Annex III of the ENS governs the security audit: the procedure by which it is verified that a system genuinely complies with the Annex II measures. According to Royal Decree 311/2022 and its Article 31, medium and high category systems must undergo an ordinary audit at least every two years — plus an extraordinary one following substantial changes — while basic category systems may accredit their conformity through self-assessment. The auditor goes beyond the paperwork: they verify that each measure is implemented, adequate and, above all, demonstrable with evidence.
Annex II tells you what must be in place; Annex III verifies that you actually have it. This is the difference between drafting a security policy and being able to show the record approving it, the logs applying it, and the configuration materializing it. If Annex II is the exam, Annex III is the examiner. In this guide I explain exactly what the ENS audit reviews, what evidence it requires by type of measure, how it differs from self-assessment, and which findings recur most often.
I support companies and entities through this process from Castilla y León and Las Palmas, and almost always the problem is not a lack of controls, but a lack of organized evidence. Let us avoid that stumbling block.
What is ENS Annex III?
Annex III of Royal Decree 311/2022 sets the purpose, levels and interpretation of the security audit. It is the natural complement to Annex II: it defines how conformity with the measures catalogued there is verified. Its operational development is supported by Article 31 of the Royal Decree and by the CCN-STIC 808 guide, which details how to verify compliance measure by measure.
The ENS audit is not a bureaucratic formality. It verifies three things for each applicable measure: that it is implemented, that it is adequate for the risk and category, and that its operation can be demonstrated. A measure that exists on paper but leaves no operational trace is, for audit purposes, an unaccredited measure.
Who can audit ENS conformity?

It depends on the purpose of the audit and the nature of the entity:
- Public sector. Verification can be carried out by a Technical Audit Body (TAB) of the public sector itself or, through the Declaration of Conformity, by the entity itself relying on the CCN-STIC 809 guide.
- Conformity certification. When the ENS Conformity Certification is sought (common for private companies providing services to the public sector), the audit is carried out by a Certification Body accredited by ENAC for ENS. The result takes the form of a time-limited certificate.
In practice, if you are a provider seeking to accredit ENS for public tenders, you will end up working with an accredited certification body. I relate this to the process detail and costs in my guide on ENS certification: process, requirements and costs.
How often must a system be audited under ENS?
Article 31 of Royal Decree 311/2022 sets the frequency by category:
| System category | Verification mechanism | Ordinary frequency |
|---|---|---|
| Basic | Self-assessment or audit | Periodic review recommended |
| Medium | Formal audit | At least every 2 years |
| High | Formal audit | At least every 2 years |
In addition to the ordinary audit, Article 31 requires an extraordinary audit whenever substantial modifications to the information system occur: an architecture change, a relevant migration, a new integration with external services. The two-year clock does not exempt the organization from reviewing when the system changes significantly.
What is the difference between self-assessment and audit?
This distinction is critical and is determined by the system category. If you do not know your category, I clarify it step by step in how to choose between basic, medium and high level.
- Self-assessment (basic category). The entity itself verifies compliance with the applicable measures, normally with the support of the verification annex in CCN-STIC 808. It is lighter but no less rigorous: documented evidence of the review must be retained.
- Audit (medium and high category). Verification is carried out by an auditor with the required independence (TAB or certification body). It produces a formal report with findings and, where applicable, the conformity certificate.
The essential difference is not only "who looks," but the degree of independence and the formality of the result. A well-conducted self-assessment is excellent preparation for a future audit, but it does not replace one when the category demands independent verification.
What evidence does an ENS audit review?
Here is the practical core. The auditor goes through the Annex II measures applicable to your system and, for each one, looks for objective evidence. This is the typical correspondence by framework:
| Framework / measure | What the auditor asks for (evidence) |
|---|---|
| org.1 Security policy | Document approved by the governing body, with date and approval record. |
| org.3 Procedures | Written, versioned procedures communicated to staff. |
| op.pl Risk analysis | Current risk analysis with a recognized methodology (MAGERIT). |
| op.acc Access control | Permissions matrix, onboarding/offboarding records, evidence of periodic review. |
| op.exp Activity logging | Logs retained with the required retention period and protection. |
| op.cont Continuity | Continuity plan and records of tests carried out. |
| mp.info Backups | Backup policy, execution logs, evidence of restoration tests. |
| mp.com Communications | Encryption configuration, network segmentation, perimeter rules. |
The pattern repeats: document that defines it + record that applies it + proof that it works. A backup without a restoration test, a log that is not retained, or a policy without an approval record are classic gaps. The Annex II measures underpinning this review are broken down in Annex II explained.
What does an ENS audit report contain?
The report is the formal deliverable of the audit. Per Annex III and CCN-STIC 808, it must cover at least:
- Scope: which systems and services were audited and their category.
- Criteria and methodology: the reference framework (Royal Decree 311/2022, CCN-STIC guides) and how verification was conducted.
- Findings: non-conformities, observations and improvement opportunities, graded by severity.
- Recommendations: proposed corrective actions to close the findings.
- Opinion: the conclusion on the system's degree of conformity.
A report with non-conformities does not necessarily mean "failure": it means a corrective action plan must be opened and the issues resolved. Managing that plan is as important as the audit itself.
Typical findings in an ENS audit
From experience, these are the most recurring — and almost all are avoidable:
- Policy without formal approval. The document exists, but the governing body's approval record is missing.
- Outdated risk analysis. It was done once and never reviewed after system changes.
- Backups without restoration tests. Backups are made, but nobody has verified they can be recovered.
- Permissions without periodic review. Accounts belonging to people who have left, accesses that nobody audits.
- Uncontrolled supply chain. Providers and cloud services to which ENS requirements have not been passed on.
- Incoherent Declaration of Applicability. Measures marked as applicable without evidence, or exclusions without justification.
Audit levels: what the auditor examines according to category
Annex III does not apply the same standard to all systems. The depth of verification grows with the category, just as Annex II requirements grow. In practical terms, this translates into how much and with what detail each measure is reviewed:
- Basic category. Verification focuses on confirming that applicable measures exist and are operational. Documented self-assessment usually suffices, provided it records what was reviewed and with what result.
- Medium category. The auditor goes into implementation detail: not just that the measure exists, but that it is correctly configured, applied systematically and generates repeatable evidence. Sampling tests over logs and configurations appear.
- High category. The most demanding verification. Annex II reinforcements are reviewed, the effectiveness of measures is tested against specific risk scenarios, and the robustness of the most critical controls (encryption, segregation, continuity, monitoring) is examined.
This is why knowing your category well is also the starting point for the audit: it defines not just which measures apply, but the scrutiny under which they will be examined. If you have not yet finalized it, revisit it in ENS categories: basic, medium and high.
The certification conformity lifecycle
When the audit is part of obtaining ENS Conformity Certification, it is not a one-off act but a cycle that repeats over time. It is worth understanding this to plan resources:
- Prior alignment. Before any audit, the system must be deployed: categorized, with its Annex II measures implemented and its Declaration of Applicability signed.
- Initial certification audit. The certification body verifies conformity and, if the opinion is favorable, issues the certificate.
- Certificate validity. The certificate has a limited validity period and is subject to surveillance.
- Surveillance and renewal audits. Periodically — at least every two years for medium and high — conformity is re-verified to keep the certificate current.
- Extraordinary audits. Any substantial system change re-opens the need for verification.
The implication is clear: ENS conformity is not something you "achieve and forget." It is a state that must be maintained, which requires integrating security into the day-to-day operation of the system rather than treating it as a one-off project. The cost and timeline detail for this cycle is developed in ENS certification: process, requirements and costs.
An example of well-constructed evidence
To illustrate the difference between "having the measure" and "being able to demonstrate it," let us take the backup measure (mp.info). An entity can claim it makes backups, but in an audit that is not enough. Solid evidence would be:
- A documented backup policy (what is backed up, how often, how long it is retained, where it is stored).
- Execution logs showing that backups are carried out as planned, without gaps.
- Restoration test records demonstrating that backups are not just made but can be recovered.
- Evidence that backups are protected (encrypted, access-controlled, offsite copy where the category requires it).
That combination — policy, log, test and protection — is what turns a claim into an accredited measure. Apply the same reasoning to each measure in your Declaration of Applicability and you will have half the audit solved.
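The "document + record + proof" pattern from the evidence table and the backup example above can be checked before the auditor arrives. The following script is an added example written for this guide; it is not code from the original article nor an official CCN or ENS tool. It takes the values a backup policy would state (frequency, maximum age of the last restoration test, encryption and offsite requirements), a backup execution log and a restoration test register, and reports the same kinds of gaps an auditor looks for under mp.info: periods with no successful backup, backups stored without the required protection, and a restoration test that is missing or too old. The policy values, the log format (`date | job | status | encrypted | offsite`) and all log lines are constructed sample data, and the major/minor grading is an assumption of this example, not a grading taken from CCN-STIC 808.

```python
"""Evidence self-check for the ENS backup measure (mp.info).

Added example for this guide, not code from the article or any CCN tool.
Policy values, log formats and log lines below are constructed sample data;
the field names and the major/minor grading are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: what the approved backup policy document states.
POLICY = {
    "frequency_days": 1,             # at most one day between successful backups
    "restore_test_max_age_days": 90, # a successful restoration test within 90 days
    "require_encryption": True,
    "require_offsite": True,
}

# Constructed backup execution log (assumed format: date | job | status | encrypted | offsite).
BACKUP_LOG = """\
2024-03-01 | db-prod | OK | yes | yes
2024-03-02 | db-prod | OK | yes | yes
2024-03-03 | db-prod | FAILED | yes | yes
2024-03-05 | db-prod | OK | yes | yes
2024-03-06 | db-prod | OK | no | yes
2024-03-07 | db-prod | OK | yes | yes
"""

# Constructed restoration test register (assumed format: date | job | result).
RESTORE_LOG = """\
2023-11-20 | db-prod | OK
"""

# Constructed date of the evidence review.
AS_OF = date(2024, 3, 8)


@dataclass(frozen=True)
class BackupRun:
    day: date
    job: str
    ok: bool
    encrypted: bool
    offsite: bool


@dataclass(frozen=True)
class Finding:
    measure: str   # ENS measure the finding relates to (here always mp.info)
    severity: str  # "major" or "minor": grading assumed for this example
    detail: str


def _fields(line: str) -> list[str]:
    return [f.strip() for f in line.split("|")]


def parse_backup_log(text: str) -> list[BackupRun]:
    """Parse the constructed execution log into runs sorted by date."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, job, status, enc, off = _fields(line)
        runs.append(BackupRun(date.fromisoformat(day), job, status == "OK",
                              enc.lower() == "yes", off.lower() == "yes"))
    return sorted(runs, key=lambda r: r.day)


def parse_restore_log(text: str) -> list[tuple[date, str, bool]]:
    """Parse the constructed restoration test register."""
    tests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, job, result = _fields(line)
        tests.append((date.fromisoformat(day), job, result == "OK"))
    return tests


def find_gaps(runs: list[BackupRun], frequency_days: int) -> list[tuple[date, date]]:
    """Pairs of consecutive successful runs further apart than the policy allows."""
    ok_days = [r.day for r in runs if r.ok]
    limit = timedelta(days=frequency_days)
    return [(a, b) for a, b in zip(ok_days, ok_days[1:]) if b - a > limit]


def audit_backup_evidence(policy: dict, backup_log: str, restore_log: str,
                          as_of: date) -> list[Finding]:
    """Apply the policy to the execution log and restoration register."""
    runs = parse_backup_log(backup_log)
    findings: list[Finding] = []
    if not runs:
        return [Finding("mp.info", "major", "no backup execution log available")]

    # Record that applies the policy: no gaps in successful executions.
    for a, b in find_gaps(runs, policy["frequency_days"]):
        findings.append(Finding("mp.info", "major", f"no successful backup between {a} and {b}"))
    last_ok = max(r.day for r in runs if r.ok)
    if (as_of - last_ok).days > policy["frequency_days"]:
        findings.append(Finding("mp.info", "major", f"last successful backup is {last_ok}"))

    # Protection of the copies, per successful run.
    for r in runs:
        if r.ok and policy["require_encryption"] and not r.encrypted:
            findings.append(Finding("mp.info", "major", f"{r.day} {r.job}: backup stored unencrypted"))
        if r.ok and policy["require_offsite"] and not r.offsite:
            findings.append(Finding("mp.info", "minor", f"{r.day} {r.job}: no offsite copy"))

    # Proof that it works: a recent successful restoration test.
    ok_tests = [d for d, _, ok in parse_restore_log(restore_log) if ok]
    max_age = policy["restore_test_max_age_days"]
    if not ok_tests:
        findings.append(Finding("mp.info", "major", "no successful restoration test on record"))
    elif (as_of - max(ok_tests)).days > max_age:
        findings.append(Finding("mp.info", "major",
                                f"last successful restoration test {max(ok_tests)} is older than {max_age} days"))
    return findings


def demo_findings() -> list[Finding]:
    """Run the check on the constructed sample data."""
    return audit_backup_evidence(POLICY, BACKUP_LOG, RESTORE_LOG, AS_OF)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"[{f.severity}] {f.measure}: {f.detail}")
```

On the sample data the script reports three findings: no successful backup between 2024-03-02 and 2024-03-05 (the failed run of 03-03 was never re-run), the unencrypted copy of 2024-03-06, and a restoration test that is 109 days old. Each finding maps onto one element of the policy + log + test + protection combination, which is exactly the shape an auditor's non-conformity would take; run against real logs before the audit, it locates the evidence gaps while there is still time to close them.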
How to prepare for a successful audit
The best preparation is not improvised the week before. An approach that works:
- Start from the Declaration of Applicability and, for each marked measure, identify where its evidence is. If you cannot find it, neither will the auditor.
- Conduct a prior self-assessment with CCN-STIC 808 even if your category is medium or high: it reveals the gaps before a third party sees them.
- Organize evidence in a single repository, traceable from each measure.
- Review the sensitive points: policy approval, currency of the risk analysis, restoration tests and access reviews.
If you want to go deeper into the operational preparation, I cover it in detail in how to prepare for an ENS audit.
Frequently asked questions about ENS Annex III
What is ENS Annex III?
It is the part of Royal Decree 311/2022 that governs the security audit: it defines the purpose, levels and interpretation of the conformity verification against Annex II measures. Its operational development is supported by Article 31 and the CCN-STIC 808 guide.
Who can audit ENS conformity?
In the public sector, a Technical Audit Body or the entity itself through a Declaration of Conformity. For the Conformity Certification — typical for private providers — the audit is carried out by a certification body accredited by ENAC for ENS.
How often is an audit required?
Medium- and high-category systems are audited at least every two years, per Article 31, plus an extraordinary audit on substantial changes. Basic-category systems can prove conformity through self-assessment.
What evidence does an ENS audit review?
For each applicable Annex II measure, the auditor looks for the document that defines it, the record that applies it and the proof that it works: approved policy, current risk analysis, preserved logs, backup restoration tests, reviewed access matrix, communications configuration, etc.
What is the difference between self-assessment and audit?
Self-assessment is carried out by the entity itself (valid for basic category) and the audit is performed by an independent verifier with a formal result (mandatory for medium and high). Both verify the same thing, but differ in independence and the formality of the opinion.
What happens if the audit detects non-conformities?
They are recorded in the report classified by severity and a corrective action plan is opened to address them. Non-conformities do not imply automatic failure; what matters is closing them within the deadline and leaving evidence of the correction.
Sources
- Royal Decree 311/2022, of 3 May (BOE-A-2022-7191) — Article 31 (audit) and Annex III.
- CCN-CERT — CCN-STIC 808 guide: ENS compliance verification.
- ENS Portal — CCN (ens.ccn.cni.es) — CCN-STIC 808 and 809 guides (Declaration and Certification of Conformity).
Content prepared by Summum Marketing for angelortegacastro.com. For informational purposes only; for a formal audit, always verify against the current Royal Decree 311/2022 and the latest version of CCN-STIC 808.