
to have the necessary knowledge to carry out a risk analysis with the EBIOS 2010 and EBIOS RM methods
Day 1 morning
❏ Section 1 – fundamentals of risk management
❏ information system and risk management
❏ fundamentals of risk management
(probability, impact, calculation, risk vision)
❏ governance, risk, ISO 27005
❏ Practical Work 1 / benefits of risk management
❏ developing a risk management programme
❏ good practice to get started
❏ Practical Work 2 / resources needed
Day 1 afternoon
❏ Section 2 – the context phase by ISO 27005
❏ presentation of ISO 27005 (committees, standards)
❏ ISO 27005 terminology
❏ PDCA
❏ internal/external context
❏ objectives, values, missions, strategy
❏ establish a SWOT
❏ understanding the internal environment
❏ identification of requirements
❏ Identify objectives
❏ basic criteria: risk acceptance, risk evaluation, impact and probability criteria for risk management
❏ Practical Work 3 / on a case study, establish the context
Day 2 morning
❏ Section 3 – risk identification phase
❏ description of the risk assessment phase (identification, estimation and evaluation)
❏ collecting information
❏ types of assets
❏ Practical Work 4 / on a case study, identify assets
❏ identify assets, threats, vulnerabilities, impacts
❏ identify vulnerabilities and impact
❏ value and links between assets
❏ knowledge bases for risk management
❏ Practical Work 5 / on a case study, identify threats
❏ Section 4 – risk assessment and evaluation phase
❏ qualitative vs quantitative approach
❏ different methods of calculating risks
❏ risk calculation
❏ Practical Work 6 / on a case study, carry out a quantitative risk analysis
Day 2 afternoon
❏ Section 5 – Risk treatment and acceptance
❏ establish a risk treatment plan
❏ Practical Work 7 / on a case study, establish a risk treatment plan
❏ assess the residual risk
❏ accept the treatment plan
❏ send residual risk to BCP and incident response
❏ communication and monitoring
❏ establish a communication plan
❏ set up indicators for optimal monitoring in a PDCA model
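Worked example added here to illustrate the risk calculation of Section 4 and the residual risk and acceptance steps of Section 5; it is not part of the course material and not an EBIOS or ISO 27005 deliverable. It combines a qualitative 4x4 likelihood x impact score, a quantitative annualised loss expectancy (ALE = SLE x ARO) and the residual risk left after a treatment option, checked against an acceptance threshold. The scales, the threshold of 9, the scenarios, loss figures and control effects are constructed assumptions, not values from the standard.

```python
"""Risk register illustration (constructed example, not course material)."""
from dataclasses import dataclass

# Assumed 4-level ordinal scales: list index + 1 is the numeric value.
LIKELIHOOD = ["rare", "unlikely", "likely", "almost certain"]
IMPACT = ["minor", "moderate", "major", "critical"]
ACCEPTANCE_THRESHOLD = 9  # assumed acceptance criterion: score >= 9 must be treated


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str
    sle: float  # single loss expectancy (currency units), constructed estimate
    aro: float  # annualised rate of occurrence, constructed estimate


@dataclass(frozen=True)
class Treatment:
    option: str                 # modify / avoid / share / retain (ISO 27005 options)
    likelihood_steps: int = 0   # ordinal levels removed from likelihood
    impact_steps: int = 0       # ordinal levels removed from impact
    aro_factor: float = 1.0     # multiplier on ARO once the control is in place
    sle_factor: float = 1.0     # multiplier on SLE once the control is in place
    annual_cost: float = 0.0


def score(r: Risk) -> int:
    """Qualitative risk = likelihood value x impact value (1..16)."""
    return (LIKELIHOOD.index(r.likelihood) + 1) * (IMPACT.index(r.impact) + 1)


def level(s: int) -> str:
    """Band of the assumed risk matrix for a given score."""
    if s >= 12:
        return "critical"
    if s >= ACCEPTANCE_THRESHOLD:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def ale(r: Risk) -> float:
    """Annualised loss expectancy = SLE x ARO."""
    return r.sle * r.aro


def is_acceptable(r: Risk) -> bool:
    return score(r) < ACCEPTANCE_THRESHOLD


def residual(r: Risk, t: Treatment) -> Risk:
    """Residual risk after the treatment, with levels clamped to the scales."""
    l_idx = max(0, LIKELIHOOD.index(r.likelihood) - t.likelihood_steps)
    i_idx = max(0, IMPACT.index(r.impact) - t.impact_steps)
    return Risk(r.name, LIKELIHOOD[l_idx], IMPACT[i_idx],
                r.sle * t.sle_factor, r.aro * t.aro_factor)


def net_benefit(r: Risk, t: Treatment) -> float:
    """Annual ALE reduction minus annual control cost; > 0 means worth funding."""
    return ale(r) - ale(residual(r, t)) - t.annual_cost


def ranked(register):
    """Treatment-plan order: qualitative score first, ALE as tie-breaker."""
    return sorted(register, key=lambda r: (score(r), ale(r)), reverse=True)


# Constructed scenarios and controls for the example (not from the course).
REGISTER = [
    Risk("ransomware on file server", "likely", "critical", sle=250_000, aro=0.5),
    Risk("lost laptop with unencrypted data", "likely", "major", sle=40_000, aro=1.0),
    Risk("flooding of the server room", "rare", "major", sle=100_000, aro=0.05),
]
PLAN = {
    # EDR plus tested offline backups: fewer successful attacks, smaller losses.
    "ransomware on file server": Treatment("modify", 1, 1, aro_factor=0.4,
                                           sle_factor=0.5, annual_cost=30_000),
    # Full-disk encryption: a lost laptop no longer exposes data.
    "lost laptop with unencrypted data": Treatment("modify", 0, 2, sle_factor=0.1,
                                                   annual_cost=2_000),
    # Already below the acceptance threshold: retain and monitor.
    "flooding of the server room": Treatment("retain"),
}

if __name__ == "__main__":
    for r in ranked(REGISTER):
        t = PLAN[r.name]
        res = residual(r, t)
        print(f"{r.name}: {level(score(r))} ({score(r)}), ALE {ale(r):,.0f} -> "
              f"{t.option}: {level(score(res))} ({score(res)}), ALE {ale(res):,.0f}, "
              f"net benefit {net_benefit(r, t):,.0f}, acceptable={is_acceptable(res)}")
```

The qualitative score decides whether a risk must be treated (the acceptance criterion from the context phase), while the ALE figures support the choice between treatment options and justify the budget; the residual risk that remains after treatment is what gets documented and accepted, and is the input handed to business continuity and incident response.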
Day 3 morning
❏ Section 6 – the EBIOS 2010 method and the context phase
❏ EBIOS background (Expression of needs and identification of security objectives)
❏ alignment of EBIOS 2010 and ISO 27005
❏ defining the risk management framework
❏ prepare the metrics
❏ Identify the assets
❏ scoping elements of a study
❏ examples and application
❏ Section 7 – the feared events
❏ assess the feared events
❏ Section 8 – threat scenarios
❏ mechanics of threat selection
❏ the different threat scenarios
❏ Section 9 – risk assessment
❏ assessing risks
❏ choice of risk treatment
❏ Section 10 – security measures
❏ formalise the security measures to be implemented
❏ implement the security measures
Day 3 afternoon
❏ Practical Work – setting up a case study
Day 4 morning
❏ Section 11 – introduction to the EBIOS Risk Manager method
❏ the fundamentals of risk management
❏ presentation of EBIOS
❏ focus on cybersecurity (priority threats)
❏ main EBIOS RM definitions
❏ Practical Work 1 / understanding the terminology
❏ key concepts and workshops of the EBIOS RM method
❏ Summary
❏ Section 12 – Workshop 1 “Framing and security baseline”
❏ presentation of the workshop
❏ definition of the framework of the study and the project
❏ identification of the business and technical scope
❏ identification of the feared events and assessment of their severity levels
❏ determining the security baseline
❏ Practical Work 2 / Identify the feared events
❏ summary of the workshop
Day 4 afternoon
❏ Section 13 – Workshop 2 “Sources of risk”
❏ presentation of the workshop
❏ identifying sources of risk (SR) and their target objectives (TO)
❏ assess the relevance of the SR/TO pairs
❏ evaluate the SR/TO pairs and select those deemed to be a priority for analysis
❏ assess the severity of strategic scenarios
❏ Practical Work 3 / evaluate the SR/TO pairs
❏ workshop summary
Day 5
❏ Section 14 – Workshop 3 “Strategic scenarios”
❏ presentation of the workshop
❏ assessing the level of threat associated with the stakeholders
❏ building a digital threat map of the ecosystem and critical stakeholders
❏ Practical Work 4 / assessing the level of threat associated with stakeholders
❏ development of strategic scenarios
❏ Practical Work 5 / development of strategic scenarios
❏ definition of security measures on the ecosystem
❏ summary of the workshop
❏ Section 15 – Workshop 4 “Operational scenarios”
❏ presentation of the workshop
❏ development of operational scenarios
❏ likelihood assessment
❏ going further (threat modeling, ATT&CK, CAPEC)
❏ Practical Work 6 / operational scenario
❏ workshop summary
❏ Section 16 – Workshop 5 “Risk Management”
❏ presentation of the workshop
❏ summarising the risk scenarios
❏ defining the treatment strategy
❏ defining the security measures in a continuous security improvement plan (CSIP)
❏ assessment and documentation of residual risks
❏ setting up the risk monitoring framework
❏ Practical Work 7 / PACS (continuous security improvement plan, CSIP)
❏ conclusion