
Comparison of security measures: ENS vs. ISO 27001

ISO 27001

ISO 27001 is a voluntary, certifiable international standard for information security management systems. Compliance is evidenced erga omnes through a certificate issued by an accredited auditor after an audit with satisfactory results. The requirements of the UNE-ISO/IEC 27001 standard, as with other management system standards, apply to all types of organizations, regardless of their nature, size or sector of activity.

National Security Scheme

For its part, the National Security Scheme, better known by its acronym ENS, is a legal provision that is mandatory for information systems within the scope of Law 40/2015, of October 1, on the Legal Regime of the Public Sector. Compliance is evidenced erga omnes through a declaration of conformity, also issued after an audit with satisfactory results.

ENS and ISO 27001

Although the two mechanisms are different, many of their security measures are identical or complementary. For that reason, this post focuses on the measures that demand the most additional effort when moving between the two frameworks, in order to clear up doubts that arise for certified organizations wishing to undergo complementary audits against both.

Firstly, the ENS includes a series of controls to guarantee continuity of service. ISO 27001 does not address this topic, since it is covered by ISO 22301, the international standard for business continuity management.

Regarding the “Planning” section of the ENS, it should be noted that a specific control is added for the acquisition of new components, whereas ISO 27001 addresses this in a much more scattered way.

Regarding “Access Controls”, ISO 27001 practically only addresses passwords and shared secrets in general. The ENS, by contrast, defines several authentication modes and modulates their required use according to the category of the system.

Regarding the “Exploitation” (operations) section, the ENS includes several controls on security configuration and its management, which ISO 27001 does not contemplate.

Likewise, attention must be paid to the “Information Protection” section of the ENS, since ISO 27001 makes no reference to “Time Stamps” or “Document Cleaning”.

Finally, the “Protection of Services” section is not covered by ISO 27001 at all, so it must be addressed in its entirety under the ENS.

Source:

CCN-STIC 825 Guide

IT Lawyer | Governance, Risk & Compliance | Privacy
