Sector publico y seguridad

ENS compliance in Las Palmas de Gran Canaria: integrated with ISO 27001

The Gobierno de Canarias, the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria and the Universidad de Las Palmas de Gran Canaria (ULPGC) are public-sector entities subject to Spain's Esquema Nacional de Seguridad. If your company delivers technology services, software solutions or any other service where your information systems interact with theirs, RD 311/2022 (BOE-A-2022-7191) requires you to comply with the ENS. The deadline for existing systems expired on 5 May 2024. Summum Calidad accompanies supplier companies in Las Palmas de Gran Canaria from an information security management system (ISMS) perspective, integrating ENS requirements with those of ISO 27001:2022 so the process is efficient, traceable and directly oriented towards conformity.

RegulationRD 311/2022 · BOE-A-2022-7191
ProfileSuppliers to public-sector bodies in Las Palmas de Gran Canaria
ApproachStructured ISMS project with continuous support

Las Palmas de Gran Canaria is home to the principal institutions of the eastern Canary Islands: the Gobierno de Canarias, the Cabildo de Gran Canaria, the city's Ayuntamiento and the ULPGC all manage high-impact information systems — population registers, electronic offices, tax management under the Canarian Economic and Fiscal Regime (REF), public procurement platforms — and are all subject to the Esquema Nacional de Seguridad. This institutional concentration makes Las Palmas one of the most active public procurement markets in the Canary Islands, with a constant flow of tenders for technology services, digital infrastructure maintenance and administrative management solutions. For any company wishing to compete in that market, ENS compliance is not an optional formality: it is an access requirement that the technical specifications of these administrations are incorporating with increasing frequency.

Summum Calidad approaches ENS compliance from an information security management system perspective — the same axis that structures ISO 27001:2022. The ENS is not a disconnected technical checklist; its framework — security policy, risk analysis, system categorisation, proportionate control selection, review and continuous improvement — mirrors the PDCA cycle that ISO 27001 has applied to the corporate context for decades. When a supplier already holds a valid ISO 27001 certificate, or is actively working towards one, the path to ENS compliance shortens considerably: the controls in Annex A of ISO 27001:2022 directly cover many of the 75 measures in Annex II of the ENS, distributed across three frameworks (organisational, operational and protective) and sixteen families, including the op.nub family governing cloud service use — particularly relevant for companies providing cloud services to Canarian public bodies.

The ENS category of the system — basic, medium or high, depending on the impact across the five CIDAT security dimensions — determines both the required measures and the conformity route. For basic-category systems, the regulation allows a self-assessed declaration of conformity in accordance with CCN-STIC 809, without the involvement of an accredited third party. For medium or high category, certification must be carried out by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Calidad does not issue conformity certificates — that is the exclusive competence of accredited third parties. Our work consists of preparing the organisation's management system so that, when the external auditor arrives, they find genuinely implemented controls, rigorous documentation and auditable evidence. The goal is for the conformity audit to be the natural culmination of work done properly, not an improvised test.

The ENS compliance in Las Palmas de Gran Canaria process.

The process · four stages
01

Initial diagnosis and system categorisation

We analyse the services you provide to public bodies in Las Palmas de Gran Canaria — Gobierno de Canarias, Cabildo de Gran Canaria, Ayuntamiento or ULPGC — and the degree of interaction between your information systems and theirs. From this analysis we determine the applicable ENS category under Annex I of RD 311/2022, assessing the impact across the five CIDAT dimensions for each in-scope service. If you already have ISO 27001 certified or in progress, we evaluate which existing work can be transferred directly to ENS without additional effort.

02

ENS–ISO 27001 gap analysis with control mapping

We cross-reference the 75 measures in Annex II of the ENS — organisational, operational and protective, across sixteen families — with the controls in your ISO 27001:2022 management system, or with existing security practices if you do not yet have the standard certified. The result is a prioritised table distinguishing already-covered, partially implemented and absent controls, with estimated effort to close each gap before the conformity audit or self-assessed declaration.

03

Integrated ISMS design and Statement of Applicability

We design or update the information security management system to meet both ISO 27001 and ENS requirements simultaneously. We produce the integrated Statement of Applicability, justifying the selection and exclusion of controls in the format expected by ENS conformity auditors, and draft the security policy in accordance with Article 12 of RD 311/2022, adapted to the real structure and activity of your organisation.

04

Control implementation and evidence documentation

We support the implementation of outstanding Annex II measures — from organisational and protective frameworks to operational ones, including the op.nub family if your company provides cloud services to Canarian public bodies — and generate the required evidence documentation: procedures, records, risk analyses, management review minutes and training and awareness registers. Technical implementation — hardening, monitoring, encryption — is coordinated alongside us by Summum Sistemas.

What is included

What ENS compliance in Las Palmas de Gran Canaria includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (ENS Annex I)

    Document justifying the assigned category — basic, medium or high — by assessing the impact across the five CIDAT dimensions for each service provided to public bodies in Las Palmas de Gran Canaria, with traceable methodology referenced to RD 311/2022.

  • ENS–ISO 27001 gap analysis with mapped controls

    Cross-reference table of the 75 Annex II ENS measures with the controls of your ISO 27001:2022 system, identifying direct reuses, partial gaps and absent controls, with estimated effort to close each gap before conformity.

  • Integrated ENS–ISO 27001 Statement of Applicability

    Formal document recording the justified selection and exclusion of ENS controls and ISO 27001:2022 Annex A controls, in the format expected by conformity auditors and by CCN-STIC 809.

  • Information security policy compliant with the ENS

    Corporate policy drafted in accordance with Article 12 of RD 311/2022 and adapted to your organisation's reality: purpose, scope, roles, management commitments and review cycle, ready for approval and internal dissemination.

  • Procedures, records and evidence package

    Complete set of operational procedures and records evidencing real implementation of controls: user and access management, backups, vulnerability management, change control, incident management and staff training, structured for presentation to the conformity auditor.

  • Pre-audit review and conformity simulation

    For medium or high category systems, an internal audit prior to the ENAC-accredited entity's process: evidence review, identification of weaknesses and correction before the external auditor arrives, minimising the risk of non-conformities.

Summum cluster

How it connects with its sisters.

ENS compliance from a management system perspective is reinforced when complemented by the technical implementation of Annex II measures carried out by Summum Sistemas: risk analysis with MAGERIT and PILAR methodologies, infrastructure hardening, security event monitoring and preparation of the technical evidence package. Both teams cover, in a coordinated project, the documentary-normative and the technical-operational planes, without duplication and with a single point of contact for your organisation in Las Palmas de Gran Canaria.

Frequently asked questions about ENS compliance in Las Palmas de Gran Canaria.

Does the ENS apply to companies contracting with the Gobierno de Canarias or the Ayuntamiento de Las Palmas?

Yes. Article 2 of RD 311/2022 establishes that the ENS applies to Spanish public-sector entities and to private entities providing them with services or solutions when the information systems of both parties are interconnected or when the private company processes information on behalf of the Administration. The Gobierno de Canarias, the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria and the ULPGC are all public-sector entities subject to the ENS, so their technology and digital service suppliers must comply. The procurement specifications of these administrations already include this requirement on a regular basis.

Does the Canarian Economic and Fiscal Regime (IGIC, REF) affect the ENS scope for a Canarian company?

The Canarian Economic and Fiscal Regime, which includes IGIC instead of mainland VAT and a set of specific tax incentives, does not modify the scope or requirements of the ENS: RD 311/2022 applies equally across the entire national territory, including the Canary Islands. What may have an impact is system categorisation if your company manages REF tax data on behalf of the Canarian regional administration, as the impact on availability and confidentiality of that data may raise the system category to medium or high.

Which bodies in Las Palmas de Gran Canaria most frequently require ENS compliance in their tenders?

The bodies with the largest volume of technology procurement in Las Palmas de Gran Canaria are the Gobierno de Canarias — through the Consejería de Hacienda and the network of ministerial departments — the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria and the ULPGC. All are public-sector entities subject to the ENS and publish their tenders on the Plataforma de Contratación del Sector Público. ENS compliance requirements appear most frequently in the technical specifications of tenders for ICT services, systems maintenance, software development and cloud services.

How does Summum Calidad's approach differ from a technical cybersecurity consultancy?

Summum Calidad approaches ENS compliance from an information security management system perspective: policy, risk analysis, proportionate control selection, evidence documentation, review cycles and continuous improvement. This approach is complementary to, not a substitute for, the implementation of technical measures. Technical cybersecurity — hardening, monitoring, encryption — is coordinated by Summum Sistemas, which works in parallel with our team. The result is an integrated project covering both the normative-documentary and the technical-operational planes under a single coordination.

How long does ENS compliance take for a mid-sized company in Las Palmas?

For a mid-sized company providing ICT services to public bodies in Las Palmas de Gran Canaria with existing security practices, basic-category compliance can be completed within three to six months. If the system reaches medium or high category — common when handling tax data under the REF, population register data or electronic office systems for the Canarian administration — the full process including the conformity audit before an ENAC-accredited entity typically takes between nine and eighteen months. Having a prior ISO 27001 certification significantly reduces that timeline.

What additional advantages does ENS compliance bring in the Canarian market beyond access to public tenders?

Beyond strict mandatory compliance, ENS compliance — especially when integrated with ISO 27001 — means implementing a mature information security management system that improves operational resilience, facilitates incident response and strengthens trust with private clients who also demand security guarantees from their technology suppliers. In an island market where business reputation circulates within relatively close-knit networks of contacts, demonstrating ENS compliance distinguishes a company in the local market and opens doors both in public procurement and in the private sector with demanding clients.