Sector publico y seguridad

ENS compliance in Valladolid through information security management

The Junta de Castilla y León, the Diputación Provincial de Valladolid, the Ayuntamiento de Valladolid and the Universidad de Valladolid (UVa) represent one of the largest concentrations of public-sector procurement in central Spain. If your company supplies software, cloud services, system maintenance or any other technology solution to these institutions, the Esquema Nacional de Seguridad (RD 311/2022, BOE-A-2022-7191) already obliges you: the compliance deadline for existing systems expired on 5 May 2024. Summum Calidad guides you through that process from the information security management system (ISMS) perspective, integrating ENS requirements with those of ISO 27001:2022 to reuse common controls, eliminate documentary duplication and reach the declaration or certificate of conformity that your system category requires.

RegulationRD 311/2022 · BOE-A-2022-7191
ProfileSuppliers of the Junta de Castilla y León and Valladolid public entities
ModalityStructured project with continuous accompaniment

Valladolid hosts the presidency of the Junta de Castilla y León and numerous regional government departments, making it the primary hub for public-sector technology procurement across the autonomous community. The Diputación Provincial, the Ayuntamiento de Valladolid and the Universidad de Valladolid add to that demand contracts for digital services, infrastructure maintenance, bespoke software development and the processing of citizens' data. All these entities are subject to the ENS as public-sector bodies; consequently, all their suppliers whose information systems come into contact with theirs must comply with the same Esquema Nacional de Seguridad. Article 2 of RD 311/2022 is unambiguous: the ENS also applies to private entities when their information systems process public-sector information or provide services to public-sector entities.

Summum Calidad approaches ENS compliance from the management and continual improvement perspective — the same approach that underpins ISO 27001:2022. Both frameworks share the same logic: security policy, risk analysis, proportionate control selection, documented implementation and periodic review. When a company in Valladolid already holds an ISO 27001-certified ISMS, the gap towards ENS compliance focuses on the aspects specific to the Spanish framework — the categorisation under Annex I, controls in Annex II without an exact equivalent in the international standard, and adapting documentation to the CCN format — and the additional effort is considerably less than starting a project from scratch.

Annex II of RD 311/2022 contains 75 security measures across three frameworks (organisational, operational and protective) and 16 families, including the op.nub family specifically for cloud services — highly relevant for SaaS providers operating in the public-sector ecosystem of Castilla y León. System categorisation — basic, medium or high according to impact on the five CIDAT dimensions — determines which measures are mandatory and which conformity path applies: for basic category, a self-assessed declaration of conformity under CCN-STIC 809; for medium or high category, certification by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Calidad does not issue that certificate — that is the exclusive competence of accredited bodies — but prepares your system to pass that process with confidence, from initial categorisation through to the pre-audit review.

The ENS compliance in Valladolid through information security management process.

The process · four stages
01

Initial diagnosis and system categorisation

We analyse the scope of your information systems in relation to active or pending public contracts with Valladolid entities — Junta de Castilla y León, Diputación, Ayuntamiento, UVa or others — and determine the ENS category that applies under Annex I of RD 311/2022, assessing impact across the five CIDAT security dimensions. At the same time, we identify your starting point in terms of management systems — whether you hold or are pursuing ISO 27001 certification — in order to design the most efficient route to ENS conformity.

02

ENS–ISO 27001 gap analysis

We map the 75 controls of Annex II — across 16 families and three frameworks — against the controls of your ISO 27001 management system or existing security practices. The result is a prioritised gap table with the estimated effort to close each gap, distinguishing what can be reused directly, what requires minor adjustment and what must be implemented from scratch, with particular attention to the op.nub family if you use cloud infrastructure or services to deliver your service to the Castilla y León public administration.

03

Integrated ISMS design and Statement of Applicability

We design or update the information security management system to cover simultaneously the requirements of ISO 27001:2022 and the ENS. We produce the integrated Statement of Applicability, which justifies the selection and exclusion of controls in conformity with the format of CCN-STIC 809, and draft the information security policy according to Article 12 of RD 311/2022, adapted to your organisation's structure and culture.

04

Control implementation and evidence documentation

We accompany the implementation of the pending security measures in Annex II — organisational, operational and protective — and generate the required evidence documentation: procedures, records, risk analysis reports, management review minutes and personnel training records. Everything is structured and ready to present to the conformity auditor or to support the self-assessed declaration of conformity. The technical implementation of controls — hardening, monitoring, encryption — is coordinated with our colleagues at Summum Sistemas.

What is included

What ENS compliance in Valladolid through information security management includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (ENS Annex I)

    Document justifying the category assigned — basic, medium or high — assessing impact across the five CIDAT dimensions for each in-scope service, with a traceable methodology referenced to RD 311/2022 and the company's public-sector contractual context in Valladolid.

  • ENS–ISO 27001 gap analysis with mapped controls

    Cross-reference table of the 75 controls of ENS Annex II with the controls of your ISO 27001:2022 system, identifying reusable elements, partial gaps and absent controls, with estimated effort to close each gap before the conformity audit.

  • Integrated Statement of Applicability

    Formal document recording the justified selection and exclusion of ENS controls and ISO 27001:2022 Annex A controls, in conformity with the format expected by conformity auditors and by CCN-STIC 809.

  • ENS-compliant information security policy

    Corporate policy drafted in accordance with Article 12 of RD 311/2022, adapted to your organisation's structure and contractual relationships with the public sector of Castilla y León: purpose, scope, roles, management commitments and review cycle.

  • Procedures, records and evidence package

    Complete set of operational procedures, records and evidence demonstrating real implementation of controls: user and access management, backups, vulnerability management, change control, incident management and personnel training.

  • Pre-audit review and conformity simulation

    For medium or high category, an internal audit simulating the ENAC-accredited body's process: evidence review, identification of weak points and correction before the external auditor arrives, minimising the risk of non-conformities in the certification audit.

Summum cluster

How it connects with its sisters.

ENS compliance in Valladolid is strengthened when the documentary and normative side led by Summum Calidad is complemented by the technical implementation of Annex II measures carried out by Summum Sistemas: MAGERIT/PILAR risk analysis, system and service hardening, security event monitoring and preparation of the technical evidence package. Two specialist teams, one coordinated project, so that your company can tender to public institutions in Valladolid and the Junta de Castilla y León with full compliance guarantees.

Frequently asked questions about ENS compliance in Valladolid through information security management.

Why do suppliers of the Junta de Castilla y León need to comply with the ENS?

The Junta de Castilla y León, headquartered in Valladolid, is a regional public-sector administration subject to the Esquema Nacional de Seguridad. Article 2 of RD 311/2022 establishes that the ENS also applies to private entities when their information systems process public-sector information or provide services to entities subject to the framework. If your company manages citizens' data, operates systems on behalf of the Junta, or supplies technology solutions to it, you must comply. The deadline for existing systems was 5 May 2024.

Does the ENS also apply to suppliers of the Ayuntamiento de Valladolid and the Universidad de Valladolid?

Yes. Both the Ayuntamiento de Valladolid and the Universidad de Valladolid (UVa) are public-sector entities subject to the ENS. Their digital services contracts — software development, system maintenance, cloud services, processing of citizens' or students' data — pass the ENS compliance obligation on to their private suppliers. The Diputación Provincial de Valladolid is in the same position. If you tender for or provide services to any of these institutions, the ENS applies to you.

How do I know whether my system is basic, medium or high category?

The category is determined by assessing the impact a security incident would have on the five CIDAT dimensions — confidentiality, integrity, availability, authenticity and traceability — for each in-scope service. If the maximum impact across any dimension is LOW, the system is basic category; if any dimension reaches MEDIUM, it is medium category; if any reaches HIGH, it is high category. The category determines which Annex II measures are mandatory and whether you need a self-assessed declaration of conformity (basic) or certification by an ENAC-accredited body (medium or high). Summum Calidad carries out that categorisation analysis as the first step of the project.

Can I integrate ENS compliance with my existing ISO 27001 certification?

Yes, and it is the most efficient route. ISO 27001:2022 and the ENS share the same management system logic — security policy, risk analysis, control selection, review and continual improvement — and many of their controls are coincident or directly reusable. With ISO 27001 certified or in progress, the gap towards ENS focuses on aspects specific to the Spanish framework: the Annex I categorisation, controls without an exact ISO 27001 equivalent and adapting documentation to the CCN format. Summum Calidad closes only what is missing, without repeating what already works.

What are the 75 measures in ENS Annex II and which ones apply to me?

Annex II of RD 311/2022 contains 75 security measures organised across three frameworks — organisational, operational and protective — and 16 families. The applicable measures depend on your system's category: basic, medium or high. Not all 75 measures are mandatory at every level; each measure specifies which categories it applies to. Among the families most relevant for digital services providers are op.nub (cloud services security), mp.com (communications protection) and op.exp (operations). Summum Calidad identifies the exact subset of measures that applies to you and prioritises their implementation by effort and impact on conformity.

What is the difference between the ENS declaration of conformity and ENS certification?

For basic-category systems, conformity is accredited through a self-assessed declaration of conformity by the organisation itself, following the procedure of CCN-STIC 809: the company declares under its own responsibility that it meets the ENS requirements for that category. For medium or high category, conformity must be certified by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065: an independent third party audits the system and issues the certificate. Summum Calidad does not issue that certificate — that is the exclusive competence of accredited bodies — but does prepare your documentation, controls and evidence to pass that certification process with confidence.