Sector publico y seguridad

ENS compliance in Salamanca: information security management for public sector suppliers

Salamanca is home to major public bodies — the Diputación Provincial, the Ayuntamiento de Salamanca and the Universidad de Salamanca (USAL) — that increasingly require their suppliers and contractors to demonstrate compliance with the Esquema Nacional de Seguridad (ENS, Spain's National Security Framework) before awarding contracts. RD 311/2022 (BOE-A-2022-7191) makes clear that the obligation does not rest solely with the public sector: it applies equally to private organisations whose information systems interact with those of public entities. Summum Calidad guides organisations in Salamanca through that process from an information security management perspective, integrating ENS requirements with those of ISO 27001:2022 to reduce effort, eliminate documentary duplication and achieve conformity with the rigour that tendering deadlines demand.

RegulationRD 311/2022 · BOE-A-2022-7191
TargetPublic sector suppliers in Salamanca
ModeStructured project with ongoing support

The Diputación de Salamanca, the Ayuntamiento de Salamanca and the Universidad de Salamanca (USAL) are three of the public entities with the highest procurement volumes in the province. All three are subject to the ENS as public sector bodies, meaning that any supplier whose information systems interact with theirs — a software integrator, a managed-service provider, a telecommunications company or a consultant with access to their systems — must demonstrate ENS compliance at the appropriate level. The general deadline for existing systems expired on 5 May 2024, in line with the transitional provision of RD 311/2022. Salamanca-based companies that did not begin the process at the time are now in a position of non-compliance that may block them from future tenders or create liability for the contracting authority.

Summum Calidad approaches ENS compliance from the perspective of information security management. The ENS structures its requirements — 75 measures across three frameworks and 16 families in Annex II of RD 311/2022, including the seven families of the operational framework and the op.nub family specific to cloud services — around a management logic that mirrors the PDCA cycle of ISO 27001 applied to the Spanish public administration context. When a company in Salamanca already operates with ISO 27001 or is working towards certification, ENS compliance is not a second project: it is an extension of the same management system, with shared controls, reusable documentation and a single management review that covers the requirements of both standards.

The starting point for ENS compliance is always system categorisation under Annex I of RD 311/2022: basic, medium or high, based on the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability). The category determines which of the 75 Annex II measures are mandatory and the route to conformity required: for basic category, a self-assessed declaration of conformity under CCN-STIC 809 is sufficient; for medium or high category, certification by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065 is required. Summum Calidad guides the entire process — diagnosis, implementation, evidence documentation and preparation for the external audit — without issuing the certificate, which is the exclusive competence of accredited third parties.

The ENS compliance in Salamanca process.

The process · four stages
01

Initial diagnosis and system categorisation

We analyse your organisation's information systems and the services you provide to bodies such as the Diputación de Salamanca, the Ayuntamiento or the USAL to determine the applicable ENS category under Annex I of RD 311/2022. We assess the impact across the five CIDAT dimensions and, at the same time, identify which ISO 27001 controls your organisation already has in place so we can maximise reuse rather than starting from scratch.

02

ENS–ISO 27001 gap analysis

We map the 75 Annex II measures of the ENS against the controls of your management system or your current security practices. The output is a prioritised gap table — missing controls, partially covered controls and those that can be reused directly — with an estimated effort to close each gap before the declaration or conformity audit. This analysis avoids duplicating work and focuses effort where it is genuinely needed.

03

Integrated ISMS design and Statement of Applicability

We design or update your information security management system to cover both ENS and ISO 27001:2022 simultaneously. We produce the integrated Statement of Applicability with a justified selection and exclusion of controls from both standards, and draft the security policy in accordance with Article 12 of RD 311/2022, tailored to the real structure of your organisation in Salamanca.

04

Control implementation and evidence documentation

We support the implementation of the outstanding Annex II measures — organisational, operational and protective, including those in the op.nub family if you use cloud services to deliver services to the public administration — and produce the required evidence documentation: procedures, records, risk analysis reports, management review minutes and training records, ready to present to the audit body. Technical implementation — hardening, monitoring, encryption — is coordinated with Summum Sistemas.

What is included

What ENS compliance in Salamanca includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (ENS Annex I)

    Document justifying the category assigned to the system — basic, medium or high — by assessing the impact across the five CIDAT dimensions for each service provided to Salamanca public bodies, with a traceable methodology referenced to RD 311/2022.

  • ENS–ISO 27001 gap analysis with mapped controls

    Cross-reference table of the 75 ENS Annex II measures against your ISO 27001:2022 management system controls, identifying reuses, partial gaps and missing controls, with an estimated effort to close each gap before conformity.

  • Integrated ENS–ISO 27001 Statement of Applicability

    Formal document recording the justified selection and exclusion of ENS controls and ISO 27001:2022 Annex A controls, in the format expected by conformity auditors and by CCN-STIC 809.

  • Information security policy compliant with the ENS

    Corporate policy drafted in accordance with Article 12 of RD 311/2022 and tailored to your organisation's structure: purpose, scope, roles, management commitments, biennial review cycle and references to the Salamanca public bodies you work with.

  • Procedures, records and evidence package

    Complete set of operational procedures and evidence demonstrating the real implementation of controls: user and access management, backups, vulnerability management, change control, incident management and staff training, ready to present to the audit body.

  • Pre-audit review and conformity rehearsal

    For medium or high category, an internal audit that simulates the accredited ENAC body's process: evidence review, identification of weaknesses and correction before the external auditor arrives, minimising the risk of non-conformities.

Summum cluster

How it connects with its sisters.

ENS compliance through a management system approach is strengthened when combined with the technical implementation of Annex II measures carried out by Summum Sistemas: MAGERIT and PILAR risk analysis, system hardening, continuous monitoring and preparation of the technical evidence package. Together we cover both the documentary-regulatory and the technical-operational dimensions in a single coordinated project, so your team does not have to manage two separate suppliers.

Frequently asked questions about ENS compliance in Salamanca.

Do I need to comply with the ENS if I supply the Diputación de Salamanca or the Ayuntamiento?

Yes. If your information systems interact with those of the Diputación Provincial de Salamanca, the Ayuntamiento de Salamanca or any other ENS-subject public body — including the Universidad de Salamanca (USAL), a public university — RD 311/2022 requires you to achieve compliance at the level applicable to your system. This applies to software integrators, managed-service providers, telecommunications companies and consultants with access to those bodies' systems alike. The general deadline expired on 5 May 2024.

What happens if I tender with the USAL or the Diputación de Salamanca without ENS compliance?

Lack of ENS compliance can be grounds for exclusion from public tenders that require compliance certification, or for contract termination if the gap is discovered during contract performance. It also creates liability for the contracting public entity, whose own compliance may be called into question if its suppliers are not compliant. In practice, an increasing number of public procurement notices in Castilla y León include ENS compliance at the appropriate level as a technical requirement.

What is the difference between basic, medium and high categories, and which one applies to me?

The category is determined by assessing the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for the services in scope. If the maximum impact in any dimension is low, the system is basic category; if any dimension reaches a medium impact, it is medium category; if any reaches high impact, it is high category. Basic category requires a self-assessed declaration of conformity (CCN-STIC 809); medium or high category requires certification by an ENAC-accredited body. Summum Calidad carries out the categorisation as the first step of the project.

How long does ENS compliance take for an organisation in Salamanca?

It depends on the system category and the starting point in terms of security. For basic-category systems with some practices already in place, the process can be completed in three to six months. For medium or high category without prior ISO 27001 certification, the typical timeframe is nine to eighteen months, including risk analysis, implementation of technical and organisational measures and the conformity audit by the accredited body. If you already hold ISO 27001 certification, the time is considerably reduced because the gap concentrates on the ENS-specific aspects of the Spanish framework.

Can I integrate ENS compliance with the ISO 27001 certification I already have or am implementing?

Yes, and it is the most efficient approach. The ENS and ISO 27001:2022 share the same management structure — policy, risk analysis, proportionate control selection, review and continual improvement — and many ENS Annex II measures have a direct equivalent in ISO 27001:2022 Annex A. With ISO 27001 underway or certified, the gap towards the ENS focuses on the specific aspects of the Spanish framework, reducing the work by between 30 % and 40 % compared with two independent projects. Summum Calidad performs that gap analysis and closes only what is genuinely missing.

Does Summum Calidad issue the ENS conformity certificate?

No. The conformity certificate for medium or high category can only be issued by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. For basic category, the declaration of conformity is self-assessed and issued by the organisation itself under CCN-STIC 809. Summum Calidad prepares you to pass that process with confidence: diagnosis, implementation, evidence documentation and pre-audit review. The final certificate is issued by the accredited third party you choose; we make sure you are in the best possible position to face that audit.