Executive summary · TL;DR

The ENS (Esquema Nacional de Seguridad, the Spanish National Security Framework) defines 73 security measures in three frameworks: organisational (4), operational (33) and protection measures (36). Which ones a system must implement depends on its category (BASIC, MEDIUM or HIGH).

Annex II of RD 311/2022 defines the 73 security controls that organisations must implement according to the category of their system. Knowing each control, understanding what it requires and knowing the evidence auditors look for is essential for an efficient implementation and a successful audit. This guide provides a complete breakdown of the three control frameworks with practical implementation guidance.

In this article
  • Organisational framework: 4 controls
  • Operational framework: 33 controls
  • Protection measures: 36 controls
  • Cryptography in RD 311/2022
  • How to approach implementation by phases

Organisational framework: the foundations of security (4 controls)

The organisational framework establishes the bases of security governance. These are the controls that define who decides what, how it is documented and how it is authorised.

org.1 — Security policy

The security policy is the top-level document that establishes the organisation's principles, guidelines and commitments on information security. It applies in all three categories (BASIC, MEDIUM and HIGH).

The policy must include, as a minimum, organisational objectives, the regulatory framework, security roles and responsibilities, the structure of the security committee, categorisation guidelines, risk analysis guidelines and training guidelines. It must be approved by management and communicated to all staff.

The evidence auditors look for is a signed and dated policy document, records of communication to staff, periodic review minutes and evidence that staff are familiar with the policy.

org.2 — Security standards

Standards develop the policy into more specific documents regulating particular aspects of security. They apply in all three categories.

Typical standards include rules on system use, password management, information classification, email use, teleworking and physical access. Each standard must be approved, communicated and accessible to all relevant staff.

org.3 — Security procedures

Procedures detail how security activities are executed day to day. They apply in all three categories.

The essential procedures cover incident management, change management, access management, backups, service continuity, vulnerability management and internal audit. Each procedure must include its scope, responsible parties, detailed description of activities and records generated.

org.4 — Authorisation process

This control establishes that a formal process must exist to authorise the entry into operation of new system components or significant changes to existing ones. In RD 311/2022 the process must cover, at least, the use of facilities, the entry of equipment and applications into production, the establishment of communication links, the use of cryptographic means, the use of information media and mobile devices, and the use of third-party services.

It applies in all three categories. Annex II does not grade org.4 by category: BASIC, MEDIUM and HIGH systems all need the same formal authorisation process, and the rigour of each individual authorisation comes from the controls it relies on (the risk analysis of op.pl.1 and the acceptance checks of mp.sw.2), which do scale with category. The evidence auditors look for is the authorisation procedure itself and a signed, dated authorisation record for each component or change that went into production.

Operational framework: security in practice (33 controls)

The operational framework contains the controls that regulate the daily operation of information systems. In RD 311/2022 it is organised into seven families (op.pl, op.acc, op.exp, op.ext, op.nub, op.cont and op.mon).

op.pl — Planning (5 controls)

The planning family includes the risk analysis (op.pl.1), which is mandatory in all categories and is the basis for control selection. It also includes the security architecture (op.pl.2), which defines the system's protection structure. Acquisition of new components (op.pl.3) sets security requirements in purchasing. Capacity sizing and management (op.pl.4) ensures the system has sufficient resources. And certified components (op.pl.5) requires that, where possible, products from the CCN CPSTIC catalogue are used.

op.acc — Access control (6 controls)

Access control is one of the most demanding families and the one where most non-conformities are detected. RD 311/2022 reorganised it into six controls: identification (op.acc.1), requiring each user to have a unique identifier with no shared or generic accounts; access requirements (op.acc.2), which limits rights to what each user needs for their function; segregation of functions and tasks (op.acc.3); the process for managing access rights (op.acc.4); the authentication mechanism for external users (op.acc.5); and the authentication mechanism for the organisation's own users (op.acc.6). The two authentication controls are where the category gradient bites: in BASIC, single-factor authentication (a password subject to quality rules) is admitted; in MEDIUM, a password alone is no longer accepted and a second factor is required; in HIGH, at least two factors are required and one of them must be a cryptographic element, typically a certificate or a hardware device. The local-access and remote-access controls of RD 3/2010 (old op.acc.6 and op.acc.7) no longer exist as separate measures; their requirements are absorbed into the authentication mechanisms.

op.exp — Operation (10 controls)

This family covers the secure operation of systems: asset inventory (op.exp.1), security configuration (op.exp.2), security configuration management (op.exp.3), maintenance and security updates (op.exp.4), change management (op.exp.5), protection against malicious code (op.exp.6), incident management (op.exp.7), activity logging (op.exp.8), incident management records (op.exp.9) and protection of cryptographic keys (op.exp.10). The separate log-protection control of RD 3/2010 was folded into op.exp.8, whose reinforcements now cover integrity and retention of the logs.

op.ext — External services (4 controls)

Regulates supplier relations: contracting and service level agreements (op.ext.1), day-to-day management of the service (op.ext.2), protection of the supply chain (op.ext.3, new in RD 311/2022) and interconnection of systems (op.ext.4, new in RD 311/2022). The "alternative means" control of RD 3/2010 was removed from this family.

op.nub — Cloud services (1 control)

New in RD 311/2022: protection of cloud services (op.nub.1) requires that cloud services used by the system are covered by the ENS, in practice by choosing providers whose service is certified at the category the system needs and by keeping the shared-responsibility split documented.

op.cont — Service continuity (4 controls)

Includes business impact analysis (BIA), the continuity plan, periodic testing and alternative means. In HIGH category, continuity exercises with documented scenarios are required at least annually.

op.mon — System monitoring (3 controls)

Includes intrusion detection, the security metrics system and surveillance. In MEDIUM and HIGH, continuous monitoring with anomaly detection capability is required.

Protection measures: technical implementation (36 controls)

Protection measures are the technical and procedural controls that protect specific assets.

mp.if — Facilities and infrastructure (7 controls)

Covers physical security: segregated areas with access control (mp.if.1), identification of persons (mp.if.2), conditioning of premises (mp.if.3), electrical power (mp.if.4), fire protection (mp.if.5), flood protection (mp.if.6) and equipment entry/exit logging (mp.if.7).

mp.per — Personnel management (4 controls)

Includes job characterisation (mp.per.1, defining the security requirements of each role), duties and obligations of staff (mp.per.2, including those that survive the end of the engagement), awareness (mp.per.3) and training (mp.per.4).

mp.eq — Equipment protection (4 controls)

Clean desk (mp.eq.1), locking of unattended workstations (mp.eq.2), protection of portable devices (mp.eq.3) and other devices connected to the network (mp.eq.4, which in RD 311/2022 replaces the old "alternative means" control).

mp.com — Communications protection (4 controls)

Secure perimeter (mp.com.1), confidentiality of communications (mp.com.2), integrity and authenticity protection (mp.com.3), and separation of information flows on the network (mp.com.4).

mp.si — Media protection (5 controls)

Labelling (mp.si.1), cryptography (mp.si.2), custody (mp.si.3), transport (mp.si.4), and erasure and destruction of media (mp.si.5).

mp.sw — Software protection (2 controls)

Secure application development (mp.sw.1) and acceptance and entry into service (mp.sw.2).

mp.info — Information protection (6 controls)

Personal data (mp.info.1), information classification (mp.info.2), electronic signature (mp.info.3), time stamps (mp.info.4), document sanitisation (mp.info.5) and backups (mp.info.6). The separate encryption control of RD 3/2010 (old mp.info.3) was removed; encryption of stored information is covered by mp.si.2 and encryption in transit by mp.com.2.

mp.s — Service protection (4 controls)

Email protection (mp.s.1), web services and applications protection (mp.s.2), web browsing protection (mp.s.3, new in RD 311/2022) and protection against denial of service (mp.s.4).

Cryptography in RD 311/2022

RD 311/2022 does not create a separate cryptography family. Cryptographic requirements are spread across existing controls: protection of cryptographic keys (op.exp.10), confidentiality and integrity/authenticity of communications (mp.com.2 and mp.com.3), encryption of media (mp.si.2), electronic signature (mp.info.3) and time stamps (mp.info.4). The algorithms, key lengths and protocols that are considered acceptable are set by the CCN guidance on cryptology for the ENS (CCN-STIC 807), and where the category calls for certified components (op.pl.5) the products are expected to come from the CCN CPSTIC catalogue. What RD 311/2022 does add is the reinforcement scheme: each of these controls can be tightened at MEDIUM and HIGH through the +R reinforcements listed in Annex II, which is how the stricter cryptographic requirements for higher categories are expressed.

How to approach control implementation

The recommendation is to tackle implementation in phases, starting with organisational controls (which create the governance framework), then operational controls (which establish processes) and finally protection measures (which deploy technical solutions). Within each phase, prioritise the controls identified as most critical by the risk analysis.

📩 Need to implement the ENS controls in your organisation? Get in touch for a personalised implementation plan that prioritises controls based on your risk analysis and fits your available resources and budget. The first 45-minute session is free of charge and ends with a clear action plan and transparent costs.


Author: Ángel Ortega Castro — independent consultant in strategy, quality and digitalisation for Spanish SMEs and public administrations.


Frequently asked questions

How does this apply to my SME?

The ENS is mandatory for the Spanish public sector and for private companies whose systems provide services or solutions to public administrations (article 2 of RD 311/2022). An SME outside that scope is not obliged to comply, although it can certify voluntarily, and many do so because ENS certification is increasingly required in public tenders.

What does it cost in 2026?

Indicative ranges for SMEs of 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

Depending on scope: RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act (Regulation (EU) 2024/1689), all as published or referenced in the BOE.

How long does the implementation take?

On average 4-7 months for a single standard; an integrated management system (9001+14001+27001) usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes, Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, ciberseguridad) up to 29,000 EUR.

Marketing aimed at the brain is more predictable than marketing aimed at opinion. — Ángel Ortega Castro