Process of adaptation
Certification and Compliance with the ENS entails the prior elaboration of an Adequacy Plan that includes the following four previous phases: Security Policy, Categorisation of systems, Risk Analysis and Statement of Applicability/Compliance Profile.
1. Adaptation plan
It is a document with the following information: the scope of the systems to be submitted to the ENS certification process, the category of the systems, which Annex II measures are to be implemented (Statement of Applicability), which risks are assumed, the security policy of the organisation with its security organisation...
The following steps need to be taken in order to efficiently address the Plan of Adjustment:
- Identify the scope of the system
- Categorise the system according to the security dimensions of the services provided.
- Obtain the Declaration of Provisional Applicability.
- Conduct Risk Analysis.
- Validate the Definitive Statement of Applicability or Specific Compliance Profile.
- Prepare and approve the Security Policy.
2. Security implementation
Once the Adaptation Plan has been drawn up, the next step is the security implementation phase. This phase consists of the following steps:
- Roadmap: documents to be drawn up, technical measures to be implemented and priorities to be defined.
- Develop the Regulatory Framework and Security Implementation.
- Approve the Information Security Management System.
3. Declaration / Certification of Conformity
The determination of the conformity of information systems within the scope of the ENS shall be determined according to two different procedures depending on whether they are of MEDIUM and HIGH or BASIC category:
- MEDIUM or HIGH categories: The compliance of information systems with these categories shall be performed by a formal audit verifying the requirements of the ENS at least every two years, or on an extraordinary basis in case of significant modifications.
- BASIC category: Compliance of information systems in this category requires a self-assessment to verify compliance at least every two years, or extraordinarily if significant changes occur. This requirement for compliance does not preclude a BASIC category system from being formally audited.
4. Report on Security Status. Metrics and Indicators
The bodies to which the ENS applies are obliged to complete and report on the Security Status. In order to fulfil this mandate, the CCN has developed the INES (National Security Status Report) project:
5. Monitoring and Continuous Improvement
Information security management is a process subject to constant change, which may come from organisational changes, threats, technologies and/or legislation, and therefore continuous improvement of our systems is necessary.
This continuous updating will entail among other actions:
- Review of the Information Security Policy
- Review of information and services, and their categorisation
- Updating the risk analysis at least annually
- Revision of the Statement of Applicability or Compliance Profile
- Conducting internal audits
- Review of the Improvement Plan
- Review of security measures
- Review and update of procedures
- Security Status Review (INÉS)
6. Adequacy Processes for Local Bodies
The Spanish Federation of Municipalities and Provinces (FEMP), with the collaboration of the National Cryptologic Centre, has published the Book of recommendations: Itinerario de adecuación al Esquema Nacional de Seguridad (ENS) in which a description is made of the guidelines, requirements and steps to follow to achieve the definition of a personalised roadmap for the adaptation to the ENS of local entities.
7. Catalogue of Qualified Products
These are products suitable for use in systems under the scope of the ENS in any of its categories (HIGH, MEDIUM and BASIC). The qualification of a product in one category allows its use in lower categories.
