Executive summary · TL;DR

MAGERIT is the official Spanish methodology for information system risk analysis and management, required by the ENS (Spanish National Security Framework) and supported by the CCN PILAR tool.

Risk analysis is the heart of the ENS (Spanish National Security Framework). Without a rigorous risk analysis it is not possible to determine which controls your organisation needs, at what level of demand, or where to concentrate security resources. MAGERIT (the Spanish information system risk analysis and management methodology) is the reference in Spain for this process, and this guide explains how to apply it in practice in your ENS adequacy project.

In this article
  • What MAGERIT is and why it matters
  • The CCN PILAR tool
  • Step 1: asset inventory
  • Step 2: valuation across the DICAT dimensions
  • Common mistakes in ENS risk analysis

What is MAGERIT and why does it matter?

MAGERIT is the methodology developed by the Spanish High Council for Electronic Administration, currently in version 3. It is made up of three books. Book I describes the method, the phases of the analysis and the fundamental concepts. Book II is the catalogue of elements: types of asset, valuation dimensions, valuation criteria, threat catalogue and safeguard catalogue. Book III is the techniques guide, covering the quantitative and qualitative methods applicable.

Although the ENS does not impose MAGERIT as the only methodology, in practice it is the standard reference that ENS auditors expect to find. Using another methodology is possible, but you must justify that it meets the requirements of Annex II of the ENS, which adds unnecessary complexity.

The CCN PILAR tool

PILAR is the software tool developed by CCN-CERT that implements MAGERIT in an automated way. It exists in several versions: the full PILAR for advanced risk analysis, µPILAR (micro-PILAR) as a simplified version for small organisations, and PILAR Cloud as a cloud-based version.

PILAR includes the full MAGERIT catalogues, automatically calculates impact and risk from the valuations entered, provides standard reports accepted by ENS auditors, and is updated periodically with new threats and safeguards.

To access PILAR you must register on the CCN portal. The tool is free for the Spanish public sector and its suppliers.

The risk analysis process, step by step

Step 1: asset inventory

The first step is to identify all information assets within the scope of the ENS. MAGERIT classifies assets in layers: information and data (what you want to protect), services (what you offer), applications and software, hardware equipment and infrastructure, communications and networks, information media (physical and electronic), facilities, and personnel.

For each asset, document its name, type from the MAGERIT catalogue, owner or responsible party, location, and dependency relations with other assets (a service depends on an application, which depends on a server, which depends on a server room).

Step 2: asset valuation across the DICAT dimensions

Every asset is valued against the five security dimensions: Availability, Integrity, Confidentiality, Authenticity and Traceability (DICAT is the acronym of their Spanish names). The valuation can be qualitative (LOW, MEDIUM, HIGH) or quantitative (a numerical scale), although for the ENS the qualitative approach is sufficient.

Valuation must be done for each information asset and service. Support assets (hardware, software, communications) do not receive their own valuation: through the dependency tree they inherit the valuation of the higher-level assets that depend on them.

Step 3: threat identification

For each asset, identify the threats that could materialise and cause negative impact. The MAGERIT threat catalogue (Book II) provides an exhaustive list organised by categories: natural disasters, industrial origin, unintentional errors and faults, and intentional attacks.

You do not need to consider every threat in the catalogue for each asset. Select those that are relevant given the type of asset and the organisational context.

Step 4: estimating impact and probability

For each asset-threat pair, estimate the probability of the threat materialising (the expected frequency at which it could occur) and the impact it would produce on each security dimension (the degradation of the asset value).

PILAR makes this enormously easier by providing default estimates based on statistics and accumulated experience, which the analyst can adjust to the specific context of the organisation.

Step 5: calculating the risk

Risk is calculated as the combination of impact and probability. PILAR performs this calculation automatically and presents the results in risk matrices that let you quickly see which assets carry unacceptable risk.

Risk can be expressed in three zones: acceptable risk (green), tolerable risk with mitigation (amber) and unacceptable risk requiring immediate action (red).

Step 6: selecting safeguards

Safeguards are the security measures implemented to reduce risk to an acceptable level. The MAGERIT safeguard catalogue provides an extensive list that maps directly to the ENS controls.

For each unacceptable risk, select the appropriate safeguards and estimate their effectiveness (the percentage of risk they reduce). PILAR automatically recalculates the residual risk with safeguards applied.

Step 7: determining residual risk

Residual risk is what remains after applying all selected safeguards. This risk must be formally accepted by the security officer or the organisation's management. If residual risk is still unacceptable, the safeguards must be strengthened or alternatives sought.
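As an added illustration of steps 1 to 7 (example code written for this article, not PILAR's algorithm and not part of the original text), a toy Python model that walks the dependency tree, inherits the DICAT valuation down to the support assets, combines impact and probability through a qualitative risk matrix and applies safeguard effectiveness to obtain the residual risk. The 0..4 scales, the risk matrix, the asset figures, the threat labels and the safeguard effectiveness are all constructed assumptions.

```python
# Toy MAGERIT-style risk model (constructed example, not PILAR's algorithm): value,
# impact and risk on a 0..4 qualitative scale, probability 0..4 (very rare..very frequent).
import math
from dataclasses import dataclass, field
@dataclass
class Asset:
    name: str
    value: dict = field(default_factory=dict)       # own DICAT valuation (top-level assets only)
    depends_on: list = field(default_factory=list)  # support assets this asset relies on

@dataclass
class Threat:
    code: str          # placeholder label, not a real Book II catalogue code
    target: str        # asset the threat acts on
    degradation: dict  # dimension -> fraction of the asset value lost (0.0..1.0)
    probability: int   # 0..4

def inherited_value(assets, name, dim):
    """Support assets inherit the highest value of the assets that depend on them (tree, no cycles)."""
    dependents = [o.name for o in assets.values() if name in o.depends_on]
    return max([assets[name].value.get(dim, 0)] + [inherited_value(assets, d, dim) for d in dependents])

# Constructed risk matrix: RISK_MATRIX[impact][probability] -> risk level 0..4
RISK_MATRIX = ((0, 0, 0, 0, 0), (0, 0, 1, 1, 2), (0, 1, 2, 2, 3),
               (1, 2, 3, 3, 4), (2, 3, 4, 4, 4))

def zone(risk):  # green = acceptable, amber = tolerable with mitigation, red = unacceptable
    return "red" if risk >= 3 else "amber" if risk == 2 else "green"

def analyse(assets, threats, safeguards):
    """Per threat: worst-dimension impact, risk and residual risk (safeguards: code -> fraction removed)."""
    rows = []
    for t in threats:
        impact = max(math.ceil(inherited_value(assets, t.target, d) * f)
                     for d, f in t.degradation.items())
        risk = RISK_MATRIX[impact][t.probability]
        residual = math.ceil(risk * (1 - safeguards.get(t.code, 0.0)))
        rows.append({"code": t.code, "impact": impact, "risk": risk, "zone": zone(risk),
                     "residual": residual, "residual_zone": zone(residual)})
    return rows

# Constructed sample: service -> application -> server -> server room, plus a database
ASSETS = {a.name: a for a in [
    Asset("citizen-portal", {"D": 3, "I": 3, "C": 2, "A": 2, "T": 2}, ["portal-app"]),
    Asset("citizen-db", {"D": 2, "I": 3, "C": 4, "A": 3, "T": 3}, ["app-server"]),
    Asset("portal-app", depends_on=["app-server"]),
    Asset("app-server", depends_on=["server-room"]), Asset("server-room")]}
THREATS = [Threat("E-unauth-access", "app-server", {"C": 1.0, "I": 0.5}, 2),
           Threat("N-fire", "server-room", {"D": 1.0}, 0)]
SAFEGUARDS = {"E-unauth-access": 0.75}  # assumed combined effectiveness of selected measures
```

Running `analyse(ASSETS, THREATS, SAFEGUARDS)` shows the server inheriting the database's HIGH confidentiality value, so the access threat lands in the red zone before safeguards and in the green zone after them, which is the residual risk that management would have to accept formally.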

Frequent mistakes in ENS risk analysis

The first common mistake is an incomplete asset inventory: forgetting critical assets such as databases, backup systems or connections with third parties. The second is lack of consistency in valuations: assigning values without a coherent criterion across similar assets. The third is obsolescence: doing the analysis once and never reviewing it. The fourth is the lack of involvement of business owners: a risk analysis cannot be done by the IT department alone; it needs the business view.

How to present the risk analysis to management

Management does not need to see the PILAR tables. They need to understand three things: which risks are the most serious for the organisation (the top five, with understandable scenarios), what measures are proposed and what they cost in €, and what residual risk is accepted and why it is acceptable.

Prepare an executive report of two or three pages that answers these three questions, supported by the full PILAR technical report as an annex.

📩 Need to run the risk analysis of your organisation in line with MAGERIT? Get in touch. We accompany you through the whole process with PILAR and deliver an analysis that passes the ENS audit.

Need help with this? Get in touch — first 45-minute session at no cost, with a clear action plan and transparent costs in €.


Author: Ángel Ortega Castro — independent consultant in strategy, quality and digitalisation for Spanish SMEs and public administrations.


Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs of 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

Depending on the scope, the BOE references RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), the LOPDGDD, NIS2, DORA and the EU AI Act (2024/1689).

How long does the implementation take?

On average 4-7 months for a single ISO standard; an integrated management system (SGI) covering 9001+14001+27001 usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes, Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

The marketing of the brain is more predictable than the marketing of opinion. — Ángel Ortega Castro