EBIOS Risk Manager is the official method of ANSSI (the French cybersecurity authority) for managing cybersecurity risks. Its current version, EBIOS RM, is the essential reference across much of the regulated sector in France and, increasingly, the basis of a highly valued certification in European organisations that work with the French administration or that adopt frameworks compatible with NIS2 and DORA. In this article I explain what EBIOS RM is, how its five workshops work, how it differs from ISO/IEC 27005, and why the PECB EBIOS Risk Manager certification is a strategic asset for the French-speaking market.
What EBIOS is and what ANSSI does
EBIOS is the French acronym for "Expression des Besoins et Identification des Objectifs de Sécurité" (Expression of Needs and Identification of Security Objectives), a method created by ANSSI (the French National Cybersecurity Agency) in the 1990s and thoroughly overhauled with the EBIOS Risk Manager (EBIOS RM) version in 2018. ANSSI is the French national cybersecurity authority and, across much of Europe, the de facto regulatory reference in critical sectors.
EBIOS RM is the method used by authorities, operators of essential services and many regulated sectors in France. It is also recognised by ENISA and compatible with ISO/IEC 27005, which makes it especially useful in European organisations.
The EBIOS philosophy: from asset to scenario
Most classic risk management methods start from the asset (what I own) and work down to the vulnerability and the threat. EBIOS RM reverses the logic: it starts from the risk source (who might attack me and why) and builds complete attack scenarios, from the outside in.
This logic fits the modern threat landscape very well. When we talk about ransomware, industrial espionage or sabotage, what matters is not only the technical vulnerability, but the attacker's motive, their capability and the path they take to reach their target. EBIOS RM models all of this.
The five workshops, one by one
EBIOS RM is structured around five workshops. They are the backbone of the method and also the structure of the course:
Workshop 1: Scope and security baseline. You define the scope of the study, identify the business values (what you are protecting) and the feared events (what you do not want to happen). You establish the security baseline as a starting point.
Workshop 2: Risk sources and target objectives. You identify the risk sources (potential attackers: cybercriminals, states, hacktivists, insiders) and exactly what they are after. This is the most distinctive part of the method.
Workshop 3: Strategic scenarios. You build high-level scenarios that describe how a risk source could reach its objective, which paths it might take and what impact would result.
Workshop 4: Operational scenarios. You drill down into the technical detail of each strategic scenario, modelling the sequence of elementary events that make up the attack.
Workshop 5: Risk treatment. You prioritise the scenarios according to their level of risk, choose the treatment (acceptance, mitigation, transfer, avoidance) and build an action plan.
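To make the chain of artefacts concrete, here is an added Python model of what each workshop produces (business values and feared events, risk sources, strategic and operational scenarios, then prioritisation and treatment). It is illustration code written for this article, not ANSSI or PECB material; the 1-4 severity and likelihood scales, the severity x likelihood risk level, the acceptance threshold and the sample payroll study are all constructed assumptions.

```python
from dataclasses import dataclass
# Constructed model of the artefacts the five EBIOS RM workshops produce. The 1-4
# scales, the severity x likelihood risk level and the acceptance threshold are
# assumptions for illustration, not values prescribed by the method.
@dataclass
class FearedEvent:               # Workshop 1: business value and feared event
    business_value: str
    description: str
    severity: int                # 1 (minor) .. 4 (critical), assumed scale

@dataclass
class RiskSource:                # Workshop 2: who attacks and what they are after
    name: str
    target_objective: str

@dataclass
class StrategicScenario:         # Workshop 3: source, path taken, feared event
    source: RiskSource
    feared_event: FearedEvent
    path: str

@dataclass
class OperationalScenario:       # Workshop 4: elementary events along the path
    strategic: StrategicScenario
    elementary_events: list
    likelihood: int              # 1 (unlikely) .. 4 (near certain), assumed scale
    def risk_level(self) -> int:
        # Assumed: severity of the feared event times likelihood of the path
        return self.strategic.feared_event.severity * self.likelihood

def prioritise(scenarios: list) -> list:
    """Workshop 5: rank operational scenarios from highest to lowest risk."""
    return sorted(scenarios, key=lambda s: s.risk_level(), reverse=True)

def treatment(scenario: OperationalScenario, accept_below: int = 4) -> str:
    """Workshop 5: propose acceptance, transfer or mitigation (avoidance is a
    business decision left to the analyst); the thresholds are assumed."""
    level = scenario.risk_level()
    if level < accept_below:                            # within assumed risk appetite
        return "acceptance"
    if "supplier" in scenario.strategic.path.lower():   # third-party path: transfer candidate
        return "transfer"
    return "mitigation"

# Constructed sample study: one feared event on payroll data, two risk sources.
PAYROLL = FearedEvent("payroll data", "salary records disclosed", severity=4)
S1 = StrategicScenario(RiskSource("cybercriminal group", "resell personal data"), PAYROLL, "via payroll SaaS supplier")
S2 = StrategicScenario(RiskSource("disgruntled employee", "embarrass employer"), PAYROLL, "over-privileged internal account")
OPS = [OperationalScenario(S1, ["supplier admin phished", "API token reused", "bulk export"], 3),
       OperationalScenario(S2, ["routine login", "full-table query", "copy off-site"], 2)]
```

Running `prioritise(OPS)` ranks the supplier-path scenario (level 12) above the insider scenario (level 8), and `treatment` proposes transfer for the first and mitigation for the second under the assumed threshold.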
EBIOS RM vs ISO/IEC 27005: which one, and when
Both methods are valid, but they have different profiles.
ISO/IEC 27005 is more general and more compatible. It integrates perfectly with any ISMS compliant with ISO 27001 and is the international reference. Ideal if you are working on an ISO 27001, NIS2 or DORA certification project and need a globally recognised method.
EBIOS RM is more specific and focused on advanced threats. Ideal if you work with public sector, defence, energy or finance organisations in France, or with any European organisation dealing with the French administration or facing targeted threats.
In practice, many professionals end up mastering both. ISO/IEC 27005 gives you the general framework; EBIOS RM gives you the depth of the scenarios. They are complementary.
Why EBIOS is key in France and with NIS2
If you work with French organisations, EBIOS RM is virtually unavoidable. ANSSI requires it in the assessments of operators of essential services (OES) and digital service providers, and most French public tenders mention it as the preferred method.
With NIS2 in full transposition, ANSSI has confirmed that EBIOS RM will remain the recommended method in France for meeting Article 21 of the directive. And, thanks to ANSSI's influence at European level, the method is also being adopted by organisations in other countries subject to European regulation.
What the PECB EBIOS Risk Manager course covers
The PECB Certified EBIOS Risk Manager course is an intensive three-day training that covers the five workshops with real hands-on cases. The programme:
- Day 1: Fundamentals of the method, workshop 1 (scoping) and workshop 2 (risk sources).
- Day 2: Workshops 3 and 4 (strategic and operational scenarios).
- Day 3: Workshop 5 (treatment), review and the official PECB exam.
The course is available as official PECB Self-Study, which lets you progress at your own pace. And, since it is the official French method, the material is also available in French, an advantage for bilingual professionals or those working with a French-speaking clientele.
EBIOS RM does not compete with ISO 27005, it complements it. Anyone who masters both has a unique profile in the European market: the international rigour of 27005 and the depth on advanced threats of the ANSSI method.
Training and getting certified
If you want to take the step towards the official PECB certification, the EBIOS Risk Manager course is the direct route: official PECB Self-Study so you can progress at your own pace and prepare for the certification exam.