EBIOS

EBIOS (French: Expression des besoins et identification des objectifs de sécurité) allows evaluation and action on risks relative to information systems security, and proposes a security policy adapted to the needs of an organization. This risk analysis method has been created by the DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information), a department of the French Ministry of Defense. The 5 steps of the EBIOS method are: circumstantial study, security requirements, risk study, identification of security goals, and determination of security requirements.

This method is primarily intended for administrations and industries working with the Defense Ministry that treat confidential or secret defense classified information. It enables well informed “security actions to be undertaken”. The general target is to create a balance of actual or future situations (in the case of a newly created information system). Afterwards, deficiencies of the system must be revealed and so on, in order to permit reflection about solutions to be implemented.

In its first version, EBIOS was focused on “security objectives redaction”. Since 2000, DCSSI became aware of international standards (ISO in particular) increases and “engaged EBIOS adaptation to this criteria”. We can also perceive it as a way to avoid France’s confinement in information security, and incurred risks with the use of French methods that are not recognized abroad and unsuited to international standards.