ENS or ISO 27001 for working with Spanish public administration?

For bidding or contracting with the Spanish public sector what is required is the ENS (Spanish National Security Framework), not ISO 27001. ENS is legally mandatory (Royal Decree 311/2022) for systems that handle public sector information; ISO 27001 is voluntary. That said, implementing ISO 27001 before ENS typically costs less, because a large share of the controls can be reused. This article focuses on the angle almost nobody explains: what procurement documents actually require, in which order to implement each framework, and how to avoid paying twice for the same work.
If you are looking for the full technical comparison (origins, scope, control mapping, risk analysis), I have developed it in my guide on differences between ENS and ISO 27001. I will not repeat it here: I go straight to the practical decision for a company that wants to sell to public administration.
What does public administration actually require: ENS or ISO 27001?
The short answer is ENS. Royal Decree 311/2022, of 3 May, which regulates the ENS (Spanish National Security Framework), explicitly extended its scope to private sector operators that provide services or solutions to public entities when those systems handle public sector information. In other words: if your company will be handling data or systems of a public body, you fall within the ENS scope even as a private company.
ISO 27001, in contrast, is an international voluntary standard. Nobody requires you to have it. In practice, many procurement documents award points for it or treat it as equivalent for certain purposes, but it does not substitute for ENS when ENS is mandatory. Confusing the two is the most expensive mistake at a procurement table.
What do procurement documents say about ENS?
In practice, in a public procurement tender the ENS appears in three distinct forms, and knowing how to distinguish them matters because the consequences are very different:
- As a technical solvency requirement (mandatory): the tender requires the bidder to demonstrate ENS conformity at the category corresponding to the service. Without it, you are excluded.
- As a scoreable award criterion (points): ENS is not required to bid, but demonstrating conformity — or a higher level — scores points against competitors.
- As an execution obligation (during the contract): it is not required when bidding, but the contract requires conformity to be achieved within a deadline from award. If you fail to comply, you incur penalties or contract termination.
ISO 27001 typically appears in procurement documents in the "scoreable" or good-practices zone, almost never as an exclusionary requirement for public sector contracts. So, if you only have ISO 27001 and the tender requires ENS as a solvency requirement, you cannot bid. To understand how this plays out in contractual practice, see my guide on the ENS certification process, requirements and costs.
Can I use ISO 27001 to comply with ENS?
Not directly, but it does work as an accelerator and cost reducer. ISO 27001 and ENS share a significant part of their logic: both start from a risk analysis, and both require a management-approved security policy, control documentation, incident management and continuous improvement. This means that if you already have a certified ISO 27001 ISMS, a large part of the ENS work is already done: policies, procedures, asset inventory, risk analysis and records can be reused.
What ISO 27001 does not do is automatically give you ENS conformity. ENS has its own control framework (Annex II of RD 311/2022), its level-based categorisation and its conformity procedure. You must map what you already have against ENS measures, cover the gaps, and go through the appropriate conformity route. But starting from ISO 27001 substantially reduces the effort: you are not starting from zero.
Is it cheaper to implement ISO 27001 before ENS?
For most private companies that want to sell to public administration, yes, and for two reasons. First, ISO 27001 gives you an internationally recognised Information Security Management System (ISMS) that also works for private clients, not just the public sector. Second, once the ISMS is built, ENS implementation builds on it rather than duplicating it.
The reverse order — ENS first, ISO 27001 after — is also valid, but is usually less efficient for a private company: ENS is designed from a public administration perspective and its documentation does not always fit neatly with what ISO requires. If your primary goal is to bid and you also want a certification sellable to private clients, the sequence ISO 27001 → ENS gives the best return on investment.
Recommended implementation order for bidding
Table: what you need based on your situation
This table summarises the decision based on where your company is and what it is seeking. This is an indicative guide, not a substitute for reading the specific tender document:
| Your situation | Need ENS? | Need ISO 27001? | Recommended order |
|---|---|---|---|
| Only private clients | No (unless your systems handle public sector information) | Optional, builds commercial trust | ISO 27001 if clients request it |
| Starting to bid with public administration | Yes, if tender requires it | Recommended as a base | ISO 27001 → ENS |
| Tender requires ENS as solvency | Yes, mandatory to bid | Not mandatory | ENS priority; ISO accelerates |
| Tender values ISO 27001 with points | Depends on contract | Scores points | Both if competing for award |
| Already have ISO 27001 and want to bid | Yes, if tender requires it | Already have it | Map ISO onto ENS |
Common mistakes at the procurement table
When I review bids with companies new to public procurement, the same mistakes keep appearing. These are the ones that most often exclude bids or cost points:
- Submitting ISO 27001 when the tender requires ENS. They are different frameworks. Attaching an ISO certificate does not demonstrate ENS conformity and the procurement board may reject the bid for lack of technical solvency.
- Demonstrating an ENS category lower than the service requires. ENS has levels (basic, medium, high). If the contract handles medium-category information and you provide basic conformity, you do not meet the requirement.
- Confusing declaration with certification. At basic level ENS is demonstrated through a self-assessment conformity declaration; at medium and high levels, through certification with an accredited body audit. Providing a declaration where the tender requires certification is grounds for exclusion.
- Not displaying the conformity badge. RD 311/2022 requires conformity to be evidenced through the official badge on the website or e-government portal. Some tenders check for this.
- Leaving conformity until "after we win". If the tender requires it as solvency, it must be in place before submitting the bid, not after award.
Deadlines and penalties: ENS as an execution obligation
Some contracts do not require ENS when bidding, but impose it as an execution obligation. In those cases the tender typically sets a deadline from contract formalisation to achieve conformity — usually a few months — and links non-compliance to financial penalties or, in more serious cases, contract termination.
This is where having prior ISO 27001 makes all the difference: if you are already starting from a mature ISMS, reaching ENS conformity within the contractual deadline is feasible; if you are starting from scratch with the clock running, the risk of missing the milestone is real. That is why, when a company tells me it wants to "enter the public sector", the first thing we look at is not the first tender, but whether it makes sense to build the ISO 27001 base first to avoid gambling on every execution deadline.
Practical case: a technology SME that wants to bid
Imagine a ten-person software development SME (small and medium-sized enterprise) that has so far only worked with private clients and wants to bid for contracts from a regional government department. The service will involve hosting and processing administration data, placing it within the ENS scope. Where to start?
The sensible route is: (1) implement an ISO 27001-compliant ISMS, which also builds trust with private clients; (2) categorise the public service to be provided to determine which ENS level is needed; (3) map the ISO controls already implemented against ENS measures and cover the gaps; and (4) go through the conformity route — declaration or certification depending on the level. With this sequence, the SME avoids duplicating documentation, obtains a sellable certification, and reaches tenders with ENS conformity in order.
What if I need both? How not to pay twice
Many companies working with both private clients and public administration end up needing both frameworks. The key to avoiding duplicated costs is implementing a single management system covering both: one security policy, one risk analysis, one shared asset inventory and a common document body, with the specific annexes each framework requires.
That convergence is precisely what I offer in my ISO 27001 + ENS + GDPR pack for public administration contracts in Castilla y León: instead of three separate projects, a single system covering all three frameworks audited in a coordinated way. If you operate from Castilla y León or the Canary Islands, I provide end-to-end support from initial diagnosis to conformity.
Conclusion: ENS to enter, ISO 27001 to build
If your goal is to work with public administration, ENS is the door: without it, in many cases you cannot even bid. ISO 27001 is the foundation worth building on, because it saves effort in the ENS and works outside the public sector too. The most cost-effective sequence for a private company is usually ISO 27001 first, ENS after and, when both are needed, integrating them in a single management system to avoid paying twice for the same effort.
The mistake I see over and over is treating conformity as a last-minute formality just before a specific tender. It does not work that way: neither ENS nor ISO 27001 can be improvised in two weeks, because both require evidence — approved policies, analysed risks, operating controls — that needs real operating time before it can be audited. Planning ahead, deciding the right order and building a single system that works for multiple tenders is what turns compliance into a competitive advantage rather than a race against the clock.
Frequently asked questions
Do I need ENS or ISO 27001?
It depends on who you work for. For bidding or contracting with the Spanish public sector, ENS (Royal Decree 311/2022) is mandatory. ISO 27001 is voluntary, international and useful for private clients; it does not substitute ENS when ENS is mandatory.
Can I use ISO 27001 to comply with ENS?
Not automatically, but it does serve as a base: both share security policy, risk analysis and incident management. If you already have ISO 27001, you reuse most of the documentation and reduce the ENS effort, though you must map and cover the specific measures in ENS Annex II.
What do I need to work with public administration?
Typically, ENS conformity at the category corresponding to the service. It may appear as a solvency requirement (mandatory to bid), a scoreable criterion (points) or a contract execution obligation. Always read each individual tender document.
Is it cheaper to implement ISO 27001 before ENS?
For most private companies, yes. The ISO 27001 ISMS works inside and outside the public sector and, once built, ENS implementation builds on it rather than duplicating it. The ISO 27001 → ENS sequence usually provides better return on investment.
Sources
- Royal Decree 311/2022, of 3 May, regulating the ENS (Spanish National Security Framework) (BOE-A-2022-7191)
- CCN-CERT — ENS frequently asked questions
- AEPD — ENS conformity declaration
Content by Ángel Ortega Castro. Always verify regulatory requirements with the specific tender document and official sources.