More and more private companies working with public administrations face a double requirement: complying with the National Security Framework (ENS) — mandatory for providers of digital services to public bodies — and obtaining or maintaining the ISO/IEC 27001 certification demanded by their corporate clients. The question we are asked most often is direct: how much do we save by doing both at once? The answer, based on experience accumulated since 2007 across more than ~200 ISO certifications accompanied, is that savings range between 30% and 45% of the combined cost if the two projects were run separately. In this article we break down why, which controls can be reused, and what the real market ranges look like for each cost item.
ENS and ISO 27001: two frameworks, one security core
The ENS, regulated by Royal Decree 311/2022 (which replaced RD 3/2010), is mandatory for public administrations and their IT service providers when they deliver services affecting information systems classified as basic, medium or high category. ISO/IEC 27001:2022, published by the International Organization for Standardization, is the global information security management system (ISMS) standard recognised by auditors and accredited certification bodies worldwide.
Both frameworks share a very similar risk architecture: identify assets, assess threats, select controls, and establish a continuous improvement cycle. Annex A of ISO 27001:2022 includes 93 controls organised across four themes (organisational, people, physical and technological); the ENS sets out 73 security measures grouped into organisational, operational and protection frameworks. When compared control by control, the effective overlap covers around 60–70% of the documentary and process controls.
That overlap is the source of the savings: the security policy, risk analysis, asset inventory, continuity plan, incident management, access procedures and staff training are written once and mapped to the requirements of both frameworks. Without a joint project, each consultancy produces that documentation independently, duplicating the effort.
ENS-exclusive controls not covered by ISO 27001
Not everything overlaps. The ENS introduces requirements specific to the Spanish administration that ISO 27001 does not address explicitly:
- System categorisation (basic, medium or high) according to the availability, integrity, confidentiality, authenticity and traceability criteria of RD 311/2022.
- ENS Statement of Applicability referencing the compliance profile published by the National Cryptologic Centre (CCN).
- CCN-STIC guides: the CCN publishes more than 800 technical guides specifying how to apply ENS measures to specific technologies (Active Directory, Windows Server, Cisco network equipment, etc.). Their application is mandatory in medium and high categories.
- Security status report and reporting to the CCN dashboard (INES) for entities subject to biennial audits.
- Use of CC (Common Criteria) or ENS certified products for certain critical components in high-category systems.
These differential requirements cannot be transferred from ISO 27001 and require specific additional work. That is why the saving is not 100% of shared controls: there is a fraction of effort exclusive to each framework that always needs to be carried out.
Comparison table: cost items in separate vs. joint projects
| Item | Separate projects (ENS + ISO 27001) | Joint project | Estimated saving |
|---|---|---|---|
| Risk analysis | Carried out twice with different methodologies | A single unified methodology valid for both frameworks | 40–50% of this item |
| ISMS documentation / organisational framework | Two sets of policies, procedures and records | One set documented with dual ENS / ISO mapping | 35–45% of this item |
| Staff training and awareness | Two training actions, potentially overlapping | One unified training action | 50–60% of this item |
| Management review and internal audit | Two separate annual cycles | One combined internal audit cycle | 30–40% of this item |
| ENS-exclusive technical controls (CCN-STIC) | Applies only to the ENS project | Applies only to the ENS project | 0% (no synergies) |
| ISO 27001 certification audit | Cost of independent certification body | Same (certification body fee, not reducible by conjunction) | 0% (fixed by the body) |
| ENS audit (biennial, for medium/high category) | Cost of CCN-accredited ENS audit entity | Same (independent) | 0% (fixed by the entity) |
| Total consultancy and implementation | Base 100% | 55–70% of separate cost | 30–45% |
Note: percentages are indicative market ranges based on projects in SMEs with 20–150 employees and basic or medium category systems. External audit costs are set by the certification bodies and ENS audit entities; they are not negotiable through the consultancy.
Real market cost ranges in Spain (2025–2026)
Below are indicative market ranges for private companies in Spain. These are not Summum Marketing fees; they reflect figures published by certification bodies, sector associations (ISACA, ISMS Forum Spain) and public administration procurement notices. The factors that shift the price within the range are detailed in the next section.
ENS implementation consultancy (basic or medium category)
For an SME with 20–80 employees and a basic or medium category information system, the market range for ENS implementation consultancy is between €8,000 and €22,000. For high category, the cost can exceed €40,000 due to CC-certified product requirements and the greater depth of applicable CCN-STIC guides.
ISO 27001:2022 implementation consultancy
Implementing ISO 27001 in a similarly sized SME (20–80 employees, no prior certification) ranges between €7,000 and €20,000. The range varies according to the number of assets in scope, the prior maturity of the system, and whether the company has an internal security officer.
Joint ENS + ISO 27001 project
Executed in an integrated way by the same consultancy, the market range for the same company profile is €10,000 to €28,000: the real saving versus adding the two separate projects (€15,000–€42,000) is between 30% and 45%, as the table above indicated.
ISO 27001 certification audit (accredited bodies)
Fees from bodies accredited by ENAC (AENOR, Bureau Veritas, SGS, Lloyd's Register, DNV…) for the certification audit of an SME with a limited scope range between €3,500 and €9,000 for the phase 1 + phase 2 initial audit (first year). Annual surveillance audits are 40–60% of that cost.
ENS biennial audit (CCN-accredited audit entities)
Entities authorised by the CCN to audit the ENS in medium or high category charge the same company profile between €4,000 and €12,000 per biennial audit, depending on the number of systems audited, the category and the number of applicable controls.
Factors that shift the price within the range
- ENS system category: basic, medium or high determines the number of applicable CCN-STIC guides and the depth of the audit. A company with several high-category systems can see consultancy costs three times higher than for basic category.
- ISO 27001 scope: how many processes, locations and assets fall within the ISMS. A reduced scope (only the service provided to the administration) is more economical than a full corporate scope.
- Prior maturity: if the company already has documented risk analyses, security policies or technical controls, the consultant's workload is significantly reduced.
- IT team size: more assets, more servers, more applications in scope means more hours of inventory and control implementation.
- Client involvement: a joint project requires more internal coordination (security officer, management, IT department). If the client can allocate internal resources to evidence-gathering tasks, external costs fall.
- Certification body: each entity sets its own fees independently. The difference between the cheapest and the most expensive for the same scope can be as much as 40%.
Typical timeline for a joint project
An integrated ENS + ISO 27001 project in an SME with basic or medium category typically follows this schedule:
- Months 1–2: gap analysis against both frameworks, asset inventory, and unified risk analysis.
- Months 3–4: design and drafting of the ISMS with dual ENS / ISO 27001 mapping. Security policy, access management, incident management, continuity and supplier procedures.
- Months 5–6: implementation of technical controls (encryption, patch management, audit logs, network segmentation) with reference to relevant CCN-STIC guides.
- Month 7: combined internal audit, management review and closure of non-conformities.
- Months 8–9: ISO 27001 certification audit (phase 1 document review + phase 2 on-site) and, where applicable, ENS audit by a CCN-authorised entity.
The total timeline is 8 to 10 months for an SME profile with basic or medium category. Running the projects separately and sequentially would take between 14 and 18 months, in addition to the higher cost.
If your company needs to demonstrate ENS compliance to a public body while also strengthening its security credentials with private clients, Summum Calidad's ENS consultancy integrates both frameworks from day one so you do not pay twice for the same work.
When does it NOT make sense to run a joint project?
Integration is not always the optimal option. There are situations where separating the projects makes more sense:
- Asymmetric regulatory urgency: if you have a public contract with an ENS accreditation deadline in 3 months and ISO 27001 is not urgent, it is better to close the ENS first and tackle ISO 27001 in a second cycle.
- Very different scopes: if the ENS system is only a minor subsystem (for example, a communications portal) while the ISO 27001 ISMS covers the entire company, integrating them can unnecessarily complicate project management.
- Different certification bodies with independence requirements: in some public contracts the ENS auditor must be independent from the implementation consultant; this can limit synergies with the ISO 27001 auditor.
Frequently asked questions
Is the ENS mandatory for a private company providing services to a local council?
Yes. Royal Decree 311/2022 extends the ENS obligation to "private sector providers that supply services or solutions to entities within the scope of application" (art. 2.2). In practice, any company that operates information systems for a public administration — from a local council to a national body — must implement the ENS in the systems affected by that service. The level of requirement (basic, medium or high) depends on the category the public body assigns to the system.
Does ISO 27001 «replace» the ENS or are they cumulative certifications?
They are cumulative and independent frameworks. ISO 27001 is issued by a certification body accredited by ENAC (the national accreditation body); the ENS is audited by an entity authorised by the CCN. Neither replaces the other before the administration, although the implementation work is highly synergistic. There are companies holding both certifications simultaneously.
Is the 30–45% saving the same for high-category ENS?
In high category the percentage saving is lower, because the exclusive ENS requirements (Common Criteria certified products, application of more in-depth CCN-STIC guides, more extensive audits) represent a larger proportion of the total cost. In practice, the consultancy and implementation saving for high category is around 20–30% versus the 30–45% of basic and medium categories.
Which bodies can audit the ENS for a private company?
The CCN publishes and updates the list of authorised ENS certification entities on its portal (ccn.cni.es). As of 2025–2026, authorised entities for medium and high categories include AENOR, Bureau Veritas, DEKRA, Lloyd's Register and several others accredited by ENAC. For basic category, verification may be carried out by a qualified internal audit or a private audit entity without the need for CCN authorisation, although many public bodies still require a recognised external entity.