
ENS Audit: Pre-audit and Accompaniment

I am Angel Ortega Castro, independent ENS consultant. I prepare companies for their ENS conformity audit — Annex III of RD 311/2022: internal pre-audit, evidence organisation and full accompaniment during the visit of the ENAC-accredited body that conducts the official audit and issues the certificate.

Annex III (audit framework) · Biennial (certification renewal) · ENAC-accredited (certifying body)
What it is and who it applies to

The ENS audit: what it assesses and when it is mandatory.

The ENS conformity audit is the independent verification process governed by Annex III of Royal Decree 311/2022, of 3 May (BOE-A-2022-7191). Its purpose is to verify rigorously that an organisation's information systems comply with the requirements of the Esquema Nacional de Seguridad applicable to their category: the controls in Annex II, the security policy, the risk analysis and continuity management.

It is not a superficial document review. The audit examines the actual implementation of controls, the existence of auditable evidence and the coherence between what is declared in the Statement of Applicability (SoA) and what is practised in the organisation. Its outcome is a conformity report detailing findings, non-conformities and, in medium or high category, the basis for the certificate issued by the accredited body.

Independent verification

The conformity audit is carried out by a third party — in medium or high category, an ENAC-accredited body — which objectively assesses the degree of compliance of the system.

Requirement for public tenders

Public procurement specifications increasingly require suppliers to demonstrate ENS conformity. The certificate is the document that satisfies those requirements.

Biennial renewal

The ENS certificate is valid for two years. After that period a new conformity audit must be passed to keep the accreditation current.

Continuous improvement

The audit cycle requires controls to be maintained and updated, turning ENS conformity into a living system of security improvement, not a one-off administrative formality.

The Sole Transitional Provision of RD 311/2022 set 24 months for pre-existing systems to adapt; that deadline expired on 5 May 2024. The obligation is fully in force: new systems must comply from day one and contracts in force require conformity to be demonstrated at each renewal. If your company provides services to the public sector and has not yet started the adaptation process, the starting point is set out in the complete ENS guide and the ENS consultancy for companies service page.

Legal basis: Royal Decree 311/2022, of 3 May, regulating the Esquema Nacional de Seguridad (BOE-A-2022-7191). Audit governed by Annex III. Certifying bodies accredited by ENAC in accordance with UNE-EN ISO/IEC 17065:2012. Application guides: CCN (Centro Criptológico Nacional).

How I prepare you for the audit

Six phases to pass the ENS audit first time.

The main cause of non-conformities in an ENS audit is improvisation: arriving without ordered evidence, with an outdated SoA or with controls implemented but undocumented. My work begins before the accredited auditor's visit; each phase produces a concrete deliverable on which the next phase builds.

ENS audit preparation · phases and deliverables

Phase 01 · Pre-audit diagnosis
What we do: Differential analysis between the actual state of the system and the requirements of Annex III. We identify controls without evidence, procedures not yet formalised and gaps the auditor would detect.
Reference and deliverable: Gap report with criticality ratings and closure order, based on Annex III of the ENS.

Phase 02 · Evidence map
What we do: Comprehensive catalogue of all evidence required by Annex II for the system's category (basic, medium or high). For each control: current status, available evidence, outstanding items and responsible party.
Reference and deliverable: Evidence register with traffic-light status indicators. Aligned with CCN-STIC 808 and 850 guides.

Phase 03 · Document review and update
What we do: Update of the Statement of Applicability (SoA), the security policy and the MAGERIT risk analysis. Coherence between documentation and actual implementation of controls.
Reference and deliverable: Documentation aligned with Annex III and CCN-STIC 806 and 807 guides.

Phase 04 · Internal audit (pre-audit)
What we do: Full rehearsal simulating the accredited auditor's visit: control review, interviews with responsible personnel and technical tests. Outcome: list of non-conformities before the real audit.
Reference and deliverable: Pre-audit report with non-conformities and closure plan. See guide on ENS audit preparation.

Phase 05 · Accompaniment during the accredited audit
What we do: Support during the ENAC-accredited body's visit: meeting coordination, real-time evidence clarification and technical response to auditor findings. Reduction of non-conformities during the process.
Reference and deliverable: The certificate is issued by the ENAC-accredited body, not the consultant.

Phase 06 · Closure and biennial follow-up
What we do: Resolution of non-conformities identified by the auditor. Road map to maintain active conformity until the biennial renewal and prepare the next audit cycle.
Reference and deliverable: Continuous improvement plan and two-year renewal calendar.

Want to understand each test the auditor runs? I detail them in the article on Annex III of the ENS and the conformity audit. And if your company provides services to public authorities, you will find the legal context in ENS for suppliers: does the public sector require it from me?

Request your pre-audit diagnosis →

Categories and conformity pathways

ENS categories: what each one means for the audit.

Annex I of RD 311/2022 establishes three system categories based on the impact a security incident would have on the five CIDAT dimensions: confidentiality, integrity, availability, authenticity and traceability. The dimension with the highest level determines the system's category, and that category defines the conformity pathway your organisation must follow and the type of audit required.

Basic category

Self-assessed declaration

When an incident would cause limited harm to the organisation's functions, its assets or individuals.

  • No dimension exceeds the low level
  • Conformity through a self-assessed declaration of conformity
  • Does not require an audit by an ENAC-accredited body
  • Even so, tender specifications may require additional evidence

Medium category

Accredited certification · biennial

When an incident would cause serious harm; at least one dimension reaches the medium level.

  • At least one dimension at medium level
  • Certification by an ENAC-accredited body (ISO/IEC 17065)
  • Biennial conformity audit (every two years)
  • Annex II control sets at medium level

High category

Accredited certification · biennial

When an incident would cause very serious or even irreparable harm; at least one dimension reaches the high level.

  • At least one dimension at high level
  • Certification by an ENAC-accredited body (ISO/IEC 17065)
  • Biennial conformity audit with stricter control requirements
  • Annex II control sets at high level

Internal audit versus external certification

Internal audit (pre-audit)

Carried out by the consultant or the in-house security team before the accredited third party's visit. Its purpose is to detect non-conformities with enough time to correct them. It has no official standing and does not accredit conformity before public authorities, but it is the most effective tool for passing the external audit first time and minimising the number of findings.

External certification (ENAC-accredited body)

In medium or high category, conformity can only be accredited through an ENAC-accredited body in accordance with UNE-EN ISO/IEC 17065:2012. This body issues the ENS certificate of conformity, which is the document that satisfies public procurement specifications. The consultant prepares and accompanies; the certificate is issued by the accredited third party. Never "guaranteed certification": that does not exist in any rigorous audit process.

Need help categorising your system before deciding which pathway to follow? The guide on ENS levels and how to choose your category will help, and if you are unsure between ENS and ISO 27001, I compare both frameworks in ENS or ISO 27001 for public-sector contracts.

What you get

Documentation to pass the ENS audit.

The preparation work does not consist of drafting documents that nobody reads. Each deliverable has a specific audience — the accredited auditor, your security team or the person responsible for the tender — and is designed to be genuinely useful in the real certification process.

Why work with me

An ENS consultant who prepares, not promises.

I am Angel Ortega Castro, an independent consultant specialising in adaptation to the Esquema Nacional de Seguridad and information security. I prepare companies supplying the public sector to pass the ENS conformity audit: I identify gaps before the accredited auditor does, organise the documentation and accompany you throughout the entire process.

My approach is one of genuine, person-to-person accompaniment: I do not hand over a report and disappear. I work alongside you at each phase, from the initial diagnosis to resolving the non-conformities the certifying body identifies. When the project ends, your team knows how to maintain conformity until the next biennial renewal without depending on anyone.

I am explicit about what I can and cannot promise: I prepare and accompany your organisation towards conformity; the certificate is issued by the ENAC-accredited body. Anyone who promises "guaranteed certification" either does not understand the process or is not being honest. That candour, combined with rigorous adherence to RD 311/2022 and its Annexes I–IV, is what sets me apart.

Independent ENS consultant · RD 311/2022 · Annexes I–IV · Annex III · Conformity audit · ENAC · ISO/IEC 17065 · MAGERIT · Risk analysis · Castilla y León · Canarias · Spain

Typical profiles

Three types of organisations that need to prepare for the ENS audit.

ICT supplier to public authorities

Software and services companies working with the public sector.

Systems integrators, cloud service providers and software developers who need to certify ENS conformity to maintain their public contracts or access new tender specifications that require it.

Company bidding for public contracts for the first time

Organisations entering public procurement.

Private companies facing ENS certification for the first time as a solvency requirement to enter public tenders. The audit is the gateway to a market that would otherwise be closed to them.

Biennial renewal

Entities with a current certificate due for renewal.

Organisations whose ENS certificate expires in the coming months and need a review of their current state, evidence updates and accompaniment through the new biennial conformity audit.

Indicative investment

How much does ENS audit preparation cost?

The cost depends on the system category (basic, medium or high), the number of systems in scope and the starting maturity level: the more gaps that exist before the audit, the greater the preparatory closure work. There is no single figure valid for all cases.

Fixed quote after the diagnosis. No surprises · tailored to your scope and category

In addition to the preparation and accompaniment fees, medium and high category systems also incur the certifying body's fees, which are independent of mine and invoiced by the third party that issues the certificate. We assess both items together in the first call, with no obligation.

Many organisations underestimate the cost of arriving poorly prepared for the audit: major non-conformities can require a second auditor visit, at significant additional cost. Rigorous preparation is always more cost-effective than improvising.

Frequently asked questions

Common questions about the ENS audit.

What exactly is the ENS audit and what does it assess?

The ENS conformity audit, governed by Annex III of Royal Decree 311/2022, is an independent review that verifies whether an organisation's information systems comply with the Annex II controls, the security policy, the risk analysis and continuity management. The auditor examines real evidence — records, configurations, procedures, interviews — to verify that what is declared in the SoA matches what is implemented. The outcome is a conformity report with the findings detected. I detail this in the article on Annex III of the ENS and the conformity audit.

Is the ENS audit mandatory for my company?

It is if you provide services to the public sector and your systems are classified as medium or high category. In basic category you may opt for a self-assessed declaration of conformity, although an increasing number of tender specifications require additional evidence or even independent certification regardless of the level. The general adaptation deadline for pre-existing systems expired on 5 May 2024; the obligation is fully in force and applies from day one to new systems or those with significant changes. If you are unsure whether your company is required to comply, I explain it in the guide on ENS for suppliers and public tenders.

Who can conduct the ENS conformity audit?

In medium or high category, only an ENAC-accredited body in accordance with UNE-EN ISO/IEC 17065:2012 may issue the certificate of conformity. The ENS consultant prepares the conformity and accompanies during the process; the certification audit is carried out by the accredited third party. In basic category, conformity is accredited by the organisation itself through a self-assessed declaration. I explain this in detail in the article on who conducts the ENS audit and how often.

How often must the ENS certificate be renewed?

The ENS certificate is renewed every two years (biennial renewal). During that period the implemented controls and the evidence supporting them must remain active. The usual practice is to schedule an annual review to detect deviations and correct them before the renewal audit, avoiding the accumulation of gaps. I develop this in the article on how often the ENS is audited and who does it.

What is the difference between an internal audit and external ENS certification?

An internal audit, also known as a pre-audit, is a review carried out by the consultant or the in-house team before the accredited third party's visit. Its purpose is to detect non-conformities with enough time to correct them; it has no official standing and does not accredit conformity before public authorities. External certification is conducted by an ENAC-accredited body: its results have official standing and are those that accredit conformity in public procurement specifications. Both are complementary; the internal audit is the best investment for passing the external one first time.

How do you prepare to pass the ENS audit first time?

The five key steps are: (1) gap diagnosis against Annex III with sufficient time before the visit, (2) closure of identified non-conformities before the auditor finds them, (3) organisation and verification of evidence for each Annex II control, (4) a full internal rehearsal simulating the real visit, and (5) accompaniment during the audit to clarify evidence in real time. I detail this in the ENS audit preparation guide.

What happens if the accredited body detects non-conformities?

The body issues a findings report. Non-conformities are classified by severity: major ones prevent certification until they are remediated and the correction verified; minor ones can be resolved with documentary evidence without a new visit. Rigorous preparation minimises the number and severity of findings. If they arise despite that, I accompany you through the closure process and the demonstration of remediation to the auditor.

Is the ENS audit the same as ENS consultancy?

No. ENS consultancy covers the entire adaptation cycle: initial diagnosis, system categorisation, MAGERIT risk analysis, adaptation plan and implementation of Annex II measures. The ENS audit is the final verification phase by an accredited third party. If your organisation is starting from scratch, the full journey begins with consultancy; if your systems are already adapted and you only need to prepare for the audit, we go straight into the pre-audit phases described on this page.


Next step

Shall we prepare your ENS audit together?

First call at no cost or commitment. We assess your category and system scope, identify the main gaps and, if we are a good fit, I send you a fixed proposal to prepare and pass the conformity audit first time.