I've just received a link pointing to a Risk Management methodology used by the French government called "EBIOS": Expression of Needs and Identification of Security Objectives.There isn't anything revolutionary on this, being a good work of putting together things like ISO27002 and the Common Criteria / ISO15408.