Executive summary · TL;DR
An ENS audit for a supplier is prepared in 6-10 weeks if the system has already been brought into compliance. The three keys are: have the Annex II documentation organised by dimension and measure, provide evidence of operational implementation (not just paperwork) and demonstrate continuous improvement. The external audit is carried out by an ENAC-accredited certification body and lasts 2-4 days on site for an SME. The 15 most frequent non-conformities are concentrated in five blocks: access control (37%), continuity and backups (19%), incident management (14%), suppliers (12%), traceability (10%).
In this article
- Types of ENS audit: internal, external, on-demand
- Preparation calendar (8-10 weeks)
- Mandatory evidence by dimension
- The 15 most frequent non-conformities
- Practical differences with the ISO 27001 audit
- How an external audit day unfolds
- After the audit: closure and certification
- Frequently asked questions
Types of ENS audit: internal, external, on-demand
Annex III of Royal Decree 311/2022 requires at least three types of audit activities on the system during the certification lifecycle. Knowing the difference from the start avoids preparing each one badly.
Internal audit
It is the first line of defence. It is carried out by qualified personnel independent from the audited system (it cannot be whoever designed or implemented the controls) and must cover all Annex II measures applicable to the category. Its minimum frequency is biennial, but the more robust practice is to plan it annually, split into blocks (access, continuity, training, etc.). Its findings are documented as major non-conformities, minor non-conformities or improvement opportunities. They are closed with corrective action plans before the next external audit.
External certification audit
It is executed by a certification body accredited by ENAC for the ENS. It has two phases. Phase 1 is documentary: the auditor reviews the security policy, statement of applicability, risk analysis, key procedures, internal audit evidence and incident log. It lasts 1-2 days, usually remote. Phase 2 is implementation: the auditor visits the site or sites, interviews staff at different levels (executive, technical, user), audits specific controls by sampling. It lasts 2-4 days for an SME in the MEDIUM category.
Surveillance audit
Biennial during the validity of the certificate (three years). Lighter than the initial one, it usually lasts 2-3 days for an SME and focuses on changes since the last audit, pending findings and sampling of critical measures. It is not a second certification: it confirms maintenance of the system.
On-demand or motivated audit
The CCN-CERT can request a motivated audit in case of significant incident, well-founded complaint or suspicion of systemic non-compliance. It is infrequent but it exists. The company has an obligation to cooperate and provide evidence. The best preparation is to keep the system actually alive throughout the cycle, not just on the eve of the scheduled audit.
Preparation calendar (8-10 weeks)
The following calendar assumes the system has already been brought into compliance (controls implemented, policy approved, risk analysis done, training delivered) and only the external certification audit is being prepared. If there are still controls to deploy, the prior compliance calendar must be added on top.
Weeks -10 to -8 · planning and evidence map
Scope, category, calendar and interviewees are agreed with the certification body. An evidence map by Annex II measure is built: for each applicable measure, where the evidence is (folder, system, person). This is documented in a spreadsheet or GRC tool. Without this map the audit turns into a chaotic last-minute search for evidence.
Weeks -7 to -5 · complete internal audit
If the recent annual internal audit covered all measures, the findings register is updated. If not, a specific internal pre-audit is executed. Here it is common to hire an external consultant different from the one who did the implementation: a fresh pair of eyes catches what the team has stopped seeing.
Weeks -4 to -3 · closing critical findings
Critical findings identified in the pre-audit are closed as a priority. Less critical ones are documented as improvement opportunities with an action plan.
Weeks -2 to -1 · interview rehearsal and documentary cleanup
The most likely questions are rehearsed with interviewees: security policy, incident management, backup, access control, training received. It is not about reciting documents: it is about staff demonstrating they know their responsibilities. Documentation is organised by dimension and measure in a shared folder with read-only permissions for the auditor.
Week 0 · external audit
On audit day you must have: single point of contact with authority to resolve doubts, dedicated room for the auditor with connectivity and projection, confirmed interview agenda with margin, interviewees freed from their regular agenda for the day, coffee and food. Logistics matter because they set the tone.
Mandatory evidence by dimension
Evidence is organised by the five Annex II dimensions. For each I identify here the minimum evidence the auditor will ask for.
Confidentiality
Information classification policy, inventory of classified information, access controls applied by classification, cryptography policy, encryption evidence for data at rest and in transit, access logs to classified information, endpoint control evidence (DLP, disk encryption) and secure media destruction procedure.
Integrity
Documented change management procedure with approvals, change records of the last 12 months, integrity controls on critical databases (signature, hash, modification audit), input data validation in applications, evidence of tests in development and pre-production environments.
Traceability
Logging and monitoring policy, log configuration (what is recorded, where it is stored, how long), evidence of periodic log review (having them is not enough, they must be reviewed), event correlation in a SIEM or equivalent, ability to reconstruct an incident from logs.
Authenticity
Identity and authentication policy, user and privilege inventory, evidence of MFA on privileged access, onboarding and offboarding procedure with documented SLA, quarterly privilege review with evidence, use of qualified electronic signature where applicable.
Availability
Business impact analysis (BIA), business continuity plan, backup and restoration procedures with evidence of recent test (documented evidence of the last real restoration is the most requested and the one most companies do not have), RPO and RTO metrics, infrastructure redundancy evidence where applicable, crisis and communications plan.
The 15 most frequent non-conformities
From the ENS audits of the last 24 months that I have analysed and discussed with auditors from three certification bodies, the 15 most frequent findings are as follows.
Access control (37% of total)
- Privileged accounts without MFA or with weak MFA (SMS instead of app or token).
- Service accounts without documented expiry and without periodic review.
- Administrator privileges granted years ago without review.
- Offboarding procedure with an SLA over 24 hours (the norm is under 4 h).
- Shared generic accounts without individual traceability.
Continuity and backups (19%)
- Backups without documented restoration test in the last 12 months.
- Business continuity plan not updated after major changes.
- Absence of annual continuity test or drill.
Incident management (14%)
- Incident registry incomplete or without severity classification.
- Lack of communication procedure to CCN-CERT or competent authority for notifiable incidents.
Suppliers (12%)
- Contracts with ICT suppliers without security clauses or audit obligation.
- No inventory of SaaS suppliers that handle public-client data.
Traceability (10%)
- Logs configured but never reviewed (without evidence of periodic review).
- Log retention time below that required by the category.
Other (8%)
- Outdated risk analysis (over 12 months without review), or one using a methodology other than MAGERIT without adequate justification.
Five practical differences with the ISO 27001 audit
If your company already has valid ISO 27001 and is also going to audit ENS, it is worth being clear about the five practical differences to avoid strategic mistakes.
1. The focus
ISO 27001 audits the management system (the ISMS mechanics: policy, risks, continuous improvement). ENS audits the specific system and the implementation of Annex II measures. The ENS auditor asks to see controls operating, not just procedures.
2. The success metric
ISO 27001 accepts a certain level of residual risk if justified. ENS prescribes specific mandatory measures by category: not applying them is not "accepted risk", it is a major non-conformity.
3. Product nationality
ISO 27001 does not require specific products. ENS, especially in the HIGH category and on specific MEDIUM components, requires products qualified by the CPSTIC of the CCN. This can force replacement of technology that ISO would consider perfectly valid.
4. The supervisory authority
In ISO the ultimate supervisor is the certification body and, above it, ENAC. In ENS there is also the CCN-CERT as a national authority with inspection capability.
5. Integration with other standards
ENS maps naturally onto NIS2 and the Spanish Law on Critical Infrastructure Protection. ISO 27001 maps naturally onto ISO 27002, 27017, 27018 and the NIST frameworks. An ENS auditor will ask you about NIS2; an ISO auditor will ask you about NIST CSF.
How an external audit day unfolds
So the team does not arrive blind on D-day, this is a typical on-site audit day at a supplier SME in the MEDIUM category.
09:00 opening meeting with management, security officer and single point of contact. The auditor presents the audit plan, the techniques to be used (documentary review, interviews, observation, sampling) and resolves doubts. Lasts 30-45 minutes.
09:45 documentary review conducted with the security officer: security policy, statement of applicability, risk analysis, treatment plan. Lasts 2-3 hours.
12:30 interview with the IT manager on access management, cryptography, monitoring and backups. Live evidence is usually requested: "show me the last restoration test". Lasts 1-2 hours.
14:30 interview with a random end user (administrative assistant, salesperson, etc.) about training received, passwords, what they do if they receive a suspicious email, where the policy is. 20-30 minutes.
15:00 interview with HR manager about onboarding, offboarding and staff training. 30-45 minutes.
16:00 interview with supplier or contracts manager about security clauses, SaaS inventory, critical supplier review. 30-45 minutes.
17:00 day closure with oral summary of preliminary findings to the security officer. It is not binding: final findings go in the final report.
After the audit: closure and certification
The audit report arrives between 2 and 4 weeks after the visit. It documents findings as major non-conformities, minor non-conformities or observations. The closure procedure varies by finding type.
Major non-conformities must be closed before certificate issuance. The usual deadline is 60-90 days from receipt of the report. A corrective action plan must be presented, executed, closure evidenced and, if the auditor considers it, a short verification visit may be requested.
Minor non-conformities can be closed in the period after receiving the certificate, with a firm closure commitment and verification at the biennial surveillance audit.
Observations or improvement opportunities are not an obligation: they are recommendations to strengthen the system. Documenting them and including them in the internal improvement plan is good practice and is positively valued in the next audit.
The issued certificate is valid for three years from the certification decision date. It is maintained with the biennial surveillance audit and renewed with a re-certification audit at the end of the cycle. Major changes in the system (scope, infrastructure, category) must be communicated to the certification body.
How to choose an ENS certification body without making mistakes
The choice of certification body sets calendar, budget and, above all, process experience. The six most active bodies in Spain for ENS are AENOR, Bureau Veritas, SGS, LRQA, TUV Rheinland and AUDISEC. Three criteria discriminate well between them.
Criterion 1 · sectoral experience
Some bodies have done more ENS audits in your sector than others. AENOR dominates public sector and professional services. Bureau Veritas has volume in industry and logistics. SGS is strong in technology and software. LRQA in consulting and financial services. Asking for references of the specific auditor they assign you, not only the body, is good practice.
Criterion 2 · schedule availability
Schedules fill up. AENOR can have waiting lists of 4-6 months for specific dates; the others usually commit dates with 6-10 weeks notice. If your public client requires a certificate at month 8 from formalisation, schedule decides more than price.
Criterion 3 · fees and breakdown
Differences for an SME in MEDIUM category are 1,500-3,000 EUR between the six bodies. Asking for quotes from three and requiring detailed breakdown (phase 1, phase 2, travel, administrative management, issuance) prevents surprises. Beware of significantly cheaper offers: they may be removing audit days that translate into a less rigorous audit and worse certificate reputation with the public client.
ENS audit versus ISACA-style audit (CISA, CRISC): what changes
Some large companies face ISACA (CISA-style) audits from their clients and wonder how they differ from the ENS audit. The difference is clear: the ISACA audit looks at governance, risk management, IT service management and value assurance; it is designed for corporate internal audit, not for official certification.
The ENS auditor will not discuss corporate governance: they go straight to compliance with Annex II measures. But if your organisation has a solid ISACA foundation, its internal processes will make life easier in the documentary phase 1 of the ENS audit. Leveraging that foundation without confusing the two audits is a useful lever for companies with a mature internal audit function.
Tools that make the audit easier from the inside
Five tools or platform types significantly reduce ENS audit preparation cost.
Light GRC (structured Excel or SaaS tool). A spreadsheet of evidence per Annex II measure with owner, location, last update date and link. For an SME, Excel works; beyond certain complexity, tools like Vanta, Drata or Eramba simplify maintenance.
SIEM or equivalent for logs. Microsoft Sentinel, Splunk, Wazuh or ELK Stack centralise logs with search. Without centralisation, periodic review cannot be demonstrated.
Identity manager with universal MFA. Microsoft Entra ID, Okta or equivalent. The auditor will ask for a list of privileged users with MFA: if it is in the cloud, 30 seconds; if it is in manual spreadsheets, hours.
Training and phishing platform. KnowBe4, Hoxhunt, Mailteck. Automatically generates evidence of attendance, phishing simulations and culture metrics. Covers two common non-conformities in a single tool.
Backup solution with automated test. Veeam, Acronis, Microsoft 365 Backup with verification. The key is the documented automated test: the auditor asks for the last restoration report and it must exist, dated, with result and responsible.
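An added example, not code from the article or from any GRC product, of the evidence map described under weeks -10 to -8 and in the Light GRC tool above: a small Python check that flags evidence older than the review thresholds the article cites (restoration test and risk analysis within 12 months, privilege review quarterly). The measure names, owners, locations, dates and the 30-day log-review limit are constructed assumptions.

```python
"""Evidence-freshness check over an ENS evidence map (constructed example)."""
import csv
import io
from datetime import date

# Maximum evidence age per measure, from the thresholds the article names.
# The 30-day log-review limit is an assumption taken from the monthly
# mini-review habit, not a figure the article gives.
MAX_AGE_DAYS = {
    "backup restoration test": 365,
    "risk analysis review": 365,
    "privilege review": 90,
    "log review": 30,
}
DEFAULT_MAX_AGE_DAYS = 365  # assumed limit for measures not listed above

# Constructed evidence map: one row per applicable Annex II measure with
# owner, location and last update date. An empty date means no evidence filed.
EVIDENCE_MAP_CSV = """measure,dimension,owner,location,last_update
backup restoration test,availability,IT manager,Backups/restore-2024-01.pdf,2024-01-15
risk analysis review,all,security officer,GRC/risk-analysis-v3.xlsx,2023-02-01
privilege review,authenticity,IT manager,GRC/priv-review-Q1.xlsx,2024-03-20
log review,traceability,SOC lead,SIEM/review-notes.md,2024-02-10
media destruction record,confidentiality,facilities,,
"""
AUDIT_DAY = date(2024, 4, 15)  # constructed date of the external audit

def load_evidence_map(text):
    """Parse the CSV map; last_update becomes a date, or None when empty."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        raw = row["last_update"].strip()
        row["last_update"] = date.fromisoformat(raw) if raw else None
    return rows

def stale_evidence(rows, today):
    """Return (measure, age_days, limit_days) for each measure whose evidence
    is older than its limit; missing evidence is reported with age None."""
    findings = []
    for row in rows:
        limit = MAX_AGE_DAYS.get(row["measure"], DEFAULT_MAX_AGE_DAYS)
        if row["last_update"] is None:
            findings.append((row["measure"], None, limit))
            continue
        age = (today - row["last_update"]).days
        if age > limit:
            findings.append((row["measure"], age, limit))
    return findings

if __name__ == "__main__":
    for measure, age, limit in stale_evidence(load_evidence_map(EVIDENCE_MAP_CSV), AUDIT_DAY):
        shown = "no evidence filed" if age is None else f"{age} days old"
        print(f"STALE: {measure} ({shown}, limit {limit} days)")
```

Run monthly against the real map and the output is the list of measures to refresh before the auditor asks for them.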
Last-minute mistakes: what you can still fix on the eve
If you reach 7 days before the external audit and detect any of these five mistakes, there is still room to correct them.
1. The website does not have an updated privacy and cookies policy. The auditor will check. Update template with a GDPR adviser, publish and keep evidence. 4-6 hours.
2. There is no record of the last security committee meeting. Convene the committee in short format and produce minutes with the agenda and basic agreements. Use the real date, not a backdated one (the auditor spots it).
3. The backup of the last month has no restoration test. Run the test now, document the procedure, log the result.
4. The SaaS inventory is outdated. Spend one hour with IT and purchasing reviewing cloud subscription billing of the last year. Update the inventory and review clauses.
5. The mandatory training of the last year has no acknowledgement of receipt from some employee. Send a formal reminder with a 24-hour deadline and keep the response log.
If you reach D-day with these five points resolved, you have eliminated 60% of the minor non-conformities the auditor would have detected.
Audit culture: how mature companies live with the cycle
The most mature companies do not see the ENS audit as a one-off event but as a fixed point in an annual rhythm of continuous improvement. Three habits distinguish a company with an audit culture from a company that simply passes audits.
First habit: monthly mini-evidence reviews. Once a month, half an hour with the security committee and the system owners to refresh evidence on critical measures. No technology, just discipline. Result: when the auditor arrives, evidence is from the last 30 days, not from the last 6 months.
Second habit: small-scale incident drills. Every quarter, simulate a real incident (lost laptop, suspicious email opened, server outage) and exercise the procedure end to end. Document. Lessons learned. Update procedure if appropriate. The auditor recognises a company that drills because it answers without hesitation about scenarios that have actually happened.
Third habit: voluntary improvement plan. Each year, add 2-3 controls beyond the strict minimum of your category as voluntary improvement. Document the rationale. The auditor values the gesture and the company gains real maturity. It is also a defence in case of incident: the willingness to do more shows due diligence.
These three habits do not require a CISO or a large investment. They require routine. Routine is built by adding the same hour every month and not skipping it. Companies that do it certify on the first attempt year after year, with surveillance audits closed without findings, and a real security posture much above the minimum required by the framework.
Author: Ángel Ortega Castro · independent consultant in strategy, compliance and digitalisation for Spanish SMEs and public administrations. Aranda de Duero (Burgos) · Castilla y León.