the accesskey _ mod _ content


  • MAGERIT version 3 (English version): methodology of analysis and risk management information systems. - Edits: © Ministry of finance and public administrations, October 2012.- NIPO 630-12-171-8:

Book I: method (PDF-1,47 MB) (Opens in new window)

Book II: Catalogue of elements (PDF-3,37 MB) (Opens in new window)

Book III: Technical Guide (PDF-1,28 MB) (Opens in new window)

  • MAGERIT V.3 (English version): Methodology for Information Systems Risk Analysis and Management. - Edits: © Ministry of finance and public administrations, July 2014.- NIPO 630-14-162-0:

Book I: Method (PDF-1,44 MB) (Opens in new window)     Book I: Method (EPUB-2,94 MB) (Opens in new window)

  • MAGERIT V.2 (English version): Methodology for Information Systems Risk Analysis and Management .- Edits: © MAP, June 2006 - NIPO 326-06-044-8:

Book I: Method (PDF-1,17 MB) (Opens in new window)

Book II: Catalogue (PDF-270 KBPS) (Opens in new window)

Book III: Techniques (PDF-157 KBPS) (Opens in new window)

  • MAGERIT V.2 (Versione italiana): Metodologia di analisi dei rischi dei sistemi informativi . (solamente traducido el Libro I). Edita,  © MAP, diciembre de 2009.- NIPO 000-09-070-4:

Book I: Method (PDF-1,56 MB) (Opens in new window)


MAGERIT is the methodology of analysis and risk management developed by the former senior Council E-government (currently strategy Committee TIC), as a response to the perception that the administration, and, in general, any society increasingly dependent of information technologies for the performance of its mission.

The raison d'être of MAGERIT is directly related to the widespread use of information technologies, which makes clear benefits for citizens; but also gives rise to certain risks that must be minimized with security measures that generate confidence.

MAGERIT interest to all those who work with digital information and computer systems to treat it. If the information or services provided through it, are valuable, MAGERIT will allow them to know how much value is at stake and help them to protect it. Knowing the risk to which they are subjected elements of work is simply impossible to manage. With MAGERIT seeks a methodical approach that leaves no place to improvisation, neither depends on the arbitrariness of the analyst.

Figure 1. ISO 31000 - Framework for risk management

El análisis y gestión de los riesgos es un aspecto clave del Royal Decree 3/2010, of January 8th, that regulates the national security Scheme (Opens in new window) in the field of E-government which aims to give satisfaction to the principle of proportionality in fulfilling the basic principles and minimum requirements for adequate protection of information. MAGERIT is a tool to facilitate the introduction and implementation of the National security Scheme.

Figure 2. Risk management

MAGERIT figura en el inventario de métodos de análisis y gestión de riesgos de ENISA en (Opens in new window)

Complementary products and services

PILAR es una herramienta que implementa la metodología MAGERIT de análisis y gestión de riesgos, desarrollada por el Centro Criptológico Nacional (CCN) y de amplia utilización en la administración pública española.

You can download PILLAR Portal (Opens in new window) the CCN-CERT.

Los organismos de la administración pública española pueden solicitar una licencia libre de cargos al Centro Criptológico Nacional; para ello, dirija su solicitud a Centro Criptológico Nacional


MAGERIT pursues the following Direct Objectives:

  1. Concienciar a los responsables de las organizaciones de información de la existencia de riesgos y de la necesidad de gestionarlos
  2. Provide a systematic approach to analyse risks arising from the use of information technology and communications (TICK)
  3. Help discover and plan timely treatment to keep under control risks Indirect
  4. Preparar a la Organización para procesos de evaluación, auditoría, certificación o acreditación, según corresponda en cada caso

Guides organization

MAGERIT versión 3 se estructura en tres libros: "Método", "Catálogo de Elementos" y "Guía de Técnicas".


Is structured in the following way:

  • Chapter 2 presents the concepts informally. In particular are framed the analysis and treatment within a comprehensive process risk management.
  • Chapter 3 concrete steps and formalizes the analysis of the risks.
  • El capítulo 4 describe opciones y criterios de tratamiento de los riesgos y formaliza las actividades de gestión de riesgos.
  • Chapter 5 focuses on the projects of risk analysis, projects that we will be plunged to perform the first risk analysis of a system and eventually when there are substantial changes and redo the model widely.
  • El capítulo 6 formaliza las actividades de los planes de seguridad, a veces denominados planes directores o planes estratégicos.
  • Chapter 7 focuses on the development of information systems and how risk analysis serves to manage the safety of the final product since its initial conception until his release in production, as well as to the protection of the development process itself.
  • El capítulo 8 se anticipa a algunos problemas que aparecen recurrentemente cuando se realizan análisis de riesgos.

Appendices reflected reference material:

  1. A glossary,
  2. Bibliographical references considered for the development of this methodology,
  3. Rreferencias the legal framework that fits the tasks of analysis and management in public administration, Spanish
  4. The policy framework of assessment and certification
  5. The characteristics required tools, present or future, to withstand the process of analysis and risk management,
  6. Una guía comparativa de cómo Magerit versión 1 ha evolucionado a la versión 2 y a esta versión 3

Catalogue of Elements

Brand guidelines regarding:

  • Types of assets
  • Dimensions of valuation of assets
  • Evaluation criteria of assets
  • Typical threats on Information Systems
  • To consider safeguards to protect information systems

The objectives are twofold:

  1. On the one hand, to facilitate the work of people who addresses the project, offering standard elements which can be positioned quickly, focusing on system-specific object of analysis.
  2. Por otra, homogeneizar los resultados de los análisis, promoviendo una terminología y unos criterios uniformes que permitan comparar e incluso integrar análisis realizados por diferentes equipos.

Each section includes a XML notation that will be used to publish regular elements in a standard format can be processed automatically by tools of analysis and management.

If the reader uses a tool of analysis and risk management, this catalog will be part of the same; if the analysis is done manually, this catalogue provides a broad base of departure to move quickly without distractions or omissions.

Technical guide

Provides additional light and guidance on some techniques that are routinely used to carry out projects of analysis and risk management:

  • Specific techniques to risk analysis
  • Tables analysis through
  • Algorithmic analysis
  • Attack Trees
  • General techniques
  • Graphic techniques
  • Working sessions: interviews, meetings and presentations

Valuation Delphi is a reference guide. According To the reader step by the tasks of the project, he will recommend the use of certain specific techniques, this guide aims to be an introduction, as well as providing references to the reader deepen the techniques presented.

Rights to use

MAGERIT is a methodology public, can be used freely and does not require prior authorization. In any exploitation of the work shall record the original authorship.

Responsible for the product

General Secretariat of Digital Administration.

General access point
General access point