MEHARI method

MEHARI method 2021-02-03T20:48:33+00:00

MEHARI is an integrated and complete methodology for the assessment and management of risks associated with information and its processing.

MEHARI is distributed free of charge under a Creative Commons license.

MEHARI has been developed and updated since 1996 by CLUSIF and CLUSIQ.

MEHARI complies with the guidelines set by the ISO 27005:2011 standard, itself aligned with ISO 31000, and allows the seamless integration of risk into an ISO 27001 ISMS process, thanks to management involvement and the awareness of users, actors and operation managers.

Following the risk assessment, MEHARI proposes additional management directions and security measures and plans, thus creating the basis for coherent information security policies.

Please take the time to fill in the contact form, which is used exclusively for future notifications to you, such as notice of a revision, new information or a new knowledge base.
We will respect your anonymity if you leave the form empty.


This knowledge base is currently available in English, French and Farsi.

It provides a high-level graphical user interface, built e.g. on Excel, for completing a full risk analysis and management for your organization.

It may be used for any size and type of organization, either completely (recommended) or on well-selected subsets (scope and perimeter) of its activities, and makes it possible to "score" the organization's compliance with the ISO 27001 and 27002:2013 standards.

The knowledge base has been downloaded in more than 175 countries. The current revision integrates links with the controls of the ISO 27001/27002:2013 standards and introduces several improvements that allow organizations to take charge of their use of the method within a continuous and controlled security management process.


The MEHARI Standard knowledge base is currently available only in French.


MEHARI Manager permits a first level of identification and analysis of the main information security requirements for the activities supervised by a business manager, either before running a risk assessment or in addition to an existing one.

It is completed through a direct interview with the manager to identify one or several risk scenarios and assess their seriousness.

MEHARI Manager is particularly useful for new projects and for architecture or functional changes.
MEHARI Manager provides a framework for this study in a spreadsheet, currently available in French.


MEHARI Pro follows the same principles and logic as MEHARI Expert, but in a more compact knowledge base for small or medium entities, allowing risk management to be completed faster.

The MEHARI Pro knowledge base is currently available only in French.

MEHARI knowledge bases are distributed free of charge and under a Creative Commons license.

For more information

* forum

This exchange forum, in French and English, is open to all readers and requires a simple registration for posting messages.

* Please fill in the contact form below if you have a question or proposal about the method.
We will answer as soon as possible.

* Or send messages to