
Comparison of security measures: ENS vs. ISO 27001

ISO 27001

ISO 27001 is a voluntary, certifiable international standard for information security management systems. Compliance is evidenced erga omnes through a certificate issued by an accredited certification body after an audit with a satisfactory result. As with other management system standards, the requirements of UNE-ISO/IEC 27001 apply to all types of organizations, regardless of their nature, size or sector of activity.

National Security Scheme

For its part, the National Security Scheme, better known by its Spanish acronym ENS, is a legal provision that is mandatory for information systems within the scope of application of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector. Compliance is evidenced erga omnes through a declaration or certification of conformity; for systems of MEDIUM or HIGH category the certification is likewise issued after an audit with a satisfactory result.

ENS and ISO 27001

Although the two mechanisms are different, many of their security measures are identical or complementary. For that reason, this post focuses on the measures that require the greatest additional effort when moving between the two frameworks, in order to clear up some of the doubts that arise for certification bodies and for organizations that wish to undergo complementary audits against both.

Firstly, the ENS includes a set of controls to guarantee continuity of service (impact analysis, continuity plan and periodic testing). ISO 27001 barely covers this: its Annex A only asks that information security be maintained during a disruption (A.17 in the 2013 edition; controls 5.29 and 5.30 in the 2022 edition), because full business continuity management is the subject of a separate international standard, ISO 22301.

Regarding the "Planning" section of the ENS, it should be noted that it adds a specific control for the acquisition of new components, whereas ISO 27001 reflects this requirement in a very dispersed way across several controls.

Regarding "Access Control", ISO 27001 essentially deals only with passwords and, more generally, with secret authentication information. The ENS, by contrast, defines several authentication mechanisms (something you know, something you have, something you are) and modulates which of them are acceptable according to the system's category.

Regarding the "Operation" section of the ENS, it includes several controls on security configuration and on configuration management. ISO 27001:2013 has no equivalent dedicated control; note, however, that the 2022 edition introduced control 8.9 "Configuration management", which narrows this gap.

Likewise, attention must be paid to the "Information Protection" section of the ENS, since ISO 27001 makes no reference to "Time Stamps" or "Document Cleaning" (removal of metadata and hidden content before a document is released).

Finally, the "Protection of Services" section has no counterpart in ISO 27001, so it must be covered in its entirety from the ENS side.

Source:

CCN-STIC 825 Guide

Oscar J Labella

IT Lawyer | Governance, Risk & Compliance | Privacy
