Why is it not possible to repeat your analysis as is and what solutions are suitable?
First of all, it is important to emphasize that the risk identification step in Tenacy is based on an asset-centric approach, while incorporating some elements of an event-based approach. In Tenacy, you will identify the business value, behind which there are DICP criteria, defined arbitrarily (they will be adjustable in the parameters if necessary).
However, the risk analysis in Tenacy does not entirely follow the EBIOS methodology. We simplified the latter by combining the principles of EBIOS and those of the ISO 27005 standard, following several customer feedback which highlighted the length of the EBIOS method.
In fact, we chose not to carry out the 5 typical EBIOS workshops, which results in the absence of strategic and operational scenarios as well as stakeholders in Tenacy.
➡️ It will therefore be impossible to directly copy and paste your EBIOS risk analysis into Tenacy, because the risk identification process differs.
Tenacy creates risks by combining business value, its DICP criteria and detected threats. If certain DICP criteria are present in the threats, a risk will be generated, but it will not necessarily correspond to those identified with EBIOS.
That said, two solutions are available to you:
“Recover” the EBIOS risk analysis in Tenacy: This will allow the creation of risks, but these will never be exactly identical to the risks identified as part of the EBIOS analysis, due to the absence of the scenarios and stakeholders in Tenacy.
The most convincing in our opinion:
Directly integrate risks into the “Treatment” part of Tenacy. So you can start from these risks, add your treatment plans and manage them from the platform.
If you choose this option, you can subsequently redo a risk analysis directly in Tenacy, using the methodology adapted to the tool.