Sector publico y seguridad

ENS compliance in Burgos: information security management for public-sector suppliers

If your company in Burgos supplies services, software or manages information systems for the Diputación de Burgos, the Ayuntamiento de Burgos or the Universidad de Burgos (UBU), the Esquema Nacional de Seguridad (National Security Framework) applies to you in full force. RD 311/2022 (BOE-A-2022-7191) requires both public-sector entities and their suppliers and contractors to bring their information systems into line with the ENS, at the basic, medium or high level depending on the potential impact of a security incident. Summum Calidad guides you from the information security management system (ISMS) perspective: integrated with ISO 27001 when you already hold that certification, built from the ground up when you do not. A structured project, free of duplication, focused on helping you pass the conformity declaration or certification your category demands.

RegulationRD 311/2022 · BOE-A-2022-7191
Local scopeDiputación de Burgos · Ayuntamiento de Burgos · UBU
ApproachAccompaniment and preparation — Summum Calidad

Burgos has a growing technology and services business community with increasing participation in local and provincial public procurement. The Diputación de Burgos manages services for more than 370 municipalities in the province and regularly tenders contracts covering information systems, technology maintenance and digitisation projects. The Ayuntamiento de Burgos, with a well-established electronic administration, procures document management solutions, citizen-facing platforms and cloud services. The Universidad de Burgos (UBU), as a public higher-education entity, is also subject to the ENS and brings its technology suppliers into scope. Any Burgos-based company operating in any of these environments must have completed its ENS compliance: the general deadline for existing systems expired on 5 May 2024, in accordance with the sole transitional provision of RD 311/2022, and new systems must comply from the moment they go live.

The Esquema Nacional de Seguridad organises its requirements around an information security management system: policy, risk analysis, proportionate selection of measures, operation, monitoring and continuous improvement. This approach is structurally identical to the Plan-Do-Check-Act cycle of ISO 27001:2022, making the integration of both frameworks the most efficient path for a public-sector supplier. Annex II of RD 311/2022 contains 75 security measures organised across three frameworks (organisational, operational and protection) and 16 families, of which 7 families and 33 measures belong to the operational framework — including the op.nub family on cloud service security, which is especially relevant for SaaS suppliers hosting applications for Burgos-based public entities. When an organisation already has an ISO 27001 ISMS in place, many of those measures are already covered or require only a documentary adaptation to the ENS context.

The category of the system — basic, medium or high — is determined by assessing the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for each service in scope. The category is not a minor detail: it determines which Annex II measures are mandatory and, above all, what form of conformity is required. For basic-category systems, conformity is demonstrated through a self-assessed conformity declaration in accordance with CCN-STIC 809. For medium or high-category systems, certification by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065 is mandatory. Summum Calidad does not issue conformity certificates — that is the exclusive remit of accredited third parties — but prepares your organisation to enter that process in the best possible condition: documented system, complete evidence and gaps closed before the external auditor arrives.

The ENS compliance in Burgos process.

The process · four stages
01

Initial diagnosis and system categorisation

We analyse the services you provide to Burgos-based public bodies — Diputación, Ayuntamiento, UBU or other provincial public-sector entities — and the information systems involved. We apply Annex I of RD 311/2022 to determine the ENS category that applies to your case, assessing the CIDAT impact for each dimension. If you already hold an ISO 27001 certification, we identify from the outset which controls can be reused and which ENS-specific gaps remain to be addressed.

02

Gap analysis: ENS versus your existing management system

We map the 75 Annex II measures of RD 311/2022 against the controls of your ISO 27001 ISMS or against your current security practices if you do not yet hold the certification. The result is a prioritised gap table — controls that are absent, partially covered or directly reusable — with an estimated effort to close each gap before the conformity audit. We pay particular attention to the op.nub family if your services are delivered from the cloud.

03

Integrated ISMS design and Statement of Applicability

We design or update the information security management system to cover both the ENS requirements and those of ISO 27001:2022 simultaneously. We produce the integrated Statement of Applicability, which justifies the selection and exclusion of controls in the format expected by ENS conformity auditors and by CCN-STIC 809, and we draft the information security policy in accordance with Article 12 of RD 311/2022.

04

Control implementation and evidence documentation

We support the implementation of the pending Annex II security measures — organisational, operational and protection-related — and produce the evidence documentation: procedures, records, risk analysis reports, management review minutes and training records. The technical implementation side (hardening, monitoring, PILAR/MAGERIT tools) is coordinated, when the project requires it, with Summum Sistemas.

What is included

What ENS compliance in Burgos includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (ENS Annex I)

    Document justifying the assigned category — basic, medium or high — by assessing the CIDAT impact for each service provided to Burgos-based public bodies, with a traceable methodology referenced to RD 311/2022.

  • ENS–ISO 27001 gap analysis with mapped controls

    Cross-reference table of the 75 Annex II ENS measures against your management system controls, identifying direct reuses, partial gaps and absent controls, with estimated effort to close each gap.

  • Integrated ENS–ISO 27001 Statement of Applicability

    Formal document recording the justified selection and exclusion of controls in the format expected by conformity auditors and CCN-STIC 809, integrated with the ISO 27001:2022 Statement of Applicability where applicable.

  • Information security policy compliant with the ENS

    Corporate policy drafted in accordance with Article 12 of RD 311/2022 and adapted to your organisation's culture and structure: purpose, scope, roles, management commitments and biennial review cycle.

  • Evidence package for the conformity audit

    Complete set of operational procedures, records and evidence demonstrating the real implementation of controls: user and access management, backups, vulnerability management, change control, incident management and personnel training.

  • Pre-audit review and conformity simulation

    For medium or high-category systems, an internal audit that simulates the ENAC-accredited entity's process: evidence review, identification of weaknesses and correction before the external auditor arrives, minimising the risk of non-conformities.

Summum cluster

How it connects with its sisters.

ENS compliance in Burgos from the management system perspective is complemented by the technical implementation of the Annex II measures carried out by Summum Sistemas: risk analysis with MAGERIT and the PILAR tool, system hardening, monitoring configuration and preparation of the technical evidence package. Together, the two teams cover both the documentary-normative and the technical-operational dimensions in a single coordinated project, so you do not have to manage two separate suppliers for the same compliance effort.

Frequently asked questions about ENS compliance in Burgos.

Does my Burgos-based company need to comply with the ENS if it only works with the Diputación or the Ayuntamiento de Burgos?

Yes. RD 311/2022 establishes that the ENS applies not only to public-sector entities themselves but also to their suppliers and contractors when the private company's information systems interact with those of the public sector. If you provide technology services, manage citizens' data or supply software to the Diputación de Burgos, the Ayuntamiento de Burgos or the Universidad de Burgos (UBU), your obligation to comply with the ENS is full and unconditional. The deadline for existing systems expired on 5 May 2024; new systems must comply from the moment they go live.

Is the Universidad de Burgos (UBU) subject to the ENS, and does that extend to its ICT suppliers?

Yes. The Universidad de Burgos is a public higher-education entity and is expressly included in the scope of Article 2 of RD 311/2022. This means its information systems must comply with the ENS and that the suppliers managing or accessing those systems — academic management platforms, cloud services, ICT infrastructure maintenance — are equally obliged to comply at the category level that corresponds to those services.

What ENS category typically applies to a cloud-service supplier for the local Burgos administration?

It depends on the service and the data processed, but SaaS suppliers hosting applications for public-sector entities often categorise their systems as basic or medium. If the application manages citizens' personal data, budgetary information or administrative files with significant criticality, the medium category is common. The high category is less frequent in the local government context but can arise for systems managing critical infrastructure or emergency services. The final categorisation requires assessing the five CIDAT dimensions case by case — which is the first step of every project we undertake.

What is the advantage of integrating ENS compliance with ISO 27001 rather than treating them separately?

The main advantage is efficiency. Both frameworks share a very similar management structure — security policy, risk analysis, control selection, audit and continuous improvement — and many Annex II ENS controls have direct or partial equivalents in Annex A of ISO 27001:2022. With a certified or in-progress ISO 27001 ISMS, the gap towards the ENS is limited to the aspects specific to the Spanish framework. Addressing both frameworks in a single project avoids duplicating risk analyses, documentation and internal audits, with an estimated saving of 30–40 % compared to two independent projects.

Who certifies ENS conformity for medium or high-category systems in Burgos?

Conformity with the ENS for medium or high-category systems can only be certified by inspection bodies accredited by ENAC under the standard UNE-EN ISO/IEC 17065. Summum Calidad does not issue that certificate. What we do is prepare your system — documentation, implemented controls, evidence and pre-audit review — so that you pass the certification process with the accredited body of your choice. For basic-category systems, conformity is demonstrated through a self-assessed conformity declaration in accordance with CCN-STIC 809, which we fully prepare and accompany.

How does the ENS affect a Burgos-based company looking to bid for public contracts in the coming months?

ENS compliance is a technical solvency requirement in the procurement specifications of public contracts involving information systems. If you want to bid with the Diputación de Burgos, the Ayuntamiento de Burgos or the UBU for contracts that involve managing public-sector data or systems, the specifications will typically require proof of ENS compliance at the category corresponding to the contract. Failing to have completed it can disqualify you outright from that tender. Starting the project with sufficient lead time — a minimum of three to six months for basic category, nine to eighteen for medium or high — is the only way to be ready in time.