One of the aspects that causes most confusion in National Security Framework (ENS) compliance projects is the ecosystem of methodologies and tools that the National Cryptologic Centre (CCN) makes available to organisations. Acronyms such as MAGERIT, PILAR, INES, AMPARO or CLARA appear in CCN-STIC series 800 guides and in conformity auditor requirements, but it is not always clear what each one does, when it should be used and whether it is accessible to a private company. This guide clarifies those doubts.
What is MAGERIT and why is it the reference method for ENS risk analysis?
MAGERIT — Methodology for Risk Analysis and Management of Information Systems of Public Administrations — is the official risk analysis methodology published by Spain's Ministry of Finance and Public Function. Although Royal Decree 311/2022 of 3 May (BOE-A-2022-7191) does not impose the exclusive use of MAGERIT, CCN-STIC Guides 806 and 808 reference it as the standard methodology, and conformity auditors are trained to interpret its reports without adaptation.
MAGERIT structures risk analysis into four phases: asset inventory (identifying and classifying what has value to the organisation), threat assessment (determining what could damage each asset), impact and risk calculation (probability × impact per security dimension) and treatment plan (deciding which measures to apply to reduce risk to an acceptable level). The result is the system risk map, which directly justifies which Annex II measures must be implemented, at what reinforcement level and by when.
The current version is MAGERIT v3, published in 2012 and still in force. It is freely distributed as a document on the Ministry of Finance portal and is organised into three books: the Method, the Element Catalogue (asset types, threats and safeguards) and the Techniques Guide.
How does the CCN's PILAR tool work and what does it contribute to the ENS process?
PILAR — Logical IT Procedure for Risk Analysis — is the software tool the CCN develops and maintains to automate risk analysis using MAGERIT methodology. Its role is central to the ENS compliance process: without documented and traceable risk analysis, it is not possible to justify the selection of Annex II measures or obtain conformity.
PILAR enables you to:
- Build the asset inventory for the information system with its dependency tree.
- Rate each asset on the five CIDAT security dimensions (confidentiality, integrity, availability, authenticity and traceability).
- Identify and quantify threats by asset type, applying the MAGERIT threat catalogue.
- Calculate intrinsic risk and residual risk after applying existing safeguards.
- Generate structured reports in the format ENS conformity auditors expect, including the risk map and treatment plan.
PILAR is distributed in different versions: a free basic version with access via registration on the CCN portal, suitable for basic category systems, and more comprehensive versions for complex medium and high category systems. The CCN updates the tool regularly to keep it aligned with CCN-STIC guides and regulatory changes.
What is INES and when is it used in the ENS?
INES — National Security Assessment Index — is the CCN tool specifically designed for the self-assessment of basic category systems. It guides the organisation through a structured sequence of questions about the implementation of the Annex II measures applicable to its category, rates the degree of compliance with each measure and generates a results report in the format required to support the self-assessed declaration of conformity.
The basic category declaration of conformity — the procedure regulated in CCN-STIC Guide 809 — does not require an ENAC-accredited third party to verify controls, but it does require that the self-assessment be rigorous, traceable and documented with real evidence. INES provides the structured framework for conducting that self-assessment with guarantees and in the format that contracting Administrations can review.
INES also serves as a preliminary diagnostic tool: before beginning the compliance project, it can quickly identify the most critical gaps in basic category systems and prioritise the implementation work.
What is AMPARO used for in medium and high category ENS systems?
AMPARO — Application for Protection Measures and Risk Analysis and Organisation — is the CCN tool geared towards the continuous security management of medium and high category systems once the initial compliance has been completed. Unlike INES, which is a point-in-time assessment tool, AMPARO is designed for ongoing monitoring of the system's security status throughout the biennial conformity cycle.
AMPARO enables management of the risk treatment plan, recording the implementation status of each Annex II measure, documenting system changes that may affect categorisation and generating periodic security status reports. This information is particularly valuable when the biennial renewal audit arrives: the auditor from the ENAC-accredited body can verify not only the current state of controls but also their evolution over time, which reinforces the credibility of the security management system.
What is CLARA and how does it facilitate the ENS conformity audit?
CLARA — CHECKlist-based Lightweight Assessments for Reviewing Administration — is the CCN tool that structures the auditor's verification checklists for ENS conformity review. It provides a set of checks organised by Annex II measure, at the reinforcement level corresponding to the system's category, that the internal or external auditor can use to systematise their review.
From the perspective of the organisation preparing for the audit, CLARA is a valuable asset: it enables an internal pre-audit using exactly the same sequence of checks that the external auditor will use, detecting deviations in advance that could lead to non-conformities. For medium and high category systems, a pre-audit review with CLARA before the ENAC-accredited body arrives significantly reduces the probability of surprises and, therefore, the cost and timeline of the certification process.
Can a private company access and use these CCN tools?
Yes. The CCN makes PILAR, INES, AMPARO and CLARA available to any organisation that needs to comply with the ENS — both public sector entities and private supplier companies — with access subject to registration on the CCN portal. Access is free and the CCN itself provides up-to-date user documentation.
However, there are practical aspects worth bearing in mind:
- PILAR has a moderate learning curve: building a consistent asset and dependency tree that accurately reflects the real system requires knowledge of MAGERIT methodology and experience with the type of system being analysed.
- PILAR reports are the core input of the risk analysis that conformity auditors review most carefully; a superficial analysis or one with poorly valued assets is one of the most frequent causes of non-conformity findings.
- Integrating the outputs of PILAR, INES and AMPARO into the overall security management system documentation requires technical judgement to ensure the whole is coherent and directly usable in the audit.
For those reasons, organisations with medium or high category systems typically work with a specialist team that has mastery of the tools and the regulatory framework. As explained in detail in the guide on ENS Annex II security measures, the technical implementation of controls and evidence generation are processes that require both regulatory and technical knowledge.
How does Summum Sistemas integrate these tools into the ENS compliance process?
At Summum Sistemas we integrate MAGERIT, PILAR, INES, AMPARO and CLARA as everyday working tools in our ENS compliance projects, not as documentary appendices. The workflow is as follows:
- We build the client system asset inventory in PILAR, with dependencies and CIDAT ratings backed by documentary justification.
- We run the complete risk analysis using MAGERIT v3, producing the residual risk map that determines the Annex II measure selection.
- We prepare the compliance plan with CCN-STIC 806, prioritising measures by impact on residual risk.
- We implement technical controls applying platform- and domain-specific CCN-STIC guides.
- We configure INES (basic category) or AMPARO (medium/high) and generate reports in the format auditors expect.
- We conduct the pre-audit review with CLARA, detecting and correcting deviations before the conformity process.
- We deliver the complete technical evidence package organised to minimise audit time and uncertainty.
This approach ensures the system not only complies on paper but has active, verifiable controls. Our ENS technical implementation service covers the entire process from asset inventory to delivery of the complete evidence package. Forensic analysis of incidents that occurred during the compliance process — or historical incidents that need to be documented — is another area in which we work alongside the incident response team to ensure the incident management history is aligned with Annex II requirements.