PIA & EBIOS RM

Method sheet

A tool-based approach

The PIA and EBIOS Risk Manager guides are very similar in theme, vocabulary and method. Operationally, the two professions driving these analyses, respectively the DPO and the CISO, are very often carried or assumed by the same person or the same team. The need to homogenize the analyses carried out and to reuse both knowledge bases and methodologies as much as possible is important. To make this possible, we propose to equip both the realization of your PIA and your EBIOS Risk Manager analyses with our Agile Risk Manager software.

Using EBIOS RM to make a PIA

The RGPD came into force nearly two years ago now, and the CNIL has made a considerable educational effort to support companies and institutions in its implementation. At the heart of the RGPD, when a processing of personal data is likely to generate a high risk for the rights and freedoms of individuals, the PIA is a real cornerstone. It must allow for a detailed analysis of the risks involved, their likelihood, and the associated seriousness. At the same time, ANSSI has updated its EBIOS reference method to propose a new iteration, more agile, concentrated, and more easily scalable: EBIOS Risk Manager. This method has been created to be used by any type of organization, and allow them to clearly identify the digital risks to which they are exposed. When analyzing the documentation proposed by these two organizations, we immediately see that if the two topics are not identical, their two spaces are intertwined. There is a proximity of theme, vocabulary, methodology, which is significant. Operationally, the two professions piloting these analyses (the DPO for the PIA, the CISO for the EBIOS RM analysis), are very often carried out or at least assumed by the same person or within the same team. Once this proximity has been identified, the need to homogenize the analyses carried out, and to reuse both knowledge bases and methodologies as much as possible, becomes apparent. Concretely, the question is: can we use the EBIOS Risk Manager method to perform a PIA?

From a legal perspective

There is no difficulty from a legal point of view. While the application of the DPGR requires (according to specific rules) the completion of an AIP, it does not specify a specific method for doing so. Details are available on the EU website (article 35.7). One can read that it is obligatory to find there :

A systematic description of the processing operations envisaged and the purposes of the processing, including where appropriate the legitimate interest pursued by the controller;
An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
An assessment of the risks to the rights and freedoms of data subjects in accordance with paragraph 1;
The measures envisaged to address the risks, including safeguards and security mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of the data subjects and other persons affected.

From a methodologic perspective

The parallel with between the two methods is quite direct, even if we must remain attentive to the difference in semantics between the vocabularies used. The same word does not always have exactly the same meaning in both contexts.

Description of a PIA by the CNIL

The conduct of an AIP consists of 4 major steps:

Delineate and describe the context of the treatment(s) under consideration;
Analyse the measures ensuring compliance with the fundamental principles: proportionality and necessity of the processing, and protection of the rights of the data subjects;
Assess the privacy risks related to data security and verify that they are adequately addressed;
Formalize the validation of the AIP in the light of the above elements or decide to revise the previous steps.

Description of EBIOS Risk Manager byt the ANSSI

The method is built around 5 workshops:

Cadrage et socle de sécurité
Sources de risque
Scénarios stratégiques
Scénarios opérationnels
Traitement du risque

Diagram coming from the CNIL’s PIA guide

Diagram coming from the ANSSI’s EBIOS RM guide

To go further

Realize your PIA with EBIOS RM

Step by step realization

The context definition step (PIA Step 1) can be carried out very directly in Workshop 1 Ebios RM. Personal data, the heart of the AIP, are treated as business values. It should be noted that the scope of the AIP is broader than that initially proposed by Ebios RM, as it includes for example physical elements (paper media, etc.). Data carriers (PIA) can be directly treated as support assets (EBIOS RM).

The second stage of the PIA (fundamental principles) aims to assess the measures already in place and the need for the treatment carried out. This stage is covered in an EBIOS RM cycle by the definition of the safety base (workshop 1), even if there is necessarily some gymnastics to match the voluntarily generic notions of EBIOS RM and the more specific ones of the IAP.

The third stage of the PIA covers the study of data security risks. It is a subset on which the approach proposed by EBIOS RM becomes particularly value-creating. The business values/supporting assets have already been identified during the first step. The sources of risks are a notion explicitly present in both methodologies, even if, once again, the scope of PIA is much broader: it includes both intentional and unintentional sources of risk and stakeholders in the sense of EBIOS RM. This difference in vocabulary will require a specific approach: some sources of risk do not have an intended purpose. To compensate for this absence, neutral objectives will be defined, i.e. objectives without any particular semantics. Workshops 3 & 4 (strategic and operational scenarios) can then be completed in the classic way. The treatment of the threat assessment associated with the stakeholders is here optional and to be carried out on a case-by-case basis.

The final stage of the PIA is a general remediation and validation stage. The first sub-step is the identification of the security measures necessary to ensure compliance with the fundamental principles and data security. This is an activity covered by Workshop 5 in EBIOS RM, as is the identification of residual risks and the creation of the action plan. The second part of this step in the AIP corresponds to a formal validation, via a specific form. It is a purely documentary activity, compatible with the EBIOS RM approach.

Agile Risk Manager & PIA

Once the method has been defined, the next step is to accelerate and industrialize the process using ALL4TEC’s Agile Risk Manager tool. To facilitate the realization of the PIA within our application, all the knowledge bases proposed by the CNIL are pre-integrated: sources of risks, security base, impacts, various scales (severity, cost, complexity…).

Thanks to these bases, collaborative work, and document generation, it becomes possible to build a PIA based on EBIOS RM, while guaranteeing the consistency of the final result.

Try

Agile Risk Manager!

Evaluation version available!

Ask for demonstration

Agile Risk Manager

To quickly discover our Agile Risk Manager tool, labeled by ANSSI for EBIOS Risk Manager, do not hesitate to book directly a one-hour slot online with our expert!

Agile Risk Manager - Atelier 4 - Scénarios opérationnels

Agile Risk Manager - Atelier 4 - Cartographie du risque

Agile Risk Manager - Atelier 1 - Identification des évènements redoutés

Agile Risk Manager - Atelier 2 - Evaluation des couples de source de risque par objectif visé

Agile Risk Manager - Atelier 3 - Cartographie des parties prenantes

EBIOS Risk Manager

The EBIOS Risk Manager method, promoted by the ANSSI, aims to support you in carrying out and monitoring your risk analyses. Find out how the method is built, which workshops are part of it and their objectives.