
ENS vs ISO 27001: are they compatible? Which one first?

How ENS and ISO 27001 compare, where they overlap and how to leverage an existing ISO 27001 certification to accelerate ENS compliance.

6 min read · Laura Méndez · Lead Auditor, CISA · CertENS

“We already have ISO 27001. Do we really need ENS?” It’s one of the most common questions in the Spanish public-procurement market. The short answer: yes, but your ISO 27001 covers a substantial part of the ground. This article unpacks the comparison, the overlaps, and a practical strategy if you need both.

What each framework is

ENS

  • Mandatory for the Spanish public sector and its providers.
  • Defined by Royal Decree 311/2022.
  • Based on a specific control catalogue (Annex II, 73 controls).
  • Prescribes categories (Basic, Medium, High) and dimensions.
  • Requires certification by ENAC-accredited bodies.
  • Has specific technical guides (CCN-STIC).

ISO 27001

  • Voluntary, internationally recognised.
  • Standards-body framework (ISO/IEC).
  • Based on an Information Security Management System (ISMS) and Annex A controls.
  • Risk-based, with strong documented management requirements.
  • Certified by accredited certification bodies worldwide.

Where they overlap

In terms of controls, the overlap is around 80%. Both address:

  • Security policy.
  • Roles and responsibilities.
  • Risk management.
  • Asset management.
  • Access control.
  • Operational security.
  • Incident response.
  • Continuity.
  • Supplier management.
  • Human resources security.

An organisation with mature ISO 27001 will find most ENS requirements already implemented under different names.

Where they differ

Specific CCN-STIC compliance

ENS requires alignment with CCN-STIC guides: very specific Spanish technical instructions. ISO 27001 does not.

Categorisation

ENS prescribes formal categories (Basic/Medium/High) derived from five explicit dimensions. ISO 27001 is more flexible: the organisation designs its own risk-appetite framework.

Dimensions

ENS mandates five dimensions, naming traceability and authenticity explicitly. ISO 27001 covers these under integrity and access control, but less explicitly.

Certification scope

ENS certification is per system, typically quite narrow. ISO 27001 is per organisation or business unit.

ENS is legally binding in its scope. ISO 27001 is contractual / voluntary.

Reinforcements

ENS has specific reinforcements per category (e.g., certain controls become mandatory at Medium, more at High) that are very prescriptive. ISO 27001’s Annex A applies uniformly, with judgement on applicability.

Compatibility in practice

Both frameworks can coexist and reinforce each other. The CCN and ENAC have produced mapping documents between ISO 27001 Annex A and ENS Annex II. In a well-coordinated project:

  • The same ISMS serves both frameworks.
  • Documents are unified (one policy, one SoA with cross-references).
  • Audits can be coordinated (same evidence).
  • Savings can reach 20-30% compared to running two parallel systems.

Which one first?

If you’re a public body

ENS is mandatory. Start there. ISO 27001 later if you want international recognition.

If you’re a provider to the Spanish public sector

ENS is the real driver — you won’t win tenders without it. Start there. ISO 27001 later as a nice-to-have.

If you’re an international provider expanding to Spain

ISO 27001 is probably already in place. Use the existing ISMS as the base and add the ENS-specific layer.

If you’re a private sector organisation with no public-sector clients

ISO 27001 is more fitting. ENS only if you plan to enter the public market.

Typical integrated project

For an organisation with no prior certifications tackling both:

  1. Design the ISMS once, aligned with both frameworks from day one.
  2. Use a single risk analysis with ENS dimensions (five) but comprehensive enough for ISO 27001.
  3. Write a single SoA with two columns mapping to Annex A (ISO) and Annex II (ENS).
  4. Coordinate audits: some ENAC-accredited bodies offer combined ENS + ISO 27001 audits.
  5. Unify training and awareness.

The combined project cost is typically 60-70% of the cost of doing them separately.

Typical reinforcement project

If you already have ISO 27001 and need to add ENS:

  1. Perform a gap analysis against Annex II with reinforcements for your target category.
  2. Identify specific gaps: typically around CCN-STIC-specific requirements, traceability, authenticity and specific continuity/BCP tests.
  3. Extend the existing ISMS documentation with ENS-specific clauses.
  4. Run a single audit covering both (if you pick a body accredited for both).

Project size: 30-40% of the cost of a standalone ENS project from zero.

Typical reinforcement project (reverse)

If you already have ENS and want ISO 27001:

  1. Extend the ISMS scope to the whole organisation (ENS is per system).
  2. Document the management framework (PDCA, management review, internal audit).
  3. Review risk criteria for ISO 27001 compatibility.
  4. Select a certification body.
  5. Audit.

Size: 25-35% of a standalone ISO 27001 project.

Common mistakes when combining

Running two parallel systems

Two policies, two SoAs, two ISMSs. Double work and constant reconciliation.

Copying ISO 27001 controls without Spanish adaptation

ENS expects explicit alignment with CCN-STIC. A straight copy-paste of ISO Annex A controls is detectable in audit.

Treating ENS as “ISO-lite”

ENS is more prescriptive than ISO 27001 in many areas. Treating it as the lighter framework underestimates the reinforcements required at Medium or High.

Missing the traceability dimension

ENS’s traceability dimension requires specific logging and audit-trail controls that go beyond typical ISO 27001 practice.

Final recommendation

ISO 27001 and ENS are compatible and reinforce each other if planned together. If you have ISO 27001 and need ENS, budget 40-50% of the effort of a standalone ENS project. If you’re starting from scratch and need both, plan them together — the savings are substantial. Running them as two projects in parallel is the worst of both worlds.
