Las Palmas de Gran Canaria is home to the principal institutions of the eastern Canary Islands: the Gobierno de Canarias, the Cabildo de Gran Canaria, the city's Ayuntamiento and the ULPGC all manage high-impact information systems — population registers, electronic offices, tax management under the Canarian Economic and Fiscal Regime (REF), public procurement platforms — and are all subject to the Esquema Nacional de Seguridad. This institutional concentration makes Las Palmas one of the most active public procurement markets in the Canary Islands, with a constant flow of tenders for technology services, digital infrastructure maintenance and administrative management solutions. For any company wishing to compete in that market, ENS compliance is not an optional formality: it is an access requirement that the technical specifications of these administrations are incorporating with increasing frequency.
Summum Calidad approaches ENS compliance from an information security management system perspective — the same axis that structures ISO 27001:2022. The ENS is not a disconnected technical checklist; its framework — security policy, risk analysis, system categorisation, proportionate control selection, review and continuous improvement — mirrors the PDCA cycle that ISO 27001 has applied to the corporate context for decades. When a supplier already holds a valid ISO 27001 certificate, or is actively working towards one, the path to ENS compliance shortens considerably: the controls in Annex A of ISO 27001:2022 directly cover many of the 75 measures in Annex II of the ENS, distributed across three frameworks (organisational, operational and protective) and sixteen families, including the op.nub family governing cloud service use — particularly relevant for companies providing cloud services to Canarian public bodies.
The ENS category of the system — basic, medium or high, depending on the impact across the five CIDAT security dimensions — determines both the required measures and the conformity route. For basic-category systems, the regulation allows a self-assessed declaration of conformity in accordance with CCN-STIC 809, without the involvement of an accredited third party. For medium or high category, certification must be carried out by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Calidad does not issue conformity certificates — that is the exclusive competence of accredited third parties. Our work consists of preparing the organisation's management system so that, when the external auditor arrives, they find genuinely implemented controls, rigorous documentation and auditable evidence. The goal is for the conformity audit to be the natural culmination of work done properly, not an improvised test.