for identification and seriousness assessment for one or several risk scenarios.

MEHARI Manager is particularly useful for new projects and architecture or functional changes.
MEHARI Manager provides a frame for this study in a spreadsheet, currently available in French.


MEHARI Pro follows the same principles and logic than MEHARI Expert but in a more compact knowledge base for small or medium entities allowing completing faster risk management.

MEHARI Pro knowledge base is currently available only in French.

MEHARI knowledge bases are distributed free and under a CreativeCommons license.

For more information

For more information, visit forum

Also send messages to

This exchange forum, in French and English, is open to all readers and requires a simple registration for posting messages.

MEHARI est une marque déposée du CLUSIF