New obligations for ENS certifications
May 5, 2024 marks the end of the period of grace for the mandatory nature of the new ENS established in RD 311/2022 of May 3, 2024, and this date also marks the activation of two recent obligations that may potentially affect the outcome of the audit.
Since the publication of the new Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (ENS), its scope of application, which in its initial version of 2010 referred only to public sector entities, has been extended to the information systems of private sector entities that provide services or solutions to public sector entities for the exercise of their administrative competences.
National Report on the State of Security (INES)
One of the obligations is referred to in Article 32: Report on the State of Security (in Spanish Informe Nacional del Estado de la Seguridad), which regulates that all information systems included in the scope of application (public sector and private sector) must provide information on the main variables of the security in their systems, in accordance with the procedures established by the National Cryptological Center (CCN).
For these purposes, the CCN has built a tool called INES, which until recently was only accessible by public sector entities. Last August, it was published that it was also available to private sector entities. The news can be read at this link (in Spanish), which also contains the access address. The publication itself presents access to the tool as a possibility offered to private sector companies.
However, on December 31, 2023, the entities that are part of the ENS Certification Committee (CoCENS) received a new communication from the CCN indicating the obligation, as of May 5, 2024, to complete the National Report of the State of Security through this CCN platform, which will house all the data collected (we note that the tool, for the moment, is only available in Spanish). That is, all organizations that want to be certified will have to agree to show their security status to the CCN; Without a doubt INES is going to become a repository of information of tremendous interest.
Effective compliance with this obligation must be verified during the audit, through the presentation of the organization's latest INES report. Failure to have it will be considered a Major Non-Conformity.
ENS Internal Compliance Audits
Another novelty also introduced by the CCN and mandatory as of May 5, which is not mentioned in the Royal Decree or in the Technical Instructions that accompany it to date, is the obligation for systems in Medium and High categories to carry out an annual internal audit, with all the formal aspects that this entails: audit plan, report, suitability of the audit team, and implementation of corrective measures that have been identified.
The justification that the CCN uses in its Guide IC-01/19 on the general audit and certification criteria is that “it is required to have an ISMS for the management of the security, as determined in the security measure [op.pl .2] on security architecture”. And from this it follows that, consequently, an internal audit is required (which must also be carried out annually - and always prior to the certification audit - and in relation to the applicable security measures of Annex II of the ENS).
Finally, the guide states that the absence or incorrect performance of this internal audit will be classified as an Observation, but if it persists, it will lead to a Major Non-Conformity, with a directly Unfavorable result, which will require an extraordinary audit for subsequent verification.
Summary
In summary, these two aspects involve the imposition of additional actions, both on private operators who are forced to address this certification to contract in the public sector, and on certification entities, for verification, and which, in themselves, do not provide a greater guarantee of security to the ecosystem (considering that most of public sector entities do not have ENS certification themselves.