Executive summary · TL;DR
The CPSTIC is the CCN catalogue listing security products and services qualified for systems under the ENS (Spanish National Security Framework) in MEDIUM and HIGH categories.
Control op.pl.5 of the ENS establishes that the security components of systems must be qualified or certified products wherever possible. The Catalogue of ICT Security Products and Services (CPSTIC) of the CCN is the official reference for identifying these products. Knowing the catalogue, knowing how to use it and documenting product selection correctly are aspects that ENS auditors verify, and ones where many organisations fail simply because they are unaware of the requirement.
- What is the CPSTIC catalogue?
- Product families in the catalogue
- When is using CPSTIC products mandatory?
- How to consult the catalogue
- How to document selection in the SoA
What is the CPSTIC catalogue?
CPSTIC is the inventory of ICT security products evaluated and qualified or approved by the CCN (Centro Criptológico Nacional) for use in systems classified under the ENS. It is a living resource, updated periodically as new products are evaluated and others lose their qualification.
The catalogue is divided into two main categories. Qualified products have undergone a technical evaluation by an accredited laboratory and meet the functional and security requirements defined for their category. Approved products, in addition to being qualified, have been authorised to handle national classified information.
For most ENS systems (BASIC, MEDIUM and unclassified HIGH categories), the reference is qualified products.
Product families in the catalogue
CPSTIC organises products into functional families that cover the main security needs. Families include antimalware and EDR solutions, perimeter and next-generation firewalls, intrusion detection and prevention systems (IDS/IPS), VPN and secure remote access, identity and access management (IAM), SIEM systems for security monitoring, data and communications encryption solutions, backup and recovery tools, mobile device management (MDM), and email security.
For each qualified product, the catalogue provides information on the manufacturer, the evaluated version, the ENS category for which it is suitable, the verified security features, the qualification date and its validity period.
When is using CPSTIC products mandatory?
The mandatory use of CPSTIC products depends on the system category. In the BASIC category, the use of qualified products is recommended but not mandatory: you must document product selection on the basis of technical security criteria, but the products need not appear in the catalogue.
In the MEDIUM category, you must use qualified or certified products where the catalogue lists one for the required security function. If no qualified product is available, you may use a commercial one with documented justification.
In the HIGH category, the use of qualified products is mandatory for critical security functions. Exceptions are permitted only where no qualified product covers a specific need, and in that case you must document a complementary risk analysis.
How to consult the catalogue
CPSTIC is accessible on the CCN website (ccn-cert.cni.es). To access the full catalogue you must be registered as a CCN user. The catalogue can be filtered by product family, ENS category and manufacturer.
It is important to verify that the version of the product you intend to use is exactly the one listed in the catalogue. A different version, even a minor update, may not be qualified.
How to document product selection in the Statement of Applicability
The Statement of Applicability (SoA) must reflect the security products used and their justification. For each control that requires a technical solution, document the product used (manufacturer, version), whether it is CPSTIC-qualified (with a reference to the catalogue), or — if not qualified — the technical justification of its selection and the compensating measures applied.
Auditors specifically verify this aspect. The absence of documentation on product selection is a frequent non-conformity, especially in MEDIUM and HIGH categories.
What to do when no qualified product exists
There is not always a CPSTIC product for every need. In those cases, the organisation should select a product with recognised security certifications (Common Criteria, FIPS 140-2/3), document a risk analysis evaluating the suitability of the selected product, implement additional compensating measures if necessary, and keep an eye on new additions to the catalogue that may replace the current product.
Most common CPSTIC products in ENS projects
Without going into specific commercial brands, the types of products most often selected from the catalogue for ENS adequacy projects are next-generation firewalls for perimeter protection, communication encryption systems for inter-site connections and connections with the public administration, VPN solutions for secure remote access, SIEM tools for the monitoring required in MEDIUM and HIGH categories, and identity management solutions for multi-factor authentication.
Author: Ángel Ortega Castro — independent consultant in strategy, quality and digitalisation for Spanish SMEs and public administrations.