Sector publico y seguridad

ENS compliance integrated with ISO 27001

If your company provides services, products or technology solutions to Spanish public-sector bodies, the Esquema Nacional de Seguridad (ENS) is not optional. Royal Decree 311/2022 (BOE-A-2022-7191) requires that the information systems of public entities and their suppliers comply with the ENS — a deadline that expired on 5 May 2024 for pre-existing systems. Summum Calidad accompanies you through this process from an information security management system (ISMS) perspective, integrating the ENS requirements with ISO 27001:2022 to leverage shared controls, reduce document duplication and prepare your organisation for the declaration or certification of conformity your system category requires. Two frameworks, one coordinated project, no unnecessary overlap.

RegulationRD 311/2022 · BOE-A-2022-7191
ProfileSuppliers to Spanish public administration
ModeStructured project with ongoing accompaniment

The Esquema Nacional de Seguridad, adopted by Royal Decree 311/2022 of 3 May, sets out the minimum security principles and requirements for Spanish public-sector information systems and for the private-sector entities that supply services to them. Its scope is broader than many companies realise: if you participate in public tenders, if you process citizens' data on behalf of a public authority, or if your software runs on public-sector infrastructure, the ENS applies to you in full. The transitional provision of RD 311/2022 allowed 24 months from the regulation's entry into force — 5 May 2022 — for existing systems to comply; that deadline passed on 5 May 2024. Operating without compliance today constitutes a breach that may jeopardise your access to public procurement and create liability for the contracting authority.

Summum Calidad approaches ENS compliance through the lens of information security management — the same lens that governs ISO 27001:2022. The two frameworks are not separate worlds: the ENS organises its requirements around a management system — security policy, risk analysis, proportionate control selection and implementation, management review, continuous improvement — which is essentially the ISO 27001 PDCA cycle applied to the Spanish public-sector context. When an organisation already holds ISO 27001 certification, or is working towards it, ENS compliance builds on existing work: Annex A controls from ISO 27001:2022 overlap with Annex II measures of the ENS, documentation serves both frameworks, and a single internal audit cycle covers the requirements of both standards. The savings compared with two parallel projects are estimated at between 30% and 40% in cost and internal effort.

System categorisation — the mandatory starting point of the ENS, governed by Annex I of RD 311/2022 — determines the level of requirement that applies: basic, medium or high, according to the impact that a security incident would have on the five security dimensions (confidentiality, integrity, availability, authenticity and traceability, or CIDAT). This categorisation defines which Annex II measures are mandatory and which conformity route is required: for basic-category systems, a self-assessed declaration of conformity suffices; for medium or high, certification by an ENAC-accredited inspection body under UNE-EN ISO/IEC 17065 is required. Summum Calidad does not issue that certification — that is the exclusive competence of accredited third parties — but we do prepare your system to pass it: gap analysis, control implementation, evidence documentation and a rigorous pre-audit review before the conformity auditor arrives.

The ENS is one piece of your company’s overall compliance. The legal layer —data protection (GDPR), outsourced DPO, whistleblowing channel, criminal compliance, equality plans and anti-money-laundering— is handled by our specialised division, Summum Consultoría, giving you a single compliance partner.

The ENS compliance integrated with ISO 27001 process.

The process · four stages
01

Initial assessment and system categorisation

We review the scope of your information systems, the services you provide to public bodies and the data you handle to determine the applicable ENS category under Annex I of RD 311/2022, assessing the impact on the five CIDAT dimensions for each in-scope service. We also assess whether you hold a current ISO 27001 certification and how far its controls already cover ENS requirements, so that existing work is reused rather than repeated.

02

ENS–ISO 27001 gap analysis

We map the Annex II ENS controls against your ISO 27001 management system controls — or against existing security practices if you do not yet have ISO 27001 — producing a prioritised gap table showing what is already covered, what is partially covered and what is missing, together with the estimated effort to close each gap before the conformity audit.

03

Integrated ISMS design and Statement of Applicability

We design or update your information security management system to cover both ISO 27001:2022 and the ENS requirements simultaneously. We draft the integrated Statement of Applicability, justifying the selection and exclusion of controls in the format expected by ENS conformity auditors, and we write the information security policy in accordance with Article 12 of RD 311/2022.

04

Control implementation and evidence documentation

We accompany the implementation of the outstanding Annex II security measures — organisational, operational and protective — and produce the required evidence documentation: procedures, records, risk analysis reports, management review minutes and training records. Everything is structured and ready to present to the conformity auditor or to underpin the self-assessed declaration of conformity. Technical control implementation (hardening, monitoring, encryption) is coordinated with our colleagues at Summum Sistemas.

What is included

What ENS compliance integrated with ISO 27001 includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (ENS Annex I)

    Document justifying the assigned category — basic, medium or high — by assessing the impact on the five CIDAT security dimensions for each in-scope service, with a traceable methodology referenced to RD 311/2022.

  • ENS–ISO 27001 gap analysis with mapped controls

    Cross-reference table of Annex II ENS controls against your ISO 27001:2022 controls, identifying reusable work, partial coverage and missing controls, with estimated effort to close each gap before the conformity audit.

  • Integrated Statement of Applicability

    Formal document recording the justified selection and exclusion of ENS controls and ISO 27001:2022 Annex A controls, in the format expected by conformity auditors and by CCN-STIC 809.

  • ENS-compliant information security policy

    Corporate security policy drafted in accordance with Article 12 of RD 311/2022 and adapted to your organisation's culture and structure: purpose, scope, roles, management commitment and review cycle.

  • Procedures, records and evidence package

    Full set of operational procedures, records and evidence demonstrating real control implementation: user and access management, backups, vulnerability management, change control, incident management and staff training.

  • Pre-audit review and conformity rehearsal

    For medium or high category, an internal audit simulating the ENAC-accredited body's approach: evidence review, identification of weak points and remediation before the external auditor arrives, minimising the risk of findings during the certification audit.

Frequently asked questions about ENS compliance integrated with ISO 27001.

When does the ENS apply to a private company?

A private company must comply with the ENS when it provides services or solutions to Spanish public-sector entities that are themselves subject to the ENS. This includes software suppliers, cloud-service providers, system maintenance firms, companies that process data on behalf of public authorities, and any other service where the private company's systems interact with public-sector systems or data. The general compliance deadline for pre-existing systems was 5 May 2024, as set out in the transitional provision of RD 311/2022. New systems deployed after that date must comply from day one.

What is the difference between basic, medium and high ENS category?

The category is determined by assessing the impact that a security incident would have on each of the five CIDAT security dimensions for each in-scope service. If the highest impact across all dimensions is LOW, the system is basic; if any dimension reaches MEDIUM impact, it is medium; if any reaches HIGH impact, it is high. The category determines which Annex II measures are mandatory and the required conformity route: basic = self-assessed declaration of conformity; medium or high = certification by an ENAC-accredited inspection body.

Can I integrate ENS compliance with my existing ISO 27001 certification?

Yes, and this is the most efficient approach. ISO 27001:2022 and the ENS share a very similar management structure, and many controls overlap or complement each other. With ISO 27001 certified, the gap towards the ENS focuses only on Spain-specific aspects: Annex I categorisation, Annex II controls without a direct ISO 27001 equivalent, and adapting documentation to the CCN format. Summum Calidad carries out the precise gap analysis and closes only what is missing, without repeating work that is already in place.

Who issues the ENS certificate of conformity?

For basic-category systems, conformity is evidenced by a self-assessed declaration of conformity produced by the organisation itself, following the procedure set out in CCN-STIC 809. For medium or high-category systems, certification must be carried out by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Calidad does not issue any conformity certificate — that is the exclusive competence of accredited bodies — but we prepare your system to pass the certification process.

How long does ENS compliance take?

It depends on the system's category, the size of the organisation and the existing security baseline. For basic-category systems with security practices already in place, the process can be completed in three to six months. For medium or high category, with complex systems and no prior ISO 27001, the process typically requires nine to eighteen months, including full MAGERIT risk analysis, implementation of technical and organisational measures, and the conformity audit by the accredited body.

What is the Statement of Applicability in the ENS context?

The Statement of Applicability (DoA) is a document that records, for each control in ENS Annex II, whether it applies to the system, to what extent it has been implemented, and the justification for any exclusions. It is a requirement of both the ENS and ISO 27001:2022, which facilitates integrated drafting. The DoA is one of the documents that conformity auditors examine most closely, so its rigour and completeness is decisive for the audit outcome.

How often must ENS conformity be renewed?

Annex III of RD 311/2022 requires that information systems subject to the ENS undergo a security audit at least every two years. For basic-category systems, the self-assessed declaration of conformity follows the same biennial cycle. For medium or high category, the accredited body carries out the renewal audit within that period. Any significant change to the scope or architecture of the information system may require an extraordinary audit outside the regular cycle.

Are the ENS and the GDPR complementary or overlapping?

They are complementary. The ENS governs the security of information systems in the public-sector context and for their suppliers; the GDPR governs the protection of EU citizens' personal data. When a public-sector supplier handles citizens' personal data — the most common scenario — both frameworks apply simultaneously. Many Annex II ENS security measures — access management, encryption, backups, incident management — also satisfy GDPR security requirements, so addressing them in an integrated way reduces documentary duplication.