Executive summary · TL;DR

ISO/IEC 27001 and the ENS (Spanish National Security Framework) are the two key information security standards in Spain. ISO 27001 is voluntary and international; the ENS is mandatory and Spanish for the public sector and its suppliers. This guide explains the differences in scope, controls, certification and the situations in which a company needs both at the same time.

Sources: ISO/IEC 27001:2022 · BOE · Royal Decree 311/2022 · AENOR · CCN-CERT

If you are exploring information security certifications for your company, you have likely come across two key references: ISO/IEC 27001 and the ENS (Spanish National Security Framework). Both standards aim to improve cybersecurity, but they have very different origins, scope and approaches. Knowing the differences is essential to make the right decision.

ENS and ISO 27001: similar origins, different paths

ISO 27001 was born in 2005 from the British standard BS 7799 (1995), developed by BSI. It is the international standard for Information Security Management Systems (ISMS), maintained by ISO and IEC. The current version is ISO/IEC 27001:2022.

The ENS, on the other hand, was created by Royal Decree 3/2010 specifically to standardise security in the Spanish Public Administration. Its most recent revision, Royal Decree 311/2022, modernised the framework to address current threats and align it with European standards.

Mandatory or voluntary: the first essential difference

This is the most important practical difference. The ENS is mandatory by law for all bodies of the Spanish Public Administration and for private companies that provide them with ICT services. Failure to comply is, in practice, a barrier to operating with the public sector.

ISO 27001 is voluntary. A company adopts it for strategic, competitive or contractual reasons (because clients require it), but no Spanish or international law forces it.

Scope of application: who they target

The ENS is designed for organisations that handle public-sector information: the Spanish Public Administration, ICT suppliers to the Administration, integrators, software developers for public clients and the related supply chain.

ISO 27001 is universal: any organisation regardless of sector, size or country can implement it. It is especially popular among technology companies, financial services, healthcare and any organisation that handles sensitive information.

Approach to controls: prescriptive vs flexible

The ENS has a prescriptive approach. It defines 73 specific security measures organised in three frameworks: organisational, operational and protection measures. It applies them according to category (BASIC, MEDIUM or HIGH), determined by the impact a security incident would have on the information processed.

ISO 27001 has a more flexible approach based on risk management. It defines 93 controls in Annex A of ISO/IEC 27001:2022, but the organisation selects which ones to apply based on its risk assessment. This flexibility makes it more adaptable, but also harder to implement well.

Structure and methodology

ISO 27001 is based on the Plan-Do-Check-Act (PDCA) cycle, integrating with other management standards (ISO 9001, ISO 14001, ISO 27701) under the Annex SL high-level structure. It requires the formal establishment of an ISMS, with policies, processes, roles, responsibilities and continual improvement.

The ENS organises its requirements into:

Certification process

ISO 27001 certification is issued by certification bodies accredited by ENAC (in Spain, AENOR, BSI, SGS, TÜV, among others). The audit is performed by independent auditors, the certificate is valid for three years and there are annual follow-up audits.

The ENS distinguishes between declaration of conformity (for BASIC category) and certification (mandatory for MEDIUM and HIGH categories). Certification is performed by entities accredited by ENAC for the ENS scheme, the certificate has a similar three-year validity, and follow-up audits are also annual.

Cost and complexity

For an SME, ISO 27001 certification usually costs between €15,000 and €40,000, including consultancy, implementation and external audit. The ENS, in MEDIUM category, tends to range between €8,000 and €25,000 for an SME — the difference comes from the more prescriptive scope, which simplifies the consultant's work.

When you need ISO 27001

ISO 27001 is suitable if you operate internationally and need a globally recognised certification, if your clients (especially large corporations or international ones) demand it, if you handle sensitive information and want to demonstrate security commitment, or if you need to integrate security with other management systems already in place.

When you need the ENS

The ENS is appropriate if you work directly with the Spanish Public Administration, if you bid for public tenders that require this certification, if you are a subcontractor of a direct supplier to the Administration, or if you handle classified information from the public sector.

When you need both

Many companies in Spain end up needing both standards simultaneously: technology suppliers that work with both private companies and the public sector, multinationals operating in Spain with Spanish public-sector clients, large consultancies and integrators that combine private and public clients, and outsourcing companies that handle private and public information.

If this is your case, the good news is that the controls overlap significantly. A well-designed implementation can satisfy 70-80% of the requirements common to both standards, optimising effort and cost.

Strategy for an SME

For an SME with limited resources, my recommendation is sequential: if you work mostly in the private sector, start with ISO 27001 and add the ENS later only if necessary. If you already work with the public sector or plan to soon, start with the ENS, as it is mandatory, and add ISO 27001 if commercial reasons recommend it.

Implementing both simultaneously is feasible but requires more initial resources. A consultant with experience in both standards can design a unified project that saves time and money.
Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.

Frequently asked questions

What is the difference between the ENS and ISO 27001?
The ENS is mandatory and Spanish for the public sector and its ICT suppliers; ISO 27001 is voluntary and international. The ENS is prescriptive (73 specific measures by category), ISO 27001 is risk-based and flexible (93 controls in Annex A).
Can a company have both certifications at the same time?
Yes, and many do. The controls overlap by 70-80%, so a well-designed implementation can satisfy both standards while optimising effort. Typical use cases: ICT suppliers with public and private clients, consultancies and integrators.
Which is more expensive, the ENS or ISO 27001?
For an SME, ISO 27001 usually costs €15,000-40,000, while the ENS in MEDIUM category ranges from €8,000 to €25,000. The ENS tends to be cheaper because its prescriptive scope simplifies consultancy work.
Which one should I start with?
If you work mostly in the private sector, start with ISO 27001 and add the ENS later only if necessary. If you already work with the public sector or plan to soon, start with the ENS since it is mandatory.

Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs of 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR / BV / SGS / LRQA).

Which Spanish regulation applies?

BOE references RD 311/2022 (ENS), Regulation EU 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act 2024/1689 depending on scope.

How long does the implementation take?

On average, a single ISO standard takes 4-7 months. An integrated management system (SGI) combining 9001+14001+27001 usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

References: AENOR · BOE · ISO

Brain marketing is more predictable than opinion marketing. — Ángel Ortega Castro