Spanish National Security Scheme (ENS) Certification

To prepare for ENS certification, organizations must first understand the requirements of the ENS, as defined within Royal Decree 311/2022, of May 3. The process for the adaptation of ENS can be found at ens.ccn.cni.es. At a high-level, this includes the identification of scope, the categorization of systems according to the security dimensions of the services provided, the completion of a risk analysis, the definition and validation of the declaration of applicability, the assignment of roles and responsibilities, and the preparation and approval of the security policy.

Schellman will work with you to understand your scoping and readiness before determining the resources necessary to complete the assessment.

After we provide you with our Audit Plan and Information Request List, you'll electronically submit the requested documentation to us, which we will review in advance of fieldwork to help ensure the planned fieldwork interviews and test plans are appropriate. Fieldwork will be initiated via a formal kickoff meeting and will include interviews, evidence and documentation review, and testing for relevant ENS Chapters and Articles and applicable Annex II security measures to determine compliance with the provisions of Royal Decree 311/2022. At the conclusion of fieldwork, a closing meeting will be held to formally close out fieldwork and align on next steps. In the event of any deviations, a Findings and Observations Document will be provided to your team.

Deviations can include the following:

• Major Nonconformity — Significant failure or absence related to essential Articles of the ENS (e.g. system categorization, declaration of applicability, designation of security officer, or information security policy); absence or inadequate implementation of a significant number of Annex II measures within any grouping; legal breaches or deviations that significantly affect the system's ability to perform essential functions; or a significant number of minor nonconformities associated with the same requirement.

• Minor Nonconformity — Partial non-compliance with any ENS Article or Annex II security measure; requirements met in an improvable way or inconsistencies between aligned requirements; does not by itself reveal a serious risk to the information system.

• Observation — A weakness, vulnerability, or specific situation that, while not currently compromising the information system, could in the auditor's opinion ultimately lead to a nonconformity or security problem over time.

• Opportunity for Improvement — An area that can be improved upon based on the auditor's professional experience and best practices.

Following the ENS certification review, Schellman will issue a Certification Report, which can result in the following opinions:

• Favorable — No deviations (i.e., major nonconformity, minor nonconformity) are evident.
• Favorable with Nonconformities — Deviations are evident and the audited organization is required to submit a corrective action plan for evaluation by the lead auditor within 30 days.
• Unfavorable — A significant number of major and minor nonconformities exist whose resolution, in the opinion of the lead auditor, cannot be evidenced through a corrective action plan and requires verification via extraordinary audit (within a period of no less than six months and limited to the deviations found).

If Schellman determines that the client conforms to the requirements of the ENS (Favorable Opinion), the ENS certification and mark will be issued. The certificate is valid for a two-year period. In the event of nonconformities, Schellman will provide corrective action plans to be completed and submitted within 30 days. Schellman will be unable to issue the ENS certification and mark without the receipt of acceptable corrective action plans and evidence of correction for noted nonconformities.