
What Is Magerit: Risk Analysis Methodology and PILAR

What Magerit is, the 6 elements (assets, threats, safeguards), step-by-step process, PILAR tool and fit with ENS, ISO 27001, NIS2 and DORA.

Secra · May 12, 2026 · 12 min read

Magerit is the official ICT risk analysis and management methodology of the Spanish public administration, published in 2012 and still current in 2026. The acronym stands for Metodología de Análisis y Gestión de Riesgos de los sistemas de Información de las Administraciones públicas. The current version is Magerit v3 (October 2012), structured in three books: method, catalogue of elements and technical guide. It remains a mandatory reference in any organisation implementing Spain's National Security Framework (ENS) and shows up naturally when addressing risk management in NIS2, DORA or ISO 27001:2022 projects in Spain.

This guide explains what Magerit actually is, the six model elements (assets, threats, vulnerabilities, safeguards, impact, risk), the step-by-step process of the analysis, the CCN's PILAR tool to automate calculation, fit with ENS, ISO 27001, NIS2 and DORA, comparison with other methodologies (ISO 27005, NIST RMF, OCTAVE, FAIR) and common mistakes in real projects in Spain.

What Magerit is

Magerit is a systematic methodology to identify an organisation's information assets, the risks they face and the safeguards needed to reduce that risk to an acceptable level. The first version dates from 1997 (Magerit v1), the second from 2005 and the current v3 was published in October 2012. It's published by the Spanish Ministry for Digital Transformation and Civil Service (heir of the former MAP and later MINHAP) through the e-Government Portal (PAe); the official tool implementing it (PILAR) is maintained by the CCN (Centro Criptológico Nacional, part of CNI).

What it delivers operationally:

  • Common framework to talk about ICT risk in public administrations and providers.
  • Extensive pre-built catalogue of threats, vulnerabilities and safeguards that saves months of initial work.
  • Native ENS compatibility: Royal Decree 311/2022 cites Magerit as the reference methodology.
  • Quantitative and qualitative approach: supports both, depending on maturity and available data.
  • Free supporting tool (PILAR) from CCN that automates calculation and keeps the model alive.

What it has against it:

  • Steep learning curve for teams without prior risk experience.
  • Voluminous documentation (the three books total over 400 pages).
  • Administrative approach: designed for the public sector, it requires adaptation for small private companies.
  • Doesn't incorporate modern threats at the speed of sector frameworks (cloud-native, AI, supply chain).

The six model elements

Magerit models risk by combining six elements. Understanding these six is understanding the methodology.

1. Assets

Resources of the organisation with value the analysis must protect. Magerit classifies them into categories with official codes from book 2:

  • [D] data and information (databases, files, records).
  • [S] services (services provided externally or internally).
  • [SW] software and applications.
  • [HW] computer equipment.
  • [COM] communications networks.
  • [Media] information media (disks, tapes, paper).
  • [AUX] auxiliary equipment (air conditioning, power, furniture).
  • [L] facilities (datacenters, buildings).
  • [P] personnel.
  • [K] cryptographic keys.

Each asset receives a valuation across five dimensions: confidentiality, integrity, availability, authenticity and traceability. The valuation is expressed on a scale (typically 0-10 or "low/medium/high") depending on the chosen method.

2. Threats

Potential events that may affect an asset. Magerit classifies them into four categories:

  • [N] natural disasters (fire, flood, earthquake).
  • [I] of industrial origin (power failure, contamination, noise).
  • [E] unintentional errors and failures.
  • [A] intentional attacks.

Each threat has a catalogue of potential impacts on the asset's dimensions.

3. Vulnerabilities

The probability that a threat effectively materialises. Magerit quantifies it as expected frequency of occurrence (annual or normalised on a scale).

4. Impact

The damage a threat produces if it materialises. It's calculated by multiplying the degradation each asset dimension suffers by the asset's value in that dimension.

5. Risk

A function of impact and probability. Magerit offers several formulas; the most-used is:

Risk = Impact × Frequency

Risk gets calculated as intrinsic risk (without safeguards) and residual risk (after applying safeguards). The goal of the analysis is to keep the residual below the acceptable threshold defined by management.

6. Safeguards

Technical, organisational or physical measures that reduce probability, impact or both. Magerit classifies them as preventive, deterrent, corrective and recovery. The book 2 catalogue lists over 200 typical safeguards with identifier codes (H.AC.acc-control, H.IR.detection, etc.).

The step-by-step process

A serious Magerit analysis always follows these seven phases.

  1. Asset inventory and classification. Identify everything with value, assign dependencies between assets and value across the five dimensions.
  2. Threat identification. Per asset, which threats apply according to the book 2 catalogue.
  3. Degradation estimation. For each (threat, asset) pair, how much each dimension would degrade.
  4. Frequency estimation. How many times per year that threat is expected to materialise against that asset.
  5. Intrinsic risk calculation. For each pair, risk = impact × frequency.
  6. Identification and valuation of existing and proposed safeguards.
  7. Residual risk calculation and acceptance. Management formally accepts the residual risk or requests additional safeguards.

The usual deliverable is a report with a risk matrix, asset-level heatmap, prioritised treatment plan and formal residual risk acceptance declaration signed by management.
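The following Python script is an added example, not code from the article, from Magerit's books or from PILAR. It walks one (asset, threat) pair through the seven phases above using the six elements: a value per dimension, a degradation per dimension, an expected frequency, impact = value × degradation, risk = impact × frequency, and intrinsic versus residual risk checked against management's acceptance threshold. It also shows why a safeguard assumed to be 100% implemented can make a residual risk look acceptable when the verified implementation says otherwise. Everything not named in the text is an assumption: the 0-10 value scale, the one-level max-inheritance of value through dependencies, taking the worst dimension as the pair's risk, modelling safeguards as fractional reductions of frequency or degradation, the placeholder safeguard codes and all sample values.

```python
# Added example (not the article's, Magerit's or PILAR's code): a minimal
# Magerit-style risk calculator for one (asset, threat) pair.
# Assumptions: 0-10 value scale, max-inheritance of value from dependent assets,
# worst dimension = pair risk, safeguards as fractional reductions. All sample
# values are constructed; safeguard codes are placeholders, not catalogue ids.
from dataclasses import dataclass, field

# The five valuation dimensions named in the text.
DIMENSIONS = ("C", "I", "A", "Au", "T")  # confidentiality, integrity, availability, authenticity, traceability


@dataclass
class Asset:
    code: str                                  # Magerit category code, e.g. "[D]" or "[S]"
    name: str
    value: dict = field(default_factory=dict)  # dimension -> 0..10 (phase 1)


@dataclass
class Threat:
    code: str                                        # "[N]", "[I]", "[E]" or "[A]"
    name: str
    frequency: float                                 # expected occurrences per year (phase 4)
    degradation: dict = field(default_factory=dict)  # dimension -> fraction of value lost (phase 3)


@dataclass
class Safeguard:
    code: str                           # placeholder code, not a book 2 identifier
    name: str
    frequency_reduction: float = 0.0    # fraction of frequency removed when fully implemented
    degradation_reduction: float = 0.0  # fraction of degradation removed when fully implemented
    implementation: float = 1.0         # degree of implementation actually in place, 0..1 (phase 6)


def accumulated_value(asset, dependents):
    """Phase 1: an asset inherits, per dimension, the highest value among the
    assets that depend on it (assumption: max-inheritance, one level)."""
    acc = dict(asset.value)
    for dep in dependents:
        for d in DIMENSIONS:
            acc[d] = max(acc.get(d, 0), dep.value.get(d, 0))
    return acc


def frequency(threat, safeguards=()):
    """Frequency after safeguards; with none it is the intrinsic frequency."""
    f = threat.frequency
    for s in safeguards:
        f *= 1.0 - s.frequency_reduction * s.implementation
    return f


def impact(value, threat, safeguards=()):
    """Impact per dimension = asset value x degradation, reduced by safeguards."""
    factor = 1.0
    for s in safeguards:
        factor *= 1.0 - s.degradation_reduction * s.implementation
    return {d: value.get(d, 0) * threat.degradation.get(d, 0.0) * factor for d in DIMENSIONS}


def risk(value, threat, safeguards=()):
    """Risk per dimension = impact x frequency; the pair's risk is the worst dimension."""
    f = frequency(threat, safeguards)
    per_dim = {d: i * f for d, i in impact(value, threat, safeguards).items()}
    return max(per_dim.values()), per_dim


def assess(asset, threat, safeguards, threshold, dependents=()):
    """Phases 5-7: intrinsic risk, residual risk and acceptance against the threshold."""
    value = accumulated_value(asset, dependents)
    intrinsic, _ = risk(value, threat)
    residual, per_dim = risk(value, threat, safeguards)
    return {"asset": asset.name, "threat": threat.name, "intrinsic": intrinsic,
            "residual": residual, "per_dimension": per_dim, "accepted": residual <= threshold}


# Constructed sample model: a customer database on which a citizen portal depends.
CUSTOMER_DB = Asset("[D]", "customer database", {"C": 9, "I": 8, "A": 5, "Au": 6, "T": 5})
PORTAL = Asset("[S]", "citizen portal", {"C": 6, "I": 6, "A": 7, "Au": 5, "T": 4})
UNAUTHORISED_ACCESS = Threat("[A]", "unauthorised access", frequency=2.0,
                             degradation={"C": 1.0, "I": 0.5, "A": 0.0, "Au": 0.3, "T": 0.2})
ACCESS_CONTROL = Safeguard("SG-1", "access control", frequency_reduction=0.75)
ENCRYPTION = Safeguard("SG-2", "encryption at rest", degradation_reduction=0.8)


def declared_vs_verified(threshold=1.0):
    """Same model with access control as declared (100%) and as verified in a quick audit (60%)."""
    declared = assess(CUSTOMER_DB, UNAUTHORISED_ACCESS, [ACCESS_CONTROL, ENCRYPTION], threshold, [PORTAL])
    audited = Safeguard("SG-1", "access control", frequency_reduction=0.75, implementation=0.6)
    verified = assess(CUSTOMER_DB, UNAUTHORISED_ACCESS, [audited, ENCRYPTION], threshold, [PORTAL])
    return declared, verified


if __name__ == "__main__":
    for label, r in zip(("declared", "verified"), declared_vs_verified()):
        print(f"{label}: intrinsic={r['intrinsic']:.2f} residual={r['residual']:.2f} accepted={r['accepted']}")
```

With the declared implementation the residual risk (about 0.9) sits under a threshold of 1.0 and would be accepted; with the verified 60% implementation it roughly doubles (about 1.98) and acceptance fails, which is exactly the gap a short safeguard audit exposes before management signs the residual risk declaration.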

PILAR: the CCN tool

PILAR (Procedimiento Informático Lógico para el Análisis de Riesgos) is the free CCN application that automates Magerit. Several variants exist depending on licence and scope:

  • PILAR. Full tool for risk analysis in medium and large organisations.
  • µPILAR. Reduced version for local administrations and small companies.
  • RMAT. CCN web tool for bodies integrated into the CCN-STIC suite.

PILAR automatically loads catalogues of typical assets, threats and safeguards, maintains the dependency matrix and calculates intrinsic and residual risk as values change. The learning curve is several weeks and the interface has a classic administrative pattern (not pretty, but it works).

CCN distributes PILAR at no cost for Spanish public administrations. Private companies can obtain it under specific conditions depending on their relationship with the public sector.

Regulatory framework fit

Magerit isn't legally mandatory for Spanish private companies, but appears naturally in serious compliance projects.

ENS (Royal Decree 311/2022)

Spain's National Security Framework cites Magerit as the reference methodology for the risk analysis required in its article 12. Any organisation within ENS scope (public administrations and providers serving them with ICT) performs a Magerit-compatible analysis. Detail in ENS Spain certification guide.

ISO 27001:2022

ISO 27001 requires risk analysis (clause 6.1.2) but is agnostic about methodology. Magerit, ISO 27005, NIST RMF or OCTAVE are all acceptable. For companies already running ENS, keeping Magerit in ISO 27001 reduces duplication. Detail in ISO 27001 explained.

NIS2 (EU Directive 2022/2555)

NIS2 (article 21) requires risk management measures but doesn't impose methodology. Magerit is a reasonable option for Spanish essential or important entities, especially if also within ENS scope. Detail in NIS2 in Spain.

DORA (EU Regulation 2022/2554)

DORA (articles 6 and 8) requires an ICT risk management framework in financial entities. ISO 27005 or sector-specific frameworks are more common in banking and insurance, but Magerit applies if the entity already uses it because of its relationship with the public sector. Detail in DORA compliance.

Other fits

  • PCI DSS v4.0 (req. 12.3.1) demands documented formal risk analysis. Magerit covers it.
  • GDPR (articles 32 and 35) demands a data protection impact assessment (DPIA). Magerit complements the general risk analysis the DPIA needs.

Magerit vs other methodologies

Four frequent alternatives and when to choose each.

ISO 27005

International standard for risk management in information security. More flexible than Magerit (doesn't impose rigid classifications), globally recognised, aligned with ISO 27001. Better for international organisations or those without ENS obligation.

NIST SP 800-30 and RMF

US standards. NIST RMF is the complete framework, NIST 800-30 the analysis guide. Dominant in the US and in sectors with ties to US federal administration. More quantitative by default.

OCTAVE / OCTAVE Allegro

Designed by CERT/SEI (Carnegie Mellon). More qualitative approach oriented to stakeholder workshops. Useful in organisations where quantitative data is scarce.

FAIR (Factor Analysis of Information Risk)

Purely quantitative model expressing risk in economic terms (probability of loss and monetary magnitude). Gaining traction in banking, energy and large corporations that want CFO-ready risk reporting. Many serious analyses combine Magerit (structure) with FAIR (monetary quantification).

Common mistakes in real projects

What we see in consulting with clients implementing or running Magerit.

Outdated or incomplete asset inventory. The analysis gets done once and nobody maintains it. After 18 months, there are new uninventoried assets, modified dependencies and the analysis no longer reflects reality. ISO 27001 continuous improvement and ENS update clauses fail.

Subjective valuations without documented criteria. Every consultant who passes through values differently and the model becomes inconsistent. Documenting valuation criteria and maintaining them in security committee consensus avoids this.

Threat catalogue taken as-is. The Magerit v3 catalogue is exhaustive but generic. If not filtered and prioritised by business context, the analysis becomes unmanageable and nobody reads it. Curating the catalogue to the truly relevant 30-50 threats makes the difference.

Poorly valued safeguards. Assuming a control is 100% implemented without evidence. A quick audit on 5-10 critical safeguards usually discovers that real implementation is significantly lower than declared.

Risk acceptance without management signature. Magerit (and ENS and ISO 27001) require management to formally approve the accepted residual risk. Without documented signature, there's no valid acceptance in an audit.

Analysis disconnected from the treatment plan. The analysis identifies the risk, but the improvement plan isn't built on it. Without that connection, the analysis is a dead document.

PILAR without prior training. The tool is powerful but opaque. Without specific CCN training, projects get stuck or produce incorrect results.

Practical application in private companies

For an organisation not bound by ENS but wanting to align with Spanish best practice:

  • Small company (50-200 employees): reduced Magerit, without PILAR, with an Excel template based on book 2 catalogues.
  • Mid-sized company (200-1000 employees): full Magerit with µPILAR or a commercial tool (eMASS, RSA Archer, ServiceNow GRC).
  • Large company: Magerit as an ENS compliance layer where applicable, ISO 27005 or FAIR as an internal risk management layer. Integrated GRC platform.

The team operating Magerit usually combines technical profile (CISO or equivalent) with compliance profile (compliance, internal audit, legal). Without that combination, the analysis falls into one of the two extremes: very technical and disconnected from business, or very administrative without real technical base.

Frequently asked questions

Is Magerit mandatory?

Not by law strictly. ENS cites it as a reference and it's practically the standard in Spanish public administration. In private companies there's no obligation, but if you participate in public tenders or have public administration clients, its use facilitates acceptance of your risk analyses.

Can Magerit be combined with ISO 27005?

Yes. Most large organisations within ENS and ISO 27001 scope maintain a single analysis structured in Magerit (because ENS requires it) and take advantage of the fact that ISO 27001 accepts any equivalent methodology. The effort is done once.

Which Magerit version is current?

Magerit v3 (October 2012). The CCN hasn't published v4 as of 2026. The three books (method, catalogue, techniques) remain available on the CCN website. Operational updates arrive via PILAR and additional CCN-STIC guides.

How long does a complete Magerit analysis take?

For a mid-sized organisation on its first analysis: 4-8 months with partial dedication from a team of 3-5 people. For later annual revisions: 1-2 months if the model is kept alive. The first analysis is always the most costly because the inventory has to be built from scratch.

Does Magerit cover cloud and SaaS threats?

The v3 catalogue (2012) doesn't explicitly name cloud, SaaS, containers, AI or supply chain with current precision. The risks are covered in general terms (unauthorised access, information leakage, provider dependency) but require reinterpretation. The most recent CCN-STIC guides (especially CCN-STIC 823 ENS in the cloud) cover cloud specifics.

Is PILAR the only tool?

It's the official CCN tool and the only free one specifically oriented to Magerit. There are commercial tools that support Magerit as one of their methodologies: GlobalSuite, Riskonnect, ServiceNow GRC, RSA Archer, eRamba, custom tools on Excel/SharePoint.

Does Magerit consider cyber insurance as a safeguard?

Yes, as a corrective or recovery-type safeguard. It reduces residual economic impact but doesn't eliminate probability. In 2026 cyber insurance is part of the standard defensive package in medium and large companies, with increasingly demanding security prerequisites (MFA, EDR, backups, training).

Magerit risk analysis at Secra

At Secra we accompany Magerit analyses in two typical situations: new organisations addressing ENS or ISO 27001 for the first time and needing the model built from scratch, and organisations that already have Magerit but the model is outdated or disconnected from the real security plan. The usual scope includes asset inventory and valuation, threat modeling with curated catalogue, honest safeguard evaluation with technical verification, intrinsic and residual risk calculation, prioritised treatment plan and delivery of the model in PILAR or the client's GRC tool. If you need to start or audit a Magerit analysis for ENS, NIS2 or ISO 27001, get in touch via contact or check our GRC consulting services.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
