Before starting, we have thoroughly covered the ENS (Esquema Nacional de Seguridad) in several lessons. This lesson focuses solely on security measures and implementation. Read an Introduction to ENS and learn more about the Organizational and Operational Framework of ENS.
To implement Spain's National Security Framework (ENS) 🇪🇸, we first need to appoint a committee responsible for the scheme's implementation.
Since the entry into force of Royal Decree 311/2022, the National Security Framework (ENS) clearly defines four key roles that must be present in all organizations subject to ENS compliance. These roles are specified in Article 11 of the decree and replace old models such as committees or presidents with casting votes, which are not included in the official regulations.
Each role has well-defined responsibilities to ensure the proper protection of systems, information, and services managed by an entity. Below are detailed descriptions:
Information Owner (Responsable de la Información): this role is responsible for determining the security requirements for the information processed within the system. This person, or a collegiate body, must identify the sensitivity and criticality of the data and establish the necessary protection levels according to Annex I of the ENS, which sets the system category.
Key responsibilities:
Service Owner (Responsable del Servicio): responsible for defining the security requirements of the services provided by the system. This involves assessing the impact of any alteration, interruption, or failure in service delivery and collaborating with the System Owner to identify risks and the necessary measures.
Key responsibilities:
Security Officer (Responsable de la Seguridad): in charge of the comprehensive management of information security in the organization. This role must develop security plans, conduct regular controls, coordinate audits, manage incidents, and serve as the point of contact with the competent authorities.
Key responsibilities:
System Owner (Responsable del Sistema): mainly responsible for developing, operating, and maintaining the information system, ensuring that appropriate security measures are implemented and maintained throughout the system's lifecycle. This role is also responsible for categorizing the system according to the ENS and conducting the risk analysis.
Key responsibilities:
🔒 Note: These four roles must be clearly defined, documented, and formally assigned within the organization and cannot be arbitrarily merged. Their proper implementation is a fundamental requirement for ENS compliance and obtaining the corresponding certification.
The implementation of the National Security Framework (ENS) should not be seen as a one-off action, but as a continuous process covering the entire system lifecycle, from initial design to final decommissioning.
This process must be guided by a risk analysis that determines which measures to apply, at what level of stringency (BASE, Reinforced, High), and at what stage. Proper ENS implementation ensures not only regulatory compliance but also effective protection of services and information.
Before applying any measures, the organization must understand its context and obligations. This initial step lays the foundation for the rest of the process:
This analysis allows you to understand the organization's current state against ENS requirements and identify weaknesses:
This analysis will feed into the ENS Adaptation Plan, which outlines concrete steps to achieve compliance.
To comply with the ENS, the organization must establish a clear structure of responsibilities, without resorting to informal committees or bodies not recognized by regulations.
This step involves creating the organizational and technical foundations for structured security management:
Here, the ENS technical measures are deployed, always aligned with the risk analysis results. Among them:
Technical implementation without clear governance or policies can be ineffective. Both components must go hand in hand.
Administrative measures complement technical and organizational ones, ensuring that the human factor is also properly managed:
Security does not end at the organization's boundaries. The ENS requires managing risks from external providers or contracted services:
Once measures are implemented, ENS compliance must be verified through audits:
Certification is not the end, but the start of a continuous improvement cycle. Measures must be maintained and updated throughout the system's lifecycle.
The security measures of the National Security Framework (ENS) are organized into three frameworks:
- org: organizational framework
- op: operational framework
- mp: protection measures

Each measure has application levels according to the system's security profile:

- `=`: BASE requirement (mandatory for all)
- `+`: Requirement for medium-level systems
- `++`: Requirement for high-level systems

This is not an exhaustive list. The full 73 measures are available in Guide CCN-STIC 808.
Organizational framework (org)

| Measure | Low Level | Medium Level | High Level | Code |
|---|---|---|---|---|
| Security policies | = | + | ++ | org.2 |
| Security procedures | = | + | ++ | org.3 |
| Control of facilities and components | = | = | = | org.4 |
Operational framework (op)

| Measure | Low Level | Medium Level | High Level | Code |
|---|---|---|---|---|
| Risk analysis | = | + | ++ | op.pl.1 |
| Security architecture | = | + | ++ | op.pl.2 |
| Acquisition of new components | = | = | = | op.pl.3 |
| Capacity management | — | = | = | op.pl.4 |
Protection measures (mp)

mp.if.* (facilities and infrastructure)

| Measure | Low Level | Medium Level | High Level | Code |
|---|---|---|---|---|
| Separate areas with access control | = | = | = | mp.if.1 |
| Identification of people | = | = | = | mp.if.2 |
| Conditioning of premises | = | = | = | mp.if.3 |
| Power supply | + | = | = | mp.if.4 |
| Fire protection | = | = | = | mp.if.5 |
| Flood protection | — | = | = | mp.if.6 |
| Equipment entry and exit log | = | = | = | mp.if.7 |
| Alternative facilities | — | — | = | mp.if.8 |
mp.per.* (personnel)

| Measure | Low Level | Medium Level | High Level | Code |
|---|---|---|---|---|
| Job characterization | — | = | = | mp.per.1 |
| Duties and obligations | = | = | = | mp.per.2 |
| Awareness | = | = | = | mp.per.3 |
| Training | = | = | = | mp.per.4 |
| Alternative personnel | — | — | = | mp.per.5 |
| Alternative means (equipment) | — | — | = | mp.per.8 |
mp.info.* (information)

| Measure | Low Level | Medium Level | High Level | Code |
|---|---|---|---|---|
| Personal data | = | = | = | mp.info.1 |
| Information classification | + | = | = | mp.info.2 |
| Encryption | — | — | = | mp.info.3 |
| Electronic signature | + | ++ | ++ | mp.info.4 |
| Timestamps | = | = | = | mp.info.5 |
| Document sanitization | = | = | = | mp.info.6 |
| Backups | = | = | = | mp.info.9 |
mp.s.* (services)

| Measure | Low Level | Medium Level | High Level | Code |
|---|---|---|---|---|
| Email protection | = | = | = | mp.s.1 |
| Web services and application protection | = | + | + | mp.s.2 |
| Protection against denial of service | — | = | + | mp.s.8 |
| Alternative means for critical services | — | — | = | mp.s.9 |

- `=`: BASE level, mandatory for all systems
- `+`: Applicable to medium-level systems
- `++`: Applicable to high-level systems
- `—`: Not explicitly applicable (may depend on risk analysis)
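The tables above encode a simple rule: for a system of a given category, a measure applies at the stringency shown in that column, and `—` means it is not explicitly required. The gap analysis mentioned earlier in this lesson is exactly that comparison run against what the organization has actually put in place. The following script is an added example, not code from the lesson or from the CCN: it parses tables written in the page's own markdown layout (the mp.s.* rows are embedded as sample data, copied from the table above), derives the required stringency per measure for a chosen category, and reports every shortfall against a constructed, hypothetical self-assessment (`IMPLEMENTED`). The symbol ordering `—` < `=` < `+` < `++` is an assumption taken from the legend.

```python
"""ENS measure gap analysis over the lesson's measure/level tables.

Added example (not from the lesson or the CCN). It reads a markdown
table in the page's layout, works out which stringency each measure
requires for a system category, and compares that with a constructed
list of what an organization has implemented.
"""

# Stringency ordering assumed from the legend: "—" not applicable,
# "=" BASE, "+" reinforced (medium), "++" high.
RANK = {"—": 0, "=": 1, "+": 2, "++": 3}
CATEGORIES = ("low", "medium", "high")

# Constructed sample in the page's own table layout; the rows are the
# mp.s.* values from the table above.
TABLE_MD = """
| Measure | Low Level | Medium Level | High Level | Code |
|---|---|---|---|---|
| Email protection | = | = | = | mp.s.1 |
| Web services and application protection | = | + | + | mp.s.2 |
| Protection against denial of service | — | = | + | mp.s.8 |
| Alternative means for critical services | — | — | = | mp.s.9 |
"""


def parse_measures(markdown):
    """Return {code: {"name": str, "levels": {category: symbol}}}.

    Accepts rows with or without a leading pipe, skips the header and
    the ---|--- separator row, and rejects unknown level symbols so a
    typo in the source table cannot silently become "not applicable".
    """
    measures = {}
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Measure" or set(cells[0]) <= {"-"}:
            continue
        name, low, med, high, code = cells
        for sym in (low, med, high):
            if sym not in RANK:
                raise ValueError(f"unknown level symbol {sym!r} for {code}")
        measures[code] = {
            "name": name,
            "levels": dict(zip(CATEGORIES, (low, med, high))),
        }
    return measures


def required_measures(measures, category):
    """Measures that explicitly apply to `category`, mapped to their symbol."""
    if category not in CATEGORIES:
        raise ValueError(f"category must be one of {CATEGORIES}")
    return {
        code: m["levels"][category]
        for code, m in measures.items()
        if RANK[m["levels"][category]] > 0
    }


def gap_analysis(measures, category, implemented):
    """List (code, required_symbol, achieved_symbol) for every shortfall.

    `implemented` maps measure code to the stringency the organization
    claims to have reached; a missing code counts as "—" (nothing in place).
    """
    gaps = []
    for code, required in required_measures(measures, category).items():
        achieved = implemented.get(code, "—")
        if RANK[achieved] < RANK[required]:
            gaps.append((code, required, achieved))
    return gaps


# Constructed, hypothetical self-assessment for one organization.
IMPLEMENTED = {"mp.s.1": "=", "mp.s.2": "=", "mp.s.8": "="}

if __name__ == "__main__":
    measures = parse_measures(TABLE_MD)
    for category in CATEGORIES:
        gaps = gap_analysis(measures, category, IMPLEMENTED)
        print(f"{category}: {len(gaps)} gap(s)")
        for code, required, achieved in gaps:
            print(f"  {code} ({measures[code]['name']}): "
                  f"required {required}, achieved {achieved}")
```

Running it shows why the category decided under Annex I matters: the same self-assessment passes cleanly for a low-category system, has one shortfall at medium (mp.s.2 needs the reinforced level), and three at high (mp.s.2 and mp.s.8 both need reinforcement and mp.s.9 is not in place at all). Extending the table to the other framework blocks is just a matter of pasting their rows into `TABLE_MD`.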