Certification ENS
Complete preparation and end-to-end support for ENS (Spanish National Security Framework) certification, mandatory for Spanish public sector entities and their critical suppliers.
Regulatory Framework
What is the ENS?
The National Security Framework (ENS) is the regulatory framework that establishes security policy for the use of electronic means by Public Administrations and their suppliers in Spain.
ENS compliance is mandatory for public sector entities and for private suppliers whose solutions or services support those entities' systems. Conformity is demonstrated with a self-assessment declaration for Basic category systems and with a certification of conformity issued by an accredited certification body for Medium and High category systems. Systems are categorized as Basic, Medium, or High according to the impact a security incident would have.
Basic Category
Systems where an incident would have a limited impact on the organization.
~40 security measures
Medium Category
Systems where an incident would have a significant impact.
~60 security measures
High Category
Systems where an incident would have a catastrophic impact.
~75 security measures
Process
ENS Certification Process
Six phases tailored to the requirements of the National Security Framework (ENS).
CATEGORIZATION
Determination of the system category (Basic, Medium, High) from the valuation of each security dimension: availability, integrity, confidentiality, authenticity, and traceability. Each dimension is rated Low, Medium, or High according to the impact of an incident, and the system category is the highest level reached in any dimension.
- Dimension assessment
- Assigned category
- Defined scope
ENS GAP ANALYSIS
Assessment of current compliance against the full ENS measure catalogue (Annex II of Royal Decree 311/2022), filtered to the measures applicable at the system's category.
- Gap analysis report
- Compliance level
- Action plan
STATEMENT OF APPLICABILITY
Selection of applicable security measures and justification for those not applicable.
- Statement of applicability
- Applicable measures
- Exclusion justification
IMPLEMENTATION
Implementation of ENS organizational, operational, and technical controls.
- Policies and standards
- Operational procedures
- Technical configurations
INTERNAL AUDIT
Full preparatory audit with a non-conformity report and corrective action plan.
- Audit report
- Non-conformities
- Corrective actions
CERTIFICATION
Support during the official audit conducted by the accredited certification body.
- Audit support
- Findings management
- ENS certification achieved
Controls
ENS Control Families
Organizational Framework
Security policy, security standards, procedures, and authorization processes.
Operational Framework
Planning, access control, operations, external services, continuity, and monitoring.
Protection Measures
Protection of facilities, personnel, equipment, communications, media, applications, information, and services.
Required
Required Technical Audits
We perform all the technical audits the ENS requires and deliver audit-ready reports.
Vulnerability Analysis
op.exp.4 (maintenance and security updates)
Periodic vulnerability analysis of systems and infrastructure within the ENS scope.
Penetration Testing
mp.sw.2 (acceptance and commissioning); note that op.exp.5 is change management, not testing
Penetration tests, required by the ENS for higher-category systems, to validate the resilience of systems against attacks.
Configuration Review
op.exp.2 / op.exp.3 (security configuration and its management)
Verification of secure configurations on servers, networks, and applications.
Communications Audit
mp.com (protection of communications)
Assessment of communications security, encryption, and perimeter protection.
Access Control Review
op.acc (access control)
Validation of access policies, authentication, and privilege management.
Deliverables
What You Receive
Security Policy
Security policy document tailored to ENS requirements.
Security Standards
Specific standards for each ENS security area.
Operational Procedures
Detailed procedures for the secure operation of systems.
Statement of Applicability
List of applicable measures with exclusion justifications.
Internal Audit Report
Preparatory audit with findings and corrective actions.
Technical Reports
Penetration testing results, vulnerability analysis, and configuration reviews.
FAQ
Frequently Asked Questions
What is the ENS and who must comply with it?
The National Security Framework (ENS) is the Spanish regulation governing security in the use of electronic means by Public Administrations. It is mandatory for all public sector entities and for suppliers whose technology solutions or services support those entities' systems.
How many ENS categories are there?
Three: Basic, Medium, and High. The category depends on the impact a security incident would have across the dimensions of availability, integrity, confidentiality, authenticity, and traceability, and is set by the highest level reached in any dimension. The higher the category, the more measures are mandatory and the stricter their reinforcements.
How long does ENS certification take?
Typically between 4 and 8 months, depending on the category, organization size, and current maturity level. Basic category can be achieved in 3 to 4 months; High category may require 8 to 12 months.
Is ENS the same as ISO 27001?
No, but they are complementary. ENS is a mandatory Spanish regulation for the public sector and its suppliers. ISO 27001 is a voluntary international standard. They share many controls, and pursuing both certifications in a single project is more efficient than doing them separately.
Does the ENS require technical audits?
Yes. The ENS requires technical verification such as vulnerability analysis (op.exp.4, maintenance and security updates) and, for higher-category systems, penetration tests (mp.sw.2, acceptance and commissioning). Our service includes all necessary technical audits performed by our penetration testing team.
I am a private company. Do I need the ENS?
If you provide technology solutions or services that support Public Administration systems, you must comply with the ENS, and for Medium and High category systems that means a certification of conformity from an accredited body; Basic category systems can use a self-assessment declaration. ENS conformity is increasingly a requirement in public procurement tenders, and without it many public contract opportunities are closed to you.
Does ENS certification expire?
Yes. ENS certification is valid for 2 years. Annual surveillance audits and a recertification audit every 2 years are required. The regulation itself requires a regular conformity audit at least every two years, plus an extraordinary audit whenever the system undergoes substantial changes, and continual review of the system's security.
Which guides does the ENS rely on?
The ENS is developed through the CCN-STIC guidelines from the National Cryptologic Center (CCN). Key references include CCN-STIC-801 (roles and responsibilities), CCN-STIC-802 (ENS auditing), CCN-STIC-803 (system valuation and categorization), CCN-STIC-804 (implementation of ENS measures), CCN-STIC-809 (declaration and certification of conformity), CCN-STIC-823 (use of cloud services), and the CCN-STIC configuration guides for various technologies.
Ready to protect your business?
Request a free initial assessment and discover how we can strengthen your organization's security. No obligation.