I've just received a link pointing to a Risk Management methodology used by the French government called "EBIOS": Expression of Needs and Identification of Security Objectives.There isn't anything revolutionary on this, being a good work of putting together things like ISO27002 and the Common Criteria / ISO15408. However, the site also has an open source applications developed to help those that are using the methodology on their risk management initiatives.The tool is basically designed to aid on a risk assessment process. It uses the structure of the methodology to indicate the information that needs to be gathered about the system and/or organization being assessed. Very interesting and, most important, it's free.