Magerit IT Risk Analysis Methodology

Magerit, sometimes written as MAGERIT, is a methodology to manage information technology (IT) risk that it is issued and managed by institutions related to the Goverment of Spain. Because of this, this IT risk analysis methodology is recommended to be used on public institutions of Spain and organizations working for these public institutions.

Magerit risk management methodology

What is Magerit methodology?

It was originally developed by the National Council of Electronic Administration of Spain (in Spanish, Consejo Superior de Administración Electrónica), and it is currently maintained by the Department of Digital Administration of Spain (in Spanish, Secretaría General de Adminstración Digital) with the collaboration of the National Cryptologic Center of Spain (CNN, acronym from the Spanish Centro Criptológico Nacional). All of these institutions are dependant of the Goverment of Spain.

Magerit may be implemented in the context of the appliance of the Esquema Nacional de Seguridad (ENS) framework, that is mandatory to public institutions of Spain and companies working for them. To know more about ENS, you can check this post.

Magerit is an acronym from the Spanish Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información, that means “analysis and risk management information systems”. Magerit is also the ancient name of the city of Madrid.

Magerit is an open methodology that is free for use.

Magerit publication history

There are different versions of Magerit. As of March 2022, latest version is 3, issued in October 2012. It has been published by the Ministery that holds the competencies of Public Administration.

Version history:

  • Version 3, issued in October 2012 by the Ministry of Treasury and Public Administration of Spain (in Spanish, Ministerio de Hacienda y Administraciones Públicas)
  • Version 2, issued in June 2006 by the Ministry of Public Administration of Spain (in Spanish, Ministerio de Administraciones Públicas)

Magerit methodology components

Magerit framework (in its version 3) is described on three books:

  1. Book I: Method
  2. Book II: Elements Catalogue
  3. Book III: Techniques Guide

These books are available in Spanish and English, and can be download for free on this link.

Some important parts of Magerit are:

  • Asset Types
  • Threat Catalog

Book 1: Method

It consists of 8 chapters and 6 appendix.

Book 2: Elements Catalog

It contains, among other information, the list of asset types.

Book 3: Techinques Guide

It provides guidance on techniques used during risk analysis.

Are there tools compatible with Majerit?

Risk Analysis Environment (EAR, from the Spanish Entorno de Análisis de Riesgos) is a family of tools compatbile to apply risk management based on Magerit. It is developed and partially funded by CCN.

Tools that belong to the EAR family:

  • PILAR: full version of the tool. You can find more about PILAR on this link.
  • PILAR Basic: simple version for SMEs and local administrations
  • μPILAR: reduced version of PILAR, aimed to quick risk analysis
  • RMAT (Risk Management Additional Tools): tool customization

They are free for public institutions, while private organizations can use it at a cost.

How to perform a risk analysis process based on Magerit?

Steps to perform a risk analysis based on Magerit methodology:

  1. Determine scope
  2. Identify assets under the scope
  3. Classify assets by its type
  4. Identify threats related to assets
  5. Determine impact of a negative event related to a threat affects an asset
  6. Determine probablity that a negative related to a threat affects an asset
  7. Calculate inherent ciber risk
  8. Identify mitigations applied to that asset
  9. Determine the effectivity of this mitigation
  10. Calculate residual ciber risk
  11. Determine the risk threshold for the organization
  12. Ascertain whether each residual ciber risk is acceptable
  13. Develop an action plan
  14. Review risk periodically

What are the alternatives to Magerit?

NIST 800-30 would be the USA counterpart of Majerit. Mehari is developed by an independent group.

Among the private methodologies, there is Microsoft’s Security Management Guide.

You can find a list of IT risk management frameworks on this post.

You might be also interested in…

External references

  • Magerit” (Spanish); Portal de Administración Electrónica del Gobierno de España
  • Magerit“;  Enisa (European Union Agency for Cybersecurity)
  • Magerit“; Wikipedia

Leave a Reply

Your email address will not be published. Required fields are marked *