ISO 27001
The ISO 27001 standard is a voluntary, certifiable international standard for information security management systems. Compliance is evidenced erga omnes through a certificate, issued by an accredited auditor after an audit with satisfactory results. The requirements of the UNE-ISO/IEC 27001 standard, as with other management systems, are applicable to all types of organizations, regardless of their nature, size or sector of activity.
National Security Scheme
For its part, the National Security Scheme, better known by its acronym ENS, is a legal provision that is mandatory for information systems within the scope of application of Law 40/2015, of October 1, on the Legal Regime of the Public Sector. Compliance is evidenced erga omnes through a declaration of conformity, also issued after an audit with satisfactory results.
ENS and ISO 27001
Although the two mechanisms are different, many of their security measures are identical or complementary. That is why, in this post, we focus on the measures that require the greatest additional effort when moving between the two security frameworks, in order to clarify some of the doubts that arise for certifying companies that wish to carry out complementary audits against both.
Firstly, the ENS includes a series of controls to guarantee the continuity of the service, whereas ISO 27001 does not address this issue; it is covered instead by ISO 22301, the international standard for business continuity management.
Regarding the “Planning” section of the ENS, it should be noted that a specific control is added for the acquisition of new components, while ISO 27001 reflects this requirement in a very dispersed way.
Regarding “Access Controls”, ISO 27001 practically only addresses passwords and shared secrets in general. The ENS, however, establishes several authentication modes and modulates their use depending on the system category.
Regarding the “Exploitation” (operations) section, the ENS includes several controls on security configuration and its management. ISO 27001, for its part, does not contemplate them.
Likewise, attention must be paid to the “Information Protection” section of the ENS, since ISO 27001 does not refer to “Time Stamps” or “Document Cleaning”.
Finally, the “Protection of Services” section is not included in ISO 27001, so it must be covered in its entirety by the ENS.
Source: