How to perform a risk analysis with MAGERIT in an SME?

MAGERIT is the official risk analysis and management methodology of the Spanish public administration, published by the Higher Council for Electronic Administration and maintained through its PILAR tool by the National Cryptologic Centre (CCN). The method comes down to four steps: (1) identify assets and their value, (2) identify threats that could affect them, (3) evaluate safeguards already in place, and (4) calculate the residual risk that remains after those safeguards, and decide whether to accept it. This article walks you through the process applied to a real SME (small and medium-sized enterprise), with a concrete example and no unnecessary jargon.
What is MAGERIT?

MAGERIT is the acronym for Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información (Methodology for Information Systems Risk Analysis and Management). It is the methodology Spanish public administrations use to analyse their security risks, and the natural reference whenever an organisation implements the ENS (Spanish National Security Framework), which requires managing security on a risk basis.
The current version is MAGERIT v3, from October 2012, structured in three books: the method, the element catalogue, and the techniques guide. The tool that operationalises it is called PILAR and is maintained by the CCN. Using MAGERIT is not strictly mandatory — the ENS accepts any recognised risk analysis methodology — but it is the most widely adopted in Spain's public sector and the one that fits most naturally with the ENS.
Is MAGERIT mandatory under the ENS?

Not exactly. The ENS requires a risk analysis but does not prescribe a specific methodology: you can use MAGERIT, ISO 31000, ISO 27005 or any other recognised approach. That said, MAGERIT was developed by the Spanish administration itself and aligns perfectly with the ENS, making it the de facto standard for public-sector engagements. If you want the broader enterprise risk management perspective, see the guide on enterprise risk management with ISO 31000 in practice.
The 4 Steps of MAGERIT
Step 1: Identify and value your assets
An asset is any element that holds value for the organisation and is worth protecting: servers, applications, databases, information itself, communications, and even people and services. The first MAGERIT step is to inventory relevant assets, understand how they interrelate, and assess what harm their degradation would cause.
Valuation is not done directly in monetary terms but across the security dimensions: confidentiality, integrity, traceability, authenticity and availability. For each asset you ask: what would happen if this information were leaked (confidentiality)? If it were altered without authorisation (integrity)? If it were unavailable for a full day (availability)? These dimensions are the same ones the ENS uses to categorise systems, so a MAGERIT analysis feeds directly into ENS system categorisation.
SME example: a fifteen-person consultancy identifies its key assets as its client management application, the database holding tax records, the server hosting it, and corporate email. The tax database scores high on confidentiality and integrity; email scores high on availability.
Step 2: Identify threats
A threat is any event that could compromise an asset. MAGERIT classifies them into broad groups: natural disasters (flooding, fire), industrial-origin events (power failure, hardware fault), unintentional errors and failures (an employee accidentally deleting a file), and intentional attacks (ransomware, credential theft, impersonation).
For each asset you identify which threats apply, the likelihood of each materialising, and the degradation each would cause across the security dimensions. Not every threat affects every asset equally: a power cut hits server availability but does not compromise the confidentiality of an encrypted document.
Example: for the consultancy's tax database, the most relevant threats are ransomware (high degradation of availability and integrity), unauthorised access (confidentiality), and human error when manipulating records (integrity).
Step 3: Evaluate safeguards
Safeguards are the measures already in place to reduce risk: backups, access controls, encryption, antivirus, staff training, firewalls, and so on. In this step you assess which safeguards you have and how effective they are against each threat.
MAGERIT distinguishes between potential risk (what would exist with no safeguards at all) and the reducing effect of implemented measures. A safeguard can act by lowering the probability of a threat occurring (preventive) or by limiting the damage when it does (corrective). Backups, for instance, do not prevent ransomware, but they drastically reduce its impact.
Example: the consultancy has daily backups (reduces ransomware impact), password-based access controls (reduces unauthorised access), but no database encryption or multi-factor authentication — those remain as open gaps.
Step 4: Calculate residual risk
Residual risk is the risk level the system still carries after applying safeguards. It is the most important figure in the entire analysis, because it tells you exactly how much risk you are actually accepting. It is calculated by combining the impact and likelihood of each threat after discounting the effect of safeguards.
Once you have the residual risk for each asset and threat, compare it against the acceptable risk level defined by management. If residual risk falls below the threshold, accept it and document the decision. If it exceeds it, you must iterate: add or reinforce safeguards until risk drops to an acceptable level. That iteration is the heart of risk management: the goal is not to eliminate all risk (impossible) but to reduce it to a consciously accepted level.
Example: after evaluating safeguards, the consultancy sees that residual ransomware risk against the database remains high — the backups are not network-isolated and could also be encrypted. Decision: implement immutable backups and multi-factor authentication. After that improvement, residual risk drops to acceptable and is formally accepted.
Risk matrix: example SME
This illustrative matrix shows the analysis for the consultancy's critical assets, before and after safeguards:
| Asset | Main threat | Potential risk | Safeguards | Residual risk | Decision |
|---|---|---|---|---|---|
| Tax database | Ransomware | High | Daily backups (improvable) | High → Medium after immutable backups | Reinforce and accept |
| Tax database | Unauthorised access | High | Access controls + MFA | Low | Accept |
| Management app | Human error | Medium | Role-based permissions + audit log | Low | Accept |
| Corporate email | Availability failure | Medium | Cloud service with SLA | Low | Accept |
| Server | Power cut | Medium | UPS + managed service | Low | Accept |
How to value impact and likelihood
For the analysis to be consistent, MAGERIT works with scales. For an SME, qualitative scales with a few levels are usually sufficient, as long as they are applied consistently:
- Impact: measures the severity of harm if the threat materialises against the affected dimension. A common scale is low, medium, high and very high, each tied to concrete consequences (e.g. "high" = service outage for more than a day or loss of tax records).
- Likelihood or frequency: how often the threat could occur. Also graded in levels (rare, possible, frequent, very frequent).
Risk results from combining both: a very-high-impact but extremely-rare threat may yield acceptable risk, while a medium-impact but high-frequency threat may be the priority. The key is to apply the same scale across all assets so you can compare and prioritise consistently. Document the scale used — an auditor will want to understand how you reached each valuation.
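As an added worked example (not code from the original article) of how steps 3 and 4 and the scales just described fit together, the following Python models the consultancy's tax database on four-level scales: preventive safeguards lower likelihood, corrective ones lower impact, the result is read off a risk matrix, and it is compared with the level management accepts. The matrix, the safeguard effects and the sample values are assumptions chosen to reproduce the matrix rows above.

```python
# Added example, not from the original article: a minimal MAGERIT-style
# residual-risk calculation on qualitative scales for the consultancy's tax
# database. The risk matrix, safeguard effects and threshold are assumptions.
from dataclasses import dataclass, field

IMPACT = ["low", "medium", "high", "very high"]
LIKELIHOOD = ["rare", "possible", "frequent", "very frequent"]
# Assumed matrix: RISK_MATRIX[impact][likelihood] -> risk level (IMPACT labels).
RISK_MATRIX = [
    ["low", "low", "medium", "medium"],
    ["low", "medium", "high", "high"],
    ["low", "medium", "high", "very high"],
    ["medium", "high", "very high", "very high"],
]

@dataclass
class Safeguard:
    name: str
    preventive: bool  # True lowers likelihood; False (corrective) lowers impact
    effect: int       # scale levels removed; 0 = no real effect against this threat

@dataclass
class Threat:
    name: str
    dimension: str    # MAGERIT security dimension being degraded
    impact: str
    likelihood: str
    safeguards: list = field(default_factory=list)

def residual_risk(t, safeguards=None):
    """Risk after safeguards are applied; pass safeguards=[] for the potential risk."""
    imp, frq = IMPACT.index(t.impact), LIKELIHOOD.index(t.likelihood)
    for sg in t.safeguards if safeguards is None else safeguards:
        if sg.preventive:
            frq = max(0, frq - sg.effect)
        else:
            imp = max(0, imp - sg.effect)
    return RISK_MATRIX[imp][frq]

def decision(t, acceptable="medium"):
    """Accept when residual risk is at or below the level management accepts."""
    return "accept" if IMPACT.index(residual_risk(t)) <= IMPACT.index(acceptable) else "reinforce"

# Constructed data for the consultancy's tax database (values assumed).
RANSOMWARE = Threat("ransomware", "availability", "high", "frequent",
                    [Safeguard("daily backups reachable from the network", False, 0)])
ACCESS = Threat("unauthorised access", "confidentiality", "high", "frequent",
                [Safeguard("password access control", True, 1), Safeguard("MFA", True, 1)])
IMMUTABLE = Safeguard("immutable backups", False, 2)  # the reinforcement decided in step 4
```

With these values `residual_risk(RANSOMWARE)` stays "high" (decision "reinforce") because network-reachable backups are given no effect against ransomware, and `residual_risk(RANSOMWARE, RANSOMWARE.safeguards + [IMMUTABLE])` drops to "medium". For unauthorised access the two preventive safeguards take likelihood down to "rare", giving "low" and "accept".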
How often should the risk analysis be reviewed?
A risk analysis is not a one-off document. Within the ENS framework it is tied to the biennial review and audit cycle, but it should also be revisited whenever something significant changes: new systems or services, changes in how information is processed, significant new threats (a ransomware campaign in your sector, for example), or after an incident. An analysis frozen for years stops reflecting reality and loses all value. Risk management is, by definition, a continuous process — not a snapshot.
Tips for applying MAGERIT in an SME without burning out
- Don't inventory the entire universe. Focus on the assets that are genuinely critical. An endless inventory exhausts the project before it even starts.
- Be honest about safeguards. Record what is actually working, not what you think you should have. An optimistic analysis is a useless analysis.
- Document acceptance decisions. Accepting a risk is legitimate, but it must be a conscious management decision committed to writing.
- Review it regularly. The risk analysis is not a one-time document: assets, threats and safeguards change. Under the ENS, it is also tied to the audit cycle.
- Use PILAR if your system is complex. For a micro-enterprise, a well-structured spreadsheet may be enough; for larger systems, PILAR provides structure, predefined catalogues and automatic risk calculation.
Risk analysis is the foundation on which the entire ENS is built. To see how it connects with the rest of the framework, see the guide on MAGERIT risk analysis within the ENS.
Spreadsheet or PILAR tool?
A frequent question from SMEs is whether they need the official PILAR tool or can get by with a spreadsheet. The answer depends on scale and complexity:
- Spreadsheet: for a micro-enterprise or a simple system with few assets and threats, a well-structured spreadsheet — with columns for asset, dimension, threat, impact, likelihood, safeguards and residual risk — is perfectly sufficient and far more manageable.
- PILAR: when the system grows, with many interrelated assets and complex dependencies, the CCN-maintained PILAR tool adds structure, predefined threat and safeguard catalogues, and automatic risk calculation. It reduces errors and makes it easier to keep the analysis current over time.
For an SME starting out, the advice is not to obsess over tooling: what matters is understanding the method and applying it honestly. A simple, well-done spreadsheet analysis is worth more than a poorly fed PILAR with overly optimistic data.
Conclusion
MAGERIT is not a monster reserved for large public administrations: applied sensibly, an SME can analyse its risks in four steps — assets, threats, safeguards and residual risk — and make informed decisions about what to protect and to what degree. The key is to focus on what is critical, be honest about actual safeguards, and document acceptance decisions. Done this way, risk analysis stops being an ENS formality and becomes a real tool for avoiding unpleasant surprises.
Sources
- CCN — MAGERIT version 3.0, Book I: Method.
- Royal Decree 311/2022 (BOE-A-2022-7191) — requirement for risk-based security management.
- National Cryptologic Centre — ENS portal (ens.ccn.cni.es).