EBIOS Risk Manager: Everything You Need to Know About the Method and PECB Certification (2026)

EBIOS Risk Manager explained without jargon: the 5 workshops, the link to ISO 27001 and what the PECB certification is really worth.

Henri HAENNI - Expert in Business Continuity, Risk Management and Information Security Governance

EBIOS Risk Manager is the digital risk analysis method published by ANSSI, France's national cybersecurity agency. It is the latest in a generation of information security risk analysis methods (the EBIOS family) whose first version dates back to 1995. Unlike its predecessors, EBIOS RM is resolutely oriented towards deliberate cyber threats, focused on attackers and on strategic and operational attack scenarios.

It structures the analysis into five progressive workshops, from scoping to treatment, and integrates naturally into an ISO 27001 approach. It does not replace ISO 27005, which is a normative, global and strategic framework: EBIOS RM offers a concrete, operational, prescriptive and ready-to-use implementation.

PECB EBIOS Risk Manager certification validates real mastery of the method, beyond simply reading the ANSSI guide, which remains free and openly accessible. For a CISO, consultant or risk manager active in France, Switzerland or Belgium, it represents a solid investment. It is also available in English. For an SME without an established risk culture, training without certification is often more useful as a first step.

That said, the EBIOS Risk Manager method is divisive. Some find it too complex, too French, too oriented towards large organisations. Others have made it their central tool for years. The reality is more nuanced and deserves to be stated clearly.

Rest assured, this article is not a sales pitch for training. It answers a simple question: what is EBIOS RM, when is it useful, and is the PECB certification worth the investment you might consider for it?

What exactly is EBIOS Risk Manager?

The official ANSSI definition

EBIOS Risk Manager is the French national method for digital risk assessment and treatment. It was published by ANSSI (the French National Cybersecurity Agency) in October 2018, with the support of the Club EBIOS. A major update was published in March 2024 to align the method with ISO/IEC 27005:2022.

ANSSI describes it as an “adaptable toolbox” applicable to public and private organisations of any size and sector. It is distributed under an open licence: the guide is free, downloadable directly from cyber.gouv.fr.

For the record, EBIOS stands for Expression des Besoins et Identification des Objectifs de Sécurité (“Expression of Needs and Identification of Security Objectives”), a legacy from the first version created in 1995 by SCSSI, the predecessor of ANSSI.

EBIOS Risk Manager

EBIOS Risk Manager is the French national method for digital risk analysis and treatment, published by ANSSI in 2018 under an open licence. It structures the analysis into five progressive workshops and applies to any organisation, public or private, regardless of size.

EBIOS 2010 vs EBIOS RM 2018: what fundamentally changed

The 2010 version was centred on “essential assets” and followed a relatively exhaustive inventory logic: identify every possible risk on every asset. Useful, but heavy as soon as the environment becomes even slightly complex.

EBIOS Risk Manager 2018 changed approach. Rather than seeking exhaustiveness, it aims for representativeness: identifying the most significant risks by starting from real intentional threats and from the organisation's ecosystem. The result is a more agile method, better suited to today's interconnected systems and sophisticated threats.

Another important difference: EBIOS RM explicitly integrates the notion of ecosystem. Partners, subcontractors, cloud providers, service vendors, everything that interacts with the system under study without being part of it, is taken into account from Workshop 3 onwards. This is precisely what makes the method relevant in the context of supply chain attacks and third-party risk.

EBIOS 2010 vs EBIOS RM 2018

| Item           | EBIOS 2010                  | EBIOS Risk Manager 2018                               |
|----------------|-----------------------------|-------------------------------------------------------|
| Approach       | Exhaustiveness (all assets) | Representativeness (significant risks)                |
| Starting point | Essential assets            | Real intentional threats                              |
| Ecosystem      | Not integrated              | Dedicated Workshop 3 (suppliers, partners)            |
| ISO alignment  | ISO 27005:2011 (indirect)   | Fully aligned with ISO 27005:2022 (March 2024 update) |
| Agility        | Heavy for complex systems   | Modular by maturity and objective                     |

What are the five EBIOS RM workshops, concretely?

The method is structured into five progressive workshops. Each workshop answers a precise question.

How to read this section

Each workshop is designed to feed the next. A sloppy Workshop 1 weakens the whole chain. Do not skip steps, even if your perimeter seems simple.

Workshop 1, Scope and security baseline: what are we protecting, and why?

This is the starting workshop. It defines the scope of the study, the organisation's missions, the business values, the supporting assets and the feared events. It also builds the security baseline: the state of application of legal, regulatory or normative requirements (ISO 27001, NIS 2, DORA, GDPR, FADP, etc.) on the perimeter under study.

In practice: at the end of Workshop 1, you know precisely what you want to protect, what you fear, and what compliance gaps already exist. This is also where accidental and environmental risks are treated, via the baseline rather than via attack scenarios.

Workshop 2, Risk sources: who could attack us, and why?

Workshop 2 identifies and characterises the relevant risk sources, in plain language, the potential attackers. It evaluates their resources, motivations, and what they concretely seek to obtain on your system.

This workshop is often the one that surprises participants. Seriously asking “who would actually want to attack us and to do what?” forces you to leave the generic frame and anchor the analysis in the reality of the organisation.

Workshop 3, Strategic scenarios: where can they get in?

This is the ecosystem workshop. It maps everything that interacts with the perimeter under study (partners, suppliers, providers, technical interconnections) and identifies the plausible strategic attack paths through that ecosystem.

This is where EBIOS RM most clearly stands apart from classical approaches. By forcing the analysis of external dependencies, it surfaces risk vectors that are often ignored in a purely internal view of security.

Workshop 4, Operational scenarios: how will they act concretely?

Workshop 4 goes down to tactical and technical level. It details the attack operating modes and assesses their likelihood. It is the most technical workshop of the method, the one that demands the most operational cybersecurity expertise.

Workshop 5, Risk treatment: what do we do now?

This is the decision workshop. Now that risks have been identified and assessed, it is time to decide how to treat them: reduce them through additional security measures, transfer them (insurance, contracts), accept them in full awareness, or refuse them by modifying the perimeter.

Workshop 5 turns the study into actionable deliverables: treatment plan, documented trade-offs, governance decisions. It is what justifies the investment in the first four workshops.

[Diagram: The five EBIOS RM workshops, progression logic. Flow diagram of the five EBIOS Risk Manager workshops, showing how each workshop feeds the next, from initial scoping through to the final treatment plan.]

The Workshop 4 pitfall

Without rigorous scoping in Workshop 1, Workshop 4 can produce an unmanageable combinatorial explosion. The Club EBIOS acknowledges this explicitly. The solution: discipline the granularity from the start, not afterwards.

Is EBIOS RM compatible with ISO 27001 and ISO 27005?

This is the question that comes up most often, and the answer deserves to be stated clearly.

Why EBIOS RM does not replace ISO 27001

ISO 27001 is a management system: it describes how to organise, document, audit and continuously improve an organisation's information security. It is not a risk analysis method, but a governance model.

EBIOS RM is a method: it describes how to concretely carry out the risk analysis that ISO 27001 requires. The two are complementary, not competing. Within an ISO 27001 certification approach, EBIOS RM directly, though only partially, answers the requirements of Clause 6.1.2 (information security risk assessment).

Why ISO 27005 and EBIOS RM do not oppose each other

ISO 27005 describes the general process of information security risk management: context definition, identification, analysis, evaluation, treatment. It is a normative framework. It does not tell you how to do it; it tells you what to do.

EBIOS RM is a concrete implementation of that process. As the Club EBIOS puts it: EBIOS RM “describes practical techniques to enable its users to apply the model described in ISO 27005”. ANSSI explicitly updated the method in 2024 to make it fully aligned with ISO/IEC 27005:2022.

The most accurate framing: EBIOS RM replaces neither ISO 27001 nor ISO 27005. It complements ISO 27001 as an operational risk analysis method, and it concretely implements the logic described by ISO 27005.

ISO 27001 vs ISO 27005 vs EBIOS RM

| Item              | ISO 27001                                   | ISO 27005                                | EBIOS RM                                   |
|-------------------|---------------------------------------------|------------------------------------------|--------------------------------------------|
| Nature            | Certifiable management system               | Normative risk management framework      | Operational analysis method                |
| What it describes | How to govern, organise and audit security  | What to do to manage risks               | How to do it concretely                    |
| Certifiable?      | Yes (organisations and individuals)         | No                                       | Yes (individuals via PECB)                 |
| Mutual link       | Requires a risk analysis (Clause 6.1.2)     | Defines the general process              | Implements ISO 27005, answers ISO 27001    |
| Who uses it?      | Any organisation seeking ISMS certification | Reference for structuring an approach    | CISOs, consultants, risk managers          |

When EBIOS RM is more operational

For organisations that need to demonstrate their risk control to an auditor, a regulator or their management, EBIOS RM produces structured, traceable and defensible deliverables. That is its main advantage over more informal approaches. It is also referenced by ENISA in its inventory of risk management methods, which gives it international legitimacy beyond the purely French context.

Who uses EBIOS RM today?

The professional profiles involved

The method is not driven by a single actor.

Club EBIOS makes this clear: EBIOS RM is “carried out through workshops that bring together the perspectives of multiple actors”. In practice, around the table you find: the CISO who steers the approach, business representatives who know the values to protect, technical leads who know the supporting assets, and often a management representative for the Workshop 5 arbitrations.

The profiles with the strongest interest in mastering the method in depth: CISOs, security consultants, risk managers, security architects, project leads on critical IS, and internal auditors.

Who leads the workshops?

A frequent Club EBIOS question: “Concretely, who runs the method, the CISO or the risk manager?” The answer: no one runs it alone. One lead, several contributors. Defining these roles before starting is a condition of success, not a detail.

The sectors where the method is most useful

EBIOS RM is essential in regulated sectors and in the French Operators of Vital Importance (OIVs). But ANSSI specifies that it applies “equally to public and private organisations, regardless of size”. Use cases published by Club EBIOS cover contexts as varied as healthcare (medical imaging centre), digital projects, or product and service security.

For Swiss and Belgian organisations exposed to French requirements or to partners that use EBIOS RM, the method is increasingly present, even if it remains less systematic than in France. It is also used by EU suppliers whose clients are French government or military entities.

France, Switzerland, Belgium, Luxembourg: how recognised really?

The Club EBIOS itself states it plainly: EBIOS RM “is widely known in France and its use is by far the majority as a risk analysis method. However, it does not enjoy the same aura beyond our borders.”

In French-speaking Switzerland, Belgium and Luxembourg, the method is known and used (training exists, providers apply it) but it coexists with other risk management approaches. For a Switzerland-based professional, EBIOS RM certification is a real asset if their activity involves working with French organisations, subsidiaries of French groups, or French-European regulatory requirements. It is less decisive if the context is purely Swiss or international English-speaking.

International presence

EBIOS RM is referenced by ENISA in its official inventory of cyber risk management methods, one of the rare French-speaking methods to receive that recognition at the European level.

Why the method seems complicated at first

The fear of getting lost

“EBIOS Risk Manager to analyse an IS: how to avoid getting lost?” is one of the most viewed questions on Club EBIOS. This fear is legitimate. The method is rich, the concepts precise, and the five workshops can seem imposing before you have done one.

What helps: the method is designed to be modular. ANSSI explicitly states that the importance of each workshop varies according to the objective set and the maturity of the perimeter. A first study does not need to be exhaustive to be useful.

The combinatorial explosion risk

This is the most frequent criticism from experienced practitioners. Club EBIOS acknowledges it: “Conducting a study is sometimes criticised because of the combinatorial explosion of elements to be studied.” In the absence of rigorous scoping, Workshop 4 can become unmanageable.

The solution: calibrate the granularity of the study from Workshop 1. The wider the perimeter and the more numerous the supporting assets, the more you need to discipline the level of detail of the subsequent workshops. This is a skill acquired with practice, and it is precisely what a good training course covers.

The PECB EBIOS Risk Manager certification: what does it really validate?

Exact name, levels, prerequisites

The certification is called PECB Certified EBIOS Risk Manager. The PECB scheme distinguishes two levels: Provisional Risk Manager (no experience required) and Confirmed Risk Manager (with documented experience).

To reach the Confirmed level, candidates must either complete an accredited EBIOS RM training or justify at least 2 years of relevant professional experience and have applied a significant part of the method at least once in the 3 years preceding the application. The baseline prerequisite is a fundamental level in risk management.

Provisional Risk Manager vs Confirmed Risk Manager

| Item                | Provisional Risk Manager             | Confirmed Risk Manager                                |
|---------------------|--------------------------------------|-------------------------------------------------------|
| Experience required | None                                 | Minimum 2 years in risk management                    |
| Field application   | Not required                         | At least 1 EBIOS study in the past 3 years            |
| Obtained via        | Exam only                            | Accredited training OR documented experience + exam   |
| For whom            | Profiles at the start of their career | CISOs, consultants, risk managers in practice        |

Exam format, duration, passing score

The exam is open book, lasting 3 hours. It contains 60 questions: 57 multiple-choice questions and 3 essay-type questions. The passing score is 70 %.

“Open book” does not mean easy. The essay questions require real mastery of the method, not just the ability to find a definition in the guide. Someone who has only read the ANSSI guide without having applied it or structured it mentally will struggle with the three hours.

PECB EBIOS RM exam format

3 hours, open book, 57 MCQ + 3 essay questions, passing score: 70 %.

Validity, renewal and maintenance

PECB certifications are valid for 3 years. To maintain them, you must satisfy the CPD (Continuing Professional Development) requirements and pay the annual maintenance fees. In case of default, the certification can be suspended for 12 months, then revoked.

Certify or just read the ANSSI guide?

What training actually brings

The ANSSI guide is excellent and free. But training does two things the guide cannot: it forces you to apply the method on practical cases, and it lets you ask questions to a practitioner who has run real EBIOS RM studies. The gap between “understanding the method” and “knowing how to run it” is often 3 days of training.

What certification actually brings

The PECB certification adds formal, internationally recognised proof of your mastery. You can make it visible on LinkedIn, verifiable by employers and clients, and at the Confirmed level it attests to documented real-world experience. For a consultant or CISO selling their skills on the market, that is a clear signal.

When certification is not a priority

If you are an in-house professional using EBIOS RM internally without needing to demonstrate it externally, training without certification may be enough. If you are in an SME discovering the method and looking to do a first solid study, the return on investment of training is immediate; the return on certification is less obvious in the short term.

Checklist: is the PECB certification worth it for you?
If you tick 3 or more boxes: certification is a relevant investment. If you tick 1 or 2: start with training and reassess afterwards.
  • You work or wish to work as a security consultant or risk manager
  • You need to demonstrate your skills to external clients or employers
  • Your activity exposes you to French organisations, OIVs, or subsidiaries of French groups
  • You are a CISO and must legitimise a risk management approach with your management
  • You already have a foundation in ISO 27001 or in risk management
  • You want to enhance your LinkedIn profile in the French-speaking GRC space

Who finds the certification most useful?

CISOs, consultants, risk managers, security architects

These are the profiles for which the certification carries the strongest signal value. A PECB-certified EBIOS Risk Manager security consultant can mention the certification in their proposals. A CISO can use it to legitimise a risk analysis approach with their management.

Beginners vs experienced profiles

For a beginner with little experience in risk management, starting with an ISO 27001 Foundation training or an introduction to cyber risks can be more useful than tackling EBIOS RM directly. The method assumes a basic understanding of the risk management context.

For an experienced profile (a CISO with a few years of practice, a consultant, an auditor), EBIOS RM is directly accessible and the value is immediate.

SME and mid-cap cases

For an SME or mid-cap, the method is applicable; ANSSI says so explicitly, and Club EBIOS has published a specific FAQ for SMBs. The main recommendation in this context: have at minimum a business/management representative and an IS lead around the table, and ideally engage a provider for the first study.

What we see in the field

At Abilene Academy, we have been training professionals in EBIOS Risk Manager for several years across the EU, French-speaking Switzerland and France. A few observations that are not in the guides:

The exam is honestly challenging for someone who has not practised. The essay questions demand structure, not recall. Candidates who pass on the first attempt are those who have worked on practical cases, not those who have spent the most time re-reading the guide.

The recognition in Switzerland varies by sector. In firms exposed to ANSSI requirements or in groups with French subsidiaries, the certification is directly valued. In purely Swiss contexts, ISO 27001 remains the primary reference and EBIOS RM comes as a complement.

The link with NIS 2 and DORA is real but indirect. These texts impose risk management approaches but do not name EBIOS RM. The method remains compatible and applicable in those contexts, but not mandatory.

For a Swiss-Romand SME discovering cyber risk management, we often recommend starting with training without an immediate certification requirement: run a first solid study, understand the method under real conditions, then decide whether certification is required based on the professional context.

NIS 2, DORA, FADP

None of these texts name EBIOS RM explicitly. They require a structured risk management approach (which EBIOS RM answers perfectly), but its use remains a choice, not an obligation.

Sources

  • ANSSI, EBIOS RM update, March 2024: https://cyber.gouv.fr/actualites/lanssi-met-a-jour-la-methode-ebios-risk-manager/
  • ANSSI, The EBIOS Risk Manager method: https://cyber.gouv.fr/securisation/analyse-des-risques/methode-ebios-rm/
  • Club EBIOS, EBIOS RM & ISO 27005 link: https://club-ebios.org/site/lien-ebiosrm-iso27005/
  • Club EBIOS, Who runs the method?: https://club-ebios.org/site/concretement-qui-deroule-la-methode-rssi-ou-risk-manager/
  • Club EBIOS, How to avoid combinatorial explosion: https://club-ebios.org/site/comment-eviter-lexplosion-combinatoire-dune-etude/
  • PECB, EBIOS Risk Manager certification: https://pecb.com/en/education-and-certification-for-individuals/risk-assessment-methods-training/ebios
  • PECB Help Center, List of PECB Exams: https://help.pecb.com/index.php/list-of-pecb-exams/
  • ENISA, Risk Management Inventory: https://tools.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_ebios.html

Frequently Asked Questions

Yes. The official EBIOS Risk Manager guide is published by ANSSI under an open licence (Etalab) and can be downloaded free of charge from cyber.gouv.fr. The method itself is therefore freely accessible and usable by any organisation. What is paid for is structured training, mentoring by a practitioner, and PECB certification, not the method itself.

EBIOS 2010 followed an exhaustive risk inventory logic on assets. EBIOS Risk Manager 2018 changed approach: it aims for representativeness rather than exhaustiveness, integrates the organisation's ecosystem (suppliers, partners, interconnections) from Workshop 3 onwards, and refocuses the analysis on real intentional threats. It was also updated in 2024 to be fully aligned with ISO/IEC 27005:2022.

It is not mandatory, but it is a real advantage. EBIOS RM fits into an ISO 27001 approach and shares part of its vocabulary. A professional who already knows ISO 27001 will more quickly understand how the five workshops articulate with the management system requirements. For complete beginners, an introduction to information security risk management is recommended as a prerequisite.

It is recognised and used in Belgium, Luxembourg and French-speaking Switzerland, particularly in French-speaking contexts or in organisations exposed to French requirements. It is referenced by ENISA in its inventory of risk management methods. Outside the French-speaking area, ISO 27005 and NIST SP 800-30 are more widespread. The Club EBIOS itself acknowledges that “it does not enjoy the same aura beyond our borders”.

Yes. ANSSI specifies that EBIOS RM applies to public and private organisations of any size. For an SME, the key is to calibrate the level of detail of the study from Workshop 1 onwards and not to chase exhaustiveness. The Club EBIOS recommends having at minimum a business/management representative and an IS manager involved, and often suggests engaging a service provider for the first study.

Scoping is Workshop 1 of EBIOS Risk Manager and the most structuring of the five workshops, because every downstream risk analysis depends on its output. Three deliverables close the workshop.

First, the perimeter of the study: list the business activities, processes, information systems, and locations included; explicitly name what is excluded and why. For a group, this means deciding whether to assess subsidiaries individually or treat the group as a single perimeter. For a regulated entity (FINMA, ANSSI, ENISA), the perimeter must cover all systems within the regulator's purview.

Second, the business values (valeurs métier): the missions, services, or assets whose protection justifies the engagement. These are not technical assets; they are the reasons the organisation exists. A bank's client trust, a manufacturer's operational continuity of the line, a hospital's patient care availability.

Third, the security baseline (socle de sécurité): the measures already in place, including ISO 27001 certification status, regulatory obligations, and contractual constraints. This baseline frames what the analysis can recommend and what is non-negotiable.

Output of Workshop 1: a documented scope statement signed by the executive sponsor, a map of business values, and a baseline inventory. Without these three artefacts, Workshops 2 through 5 will drift, regardless of how rigorous the downstream analysis is.

To run these workshops with the recognised PECB credential, see the EBIOS Risk Manager certification: https://www.abileneacademy.ch/en/training/ebios-risk-manager

Strategic risk scenarios are the unique contribution of EBIOS RM compared to checklist-based methods like quantitative ISO 27005 scoring. They model how a risk source (the attacker, the malicious insider, the careless contractor) could realistically harm a business value, following the trajectory of a real operation rather than a generic threat matrix.

Building a defensible strategic scenario follows four moves.

Identify the risk source by archetype: cybercrime gang, state-aligned APT, hacktivist, opportunistic insider, supply chain compromise. For each archetype, note the motivation and the realistic capability level; a state actor and a script kiddie do not deserve the same depth of analysis.

Pair each source with a target business value. Not every source attacks every value; mapping the credible pairs is the filter that keeps the analysis tractable. A ransomware gang targeting client trust at a Swiss private bank is realistic; the same gang targeting regulatory reporting accuracy is less direct.

Describe the operational mode: the high-level path the source would follow (initial access, lateral movement, objective). Stay at the strategic level here; the operational detail lives in Workshop 4.

Rate severity and likelihood on the EBIOS scale (1 to 4), justified by sector evidence and the security baseline established in Workshop 1. Output: the strategic risk map, the primary deliverable presented to the executive sponsor.

The EBIOS Risk Manager certification covers each of these moves in working sessions: https://www.abileneacademy.ch/en/training/ebios-risk-manager

The risk treatment plan (Workshop 5) is the operational closing of the EBIOS cycle and the document presented to the audit team, the regulator, or the board. Building one that survives scrutiny requires three discipline points.

Map every retained risk to a treatment decision: avoid, mitigate, transfer, or accept. EBIOS RM enforces this discipline by requiring an explicit decision per residual risk after the operational scenarios in Workshop 4. Acceptance is a valid choice, but only with a documented justification signed at the appropriate level of authority.

For each mitigation, define the measure, the owner, the deadline, the budget envelope, and the residual risk target. EBIOS does not prescribe specific controls; it integrates with ISO 27002, the NIST CSF, ANSSI's Référentiel général de sécurité, or the CIS Controls, depending on the organisation. The discipline is in the traceability: every control maps to a scenario, every scenario maps to a business value.

Plan a review cadence. EBIOS RM is iterative; the treatment plan is reviewed annually at minimum, or whenever the business value list, the risk source landscape, or the security baseline changes materially. For organisations under DORA, NIS 2, or ISO 27001 certification, this cadence is regulatory, not optional.

Output: a versioned treatment plan with traceable decisions, used as evidence in ISO 27001 audits and as the working document for the CISO team.

Certified practitioners run these closings every cycle; the credential is the EBIOS Risk Manager certification: https://www.abileneacademy.ch/en/training/ebios-risk-manager
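As an added example (not the article's own, nor an ANSSI or Club EBIOS tool), the Python below encodes the four strategic scenario moves and the three treatment-plan discipline points as a traceability check over a small study; the business values, risk sources, scenarios and treatment entries are constructed for illustration only.

```python
"""Added example for the strategic scenario and treatment plan passages above.
Not the article's or ANSSI's tooling: a traceability check over a constructed
EBIOS RM study (source -> business value -> path -> 1-4 ratings -> decision)."""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 5)  # EBIOS RM rating scale: 1 (low) to 4 (critical)
DECISIONS = {"avoid", "reduce", "transfer", "accept"}

@dataclass(frozen=True)
class Scenario:
    """Strategic scenario: one risk source (Workshop 2) aimed at one business
    value (Workshop 1) along a high-level path through the ecosystem (Workshop 3)."""
    sid: str
    source: str
    value: str
    path: str
    severity: int
    likelihood: int

@dataclass(frozen=True)
class Treatment:
    """Workshop 5 decision for one retained scenario."""
    sid: str
    decision: str
    measure: str = ""
    owner: str = ""
    deadline: str = ""
    residual_likelihood: Optional[int] = None
    justification: str = ""
    signed_by: str = ""

def check_study(values, sources, scenarios, treatments):
    """Return a list of findings; an empty list means the chain is traceable."""
    findings, by_sid, decided = [], {s.sid: s for s in scenarios}, set()
    for s in scenarios:  # moves 1 and 2: a known source paired with a known value
        if s.source not in sources:
            findings.append(f"{s.sid}: unknown risk source '{s.source}'")
        if s.value not in values:
            findings.append(f"{s.sid}: unknown business value '{s.value}'")
        if s.severity not in SCALE or s.likelihood not in SCALE:
            findings.append(f"{s.sid}: ratings must be on the 1-4 scale")
    for v in values:  # a Workshop 1 value nobody threatens is a scoping gap
        if not any(s.value == v for s in scenarios):
            findings.append(f"business value '{v}' has no strategic scenario")
    for t in treatments:  # Workshop 5: one explicit, owned decision per risk
        if t.sid not in by_sid:
            findings.append(f"treatment for unknown scenario '{t.sid}'")
            continue
        if t.sid in decided:
            findings.append(f"{t.sid}: more than one treatment decision")
        decided.add(t.sid)
        if t.decision not in DECISIONS:
            findings.append(f"{t.sid}: decision '{t.decision}' is not avoid/reduce/transfer/accept")
        elif t.decision == "accept" and not (t.justification and t.signed_by):
            findings.append(f"{t.sid}: acceptance needs a justification and a signatory")
        elif t.decision == "reduce":
            if not (t.measure and t.owner and t.deadline):
                findings.append(f"{t.sid}: mitigation needs measure, owner and deadline")
            cur = by_sid[t.sid].likelihood
            if t.residual_likelihood is None or t.residual_likelihood >= cur:
                findings.append(f"{t.sid}: residual target must be set below the current likelihood")
    findings += [f"{sid}: retained risk without a treatment decision"
                 for sid in by_sid if sid not in decided]
    return findings

# Constructed sample study for a fictional private bank; all values are illustrative
VALUES = ["client trust", "payment availability", "regulatory reporting"]
SOURCES = {"ransomware gang", "state-aligned APT", "careless contractor"}
SCENARIOS = [
    Scenario("S1", "ransomware gang", "payment availability",
             "phishing, privilege escalation, encryption of core banking hosts", 4, 3),
    Scenario("S2", "state-aligned APT", "client trust",
             "compromise of the outsourced SOC provider, then data exfiltration", 4, 2),
    Scenario("S3", "careless contractor", "client trust",
             "misconfigured file share exposing client documents", 2, 3),
]
TREATMENTS = [
    Treatment("S1", "reduce", "offline backups and EDR on tier-0 hosts",
              "CISO", "2026-06-30", residual_likelihood=1),
    Treatment("S2", "transfer", measure="security clauses in the SOC provider contract"),
    Treatment("S3", "accept"),  # no justification or signatory: flagged by check_study
]

def sample_findings():
    """Findings for the constructed study: one scoping gap, one unsigned acceptance."""
    return check_study(VALUES, SOURCES, SCENARIOS, TREATMENTS)
```

Running `sample_findings()` on the constructed study reports the business value with no scenario and the acceptance that lacks a justification and signatory; a study that returns no findings has a complete control-to-scenario-to-value chain to show an auditor.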
