Sector publico y seguridad

ENS compliance in Palencia: information security management for public-sector suppliers

The Diputación Provincial de Palencia and the Ayuntamiento de Palencia are subject to the Esquema Nacional de Seguridad (ENS), Spain's National Security Framework. This means that companies providing technology services to those bodies, managing their information systems or seeking access to their public procurement must also comply with the ENS, as established by RD 311/2022 (BOE-A-2022-7191), dated 3 May. At Summum Calidad we approach that compliance from the information security management system (ISMS) perspective, integrating it with ISO 27001:2022 so that your company meets the Framework requirements, reuses existing controls and reaches the declaration or certification of conformity that matches its system category, without duplicating effort or documentation.

RegulationRD 311/2022 · BOE-A-2022-7191
ProfileSuppliers and contractors of the public administration of Palencia
ModalityCompliance project with ongoing support from the ISMS perspective

RD 311/2022, of 3 May, approves the Esquema Nacional de Seguridad and defines its scope in Article 2: public-sector entities and, to the extent it affects them, suppliers providing services or solutions to those entities are subject to it. The Diputación Provincial de Palencia and the Ayuntamiento de Palencia — as territorial administrations within the Spanish public sector — fall squarely within that scope. Any company that manages their information systems, supplies software, processes citizens' data on their behalf or maintains their technology infrastructure shares the obligation to comply with the ENS. The general deadline for systems already in operation expired on 5 May 2024. Operating without compliance may close access to public contracts and generate liability for the contracting administration.

Summum Calidad treats ENS compliance as what it is: the construction or update of an information security management system oriented towards the context of the Spanish public administration. The ENS structures its requirements around the same pillars as ISO 27001:2022 — security policy, risk analysis, proportionate control selection and continual improvement — which makes it possible to integrate both frameworks in a single project. Annex II of RD 311/2022 sets out 75 measures structured in three frameworks (organisational, operational and protection) and 16 families, including the op.nub family for cloud services. When a supplier of the Diputación or the Ayuntamiento de Palencia already holds ISO 27001 certification or is working towards it, the overlap with the Annex II measures is significant: the gap analysis identifies precisely what is missing and what can be reused directly, reducing both the cost and the duration of the project.

The system category — basic, medium or high — is determined by assessing the impact that a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for each in-scope service, as set out in Annex I of RD 311/2022. That category defines which Annex II measures are mandatory and which conformity pathway applies: for basic-category systems a self-assessed declaration of conformity pursuant to CCN-STIC 809 is sufficient; for medium or high category, certification by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065 is required. Summum Calidad does not issue that certificate — that is the exclusive competence of the accredited third parties — but it prepares the organisation's system to face that process with full confidence: from the initial diagnosis through to the pre-audit review.

The ENS compliance in Palencia process.

The process · four stages
01

Initial diagnosis and system categorisation

We analyse the real scope of the services you provide to the Diputación Provincial de Palencia, the Ayuntamiento de Palencia or any other local public body, identify the information systems involved and determine the ENS category that applies to them under Annex I of RD 311/2022, assessing the impact on the five CIDAT dimensions. If you already hold a valid ISO 27001 certificate, we simultaneously evaluate the starting point to leverage existing controls and reduce the scope of the project.

02

ENS–ISO 27001 gap analysis and work plan

We map the 75 controls of Annex II of the ENS against the security practices and controls of your existing management system. The result is a prioritised gap table — absent controls, partially implemented controls and controls that can be reused directly — with an estimated effort to close each gap and a structured work plan with realistic deadlines aimed at conformity.

03

Integrated ISMS design and Statement of Applicability

We design or update the information security management system to simultaneously cover the requirements of ISO 27001:2022 and the ENS. We draft the integrated Statement of Applicability, which justifies the selection and exclusion of each Annex II control in the format expected by conformity auditors, and we write the information security policy in line with Article 12 of RD 311/2022.

04

Control implementation and evidence package

We support the implementation of the measures across the three Annex II frameworks — organisational, operational and protection — and produce the required evidence documentation: user and access management procedures, backup procedures, vulnerability management, change control and incident management. The technical side of control implementation is coordinated with Summum Sistemas so that the normative and technical layers advance together.

What is included

What ENS compliance in Palencia includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (Annex I ENS)

    Document justifying the assigned category — basic, medium or high — by assessing the impact on the five CIDAT dimensions for each in-scope service linked to the public administration of Palencia, with traceable methodology referenced to RD 311/2022.

  • ENS–ISO 27001 gap analysis with mapped controls

    Cross-reference table of the 75 Annex II controls of the ENS against the controls of your existing management system, identifying reusable controls, partial gaps and absent controls, with estimated effort to close each gap before the conformity audit.

  • Integrated ENS–ISO 27001 Statement of Applicability

    Formal document recording the justified selection and exclusion of the ENS controls and the Annex A controls of ISO 27001:2022, in the format expected by conformity auditors and consistent with CCN-STIC 809.

  • Security policy compliant with Article 12 of RD 311/2022

    Corporate policy drafted in accordance with the requirements of Article 12 of RD 311/2022 and tailored to your organisation's structure and culture: purpose, scope, roles, management commitments and biennial review cycle.

  • Procedures, records and complete evidence package

    Structured set of operating procedures and records evidencing the actual implementation of Annex II controls: user and access management, backup procedures, vulnerability management, change control, incident management and personnel training.

  • Pre-audit review and conformity simulation

    For medium or high category, an internal audit simulating the ENAC-accredited body's process: evidence review, identification of weak points and correction before the external auditor arrives, reducing the risk of non-conformities in the certification audit.

Summum cluster

How it connects with its sisters.

ENS compliance from the management system perspective is strengthened when paired with the technical implementation of Annex II measures carried out by Summum Sistemas: risk analysis with MAGERIT and PILAR, system hardening, security event monitoring and preparation of the technical evidence package. Both teams cover the normative-documentary layer and the technical-operational layer in a single coordinated project, leaving no gaps between frameworks.

Frequently asked questions about ENS compliance in Palencia.

Which public bodies in Palencia are subject to the ENS, and therefore require their suppliers to comply?

The Diputación Provincial de Palencia and the Ayuntamiento de Palencia are territorial administrations of the Spanish public sector and are directly subject to the ENS under Article 2 of RD 311/2022. Other dependent or linked bodies are also in scope, including patronatos, consortia and instrumental entities of the local Palencia administration. Any company providing technology services, managing information systems or processing citizens' data on behalf of those bodies shares the obligation to comply with the ENS to the extent it affects them.

Does a supplier to the Ayuntamiento de Palencia need ENS certification to keep bidding for contracts?

It depends on the category of the information system involved in the contract. If the systems are basic category, a self-assessed declaration of conformity pursuant to CCN-STIC 809 is sufficient; no third-party certification is required. If they are medium or high category, certification by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065 is mandatory. The procurement documents of each tender usually specify the exact level of requirement; it is advisable to review them before starting the compliance process.

Why integrate ENS compliance with ISO 27001 rather than treating them separately?

Because the ENS and ISO 27001:2022 share the same management architecture: security policy, risk analysis, proportionate control selection and continual improvement. Many Annex II controls of the ENS have a direct equivalent in Annex A of ISO 27001:2022, so organisations that already hold the standard can close the gap towards the ENS by focusing only on the aspects specific to the Spanish framework. An integrated approach avoids duplicating documentation, reduces the audit burden and optimises the total cost of the project.

How many measures does Annex II of the ENS contain and how are they structured?

Annex II of RD 311/2022 sets out 75 security measures distributed across three frameworks and 16 families. The organisational framework groups policy, regulatory, procedural and authorisation measures; the operational framework includes 7 families with 33 measures covering planning, access control, operations, external resources, continuity and the op.nub family for cloud services; the protection framework covers measures protecting specific assets. Not all measures are mandatory for all systems: the applicable subset depends on the category — basic, medium or high — assigned to the system during the Annex I categorisation process.

How long does it take to comply with the ENS for a supplier based in Palencia?

The timeline depends on the system category, the size of the organisation and the starting point in terms of security. For basic-category systems with security practices already in place, the process can be completed in three to six months. For medium or high category, without prior ISO 27001, the process typically takes between nine and eighteen months, including risk analysis, measure implementation and the conformity audit by the accredited body. With ISO 27001 already certified, timelines are significantly reduced.

How does Summum Calidad help companies in Palencia that already hold ISO 27001?

When a company already holds ISO 27001 certification or is working towards it, Summum Calidad carries out a precise gap analysis mapping the Annex II controls of the ENS against the controls already implemented in the ISMS. The result is an inventory of what can be reused directly — with no additional work — what requires documentary adjustment and what is genuinely new with respect to the ENS. The project then focuses solely on closing the actual gaps, without redoing what already works, and the cost is substantially lower than a compliance project starting from scratch.