MEthode Harmonisée d'Analyse de RIsques (MEHARI)

MEHARI is a comprehensive risk analysis method widely used in French healthcare. This guide covers the methodology, risk assessment approach, healthcare applications, and integration with ISO 27001.

Issuing Body: CLUSIF (Club de la Sécurité de l'Information Français)
First Published: 1996-01-01
Latest Version: 2023
Typical Cost: $15,000–$100,000
Typical Timeline: 2–6 months
Audit Required: No
Audit Frequency: No mandatory audit. MEHARI is a risk analysis methodology that supports compliance with frameworks that do require audits.
Geography: France, European Union, Africa

MEHARI: French Risk Analysis Method for Healthcare

MEHARI (MEthode Harmonisée d'Analyse de RIsques) is a comprehensive information security risk analysis methodology developed by CLUSIF, the French information security association. While applicable across industries, MEHARI is particularly widely adopted in French healthcare organizations and francophone countries as the preferred approach to assessing and managing health information security risks.

What MEHARI Covers

MEHARI provides a structured approach to risk analysis through three complementary modules. The risk analysis module identifies risk scenarios based on business assets, threats, and vulnerabilities. The security service evaluation module assesses the quality and maturity of existing security controls across multiple domains. The risk assessment module combines these inputs to calculate risk levels and guide treatment decisions.

The methodology includes a comprehensive knowledge base of security services organized into domains including organizational security, physical security, network security, system security, application security, and business continuity. For healthcare applications, this extends to patient data protection, medical device security, and clinical system integrity.

Who Uses MEHARI

MEHARI is widely adopted in France, francophone Africa, and parts of the European Union. French hospitals, health data hosting providers (Hébergeurs de Données de Santé), and health tech companies use MEHARI to comply with French health data regulations and support ISO 27001 certification. The methodology is freely available and supported by CLUSIF with regular updates and training resources.

Implementation Approach

Begin with asset classification, identifying critical health information assets and their value. Define risk scenarios relevant to your healthcare context. Evaluate existing security services using MEHARI's maturity scale. Calculate risk levels by combining asset values, threat scenarios, and control effectiveness. Develop a risk treatment plan addressing unacceptable residual risks. MEHARI can be conducted using spreadsheet tools or dedicated GRC platforms that support the methodology.

Cost Considerations

MEHARI itself is free and open. Implementation costs range from $15,000 for a focused risk assessment using trained internal staff to $100,000 for comprehensive enterprise-wide analysis with external consultants. Many French healthcare organizations use MEHARI alongside EBIOS RM (the French government's risk assessment method) to satisfy both healthcare and government compliance requirements.
