How often is an ENS audit required and who carries it out? ENS (Spanish National Security Framework) requires an ordinary regular audit at least every two years (biennial audit), per Article 31 of Royal Decree 311/2022. In addition, an extraordinary audit must be conducted whenever substantial modifications occur to the information system that may affect the required security measures, and that extraordinary audit resets the two-year period. Who conducts it depends on the category: for basic a self-assessment suffices; for medium and high it is audited by a certification body accredited by ENAC. In this article I explain the complete cycle: frequency, who audits, what is reviewed and how it fits with conformity.
How often is an ENS audit required?
Article 31.1 of Royal Decree 311/2022 is clear: systems within the ENS scope shall undergo an ordinary regular audit, at least every two years, verifying compliance with the ENS (Spanish National Security Framework) requirements. That is the biennial frequency that defines the ENS audit cycle.
The "at least" matters: two years is the maximum interval between ordinary audits, not a minimum. An organization can audit itself more frequently if it deems appropriate, but it can never let more than two years pass without a regular audit.
What is an ENS extraordinary audit?
In addition to the ordinary biennial audit, the same Article 31 requires an extraordinary audit whenever substantial modifications occur to the information system that may affect the required security measures. What counts as a substantial modification? Significant changes to the architecture, to the services provided, to how information is processed, or to the system scope — not a routine patch.
A detail that is often overlooked: carrying out an extraordinary audit resets the two-year count for the next ordinary audit. In other words, if you carry out an extraordinary audit, the biennial deadline clock restarts from that date.
ENS audit cycle
Who can audit ENS?
It depends on the system category, because the conformity route changes:
- Basic category: conformity can be determined by self-assessment. No external auditor is required; the organization itself verifies compliance. Even so, that verification must be repeated at least every two years.
- Medium and high categories: conformity is accredited by certification, through a formal audit carried out by a certification body accredited by ENAC (the National Accreditation Body). In the public sector, certain bodies may use authorized technical audit bodies.
The difference is substantial: a self-assessment is signed by the entity itself, while a certification is granted by an independent, accredited third party. If your system is medium or high category, you will need an external auditor without exception. To arrive well prepared, review how to prepare for an ENS audit.
Is the ENS audit biennial or annual?
It is biennial: the ordinary regular audit is conducted at least every two years, not every year. This is a common misunderstanding, especially among those coming from frameworks with annual cycles. In ENS, the standard interval is two years. What can happen before that interval expires is an extraordinary audit — but only if there are substantial modifications to the system.
It is important not to confuse the ENS cycle with that of ISO 27001, which has annual surveillance audits and recertification every three years. They are different frameworks with different calendars; if you manage both, you will have two audit cycles to coordinate.
What is the difference between self-assessment and certification audit?
Both verify ENS compliance, but they are not the same:
- Self-assessment: carried out by the organization itself. Valid for basic category and results in a declaration of conformity. It is more agile and economical, but all responsibility rests with whoever signs it.
- Certification audit: carried out by an ENAC-accredited body. Mandatory for medium and high categories and results in a conformity certificate. It provides independence and external recognition.
If you want to go deeper into the first route, I develop it in my guide on the ENS declaration of conformity at basic level and how to self-assess.
Table: ENS audit cycle and responsible parties
This table summarizes the cycle and who audits by review type:
| Type of review | When it takes place | Who conducts it | Result |
|---|---|---|---|
| Ordinary (biennial) | At least every 2 years | Self-assessment (basic) / ENAC body (medium–high) | Maintains conformity |
| Extraordinary | On substantial system changes | Same route as ordinary per category | Resets the 2-year period |
| Self-assessment (basic) | At least every 2 years | The organization itself | Declaration of conformity |
| Certification (medium/high) | At least every 2 years | ENAC-accredited certification body | Conformity certificate |
What does an ENS audit review?
The audit verifies that the security measures required by ENS are implemented and operating, not merely documented on paper. Broadly, it reviews:
- The organizational framework: approved security policy, regulations, procedures and assignment of roles and responsibilities.
- The operational framework: operational management, access controls, monitoring, incident management and continuity.
- The protection measures: protection of premises, equipment, communications, information media, applications and services.
- The risk analysis: that it exists, is current and guides security decisions.
The auditor compares each applicable Annex II measure of Royal Decree 311/2022 for the system category against real evidence. An audit that only reviews documents without verifying that measures actually work does not fulfil its purpose.
How does an ENS audit proceed?
A certification audit of ENS is not a surprise examination: it follows an orderly process that is worth knowing in order to arrive prepared. Broadly, it goes through these phases:
- Planning and scope. The system to be audited, its category and the applicable set of measures are defined. The certification body agrees the schedule and prior documentation with the organization.
- Documentary review. The auditor examines the security policy, risk analysis, declaration of applicability, procedures and records. They verify that the documentary framework exists and is coherent.
- Field work. The auditor verifies on the ground that the measures work: reviews configurations, interviews responsible parties, checks evidence of operating controls (logs, incident records, access controls).
- Report and non-conformities. The auditor issues a report with conclusions and, where applicable, non-conformities classified by severity.
- Remediation and decision. The organization corrects the non-conformities within the set deadlines and the body decides on issuing or renewing the certificate.
Arriving at this process with documentation in order and measures genuinely implemented is what makes the difference between a smooth audit and one full of findings. That is why it pays to prepare for the audit well in advance rather than improvising.
ENS audit vs. ISO 27001 audit
If your organization manages both ENS and ISO 27001, you will coexist with two different audit cycles, and it is important not to mix them:
- ENS: ordinary regular audit at least every two years, plus extraordinary audits for substantial changes. The route depends on the category (self-assessment or ENAC certification).
- ISO 27001: initial certification audit, annual surveillance audits and recertification audit every three years, always by an accredited certification body.
The good news is that, if you integrate both systems, you can coordinate the audits so that field work overlaps and reduces the burden on the organization. A single security policy, one risk analysis and a common documentary body allow the auditor to review once what serves both frameworks. I develop this in my comparison between ENS and ISO 27001.
How to prepare for the biennial audit
The fact that the interval is two years does not mean security is reviewed only every two years. Organizations that arrive well-prepared at the audit are those that maintain conformity continuously:
- Keep the risk analysis alive. Update it when assets, threats or safeguards change — not only before the audit.
- Retain evidence throughout the entire cycle. Incident logs, access records, backup and review records must be available, not reconstructed at the last minute.
- Conduct interim internal reviews. A mid-cycle review detects gaps with enough time to correct them before the official audit.
- Monitor substantial modifications. If you make a significant change to the system, remember it may trigger an extraordinary audit and reset the deadline.
What happens if you do not pass the audit?
If the audit detects non-conformities, the organization must correct them within the deadlines set by the certification body before obtaining or renewing the certificate. Holding a conformity badge without actual conformity — for example, letting the biennial period lapse or failing to address non-conformities — is an irregularity. For private companies working with the Spanish Public Administration, losing conformity may also mean failing to meet contract requirements.
The role of ENAC and certification bodies
When your system is medium or high category, not just anyone can audit it: the conformity audit is carried out by a certification body accredited by ENAC, the National Accreditation Body. ENAC accreditation is the guarantee that the body meets the technical criteria to certify ENS, just as in other certification schemes. This provides independence: the certificate is not issued by the audited organization itself or by any provider, but by an accredited, supervised third party.
Within the public sector, Royal Decree 311/2022 also allows certain bodies to rely on their own authorized technical audit bodies. For a private company seeking certification, however, the usual route is to contract an ENAC-accredited certification body, which will conduct the audit and, if appropriate, issue the conformity certificate with its corresponding badge. Choosing an accredited body is not a minor detail: a certificate issued by a non-accredited party has no validity under ENS.
Conclusion
ENS sets a biennial audit cycle: ordinary regular audit at least every two years, plus extraordinary audits for substantial changes — which reset the period. Who audits depends on the category: self-assessment for basic, certification by an ENAC-accredited body for medium and high. The audit is not a formality: it verifies that security measures genuinely work. Knowing this calendar well is what prevents surprises and allows you to arrive at each review with conformity fully in order.
Frequently asked questions
How often is an ENS audit required?
At least every two years. Article 31 of Royal Decree 311/2022 establishes an ordinary regular audit with a biennial frequency. In addition, an extraordinary audit must be conducted when substantial modifications occur to the system, and that extraordinary audit resets the two-year period.
Who can audit ENS?
It depends on the category. For basic category, conformity can be determined by the organization's own self-assessment. For medium and high categories, it is audited by a certification body accredited by ENAC; in part of the public sector, authorized technical audit bodies may act.
Is the ENS audit biennial or annual?
It is biennial: the ordinary regular audit is conducted at least every two years, not annually. It should not be confused with ISO 27001, which has annual surveillance audits and recertification at three years.
What is the difference between self-assessment and certification audit?
Self-assessment is carried out by the organization itself, is valid for basic category, and leads to a declaration of conformity. The certification audit is carried out by an ENAC-accredited body, is mandatory for medium and high categories, and leads to a conformity certificate.
Sources
- Royal Decree 311/2022, of 3 May, regulating ENS (Spanish National Security Framework) (BOE-A-2022-7191) — Art. 31, security audit; Art. 38, conformity.
- CCN-CERT — Frequently asked questions about ENS (ens.ccn.cni.es).
- CCN-CERT IC-01/19 — General criteria for ENS audit and certification.