Magerit, sometimes written as MAGERIT, is a methodology to manage information technology (IT) risk that it is issued and managed by institutions related to the Goverment of Spain. Because of this, this IT risk analysis methodology is recommended to be used on public institutions of Spain and organizations working for these public institutions.
Magerit risk management methodology
What is Magerit methodology?
It was originally developed by the National Council of Electronic Administration of Spain (in Spanish, Consejo Superior de Administración Electrónica), and it is currently maintained by the Department of Digital Administration of Spain (in Spanish, Secretaría General de Adminstración Digital) with the collaboration of the National Cryptologic Center of Spain (CNN, acronym from the Spanish Centro Criptológico Nacional). All of these institutions are dependant of the Goverment of Spain.
Magerit may be implemented in the context of the appliance of the Esquema Nacional de Seguridad (ENS) framework, that is mandatory to public institutions of Spain and companies working for them. To know more about ENS, you can check this post.
Magerit is an acronym from the Spanish Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información, that means “analysis and risk management information systems”. Magerit is also the ancient name of the city of Madrid.
Magerit is an open methodology that is free for use.
Magerit publication history
There are different versions of Magerit. As of March 2022, latest version is 3, issued in October 2012. It has been published by the Ministery that holds the competencies of Public Administration.
- Version 3, issued in October 2012 by the Ministry of Treasury and Public Administration of Spain (in Spanish, Ministerio de Hacienda y Administraciones Públicas)
- Version 2, issued in June 2006 by the Ministry of Public Administration of Spain (in Spanish, Ministerio de Administraciones Públicas)
Magerit methodology components
Magerit framework (in its version 3) is described on three books:
- Book I: Method
- Book II: Elements Catalogue
- Book III: Techniques Guide
These books are available in Spanish and English, and can be download for free on this link.
Some important parts of Magerit are:
- Asset Types
- Threat Catalog
Book 1: Method
It consists of 8 chapters and 6 appendix.
Book 2: Elements Catalog
It contains, among other information, the list of asset types.
Book 3: Techinques Guide
It provides guidance on techniques used during risk analysis.
Are there tools compatible with Majerit?
Risk Analysis Environment (EAR, from the Spanish Entorno de Análisis de Riesgos) is a family of tools compatbile to apply risk management based on Magerit. It is developed and partially funded by CCN.
Tools that belong to the EAR family:
- PILAR: full version of the tool. You can find more about PILAR on this link.
- PILAR Basic: simple version for SMEs and local administrations
- μPILAR: reduced version of PILAR, aimed to quick risk analysis
- RMAT (Risk Management Additional Tools): tool customization
They are free for public institutions, while private organizations can use it at a cost.
How to perform a risk analysis process based on Magerit?
Steps to perform a risk analysis based on Magerit methodology:
- Determine scope
- Identify assets under the scope
- Classify assets by its type
- Identify threats related to assets
- Determine impact of a negative event related to a threat affects an asset
- Determine probablity that a negative related to a threat affects an asset
- Calculate inherent ciber risk
- Identify mitigations applied to that asset
- Determine the effectivity of this mitigation
- Calculate residual ciber risk
- Determine the risk threshold for the organization
- Ascertain whether each residual ciber risk is acceptable
- Develop an action plan
- Review risk periodically
What are the alternatives to Majerit?
NIST 800-30 would be the USA counterpart of Majerit. Mehari is developed by an independent group of
Among the private methodologies, there is Microsoft’s Security Management Guide.