Published under Risk Management

Product identity card

General information
Basic information to identify the product

Method or tool name : MAGERIT
Vendor name : Ministerio de Administraciones Publicas (Spanish Ministry for Public Administrations)
Country of origin : SPAIN

Level of reference of the product
Details about the type of initiator of the product

Government organisation : Ministerio de Administraciones Publicas (Spanish Ministry for Public Administrations)

Specify the phases this method supports and a short description

R.A. Method phases supported

  • Risk identification : Assets: identification, classification, dependencies between assets, and value.
    Threats: identification relationship with assets and evaluation of vulnerability.
    Safeguards: identification and evaluation. Tool support.
  • Risk analysis : SAccumulated impact and risk. Deflected impact and risk. Tool support.
  • Risk evaluation : From technical risks into business risks.

R.M. Method phases supported

  • Risk assessment: (See above)
  • Risk treatment : Support of scenarios: phases, what if, security projects, long-term objectives.
  • Risk acceptance : Security indicators
  • Risk communication : Definition of reports containing the findings and conclusions from a risk analysis and management project: value model, risk map, safeguard evaluation, risk status, deficiencies report and security plan. Related software (EAR/ PILAR) produces a wide variety of deliverables in standardized and customizable formats, textual and graphical.

Brief description of the product

  • Magerit is an open methodology for Risk Analysis and Management, developed by the Spanish Ministry of Public Administrations, offered as a framework and guide to the Public Administration. Given its open nature it is also used outside the Administration.

    Magerit v1 was published in 1997. Magerit v2 was published in 2005. It is openly available in Spanish and English in

    Magerit seeks to achieve the following objectives:

    1. To make those responsible for information systems aware of the existence of risks and of the need to treat them in time.
    2. To offer a systematic method for analyzing these risks.
    3. To help in describing and planning the appropriate measures for keeping the risks under control.
    4. Indirectly, to prepare the organization for evaluation, audit, certification or accreditation processes, as relevant in each case.

    Magerit v2 has been structured into three books:

    Book I: Methodology. It describes the core steps and basic tasks to carry out a project for risk analysis and management; the formal description of the project; the application to the development of information systems and it provides a large number of practical clues, as well as the theoretical foundations, together with some other complementary information.
    Book II: Catalogue of elements. It provides standard elements and criteria for information systems and risk modeling: asset classes, valuation dimensions, valuation criteria, typical threats, and safeguards to be considered; it also describes the reports containing the findings and conclusions (value model, risk map, safeguard evaluation, risk status, deficiencies report and security plan), thus contributing to achieve uniformity.
    Book III: Practical techniques. It describes techniques frequently used to carry out risk analysis and management projects such as: tabular and algorithmic analysis; threat trees, cost-benefit analysis, dataflow diagrams, process charts, graphical techniques, project planning, working sessions (interviews, meetings, presentations), and Delphi analysis. The application of the methodology can be supported by the software PILAR / EAR, which exploits and increases its potentialities and effectiveness (PILAR is limited to the Spanish Public Administration. EAR is a commercial product).

Date of the first edition, date and number of actual version

Date of first release : Magerit v1 1997
Date and identification of the last version : Magerit v2 2005

Useful links
Link for further information

Official web site :
User group web site : N/A
Relevant web site : -

List the available languages that the tool supports

Availability in European languages : Spanish, English, Italian (partially)

Specify the price for the method

  • Free

Page top


Target organisations
Defines the most appropriate type of organisations the product aims at

  • Government, agencies
  • Large companies
  • SME
  • Commercial CIEs
  • Non commercial CIEs

Specific sector : Information and Communications

Geographical spread
Information concerning the spread of this tool

Used in EU member states : Many
Used in non-EU member states : Many

Level of detail
Specify the target kind of users

  • Management
  • Operational
  • Technical : (See tool)

License and certification scheme
Specify the licensing and certification schemes available for this method

Recognized licensing scheme : No
Existing certification scheme : No

Page top

Users viewpoint

Skills needed
Specify the level of skills needed to use and maintain the solution

  • To introduce : Standard
  • To use : ITC Professionals
  • To maintain : Management skills

Consultancy support
Specify the kind of support available

Consultancy : If support is needed, a wide variety of private consultants is available (Open market)

Regulatory compliance
There is a given compliance of the product with international regulations

  • Can be achieved indirectly

Compliance to IT standards
There is a compliance with a national or international standard

Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.

Availability : Free web download :

Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security

It is possible to measure the I.S.S. maturity level : No

Tools supporting the method
List of tools that support the product

Non commercial tools

Commercial tools

Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools

Tools can be integrated with other tools : Yes, due to the XML/CSV input/output functions

Organisation processes integration
The method provides interfaces to existing processes within the organisation

Method provides interfaces to other organisational processes : No

Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.

Method allows use of sector adapted databases : Yes: the method and the tools

Browse the Topics

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies