ICT Security Guide CCN-STIC 852

Application of the ENS in paying agencies

MAY 2020


2 National Cryptologic Centre (Centro Criptológico Nacional).

CCN-STIC-852 Application of the ENS in paying agencies

Published by:

Centro Criptológico Nacional, 2020

NIPO: 083-20-195-5

Publication Date: May 2020

ISDEFE participated in the creation and modification of this document and its annexes, which were financed by the Ministry of Economic Affairs and Digital Transformation.

LIMITATION OF LIABILITY

This document is provided in accordance with the terms compiled in it, expressly rejecting any type of implicit guarantee that might be related to it. In no case can the Centro Criptológico Nacional be considered liable for direct, indirect, accidental or extraordinary damage derived from using the information and software that are mentioned, even when a warning is provided concerning this damage.

LEGAL NOTICE

Without written authorisation from the Centro Criptológico Nacional, it is strictly forbidden, incurring the penalties set by law, to partially or totally reproduce this document by any means or procedure, including photocopying and computer processing, or to distribute copies of it by means of rental or public lending.


PROLOGUE

In an increasingly complex and globalized world, in which information and communication technologies (ICTs) play an extremely important role, we must be aware that the proper management of cybersecurity is a common challenge that we must necessarily address. It is necessary to ensure that our country's economic, technological, and political capacity is protected, especially since the proliferation of targeted attacks and the theft of sensitive information is an overwhelming reality. For this reason, it is essential to be up to date with the threats and vulnerabilities associated with the use of new technologies. Knowledge of the risks that surround cyberspace must be used to implement procedural, technical and organizational measures that allow a safe and reliable environment.

Law 11/2002, of 6 May, regulating the Spanish National Intelligence Centre (CNI), entrusts the Spanish National Intelligence Centre with functions related to information technology security and to the protection of classified information, and also gives its Secretary of State-Director the responsibility of managing the National Cryptologic Centre (CCN).

Based on the CNI's knowledge and experience of threats and vulnerabilities in emerging risks, the Centre, through its National Cryptologic Centre, which is regulated by Royal Decree 421/2004, of 12 March, carries out various activities directly related to ICT security aimed at training expert staff in the use of appropriate security technology and in the implementation of security policies and procedures. This series of CCN-STIC documents is a clear example of the work that the agency carries out in terms of security implementation, allowing the application of policies and procedures, since the guides have been prepared with a clear objective: to improve the degree of cybersecurity in organizations, aware of the importance of establishing a reference framework in this area that will support government personnel in performing the difficult task of ensuring the security of the ICT systems under their responsibility.

With this series of documents, the National Cryptologic Centre, in compliance with its tasks and with what is reflected in Royal Decree 3/2010, which regulates the National Security Scheme in the field of Electronic Administration, contributes to improving Spanish cybersecurity and to preserving the infrastructures and information systems of all public administrations at optimal security levels. All of this is done with the aim of generating confidence and guarantees in the use of these technologies, protecting the confidentiality of the data and guaranteeing their authenticity, integrity and availability.

May 2020

Paz Esteban López
Secretary of State-Director of the National Cryptologic Centre

CONTENTS

1. INTRODUCTION ... 7
2. PURPOSE ... 7
3. SCOPE ... 7
4. INFORMATION SECURITY STANDARDS ... 8
4.1 ISO/IEC 27001 ... 8
4.2 ISO/IEC 27002 ... 8
5. PAYING AGENCIES WITH EXPENDITURE OF LESS THAN OR MORE THAN €400 MILLION ... 9
5.1 EXPENDITURE OF LESS THAN €400 MILLION ... 9
5.2 EXPENDITURE OF MORE THAN €400 MILLION ... 9
6. SUMMARY TABLE OF ISO 27001 COMPLIANCE VIA THE ENS ... 11
6.1 ISO 27001 REGULATORY BODY/ENS ARTICLES ... 11
6.2 ANNEX A OF ISO 27001/ANNEX II OF ENS ... 14
7. COMPLIANCE WITH THE ISO 27001 REGULATORY BODY THROUGH THE ENS ... 27
7.1 4 – CONTEXT OF THE ORGANISATION ... 27
7.1.1 4.1 UNDERSTANDING THE ORGANISATION AND ITS CONTEXT ... 27
7.1.2 4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES ... 27
7.1.3 4.3 SCOPE ... 28
7.1.4 4.4 INFORMATION SECURITY MANAGEMENT SYSTEM ... 28
7.2 5 – LEADERSHIP ... 29
7.2.1 5.1 LEADERSHIP AND COMMITMENT ... 29
7.2.2 5.2 POLICY ... 29
7.2.3 5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES ... 30
7.3 6 – PLANNING ... 30
7.3.1 6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES ... 30
7.3.2 6.2 INFORMATION SECURITY OBJECTIVES ... 31
7.4 7 – SUPPORT ... 32
7.4.1 7.1 RESOURCES ... 32
7.4.2 7.2 COMPETENCE ... 33
7.4.3 7.3 AWARENESS ... 33
7.4.4 7.4 COMMUNICATION ... 34
7.4.5 7.5 DOCUMENTED INFORMATION ... 34
7.5 8 – OPERATION ... 35
7.5.1 8.1 OPERATIONAL PLANNING AND CONTROL ... 35
7.5.2 8.2 INFORMATION SECURITY RISK ASSESSMENT ... 35
7.5.3 8.3 INFORMATION SECURITY RISK TREATMENT ... 36
7.6 9 – PERFORMANCE EVALUATION ... 36
7.6.1 9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION ... 36
7.6.2 9.2 INTERNAL AUDIT ... 36
7.6.3 9.3 MANAGEMENT REVIEW ... 37
7.7 10 – IMPROVEMENT ... 38
7.7.1 10.1 NON-CONFORMITY AND CORRECTIVE ACTION ... 38
7.7.2 10.2 CONTINUAL IMPROVEMENT ... 38
8. COMPLIANCE WITH ISO 27001 ANNEX A (ISO 27002) VIA ENS ... 40
8.1 5 – INFORMATION SECURITY POLICIES ... 40
8.1.1 5.1 MANAGEMENT DIRECTION FOR INFORMATION SECURITY ... 40
8.2 6 – ORGANIZATION OF INFORMATION SECURITY ... 41
8.2.1 6.1 INTERNAL ORGANIZATION ... 41
8.2.2 6.2 MOBILE DEVICES AND TELEWORKING ... 42
8.3 7 – HUMAN RESOURCE SECURITY ... 43
8.3.1 7.1 PRIOR TO EMPLOYMENT ... 43
8.3.2 7.2 DURING EMPLOYMENT ... 44
8.3.3 7.3 TERMINATION OR CHANGE OF EMPLOYMENT ... 44
8.4 8 – ASSET MANAGEMENT ... 45
8.4.1 8.1 RESPONSIBILITY FOR ASSETS ... 45
8.4.2 8.2 INFORMATION CLASSIFICATION ... 45
8.4.3 8.3 MEDIA HANDLING ... 46
8.5 9 – ACCESS CONTROL ... 47
8.5.1 9.1 BUSINESS REQUIREMENTS OF ACCESS CONTROL ... 47
8.5.2 9.2 USER ACCESS MANAGEMENT ... 47
8.5.3 9.3 USER RESPONSIBILITIES ... 49
8.5.4 9.4 SYSTEM AND APPLICATION ACCESS CONTROL ... 49
8.6 10 – CRYPTOGRAPHY ... 50
8.6.1 10.1 CRYPTOGRAPHIC CONTROLS ... 50
8.7 11 – PHYSICAL AND ENVIRONMENTAL SECURITY ... 51
8.7.1 11.1 SECURE AREAS ... 51
8.7.2 11.2 EQUIPMENT SECURITY ... 53
8.8 12 – OPERATIONS SECURITY ... 55
8.8.1 12.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES ... 55
8.8.2 12.2 PROTECTION FROM MALWARE ... 56
8.8.3 12.3 BACKUPS ... 56
8.8.4 12.4 LOGGING AND MONITORING ... 56
8.8.5 12.5 CONTROL OF OPERATIONAL SOFTWARE ... 57
8.8.6 12.6 TECHNICAL VULNERABILITY MANAGEMENT ... 58
8.8.7 12.7 INFORMATION SYSTEMS AUDIT CONSIDERATIONS ... 58
8.9 13 – COMMUNICATIONS SECURITY ... 58
8.9.1 13.1 NETWORK SECURITY MANAGEMENT ... 58
8.9.2 13.2 INFORMATION TRANSFER ... 59
8.10 14 – SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE ... 60
8.10.1 14.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS ... 60
8.10.2 14.2 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES ... 61
8.10.3 14.3 TEST DATA ... 63
8.11 15 – SUPPLIER RELATIONSHIPS ... 63
8.11.1 15.1 INFORMATION SECURITY IN SUPPLIER RELATIONS ... 63
8.11.2 15.2 SUPPLIER SERVICE DELIVERY MANAGEMENT ... 64
8.12 16 – INFORMATION SECURITY INCIDENT MANAGEMENT ... 65
8.12.1 16.1 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS ... 65
8.13 17 – INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT ... 67
8.13.1 17.1 INFORMATION SECURITY CONTINUITY ... 67
8.13.2 17.2 REDUNDANCIES ... 68
8.14 18 – COMPLIANCE ... 69
8.14.1 18.1 COMPLIANCE WITH LEGAL AND CONTRACTUAL REQUIREMENTS ... 69
8.14.2 18.2 INFORMATION SECURITY REVIEWS ... 70
9. GUIDE UPDATE ... 72
ANNEX A. SUMMARY OF EFFORT FOR COMPLIANCE WITH ISO 27001 THROUGH THE ENS ... 73
ANNEX A.1. ISO 27001 REGULATORY BODY/ENS ARTICLES ... 73
ANNEX A.2. ANNEX A OF ISO 27001/ANNEX II OF ENS ... 76
A.2.1 BASIC-LEVEL INFORMATION SYSTEMS ... 77
A.2.2 MEDIUM-LEVEL INFORMATION SYSTEMS ... 86
A.2.3 HIGH-LEVEL INFORMATION SYSTEMS ... 89


1. INTRODUCTION

In accordance with Delegated Regulation (EU) 907/2014 of the European Commission, of 11 March 2014, supplementing Regulation (EU) 1306/2013 of the European Parliament and of the Council, the information systems of the paying agencies and coordinating bodies of European agricultural funds must be certified in accordance with the ISO/IEC 27001 standard.

In addition, this Delegated Regulation establishes that the Commission may authorise member states to certify the security of their information systems in accordance with other accepted standards, provided that they ensure a security level equivalent, at least, to that established in ISO/IEC 27001.

In this respect, the paying agencies in Spain are also subject to Royal Decree 3/2010, of 8 January, Regulating the Spanish National Security Scheme (hereinafter, ENS) in the field of Electronic Administration.

The purpose of this guide is to identify the equivalence between the requirements of the ENS and those of ISO 27001/27002, as well as the additional measures necessary to apply so that the ENS, within the scope of the paying agencies, can be considered as an alternative accepted by the Commission under Delegated Regulation 907/2014, and thus avoid the excess workload and resources involved in maintaining both regulations.

In this way, the Spanish paying agencies that would like to do so may have the ENS as the sole security scheme without affecting other national paying agencies that make the decision to maintain the duality of complying with ISO/IEC 27001 and the ENS.

2. PURPOSE

The purpose of this guide is to compare the ENS with the ISO/IEC 27001 and ISO/IEC 27002 Information Security Management Standards, ensuring that the ENS meets the security requirements set forth in these standards.

In the event that the ENS does not cover all aspects defined in ISO/IEC 27001 and 27002, this guide provides the additional safeguards that must be implemented with the aim of obtaining equivalence between the ENS and ISO 27001/27002.

In other words, if an agency holds an ENS certification and incorporates these additional measures in accordance with the category of its system, this can be considered equivalent to the certification of an information security management system based on ISO/IEC 27001.

3. SCOPE

This guide sets out standards of equivalence between the ENS and the ISO 27001/27002 standards in terms of the security of information systems, which apply to paying and coordinating bodies of European agricultural funds, in accordance with Section 3(B)(ii) of Annex I to Delegated Regulation (EU) 907/2014 of the European Commission, of 11 March 2014, supplementing Regulation (EU) 1306/2013 of the European Parliament and of the Council, with regard to paying agencies and other bodies, financial management, clearance of accounts, securities and use of the euro.

In particular, this section sets forth that:

“As of 16 October 2016, the security of information systems must be certified in accordance with ISO 27001: Information Security management systems – Requirements.

The Commission may authorise the member States to certify the security of their information systems in accordance with other accepted standards if these standards guarantee a security level equivalent, at least, to that established in ISO 27001.

In the case of paying agencies responsible for managing and controlling an annual Union expenditure of no more than €400 million, the member state may decide not to apply the provisions of the first paragraph. These member states shall continue to apply the provisions of subparagraph i). They shall inform the Commission of their decision.”

4. INFORMATION SECURITY STANDARDS

4.1 ISO/IEC 27001

The ISO/IEC 27001:2013 standard is a voluntary and certifiable international standard for the management of information security. It provides requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS).

It consists of a regulatory body in its Clauses 4 to 10, which must be complied with for certification, and an Annex A describing the control objectives and reference controls, which correspond directly to those contained in ISO/IEC 27002:2013.

4.2 ISO/IEC 27002

The ISO/IEC 27002:2013 standard is a code of good information security practices containing the implementation guide for each of the controls in Annex A of ISO/IEC 27001:2013.

It is organised into 14 security domains, each of which presents one or more security objectives, with a total of 35 objectives. For each of the objectives, one or more security controls are defined, with a total of 114 controls.

This standard is not certifiable, but the degree of implementation of the controls is taken into account during the certification process in ISO/IEC 27001, according to the Statement of Applicability and risk management of each organisation.

These controls shall be referred to in this document interchangeably as controls in Annex A of ISO/IEC 27001 or as controls of ISO/IEC 27002.


5. PAYING AGENCIES WITH EXPENDITURE OF LESS THAN OR MORE THAN €400 MILLION

5.1 EXPENDITURE OF LESS THAN €400 MILLION

The Delegated Regulation (EU) 907/2014 establishes that, for paying agencies not exceeding an annual Union expenditure of €400 million, the member state may decide that they do not need to be certified in accordance with ISO/IEC 27001.

In this case, although it is not mandatory to obtain ISO 27001 certification, the Regulation provides that the security of the information systems of the paying agencies must be based on one of these standards: ISO/IEC 27002, IT Baseline Protection Catalogs (BSI), or COBIT.

This guide includes an equivalence between the ENS and the ISO/IEC 27002 standard, so paying agencies that do not exceed the expenditure of €400 million can justify that by complying with the relevant articles and security measures in Annex II of the ENS, they are applying a code of good practice in information security equivalent to the ISO/IEC 27002.

In particular, paying agencies that do not exceed the annual expenditure of €400 million must:

1. Refer to the table of equivalences between the ISO 27002 and the ENS controls, located in Section 6.2 of this document.

2. Apply the additional ISO 27002 security measures required, i.e., those that require additional effort according to the table above and based on the categorisation of the information system. For this purpose, Section 8 contains more detail about the implementation of the necessary controls. Also, “ANNEX A.2. ANNEX A OF ISO 27001/ANNEX II OF ENS” summarises in a table the additional measures to be implemented according to the category of the information system: basic, medium or high.

5.2 EXPENDITURE OF MORE THAN €400 MILLION

According to Delegated Regulation (EU) 907/2014, the information systems of paying agencies with annual expenditure of more than €400 million must be certified in ISO/IEC 27001.

This guide includes an equivalence between the ENS and the ISO/IEC 27001 standard, so paying agencies that exceed the expenditure of €400 million can justify that, by complying with this guide and the ENS, they can be certified in ISO/IEC 27001 at the same time.

In particular, paying agencies that exceed the annual expenditure of €400 million must:

1. Refer to the table of equivalences between the requirements of the regulatory body of ISO 27001 and the ENS, located in Section 6.1 of this document.


2. Meet the requirements of the ISO 27001 regulatory body, based on the effort estimated in the table above. For this purpose, Section 7 contains more detail on compliance with regulatory requirements. In addition, “ANNEX A.1. ISO 27001 REGULATORY BODY/ENS ARTICLES” summarises additional measures to be applied.

3. Refer to the table of equivalences between the ISO 27002 and the ENS controls, located in Section 6.2 of this document.

4. Apply the additional ISO 27002 security measures required, i.e., those that require additional effort according to the table above and based on the categorisation of the information system. For this purpose, Section 8 contains more detail about the implementation of the necessary controls. Also, “ANNEX A.2. ANNEX A OF ISO 27001/ANNEX II OF ENS” summarises in a table the additional security measures to be implemented based on the category of the information system: basic, medium or high.

5. Be subject to a regular formal audit, at least every 2 years, by a certification body accredited in the ENS by the National Accreditation Body (hereinafter ENAC), which verifies compliance with the requirements of the ENS and those of this guide, depending on the category of the information system (basic, medium or high).


6. SUMMARY TABLE OF ISO 27001 COMPLIANCE VIA THE ENS

The following sections relate, on the one hand, the mandatory requirements of the regulatory body of the ISO 27001 standard (those that must be met to obtain certification) to the ENS articles, which are also mandatory. On the other hand, they relate the controls in Annex A of the ISO 27001 standard to the security measures in Annex II of the ENS.

These tables can be used as a justification for ISO 27001/27002 standards compliance via the ENS, indicating in the effort column whether ISO 27001 requires additional measures to those indicated in the ENS.

6.1 ISO 27001 REGULATORY BODY/ENS ARTICLES

The table below shows, for each of the requirements of the regulatory body of ISO/IEC 27001 (Clauses 4 to 10), whether it is covered, and to what extent, by any of the articles and/or security measures in Annex II of the ENS.

The last column assesses the additional effort that may be necessary for completing the ISO/IEC 27001 standard requirements. The following levels are used for this purpose:

Level | Comments
0 | Covered. The requirements referred to in the regulatory body of ISO/IEC 27001 are covered in the ENS.
1 | Partially covered. The requirements referred to in the regulatory body of ISO/IEC 27001 are partially covered in the ENS. An additional effort should be made to implement some additional measures to meet the corresponding requirement.
2 | Not covered. The aspects referred to in the ISO/IEC 27001 regulatory body are not covered in the articles or security measures in Annex II of the ENS. All additional measures necessary to comply with the relevant requirement must be implemented.

Clause | ISO/IEC 27001 Requirement | ENS Article/Measure | Effort

4 Context of the organisation
4.1 | Understanding the organisation and its context | Article 43, Annex I | 1
4.2 | Understanding the needs and expectations of interested parties | Article 43, Annex I | 1
4.3 | Determining the scope of the information security management system | Law 40/2015, Article 1, Article 3 | 0
4.4 | Information security management system (ISMS) | Article 5, [org.1], [org.2], [org.3], [op.pl.2], Annex III | 1

5 Leadership
5.1 | Leadership and commitment | Article 12 | 0
5.2 | Policy | Article 10, Article 11, Article 12, [org.1] | 0
5.3 | Organizational roles, responsibilities and authorities | Article 10, [org.1] | 0

6 Planning
6.1 | Actions to address risks and opportunities | Article 6, Article 7, Article 13, [op.pl.1] | 1
6.1 | Statement of Applicability | Article 27, Annex II | 0
6.2 | Information security objectives and planning to achieve them | Article 4, [org.1] | 1

7 Support
7.1 | Resources | [op.pl.2], [op.mon.2] | 1
7.2 | Competence | Article 14, Article 15, [mp.per.4] | 1
7.3 | Awareness | Article 5, [mp.per.3] | 0
7.4 | Communication | Article 24, [op.exp.7] | 1
7.5 | Documented information | [org.1], [org.2], [org.3], [op.pl.2] | 1

8 Operation
8.1 | Operational planning and control | Article 5, Article 7, Article 40 | 0
8.2 | Information security risk assessment | Article 13, [op.pl.1] | 0
8.3 | Information security risk treatment | Article 13 | 1

9 Performance evaluation
9.1 | Monitoring, measurement, analysis and evaluation | Article 9, Article 20, [op.mon.2] | 0
9.2 | Internal audit | Article 34, Annex III | 1
9.3 | Management review | Annex III | 1

10 Improvement
10.1 | Nonconformity and corrective action | Article 7, Article 34, Annex III | 1
10.2 | Continual improvement | Article 24, Article 26 | 0


6.2 ANNEX A OF ISO 27001/ANNEX II OF ENS

Likewise, the table below shows whether each of the 114 controls in Annex A of the ISO/IEC 27001 standard, as developed in ISO/IEC 27002, is covered, and to what extent, by any of the 75 security measures in Annex II of the ENS, depending on the categorisation of the information system, and/or by any ENS article where applicable.

In this respect, three different scenarios are distinguished depending on the category of the information system: basic, medium and high. The table includes, for each category, a column that assesses the additional effort that may be required to complete each of the requirements of ISO/IEC 27002, using the following levels:

Level | Comments
0 | Covered. The aspects referred to in the ISO/IEC 27002 control are covered in the ENS for the required system category.
1 | Partially covered. The aspects referred to in the ISO/IEC 27002 control are partially covered in the ENS for the required system category. An additional effort should be made to implement a security measure, either one from Annex II of the ENS itself aimed at a higher level of security, or a compensatory security measure based on good information security practices, to cover what is indicated by the control.
2 | Not covered. The aspects referred to in the ISO/IEC 27002 control are not covered in the articles or security measures in Annex II of the ENS. All necessary security measures, both from Annex II of the ENS aimed at a higher level of security and other compensatory security measures, must be implemented to cover the control.

| Clause | ISO/IEC 27001 Control | ENS Article/Measure | Effort (Basic) | Effort (Medium) | Effort (High) |
|---|---|---|---|---|---|
| A.5 | Information security policies | | | | |
| A.5.1.1 | Policies for information security | Article 10, Article 11, Article 12, [org.1], [org.2] | 0 | 0 | 0 |
| A.5.1.2 | Review of the policies for information security | Article 9, [org.1], [org.2] | 1 | 1 | 0 |
| A.6 | Organisation of information security | | | | |
| A.6.1.1 | Information security roles and responsibilities | [org.1] | 0 | 0 | 0 |
| A.6.1.2 | Segregation of duties | Article 10, Article 14, Article 16, Article 19, [org.4], [op.acc.3] | 1 | 0 | 0 |
| A.6.1.3 | Contact with authorities | Article 36, [org.3], [op.exp.7] | 1 | 0 | 0 |
| A.6.1.4 | Contact with special interest groups | Article 20, Article 36, [op.exp.7] | 0 | 0 | 0 |
| A.6.1.5 | Information security in project management | [mp.sw.1] | 2 | 1 | 1 |
| A.6.2.1 | Mobile device policy | Article 21, [org.4], [mp.eq.3] | 0 | 0 | 0 |
| A.6.2.2 | Teleworking | Article 21, [org.2] | 1 | 1 | 1 |
| A.7 | Human resource security | | | | |
| A.7.1.1 | Screening | [mp.per.1] | 2 | 0 | 0 |
| A.7.1.2 | Terms and conditions of employment | [mp.per.2] | 0 | 0 | 0 |
| A.7.2.1 | Management responsibilities | Article 14, [mp.per.2] | 0 | 0 | 0 |
| A.7.2.2 | Information security awareness, education and training | Article 5, Article 14, Article 15, [mp.per.3], [mp.per.4], [mp.s.1] | 0 | 0 | 0 |
| A.7.2.3 | Disciplinary process | [mp.per.2] | 0 | 0 | 0 |
| A.7.3.1 | Termination or change of employment responsibilities | [mp.per.2] | 0 | 0 | 0 |
| A.8 | Asset management | | | | |
| A.8.1.1 | Inventory of assets | [op.exp.1], [op.pl.2] | 0 | 0 | 0 |
| A.8.1.2 | Ownership of assets | [op.exp.1] | 0 | 0 | 0 |
| A.8.1.3 | Acceptable use of assets | [org.2] | 0 | 0 | 0 |
| A.8.1.4 | Return of assets | [mp.per.2] | 1 | 1 | 1 |
| A.8.2.1 | Classification of information | [mp.info.2] | 0 | 0 | 0 |
| A.8.2.2 | Labelling of information | [mp.info.2], [mp.si.1] | 1 | 0 | 0 |
| A.8.2.3 | Handling of information | [mp.info.2] | 1 | 0 | 0 |
| A.8.3.1 | Management of removable media | [org.4], [mp.si.1], [mp.si.2], [mp.si.3] | 0 | 0 | 0 |
| A.8.3.2 | Disposal of media | [mp.si.5] | 0 | 0 | 0 |
| A.8.3.3 | Physical media transfer | Article 21, [mp.si.4] | 0 | 0 | 0 |
| A.9 | Access control | | | | |
| A.9.1.1 | Access control policy | Article 16, [op.acc.2] | 1 | 0 | 0 |
| A.9.1.2 | Access to networks and network services | [op.acc.2], [op.acc.7] | 1 | 0 | 0 |
| A.9.2.1 | User registration and de-registration | [op.acc.1], [op.acc.5] | 0 | 0 | 0 |
| A.9.2.2 | User access provisioning | [op.acc.2], [op.acc.4], [op.acc.5] | 0 | 0 | 0 |
| A.9.2.3 | Management of privileged access rights | [op.acc.1], [op.acc.4] | 0 | 0 | 0 |
| A.9.2.4 | Management of secret authentication information of users | [op.acc.5] | 0 | 0 | 0 |
| A.9.2.5 | Review of user access rights | [op.acc.4] | 1 | 1 | 1 |
| A.9.2.6 | Removal or adjustment of access rights | [op.acc.1], [op.acc.4], [op.acc.5] | 0 | 0 | 0 |
| A.9.3.1 | Use of secret authentication information | [op.acc.5] | 0 | 0 | 0 |
| A.9.4.1 | Information access restriction | [op.acc.2], [op.acc.4] | 0 | 0 | 0 |
| A.9.4.2 | Secure log-on procedures | [op.acc.5], [op.acc.6], [op.acc.7] | 0 | 0 | 0 |
| A.9.4.3 | Password management system | [op.acc.5] | 1 | 0 | 0 |
| A.9.4.4 | Use of privileged utility programs | Article 19, [op.acc.2] | 0 | 0 | 0 |
| A.9.4.5 | Access control to program source code | [op.acc.2], [mp.sw.1] | 2 | 0 | 0 |
| A.10 | Cryptography | | | | |
| A.10.1.1 | Policy on the use of cryptographic controls | Article 33, [mp.si.2], [mp.info.3], [mp.info.4], [op.acc.7], [mp.com.2], [mp.com.3] | 1 | 0 | 0 |
| A.10.1.2 | Key management | [op.exp.11] | 0 | 0 | 0 |
| A.11 | Physical and environmental security | | | | |
| A.11.1.1 | Physical security perimeter | Article 17, [mp.if.1] | 0 | 0 | 0 |
| A.11.1.2 | Physical entry controls | Article 17, [mp.if.1], [mp.if.2] | 0 | 0 | 0 |
| A.11.1.3 | Securing offices, rooms and facilities | Article 21, [mp.if.1] | 0 | 0 | 0 |
| A.11.1.4 | Protecting against external and environmental threats | [mp.if.3], [mp.if.5], [mp.if.6] | 1 | 0 | 0 |
| A.11.1.5 | Working in secure areas | [mp.if.1], [op.pl.2] | 0 | 0 | 0 |
| A.11.1.6 | Delivery and loading areas | [mp.if.1], [op.pl.2] | 1 | 1 | 1 |
| A.11.2.1 | Equipment siting and protection | [mp.if.1], [mp.if.3], [mp.if.5], [mp.if.6] | 1 | 0 | 0 |
| A.11.2.2 | Supporting utilities | [mp.if.3], [mp.if.4] | 1 | 0 | 0 |
| A.11.2.3 | Cabling security | [mp.if.3] | 0 | 0 | 0 |
| A.11.2.4 | Equipment maintenance | [op.exp.4] | 0 | 0 | 0 |
| A.11.2.5 | Removal of assets | [org.4], [mp.if.7], [mp.si.4] | 0 | 0 | 0 |
| A.11.2.6 | Security of equipment and assets off-premises | Article 21, [org.4], [mp.if.7], [mp.eq.3] | 0 | 0 | 0 |
| A.11.2.7 | Secure disposal or re-use of equipment | [mp.si.5] | 1 | 0 | 0 |
| A.11.2.8 | Unattended user equipment | [mp.eq.2] | 2 | 0 | 0 |
| A.11.2.9 | Clear desk and clear screen policy | [mp.eq.1] | 1 | 0 | 0 |
| A.12 | Operations security | | | | |
| A.12.1.1 | Documented operating procedures | [org.3], [mp.per.3] | 0 | 0 | 0 |
| A.12.1.2 | Change management | [op.exp.5] | 2 | 0 | 0 |
| A.12.1.3 | Capacity management | [op.pl.4] | 2 | 0 | 0 |
| A.12.1.4 | Separation of development, testing and operational environments | [mp.sw.1], [mp.sw.2] | 1 | 0 | 0 |
| A.12.2.1 | Controls against malware | [op.exp.6] | 0 | 0 | 0 |
| A.12.3.1 | Information backup | Article 7, Article 25, [mp.info.9] | 1 | 1 | 1 |
| A.12.4.1 | Event logging | Article 23, [op.exp.8] | 1 | 1 | 1 |
| A.12.4.2 | Protection of log information | [op.exp.10] | 2 | 2 | 0 |
| A.12.4.3 | Administrator and operator logs | [op.exp.8] | 0 | 0 | 0 |
| A.12.4.4 | Clock synchronisation | Article 31, [op.exp.8], [op.exp.10] | 1 | 1 | 1 |
| A.12.5.1 | Installation of software on operational systems | Article 20, [op.exp.2], [org.4], [mp.sw.2] | 0 | 0 | 0 |
| A.12.6.1 | Management of technical vulnerabilities | Article 20, [op.exp.4], [mp.sw.2] | 1 | 0 | 0 |
| A.12.6.2 | Restrictions on software installation | Article 20, [org.4], [op.acc.4] | 0 | 0 | 0 |
| A.12.7.1 | Information systems audit controls | Article 34, Annex III | 1 | 1 | 1 |
| A.13 | Communications security | | | | |
| A.13.1.1 | Network controls | [org.4], [op.pl.2], [op.acc.7], [mp.com.2], [mp.com.3] | 1 | 0 | 0 |
| A.13.1.2 | Security of network services | [org.4], [op.acc.7], [op.mon.1], [mp.com.1], [mp.com.2], [mp.com.3] | 1 | 0 | 0 |
| A.13.1.3 | Segregation in networks | [mp.com.4] | 2 | 2 | 0 |
| A.13.2.1 | Information transfer policies and procedures | [org.2], [org.3], [mp.com.3] | 0 | 0 | 0 |
| A.13.2.2 | Agreements on information transfer | [op.ext.1] | 2 | 0 | 0 |
| A.13.2.3 | Electronic messaging | [mp.s.1] | 0 | 0 | 0 |
| A.13.2.4 | Confidentiality or non-disclosure agreements | [mp.per.2] | 0 | 0 | 0 |
| A.14 | System acquisition, development and maintenance | | | | |
| A.14.1.1 | Information security requirements analysis and specification | Article 39, [op.pl.3] | 0 | 0 | 0 |
| A.14.1.2 | Securing application services on public networks | Article 22, [mp.com.2], [mp.com.3] | 0 | 0 | 0 |
| A.14.1.3 | Protecting application service transactions | [mp.info.4], [mp.info.5] | 2 | 1 | 0 |
| A.14.2.1 | Secure development policy | [mp.sw.1] | 2 | 0 | 0 |
| A.14.2.2 | System change control procedures | [op.exp.5], [mp.sw.1] | 2 | 0 | 0 |
| A.14.2.3 | Technical review of applications after operating platform changes | [op.exp.5] | 2 | 0 | 0 |
| A.14.2.4 | Restrictions on changes to software packages | [org.4], [op.exp.5] | 1 | 0 | 0 |
| A.14.2.5 | Secure system engineering principles | [op.pl.2], [mp.sw.1] | 0 | 0 | 0 |
| A.14.2.6 | Secure development environment | [mp.sw.1] | 2 | 0 | 0 |
| A.14.2.7 | Outsourced development | [mp.sw.1], [mp.sw.2], [op.ext.1], [op.ext.2] | 1 | 0 | 0 |
| A.14.2.8 | System security testing | [mp.sw.1], [mp.sw.2] | 1 | 0 | 0 |
| A.14.2.9 | System acceptance testing | [mp.sw.2] | 0 | 0 | 0 |
| A.14.3.1 | Protection of test data | [mp.sw.1], [mp.sw.2] | 1 | 0 | 0 |
| A.15 | Supplier relationships | | | | |
| A.15.1.1 | Information security policy for supplier relationships | [org.2], [org.4], [op.ext.1] | 1 | 0 | 0 |
| A.15.1.2 | Addressing security within supplier agreements | [op.ext.1] | 2 | 0 | 0 |
| A.15.1.3 | Information and communication technology supply chain | [op.ext.1] | 2 | 0 | 0 |
| A.15.2.1 | Monitoring and review of supplier services | [op.ext.2] | 2 | 0 | 0 |
| A.15.2.2 | Managing changes to supplier services | [op.exp.5], [op.ext.2] | 2 | 0 | 0 |
| A.16 | Information security incident management | | | | |
| A.16.1.1 | Responsibilities and procedures | Article 24, [org.2], [org.3], [op.exp.7] | 1 | 0 | 0 |
| A.16.1.2 | Reporting information security events | Article 24, [op.exp.7] | 1 | 0 | 0 |
| A.16.1.3 | Reporting information security weaknesses | Article 24, [op.exp.7] | 1 | 0 | 0 |
| A.16.1.4 | Assessment of and decision on information security events | Article 24, [op.exp.7] | 1 | 0 | 0 |
| A.16.1.5 | Response to information security incidents | Article 7, Article 24, [op.exp.7], [op.exp.9] | 1 | 0 | 0 |
| A.16.1.6 | Learning from information security incidents | Article 24, [op.exp.7] | 1 | 0 | 0 |
| A.16.1.7 | Collection of evidence | [op.exp.7], [op.exp.9] | 2 | 0 | 0 |
| A.17 | Information security aspects for business continuity management | | | | |
| A.17.1.1 | Planning information security continuity | [op.cont.1] | 2 | 0 | 0 |
| A.17.1.2 | Implementing information security continuity | [op.cont.2] | 2 | 2 | 0 |
| A.17.1.3 | Verify, review and evaluate information security continuity | [op.cont.3] | 2 | 2 | 0 |
| A.17.2.1 | Availability of information processing facilities | Article 7, Article 25, [mp.if.9], [mp.per.9], [mp.eq.9], [mp.com.9], [mp.s.9] | 1 | 1 | 0 |
| A.18 | Compliance | | | | |
| A.18.1.1 | Identification of applicable legislation and contractual requirements | [org.1] | 0 | 0 | 0 |
| A.18.1.2 | Intellectual Property Rights (IPR) | [org.2], [org.3] | 1 | 1 | 1 |
| A.18.1.3 | Protection of records | Article 7, Article 21, Article 43, Annex I | 0 | 0 | 0 |
| A.18.1.4 | Privacy and protection of personally identifiable information | [mp.info.1] | 0 | 0 | 0 |
| A.18.1.5 | Regulation of cryptographic controls | [op.acc.7], [mp.com.2], [mp.info.3], [mp.info.4] | 0 | 0 | 0 |
| A.18.2.1 | Independent review of information security | Article 34, Annex III | 0 | 0 | 0 |
| A.18.2.2 | Compliance with security policies and standards | Article 14, [org.2] | 0 | 0 | 0 |
| A.18.2.3 | Technical compliance review | Article 20, [org.3], [mp.sw.2] | 1 | 0 | 0 |


7. COMPLIANCE WITH THE MAIN BODY OF ISO 27001 THROUGH THE ENS

For each requirement in the main body of ISO/IEC 27001 (its numbered clauses, as opposed to the Annex A controls), its correspondence with the ENS articles and/or with the security measures in Annex II is detailed below, together with the additional effort, if any, needed to achieve compliance with ISO/IEC 27001 starting from the ENS.

7.1 4 – Context of the organisation

7.1.1 4.1 Understanding the organisation and its context

ENS:

o Article 43

o Annex I

ISO 27001 requires organisations to determine the external and internal aspects that are relevant to their purpose and that condition the achievement of the expected results of their ISMS. Some of these issues may include the political and economic situation, the existing regulation, the state of technology, relations with citizens and suppliers, the area or department functions affected by the ISMS, the mission, vision and functions of the organisation, and in general, any factors that have an impact on its objectives and functioning.

In the ENS, the category of the whole information system is determined by the evaluation of a negative impact on the security of information and systems, based on their effect on the organisation’s capacity to achieve its objectives, the protection of its assets, compliance with its service obligations, respect for the law and the rights of citizens.

These consequences may cause damage to the organisation in terms of failure to comply with a law, regulation or contractual obligation, damage to its assets, reputational loss, economic loss, reduced ability to meet its obligations and direct harm to citizens.

Therefore, by assessing this potential damage in the categorisation phase of the systems, organisations are carrying out an exercise in understanding their context. This categorisation is mandatory for all information systems within the scope of the ENS.

However, the organisation should review if it has a strategy that regularly reviews internal and external issues relevant to the ISMS in order to fulfil its mission and objectives and achieve greater alignment with the ISO 27001 standard.

7.1.2 4.2 Understanding the needs and expectations of interested parties

ENS:

o Article 43

o Annex I


In relation to the above clause, ISO 27001 requires that the requirements of interested parties (citizens, suppliers, staff, other public administrations, etc.) that are relevant to information security be determined: legal and regulatory requirements, contractual obligations, etc.

In the ENS, similar to the above case, the assessment of the information in question and the services provided and the subsequent categorisation of the systems allows an organisation to determine the security requirements in each of its dimensions (confidentiality, integrity, availability, authenticity and traceability), which are related to the relevant interested parties referred to in this clause.

The organisation should review if it has a list of internal and external stakeholders relevant to the ISMS and those that depend on its proper operation.

7.1.3 4.3 Scope

Law 40/2015:

o Article 2

o Article 156

ENS:

o Article 1

o Article 3

The ISO 27001 standard leaves organisations free to choose the scope of the ISMS. It specifies that external and internal issues and stakeholder requirements should be considered when determining the scope, and that the scope should be available as documented information.

In the ENS, the scope is limited to the electronic means used and managed by the public sector for the provision of services to citizens in the exercise of their powers and in their relationship with other Public Administrations, all within the scope of Law 40/2015.

Therefore, the scope of the ISMS in the case of the ENS is determined and limited by the legislative framework itself, which is mandatory for all Public Administration and private entities that provide services to the public sector.

7.1.4 4.4 Information security management system

ENS:

o Article 5

o Annex III

ENS Annex II:

o [org.1]

o [org.2]

o [org.3]

o [op.pl.2] Security architecture


The purpose of ISO 27001 is the establishment, implementation, maintenance and continual improvement of an ISMS, which includes documented information such as policies, procedures, plans and programmes, etc.

In the ENS, the establishment of the organisational framework ([org]) is mandatory for all information systems and is constituted by a set of measures related to the overall organisation of security, including the security policy, the security regulations and the necessary security procedures, similar to ISO 27001.

One of the basic principles of the ENS is that security is understood as an integral process consisting of all the technical, human, material and organisational elements related to the system.

In addition, Annex III of the ENS specifies that the security audit should include an analysis of the existence of an information security management system, documented and with a regular approval process by management. However, auditing is only mandatory for medium- or high-level systems, with a self-assessment sufficient for basic-level systems.

In addition, for systems categorised as medium-level, the security measure [op.pl.2] requires the existence of an information security management system.

Finally, it should be noted that the purpose of the ENS is not only to establish an ISMS, but also to ensure the security of the covered information systems themselves, since the security measures in Annex II of the ENS are mandatory. In this regard, a control from that Annex cannot be excluded without implementing compensatory security measures.

7.2 5 – Leadership

7.2.1 5.1 Leadership and commitment

ENS:

o Article 12

ISO 27001 requires evidence of management's commitment to the ISMS, ensuring that the information security policy and objectives are established, and communicating the importance of effective information security management, among other aspects.

Similarly, Article 12 of the ENS requires that security should involve all members of the organisation, and that the security policy should identify clear responsibility for ensuring compliance and awareness among all members of the administrative organisation.

7.2.2 5.2 Policy

ENS:

o Article 10

o Article 11


o Article 12

ENS Annex II:

o [org.1] Security policy

This clause of ISO 27001 requires that management establish an information security policy, which must be available as documented information.

In the ENS, the establishment and definition of the mandatory content of an information security policy is a basic principle and a minimum requirement that is contained in several articles, as well as specifically in the security measure [org.1], which applies to all information systems within the scope of the ENS.

7.2.3 5.3 Organizational roles, responsibilities and authorities

ENS:

o Article 10

ENS Annex II:

o [org.1] Security policy

ISO 27001 states that management must ensure that the responsibilities for information security roles are assigned and communicated within the organisation.

The ENS is more specific in this sense, establishing the obligation to have several distinct roles: information manager, service manager, security manager and system manager.

In addition, the ENS requires the security policy to detail security roles or functions, defining the duties and responsibilities of the office for each, as well as the procedure for their appointment and renewal, and the mechanisms for coordination and conflict resolution.

7.3 6 – Planning

7.3.1 6.1 Actions to address risks and opportunities

7.3.1.1 Processes for assessing and treating information security risks

ENS:

o Article 6

o Article 7

o Article 13

ENS Annex II:

o [op.pl.1] Risk analysis

One of the most important requirements of ISO 27001 is the definition and application of processes for the assessment and treatment of information security risks, including the definition of risk criteria, the identification of risks, their analysis and their evaluation.


Risk-based security management is also a mandatory and fundamental part of the ENS, as it is part of the basic principles and the minimum requirements of the ENS at the same time.

Article 6 states that this is an essential part of the security process and must be kept permanently up to date, so that a controlled environment can be maintained by reducing risks to acceptable levels through the deployment of security measures. This deployment must strike a balance between the nature of the data and of the processing, the risks to which they are exposed, and the security measures in Annex II of the ENS.

Article 13 states that this management will be done by analysing and treating the risks to which the system is exposed. To do this, some internationally recognised methodology, such as MAGERIT, which is widely used in the Spanish public sector, must be used.

The security measure [op.pl.1] details that, for such risk analysis, at least the most valuable assets in the system, the most likely threats, the safeguards that protect against such threats, and the main residual risks must be identified. However, it does not explicitly refer to the risk treatment process.

As for the owners of the risks, they are identified in the ENS through the roles of information manager and service manager, who are responsible for accepting residual risks.

Hence, it should be verified that paying agencies have a formally approved information security risk treatment plan, as required by ISO 27001.

7.3.1.2 Statement of Applicability

ENS:

o Article 27

o Annex II (Section 2.1.3)

Another important requirement of ISO 27001 is a Statement of Applicability containing the relevant and applicable security controls for the ISMS which can be traced to risk assessments and treatments, and as required by laws, regulations or good information security practices.

Similarly, the ENS requires a Statement of Applicability to be drawn up. In particular, Article 27 provides that the list of security measures selected from Annex II shall be formalised in a document called the Statement of Applicability, which shall be formally approved by the person responsible for the security of the system.

Annex II of the ENS re-emphasises the need for a Statement of Applicability signed by the security manager.

7.3.2 6.2 Information security objectives

ENS:

o Article 4

ENS Annex II:


o [org.1] Security policy

According to ISO 27001, organisations must establish information security objectives, which must be documented, consistent with the security policy, measurable, communicated, up to date, and must take into account applicable security requirements and results of the risk assessment and treatment.

In the ENS, this requirement is not completely equivalent to that of ISO 27001. Article 4 of the ENS states that the ultimate objective of information security is to ensure that a government organisation can comply with its objectives in using information systems. In turn, the control [org.1] states that the security policy must specify the objectives or mission of the organisation.

However, it is not specified that information security objectives must be documented, measurable, communicated and updated at regular intervals.

Therefore, paying agencies must have documented information security objectives, derived from the objectives of the organisation and supported by security controls and metrics, and must also comply with the other aspects indicated in this ISO 27001 requirement.

7.4 7 – Support

7.4.1 7.1 Resources

ENS Annex II:

o [op.pl.2] Security architecture

o [op.mon.2] Metrics system

This ISO 27001 clause stipulates that organisations must determine and provide the necessary resources (staff and economic resources, generally) for the ISMS.

This requirement is not specifically detailed in the ENS articles, although the security measure [op.mon.2] requires data collection to understand the efficiency of the ICT security system in terms of the resources consumed (hours and budget). However, this measure applies only to high-level information systems.

Measure [op.pl.2] requires that the management system, relating to planning, organisation and control of information security resources, be outlined. This measure applies to medium- and high-level systems.

In order to achieve greater alignment with ISO 27001, paying agencies must demonstrate that they provide sufficient resources to operate, maintain and improve the ISMS. One way to verify that this requirement is met is to apply the high-level security measure [op.mon.2], which consists of collecting data on the efficiency of the ISMS, to all systems within the scope of the ENS.

Paying agencies should also review the implementation of the security measure [op.pl.2], initially at medium level, for all ENS systems.


7.4.2 7.2 Competence

ENS:

o Article 14

o Article 15

ENS Annex II:

o [mp.per.4] Training

According to this ISO 27001 requirement, organisations must ensure that persons performing work that affects the organisation's information security performance are competent, based on appropriate education, training or experience.

In the ENS, the management and professionalism of staff are minimum security requirements, requiring information and system staff to exercise and apply the security principles in carrying out their duties, and to receive the specific training necessary to ensure the security of information technology.

Article 14 specifies that all staff related to information and systems shall be trained and informed of their security duties and obligations, and that their actions must be monitored to verify that procedures are followed. The latter may correspond to the evaluation of the effectiveness of the actions carried out, which is required in this ISO 27001 clause.

It should be noted that the staff qualification is not only required at an internal level, but also for the staff of the organisation’s security service providers.

The security measure [mp.per.4] focuses on the need for periodic training and indicates some mandatory training subjects for staff, and it is applicable to all information systems within the scope of the ENS.

However, paying agencies should verify that they have documented information as evidence of the competence of their staff, including the evaluation of the effectiveness of training actions carried out, for full compliance with this ISO 27001 requirement.

7.4.3 7.3 Awareness

ENS:

o Article 5

ENS Annex II:

o [mp.per.3] Awareness

This ISO 27001 clause indicates that people must be aware of the information security policy, of their contribution to the effectiveness of the ISMS, as well as of the implications of not complying with the ISMS requirements.

In the ENS, awareness is a basic security principle, as set out in Article 5: “Maximum attention will be paid to raising awareness among the persons involved in the process and their superiors in rank, so that neither ignorance nor a lack of organisation and coordination or inappropriate instructions are a source of security risk.”

In addition, the security measure [mp.per.3] again requires periodic actions to raise awareness, in particular of security regulations and the identification and reporting of security incidents, and it applies to all information systems within the scope of the ENS.

7.4.4 7.4 Communication

ENS:

o Article 24

ENS Annex II:

o [op.exp.7] Incident management

This clause of ISO 27001 specifies that organisations should determine the need for internal and external communications related to the ISMS.

In this regard, the ENS only explicitly establishes the need to communicate to internal and external stakeholders when security incidents are detected.

Therefore, for effective compliance with this ISO 27001 standard clause, paying agencies must have an internal and external communications management process, as well as maintain the necessary evidence on communications made concerning the ISMS.

7.4.5 7.5 Documented information

ENS Annex II:

o [org.1] Security policies

o [org.2] Security standards

o [org.3] Security procedures

o [op.pl.2] Security architecture

For this point, the standard ISO 27001 states that the ISMS must include the documented information required by the standard, and the information that is deemed necessary for the effectiveness of the ISMS. There must also be control over such documentation.

In this regard, and as noted above, the security measures [org] in Annex II of the ENS refer to the overall organisation of security and include the need for documented information such as security policy, regulations and procedures.

In turn, measure [op.pl.2] states that documentation of facilities and information systems (equipment, internal networks and external connections, access points, defence lines, etc.) should be carried out. In addition, the medium- and high-level sections of this measure refer to the ISMS itself.

However, the ENS does not explicitly develop the requirements for creating, updating and controlling documented information.


Therefore, as required by this clause of ISO 27001, paying agencies must verify that they have documentation control processes in place, such as change and version control records (including information on revisions, approvals, access and distribution), approved document formats and templates, official documentation repositories, etc.

7.5 8 – Operation

7.5.1 8.1 Operational planning and control

ENS:

o Article 5

o Article 7

o Article 40

This ISO 27001 clause requires, at a general level, that control information on the ISMS be available to a sufficient degree to ensure that processes are carried out as planned.

This implies the existence of policies, procedures and good practices in information security, risk management, incident management, security objective tracking metrics, outsourcing management, etc.

All of this is incorporated in the various security measures in Annex II of the ENS and detailed in this guide, which support, among others, the basic principle of the ENS that security must be understood as an integral process consisting of all the technical, human, material and organisational elements related to the information system.

Planning and operational control also relate to the basic ENS principle of prevention, reaction and recovery with respect to the information handled and the services provided.

Finally, Article 40 of the ENS states that each organisation shall establish its control mechanisms to ensure real and effective compliance with the ENS, in line with the requirements of this ISO 27001 standard clause.

7.5.2 8.2 Information security risk assessment

ENS:

o Article 13

ENS Annex II:

o [op.pl.1] Risk analysis

For this point, the ISO 27001 standard requires documented information on the results of the assessments of information security risks.

As indicated in the section of this document on Clause 6.1 of ISO 27001, the ENS requirements for risk analysis are equivalent to those of ISO 27001.

7.5.3 8.3 Information security risk treatment

ENS:

o Article 13

Like the previous clause, this section calls for documented information on the results of the treatment of information security risks.

Likewise, the ENS requirements for the treatment of risks are equivalent to those of ISO 27001.

Nonetheless, as recommended under Clause 6.1 of ISO 27001 above, it is appropriate to verify that paying agencies hold documented information on the results of risk treatment, as the standard requires.

7.6 9 – Performance evaluation

7.6.1 9.1 Monitoring, measurement, analysis and evaluation

ENS:

o Article 9

o Article 20

ENS Annex II:

o [op.mon.2] Metrics system

This clause requires the organisation to evaluate information security performance and the effectiveness of the ISMS through security metrics, and to retain documented evidence of the results of that monitoring and measurement.

In the ENS, this corresponds to the basic principle of regular re-evaluation, which states that the security measures will be re-evaluated and updated regularly to adapt their efficacy to the ongoing evolution of the risks and protective systems, to the point of re-considering security, if necessary.

In turn, the minimum requirement of system integrity and modernity (Article 20) states that the security status of the systems, with regard to the manufacturers' specifications, their vulnerable aspects and the updates that affect them, must be known at all times, and that diligent action will be taken to control the risk in view of that security status.

Furthermore, the security measure [op.mon.2] requires all information systems within the scope of the ENS to collect the data needed, taking the system category into account, to ascertain the degree of implementation of the Annex II security measures that apply to them and, where appropriate, to feed the annual report required by Article 35.

7.6.2 9.2 Internal Audit

ENS:

o Article 34

o Annex III

This requirement of ISO 27001 involves conducting internal audits at planned intervals to ascertain whether the ISMS conforms to the organisation's own requirements for its ISMS and to those of the standard itself, and whether it is effectively implemented and maintained.

In practice, in order to maintain ISO 27001 certification, this involves a surveillance audit in each of the first two years and a recertification audit in the third year.

The ENS establishes that information systems will be subject to regular audit, at least every two years, which verifies compliance with the requirements of this legislative framework. On an extraordinary basis, it also specifies that an audit will be performed whenever substantial changes are made to the information system that could affect the required security measures.

Therefore, for complete ISMS audits, the ENS is more restrictive than ISO 27001, since complete audits must be performed every two years rather than every three. However, the ENS does not explicitly require internal audits to be carried out at least annually.

Another important requirement of the ENS with respect to audits is that recognised criteria, working methods and conduct, as well as national and international standardisation applicable to this type of audit for information systems, such as the ISO 27001 standard itself, should be used.

Finally, Annex III of the ENS details the different aspects to be reviewed in the audits, including the existence of an information security management system, documented and with a regular approval process by management.

With all of the above, and in order to achieve complete equivalence between the ENS and ISO 27001 for this clause, paying agencies must carry out an annual internal follow-up audit of the Annex II security measures, in addition to the biennial audit certifying compliance with the ENS. Each follow-up audit should cover at least 50% of the Annex II measures that apply to the agency, so that the two internal audits of a two-year cycle together cover 100% of them.

Paying agencies should also verify that they have a documented and up-to-date audit program and that the role of internal auditor is defined.

7.6.3 9.3 Management review

ENS:

o Annex III

In this clause, the ISO 27001 states that management should review the ISMS at planned intervals to ensure its suitability, adequacy and continued effectiveness. In practice, this involves conducting reviews by management at least on an annual basis.

The ENS explicitly provides details of these ISMS reviews by management only in Annex III, which mentions that audits should verify that there is a documented ISMS and a regular approval process by management.

Therefore, the management of each paying agency should carry out regular formal reviews of the ISMS. The reviews must address the inputs and outputs listed in this clause of ISO 27001, and documented information must be retained as evidence of their results, in the form of minutes or a similar record.

7.7 10 – Improvement

7.7.1 10.1 Non-conformity and corrective action

ENS:

o Article 7

o Article 34

o Annex III

According to this requirement of the ISO 27001, when a non-conformity occurs, organisations must react to it, carry out actions to control it, correct it and eliminate its causes, and review the effectiveness of such actions, keeping documented information on it.

One of the basic principles of the ENS is that the security of information systems must consider the aspects of prevention, detection and correction, the latter in order to ensure that the threats do not occur again.

Another section of the ENS that refers to non-conformities and the corresponding corrective actions concerns security audits (Article 34). It states that audit reports shall rule on the degree of compliance with the royal decree, identify its deficiencies and suggest any corrective or complementary measures that may be necessary. These reports must be analysed by the competent security manager, who submits their conclusions to the system manager so that the appropriate corrective measures can be taken.

However, the ENS does not explicitly detail the content of a non-conformity record, or a similar document, nor the management of the associated corrective actions, so paying agencies are recommended to apply the requirements of this ISO 27001 clause in order to obtain full equivalence.

7.7.2 10.2 Continual Improvement

ENS:

o Article 24

o Article 26

The last clause of the normative body of ISO 27001 states that organisations shall continually improve the suitability, adequacy and effectiveness of the ISMS.

The ENS complies with this requirement in its Article 26, which provides that the overall security process implemented must be continually updated and improved. For this purpose, the criteria and methods established in national and international practice in relation to information technologies will be applied.

In addition, Article 24 states that the recording of proceedings against security incidents will be used for the continual improvement of the security of the system.

8. COMPLIANCE WITH ISO 27001 ANNEX A (ISO 27002) VIA ENS

As in the previous section, each of the controls in Annex A of ISO 27001, developed in ISO 27002 and ordered by domain and control objective, is mapped to the corresponding ENS security measures, together with the additional effort, if any, needed to achieve ISO 27001 compliance from the ENS.

8.1 5 – Information security policies

8.1.1 5.1 Management direction for information security

8.1.1.1 5.1.1 Policies for information security

ENS:

o Article 10

o Article 11

o Article 12

ENS Annex II:

o [org.1] Security policies

o [org.2] Security standards

This control corresponds to the articles listed in the ENS and to the security measures [org.1] and [org.2] in its Annex II, applicable to all information systems.

8.1.1.2 5.1.2 Review of the policies for information security

ENS:

o Article 9

ENS Annex II:

o [org.1] Security policies

o [org.2] Security standards

o [op.pl.2] Security architecture

The ENS only explicitly indicates in measure [op.pl.2] for high-level systems that the ISMS should be updated and approved on a regular basis, which should include the review of the security policy and regulations.

Therefore, paying agencies must verify that this control is included in their ISMS for all systems within the scope of the ENS, in order to obtain a direct equivalence with ISO 27001/27002.

8.2 6 – Organization of information security

8.2.1 6.1 Internal organization

8.2.1.1 6.1.1 Information security roles and responsibilities

ENS Annex II:

o [org.1] Security policy

This control corresponds to the security measure [org.1] in Annex II of the ENS, which is applicable to all information systems: the security policy shall specify the security roles or functions, defining the duties and responsibilities for each position, as well as the procedure for their designation and renewal.

8.2.1.2 6.1.2 Segregation of duties

ENS:

o Article 10

o Article 14

o Article 16

o Article 19

ENS Annex II:

o [org.4] Authorisation process

o [op.acc.3] Separation of functions and tasks

This control of ISO 27001 requires that functions and areas of responsibility be separated to reduce the possibility of unauthorised modifications or improper use of assets.

The ENS complies through Articles 10 (security as a differentiated function), 14 (staff management), 16 (authorisation and access control) and 19 (security by default), and the authorisation process is established in security measure [org.4], which covers all elements of the information system.

In addition, the requirements for segregation of duties are expanded upon in measure [op.acc.3] for systems whose affected security dimensions are at medium or high level.

8.2.1.3 6.1.3 Contact with authorities

ENS:

o Article 36

ENS Annex II:

o [org.3] Security procedures

o [op.exp.7] Incident management

This control refers to the need to maintain appropriate contacts with the relevant authorities, especially when security incidents occur.

The ENS states in Article 36 that organisations shall notify the National Cryptologic Centre of incidents that have a significant impact on the security of the information handled and the services provided, according to the categorisation of the systems, as detailed in the Technical Security Instruction on Reporting Security Incidents.

In addition, the security measure [org.3] includes the need to document how to identify and report abnormal behaviour.

Measure [op.exp.7] also states the need to inform interested parties, both internal and external, of the incidents detected for the medium- and high-level systems.

8.2.1.4 6.1.4 Contact with special-interest groups

ENS:

o Article 20

o Article 36

ENS Annex II:

o [op.exp.7] Incident management

Article 20 of the ENS, applicable to all information systems, states that the security status of the systems regarding manufacturers' specifications, vulnerable aspects and updates affecting them should be known at all times. This means keeping in touch with specialised security groups as a means of receiving early warnings of alerts, patches, system updates, etc.

In addition, and as noted above, measure [op.exp.7] specifies that interested parties, both internal and external, should be informed of the incidents detected for the medium- and high-level systems.

8.2.1.5 6.1.5 Information security in project management

ENS Annex II:

o [mp.sw.1] Development

The ENS does not make a direct reference to the fact that information security must be addressed in project management. Only in the measure [mp.sw.1], applicable to medium- and high-level systems, is it specified that a development methodology should be applied that considers security aspects throughout the life cycle.

Therefore, paying agencies must integrate information security into project management processes to ensure that security risks are identified and considered within a project, so that: security objectives are included in the project objectives, a security risk assessment is carried out at an early stage of the project, and information security is part of all phases of the methodology applied in the project.

8.2.2 6.2 Mobile devices and teleworking

8.2.2.1 6.2.1 Mobile device policy

ENS:

o Article 21

ENS Annex II:

o [org.4] Authorisation process

o [mp.eq.3] Protection of portable devices

This control corresponds to Article 21 of the ENS (protection of stored and transferred information) and the security measures [org.4] and [mp.eq.3] in Annex II of the ENS, applicable to all information systems.

8.2.2.2 6.2.2 Teleworking

ENS:

o Article 21

ENS Annex II:

o [org.2] Security standards

Although the ENS states that special attention will be paid to information stored or in transit through insecure environments, teleworking is not explicitly mentioned.

Therefore, where teleworking is permitted, paying agencies should verify that their security regulations define appropriate measures to protect the information accessed, processed or stored at teleworking sites.

8.3 7 – Human resource security

8.3.1 7.1 Prior to employment

8.3.1.1 7.1.1 Screening

ENS Annex II:

o [mp.per.1] Job description

In the ENS, the security measure [mp.per.1] includes the verification of work history in staff selection processes.

However, this requirement is only applicable to medium- and high-level systems, and therefore paying agencies must also apply this control to systems that have been categorised as basic, for alignment with ISO 27001/27002.

8.3.1.2 7.1.2 Terms and conditions of employment

ENS:

o Article 14

ENS Annex II:

o [mp.per.2] Duties and obligations

This control corresponds to Article 14 (staff management) and to the security measure [mp.per.2] in Annex II of the ENS, applicable to all information systems.

8.3.2 7.2 During employment

8.3.2.1 7.2.1 Management responsibilities

ENS:

o Article 14

ENS Annex II:

o [mp.per.2] Duties and obligations

This control corresponds to Article 14 (staff management) and to the security measure [mp.per.2] in Annex II of the ENS, applicable to all information systems.

8.3.2.2 7.2.2 Information security awareness, education and training

ENS:

o Article 5

o Article 14

o Article 15

ENS Annex II:

o [mp.per.3]

o [mp.per.4]

o [mp.s.1]

In the ENS, the awareness and professionalism of individuals in the field of information security are essential aspects, and so this control is covered by the indicated articles and security measures of Annex II of the ENS.

8.3.2.3 7.2.3 Disciplinary process

ENS Annex II:

o [mp.per.2] Duties and obligations

One of the requirements included in the ENS measure [mp.per.2] is that disciplinary action will be specified.

8.3.3 7.3 Termination or change of employment

8.3.3.1 7.3.1 Termination or change of employment responsibilities

ENS Annex II:

o [mp.per.2] Duties and obligations

This control is included in the security measure [mp.per.2] in Annex II of the ENS.

8.4 8 – Asset Management

8.4.1 8.1 Responsibility for assets

8.4.1.1 8.1.1 Inventory of assets

ENS Annex II:

o [op.exp.1] Inventory of assets

o [op.pl.2] Security architecture

This control corresponds to the security measure [op.exp.1] in Annex II of the ENS, applicable to all systems, and includes similar requirements to measure [op.pl.2].

8.4.1.2 8.1.2 Ownership of assets

ENS Annex II:

o [op.exp.1] Inventory of assets

o [mp.info.2] Classification of information

This control is included in the security measure [op.exp.1] in Annex II of the ENS.

8.4.1.3 8.1.3 Acceptable use of assets

ENS Annex II:

o [org.2] Security standards

This control is included in the security measure [org.2] in Annex II of the ENS.

8.4.1.4 8.1.4 Return of assets

ENS Annex II:

o [mp.per.2] Duties and obligations

The ENS provides that the duties and obligations of staff and third parties shall continue after termination of the relationship. However, the obligation to return the organisation's assets is not explicitly mentioned.

Therefore, the paying agencies must verify that this asset return control is included in their security regulations and show that it is carried out.

8.4.2 8.2 Information classification

8.4.2.1 8.2.1 Classification of information

ENS Annex II:

o [mp.info.2] Classification of information

This control corresponds to the security measure [mp.info.2] in Annex II of the ENS.

8.4.2.2 8.2.2 Labelling of information

ENS Annex II:

o [mp.info.2] Classification of information

o [mp.si.1] Labelling

This control corresponds to the security measure [mp.si.1] in Annex II of the ENS.

In addition, measure [mp.info.2] reinforces this control for the medium- and high-level confidentiality dimension by requiring procedures that describe in detail how information is to be labelled and handled according to the level of security it requires.

8.4.2.3 8.2.3 Handling of information

ENS Annex II:

o [mp.info.2] Classification of information

This control requires the development of procedures for managing, processing, storing and communicating information.

This requirement is provided for in measure [mp.info.2], although it only applies to the medium and high levels, so paying agencies whose systems have a basic-level confidentiality dimension must also implement this measure for correct alignment with ISO 27001/27002.

8.4.3 8.3 Media handling

8.4.3.1 8.3.1 Management of removable media

ENS Annex II:

o [org.4] Authorisation process

o [mp.si.1] Labelling

o [mp.si.2] Cryptography

o [mp.si.3] Custody

This control is included in the security measures in Annex II of the ENS relating to the protection of information media.

8.4.3.2 8.3.2 Disposal of media

ENS Annex II:

o [mp.si.5] Erasure and destruction

This control corresponds to the security measure [mp.si.5] in Annex II of the ENS.

8.4.3.3 8.3.3 Physical media transfer

ENS:

o Article 21

ENS Annex II:

o [mp.si.4] Transport

This control corresponds to the security measure [mp.si.4] in Annex II of the ENS. In addition, the protection of stored and in-transit information is part of the minimum requirements of the ENS.

8.5 9 – Access control

8.5.1 9.1 Business requirements of access control

8.5.1.1 9.1.1 Access control policy

ENS:

o Article 16

ENS Annex II:

o [op.acc.2] Access requirements

This control is covered in the ENS through Article 16, which states that access to the system must be controlled and limited to authorised resources, restricting access to permitted functions. The measure [op.acc.2] details that the access rights of each resource will be established according to the decisions of the resource manager, in accordance with the security policy and regulations.

Since this control is an explicit requirement of ISO 27001/27002, paying agencies must verify that they have a documented access control policy or regulation.

8.5.1.2 9.1.2 Access to networks and network services

ENS Annex II:

o [op.acc.2] Access requirements

o [op.acc.7] Remote access (remote login)

This control is included in the measures [op.acc.2] and [op.acc.7] in Annex II of the ENS.

8.5.2 9.2 User access management

8.5.2.1 9.2.1. User registration and de-registration

ENS Annex II:

o [op.acc.1] Identification

o [op.acc.5] Authentication mechanism

This control is included in the measures [op.acc.1], regarding ID management, and [op.acc.5], regarding user account registration and de-registration.

8.5.2.2 9.2.2 User access provisioning

ENS Annex II:

o [op.acc.2] Access requirements

o [op.acc.4] Access rights management process

o [op.acc.5] Authentication mechanism

This control is covered in the ENS through various security measures. The measure [op.acc.2] states the responsibility for establishing access rights for each resource. The measure [op.acc.4] defines the security principles in the assignment of access rights.

Finally, the measure [op.acc.5] details how users must be identified and registered before providing access credentials, and requires those credentials to be removed and disabled when the authenticating entity terminates its relationship with the system.

8.5.2.3 9.2.3 Management of privileged access rights

ENS Annex II:

o [op.acc.1] Identification

o [op.acc.4] Access rights management process

This control is covered in the ENS through two different security measures. The measure [op.acc.1] specifies that, when a user has different roles, including the system administrator, they should receive unique identifiers for each case, so that privileges and activity records are always delimited.

The measure [op.acc.4] defines the principles of minimum privilege, the need to know and the ability to authorise.

8.5.2.4 9.2.4. Management of secret authentication information of users

ENS Annex II:

o [op.acc.5] Authentication mechanism

This control corresponds to the security measure [op.acc.5] in Annex II of the ENS.

8.5.2.5 9.2.5 Review of user access rights

ENS Annex II:

o [op.acc.4] Access rights management process

The ENS measure [op.acc.4] defines the requirements for managing user access privileges. However, it does not explicitly mention that asset owners should review user access rights at regular intervals.

Therefore, for correct equivalence with ISO 27001/27002, paying agencies must expressly define in their security regulations the criteria for asset managers to periodically review user access rights.

8.5.2.6 9.2.6 Removal or adjustment of access rights

ENS Annex II:

o [op.acc.1] Identification

o [op.acc.4] Access rights management process

o [op.acc.5] Authentication mechanism

This control is covered in the ENS through three different security measures. The measure [op.acc.1] states that user accounts must be disabled when the user leaves the organisation or when the function for which the account was required ceases.

The measure [op.acc.4] stresses that only staff competent to do so may alter or void access authorisations to resources in accordance with the criteria of the appropriate manager.

Finally, the measure [op.acc.5] defines that credentials must be removed and disabled when the authenticating entity terminates its relationship with the system.
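The checks described for 9.2.5 (periodic review of access rights) and 9.2.6 (removal or adjustment of access rights) lend themselves to a recurring reconciliation of the account inventory. The following script is an added example, not part of this guide nor an official CCN tool: it reconciles a constructed inventory against the constructed leaver list and resource-manager approvals, and reports each deviation against the measure it breaches ([op.acc.1] one identifier per role, [op.acc.4] every entitlement traceable to an authorisation, [op.acc.5] credentials withdrawn on termination, and the 9.2.5 review interval). The field names, the 180-day review period and all data are assumptions.

```python
"""Reconcile an access-rights inventory against the ENS checks described above.

Constructed example: all accounts, people, resources and dates below are
invented for illustration; the field names are assumptions, not an ENS or
ISO 27001 format.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=180)   # assumed review interval set by the agency's regulations
PRIVILEGED_ROLES = {"sysadmin", "dba"}
TODAY = date(2020, 5, 31)             # fixed reference date so the run is reproducible


@dataclass
class Account:
    identifier: str
    person: str
    roles: set
    entitlements: set        # resources this account can reach
    enabled: bool
    last_review: date        # last confirmation by the resource manager


# Constructed inventory (not real data).
ACCOUNTS = [
    Account("jsmith", "J. Smith", {"user"}, {"payments-db:read"}, True, date(2020, 3, 1)),
    Account("jsmith-adm", "J. Smith", {"sysadmin"}, {"payments-db:admin"}, True, date(2020, 4, 15)),
    Account("mlopez", "M. Lopez", {"user", "dba"}, {"payments-db:admin"}, True, date(2020, 4, 15)),
    Account("agarcia", "A. Garcia", {"user"}, {"payments-db:read", "hr-share:write"}, True, date(2019, 6, 1)),
    Account("rdiaz", "R. Diaz", {"user"}, {"payments-db:read"}, True, date(2020, 4, 15)),
]
LEAVERS = {"R. Diaz"}                   # constructed HR leaver list
APPROVED = {                            # constructed authorisations granted by each resource manager
    "payments-db:read": {"jsmith", "agarcia", "rdiaz"},
    "payments-db:admin": {"jsmith-adm", "mlopez"},
}


def review_access(accounts, leavers, approved, today):
    """Return (identifier, control, finding) tuples for every deviation found."""
    findings = []
    for acc in accounts:
        # [op.acc.1]: one identifier must not mix a privileged role with ordinary use
        if acc.roles & PRIVILEGED_ROLES and acc.roles - PRIVILEGED_ROLES:
            findings.append((acc.identifier, "op.acc.1",
                             "privileged and ordinary roles share one identifier"))
        # [op.acc.1]/[op.acc.5]: leavers must be disabled and their credentials removed
        if acc.enabled and acc.person in leavers:
            findings.append((acc.identifier, "op.acc.5", "enabled account belongs to a leaver"))
        # ISO 27002 9.2.5: the resource manager must re-confirm rights within the period
        if today - acc.last_review > REVIEW_PERIOD:
            findings.append((acc.identifier, "9.2.5", "access rights not reviewed within period"))
        # [op.acc.4]: every entitlement must trace back to a resource-manager authorisation
        for ent in sorted(acc.entitlements):
            if acc.identifier not in approved.get(ent, set()):
                findings.append((acc.identifier, "op.acc.4",
                                 f"no authorisation on record for {ent}"))
    return findings


if __name__ == "__main__":
    for ident, control, text in review_access(ACCOUNTS, LEAVERS, APPROVED, TODAY):
        print(f"{ident:12} [{control}] {text}")
```

Run against the constructed data, the script flags four deviations: the shared identifier of mlopez, the stale review and the unapproved entitlement of agarcia, and the still-enabled account of the leaver rdiaz; the two separate identifiers of J. Smith pass, which is the pattern [op.acc.1] asks for. In practice the inventory, leaver list and approvals would be exported from the directory, HR system and authorisation records respectively, and the findings would feed the corrective actions recorded under Clause 10.1.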

8.5.3 9.3 User responsibilities

8.5.3.1 9.3.1 Use of secret authentication information

ENS Annex II:

o [op.acc.5] Authentication mechanism

This control is included in the security measure [op.acc.5] in Annex II of the ENS. When the user receives the credentials, they shall acknowledge that they have received them and that they know and accept the obligations involved in their possession, in particular the duty of diligent custody, protection of their confidentiality and immediate information in the event of loss.

8.5.4 9.4 System and application access control

8.5.4.1 9.4.1 Information access restriction

ENS Annex II:

o [op.acc.2] Access requirements

o [op.acc.4] Access rights management process

Limitations on user access to systems are defined in the ENS by means of the measures [op.acc.2] and [op.acc.4].

8.5.4.2 9.4.2 Secure log-on procedures

ENS Annex II:

o [op.acc.5] Authentication mechanism

o [op.acc.6] Local access (local logon)

o [op.acc.7] Remote access (remote login)

This control is included in the measure [op.acc.5], regarding the use of authentication factors according to the security level of the system, and [op.acc.6] and [op.acc.7] regarding local and remote access, respectively.

8.5.4.3 9.4.3 Password management system

ENS Annex II:

o [op.acc.5] Authentication mechanism

This control is included in the security measure [op.acc.5] in Annex II.

8.5.4.4 9.4.4 Use of privileged utility programmes

ENS:

o Article 19

ENS Annex II:

o [op.acc.2] Access requirements

This control is covered by the ENS's own regulations and the security measure [op.acc.2] in Annex II.

The ENS establishes as a minimum requirement that the system will provide the minimum functionality required for the organisation to achieve its objectives. The operating, administration and activity recording functions will be the minimum necessary and it will be ensured that they can only be accessed by authorised persons or from authorised sites or equipment.

In turn, the measure [op.acc.2] states that, in particular, access to system components and its files or configuration records will be controlled.

8.5.4.5 9.4.5 Access control to program source code

ENS Annex II:

o [op.acc.2] Access requirements

o [mp.sw.1] Development

As noted in the previous control, measure [op.acc.2] in Annex II of the ENS, applicable to all information systems, requires that access to system components and their files or configuration records be controlled.

In this regard, paying agencies should verify that this includes controlling access to the source code of the programs.

In addition, the measure [mp.sw.1] requires that applications be developed on a system that is different from, and separate from, production, with no development tools or development data in the production area.

However, this measure is only applicable to medium- and high-level systems, so for greater alignment with ISO 27001/27002, it is recommended that paying agencies apply this control regardless of the category of the information system.

8.6 10 – Cryptography

8.6.1 10.1 Cryptographic controls

8.6.1.1 10.1.1 Policy on use of cryptographic controls

ENS:

o Article 33

ENS Annex II:

o [mp.si.2] Cryptography

o [mp.info.3] Ciphering

o [mp.info.4] Electronic signature

o [op.acc.7] Remote access (remote login)

o [mp.com.2] Confidentiality protection

o [mp.com.3] Protection of authenticity and integrity

The ENS is particularly concerned with protecting information through cryptographic controls and electronic signatures, in order to give the administrative process the guarantees it requires. Its requirements in this respect are therefore more demanding than those of ISO 27001/27002, and several security measures address them.

Article 33 of the ENS establishes that the electronic signature and certificates policy will specify the processes for generating, validating and keeping record of electronic signatures and the characteristics and requirements governing the electronic signature, certificates, time stamping systems and other supporting elements for signatures.

8.6.1.2 10.1.2 Key management

ENS Annex II:

o [op.exp.11] Protection of cryptographic keys

This control corresponds to the security measure [op.exp.11] in Annex II.

8.7 11 – Physical and environmental security

8.7.1 11.1 Secure areas

8.7.1.1 11.1.1 Physical security perimeter

ENS:

o Article 17

ENS Annex II:

o [mp.if.1] Separate areas with access control

One of the minimum requirements of the ENS is the protection of the facilities, so the systems must be installed in separate areas specific to their function and equipped with an access control procedure. This is specified by the security measure [mp.if.1] in Annex II.

8.7.1.2 11.1.2 Physical entry controls

ENS:

o Article 17

ENS Annex II:

o [mp.if.1] Separate areas with access control

o [mp.if.2] Identification of individuals

This control is covered by Article 17 above and the security measures [mp.if.1] and [mp.if.2] in Annex II. In particular, the latter establishes the recording of staff entry and exit at the premises.

8.7.1.3 11.1.3 Securing offices, rooms and facilities

ENS:

o Article 21

ENS Annex II:

o [mp.if.1] Separate areas with access control

As part of the minimum requirements, the ENS stipulates that all information on non-electronic devices shall be protected to the same degree of security as electronic information, applying the measures corresponding to the nature of the device on which they are located.

8.7.1.4 11.1.4 Protecting against external and environmental threats

ENS Annex II:

o [mp.if.3] Outfitting of sites

o [mp.if.5] Fire protection

o [mp.if.6] Flood protection

This control is covered by the security measures in Annex II of the ENS mentioned above.

8.7.1.5 11.1.5 Working in secure areas

ENS Annex II:

o [mp.if.1] Separate areas with access control

o [op.pl.2] Security architecture

In addition to the specifications in measure [mp.if.1] above, measure [op.pl.2] requires organisations to document the different areas and their physical access points for all information systems within the scope of the ENS.

8.7.1.6 11.1.6 Delivery and loading areas

ENS Annex II:

o [mp.if.1] Separate areas with access control

o [op.pl.2] Security architecture

As indicated above, the measures outlined define the physical security requirements for areas hosting information systems.


However, the ENS makes no explicit reference to delivery and loading areas, so paying agencies must verify that access points of this kind, where unauthorised persons may gain entry, are covered by their physical access control processes.

8.7.2 11.2 Equipment security

8.7.2.1 11.2.1 Equipment siting and protection

ENS Annex II:

o [mp.if.1] Separate areas with access control

o [mp.if.3] Outfitting of sites

o [mp.if.5] Fire protection

o [mp.if.6] Flood protection

This control is covered by the ENS security measures listed and referred to in previous points. In particular, the measure [mp.if.3] contains the protection of the equipment against the threats identified in the risk analysis.

8.7.2.2 11.2.2 Supporting utilities

ENS Annex II:

o [mp.if.3] Outfitting of sites

o [mp.if.4] Electrical power

This control is included in the ENS security measures indicated, and in particular in measure [mp.if.4], which states that the supply of electrical power must be guaranteed in the premises where the information systems and their components are located.

However, the requirement to keep systems powered in the event of a failure of the general supply, for long enough to allow an orderly termination of processes, only applies to medium- and high-level systems.

Therefore, for greater alignment with ISO 27001/27002, paying agencies must verify that they incorporate this protection in the event of a power failure in all systems within the scope of the ENS.

8.7.2.3 11.2.3 Cabling security

ENS Annex II:

o [mp.if.3] Outfitting of sites

This control is included in measure [mp.if.3], which includes protection of cabling from accidental or deliberate incidents.

8.7.2.4 11.2.4 Equipment maintenance

ENS Annex II:

o [op.exp.4] Maintenance


This control corresponds to the security measure [op.exp.4] in Annex II of the ENS.

8.7.2.5 11.2.5 Removal of assets

ENS Annex II:

o [org.4] Authorisation process

o [mp.if.7] Logs of equipment entry and exit

o [mp.si.4] Transport

This control, which requires authorisation prior to the removal of materials, is included in the above security measures.

8.7.2.6 11.2.6 Security of equipment and assets off-premises

ENS:

o Article 21

ENS Annex II:

o [org.4] Authorisation process

o [mp.if.7] Logs of equipment entry and exit

o [mp.eq.3] Protection of laptops

This control is included in the security measures indicated, as well as in the minimum requirement of the ENS for the protection of information in transit.

8.7.2.7 11.2.7 Secure disposal or re-use of equipment

ENS Annex II:

o [mp.si.5] Erasure and destruction

This control corresponds to the security measure [mp.si.5] in Annex II of the ENS.

8.7.2.8 11.2.8 Unattended user equipment

ENS Annex II:

o [mp.eq.2] Blocking of work stations

This control corresponds to the security measure [mp.eq.2] in Annex II of the ENS.

However, this measure only applies to the dimension of authenticity for medium and high levels of security, so paying agencies should verify that it is also being applied at the low level to achieve full equivalence with ISO 27001/27002 on this point.

8.7.2.9 11.2.9 Clear desk and screen policy

ENS Annex II:

o [mp.eq.1] Tidy work station


This control corresponds to the security measure [mp.eq.1] in Annex II of the ENS.

8.8 12 – Operations security

8.8.1 12.1 Operational procedures and responsibilities

8.8.1.1 12.1.1 Documented operating procedures

ENS Annex II:

o [org.3] Security procedures

o [mp.per.3] Awareness

This control corresponds to the security measure [org.3] in Annex II of the ENS, as regards the documentation of security procedures, and with the measure [mp.per.3] as regards its dissemination to interested parties, both applicable to all information systems.

8.8.1.2 12.1.2 Change management

ENS Annex II:

o [op.exp.5] Change management

This control corresponds to the security measure [op.exp.5] in Annex II of the ENS.

However, this measure only applies to medium- and high-level systems, so paying agencies must verify that changes in basic-level systems are also controlled and managed in order to achieve full equivalence with ISO 27001/27002 on this point.

8.8.1.3 12.1.3 Capacity management

ENS Annex II:

o [op.pl.4] Dimensioning / Capacity management

This control corresponds to the security measure [op.pl.4] in Annex II of the ENS.

However, this measure only applies to the availability dimension at medium and high security levels, so paying agencies should verify that resource needs are also monitored and planned at the low level in order to achieve alignment with ISO 27001/27002 in this control.

8.8.1.4 12.1.4 Separation of development, testing and operational environments

ENS Annex II:

o [mp.sw.1] Development

o [mp.sw.2] Acceptance and commissioning

Measure [mp.sw.2], applicable to all systems, establishes that tests must be carried out in an environment that is isolated from and separate from the production environment, and that tests with real data are to be avoided unless the corresponding security level is assured.


However, the need to separate development resources from production resources is only established in the ENS for medium- and high-level systems through measure [mp.sw.1]. Therefore, the paying agencies should also apply this control for basic-level systems in order to align their measures with those of ISO 27001/27002.

8.8.2 12.2 Protection from malware

8.8.2.1 12.2.1 Controls against malware

ENS Annex II:

o [op.exp.6] Protection against malicious code

This control corresponds to the security measure [op.exp.6] in Annex II of the ENS, for all information systems.

8.8.3 12.3 Backups

8.8.3.1 12.3.1 Information backups

ENS:

o Article 7

o Article 25

ENS Annex II:

o [mp.info.9] Backup copies

This control corresponds to the security measure [mp.info.9] in Annex II of the ENS. Making backups is a fundamental element of information security, and as such in the ENS it is a basic principle of information retrieval, as well as a minimum requirement.

8.8.4 12.4 Logging and monitoring

8.8.4.1 12.4.1 Event logging

ENS:

o Article 23

ENS Annex II:

o [op.exp.8] Log of user activity

This control corresponds to the security measure [op.exp.8] in Annex II of the ENS. In addition, this is a minimum requirement of the ENS.

8.8.4.2 12.4.2 Protection of log information

ENS Annex II:

o [op.exp.10] Activity log protection

This control corresponds to the security measure [op.exp.10] in Annex II of the ENS.


However, it is only applicable to the traceability dimension at the high level of security, so paying agencies must verify that the control is also implemented at the low and medium levels.

8.8.4.3 12.4.3 Administrator and operator logs

ENS Annex II:

o [op.exp.8] Log of user activity

This control corresponds to the security measure [op.exp.8] in Annex II of the ENS.

8.8.4.4 12.4.4 Clock synchronisation

ENS:

o Article 31

ENS Annex II:

o [op.exp.8] Log of user activity

o [op.exp.10] Activity log protection

The ENS defines the technical security conditions for electronic communications, which require the date and time to be recorded, among other things. It also requires, as a security measure, the recording of user activities in the system, including who performs the activity, and when.

However, it does not explicitly mention that the clocks of all systems be synchronised with a single accurate and agreed source of time, so the paying agencies must verify that this control is being applied regardless of the system level.

8.8.5 12.5 Control of operational software

8.8.5.1 12.5.1 Installation of software on operational systems

ENS:

o Article 20

ENS Annex II:

o [org.4] Authorisation process

o [op.exp.2] Security configuration

o [mp.sw.2] Acceptance and commissioning

It is a minimum requirement of the ENS for all elements to require formal authorisation prior to installation in the system. Authorisation processes are defined in measure [org.4]. In turn, the measures indicated control the configuration, acceptance and installation of the applications.


8.8.6 12.6 Technical vulnerability management

8.8.6.1 12.6.1 Management of technical vulnerabilities

ENS:

o Article 20

ENS Annex II:

o [op.exp.4] Maintenance

o [mp.sw.2] Acceptance and commissioning

The ENS includes a minimum requirement that the security status of the systems, with regard to the manufacturers' specifications, the vulnerabilities and the updates that affect them, be known at all times, and that diligent action be taken to control the risk in view of that security status.

8.8.6.2 12.6.2 Restrictions on software installation

ENS:

o Article 20

ENS Annex II:

o [org.4] Authorisation process

o [op.acc.4] Access rights management process

This control is especially covered by the ENS security measure [op.acc.4], which determines that the privileges of each user must be lowered to the minimum strictly necessary to fulfil their obligations.

8.8.7 12.7 Information systems audit considerations

8.8.7.1 12.7.1 Information systems audit controls

ENS:

o Article 34

o Annex III

The security audit requirements are detailed in the ENS through Article 34 and Annex III.

However, it is not explicitly stated that audit activities involving checks on operational systems should be planned and agreed, so paying agencies must verify that this control is implemented in order to achieve equivalence with ISO 27001/27002.

8.9 13 – Communications security

8.9.1 13.1 Network security management

8.9.1.1 13.1.1 Network controls

ENS Annex II:


o [org.4] Authorisation process

o [op.pl.2] Security architecture

o [op.acc.7] Remote access (remote login)

o [mp.com.2] Confidentiality protection

o [mp.com.3] Protection of authenticity and integrity

This control is included in the various security measures referred to in the ENS.

For greater compliance with this control, it is recommended that the protection of confidentiality in communications and the establishment of a specific policy on what may be done remotely apply not only to medium- and high-level systems, but also to basic-level systems.

8.9.1.2 13.1.2 Security of network services

ENS Annex II:

o [org.4] Authorisation process

o [op.acc.7] Remote access (remote login)

o [op.mon.1] Detection of intruders

o [mp.com.1] Safe perimeter

o [mp.com.2] Confidentiality protection

o [mp.com.3] Protection of authenticity and integrity

This control is included in the various security measures referred to in the ENS.

For greater compliance with this control, it is recommended that the protection of confidentiality in communications, the deployment of intrusion detection tools, and the establishment of a specific policy on what may be done remotely apply not only to medium- and high-level systems, but also to basic-level systems.

8.9.1.3 13.1.3 Segregation in networks

ENS Annex II:

o [mp.com.4] Separation of networks

This control corresponds to the security measure [mp.com.4] in Annex II of the ENS.

However, network segregation is only applicable to high-level information systems, so paying agencies must also implement the control in basic- and medium-level systems.

8.9.2 13.2 Information transfer

8.9.2.1 13.2.1 Information transfer policies and procedures

ENS Annex II:

o [org.2] Security standards


o [org.3] Security procedures

o [mp.com.3] Protection of authenticity and integrity

This control is mainly covered by measure [mp.com.3], whose requirement applicable to all systems states that the authenticity of the other end of a communication channel must be ensured before information is exchanged. In addition, the need for formal policies, procedures and controls is defined in the organisational security measures of the ENS.

8.9.2.2 13.2.2 Agreements on information transfer

ENS Annex II:

o [op.ext.1] Contracting and service-level agreements

This control is included in measure [op.ext.1] in Annex II of the ENS. However, such agreements are only required for medium- and high-level information systems, so paying agencies must also implement the control in basic-level systems.

8.9.2.3 13.2.3 Electronic messaging

ENS Annex II:

o [mp.s.1] Email protection

This control corresponds to the security measure [mp.s.1] in Annex II of the ENS, applicable to all systems.

8.9.2.4 13.2.4 Confidentiality or non-disclosure agreements

ENS Annex II:

o [mp.per.2] Duties and obligations

This control corresponds to the security measure [mp.per.2] in Annex II of the ENS, applicable to all systems.

8.10 14 – System acquisition, development and maintenance

8.10.1 14.1 Security requirements of information systems

8.10.1.1 14.1.1 Information security requirements analysis and specification

ENS:

o Article 39

Annex II:

o [op.pl.3] Acquisition of new components

This control is covered by Article 39, which indicates that the security specifications will be included in the life cycle of the services and systems, accompanied by the corresponding control procedures, as well as by the security measure indicated.


8.10.1.2 14.1.2 Securing application services on public networks

ENS:

o Article 22

Annex II:

o [mp.com.2] Confidentiality protection

o [mp.com.3] Protection of authenticity and integrity

This control is covered by Article 22, which states that the system is to protect the perimeter and in particular if it is connected to public networks, as well as through the security measures indicated above.

8.10.1.3 14.1.3 Protecting application service transactions

Annex II:

o [mp.info.4] Electronic signature

o [mp.info.5] Time stamping

This control is carried out in the ENS mainly through the security measures relating to the electronic signature, with the aim of applying the guarantees due in the administrative process.

To align the ENS with ISO 27001, the time stamping measure, which the ENS requires only at the high level, must be implemented for all systems.

8.10.2 14.2 Security in development and support processes

8.10.2.1 14.2.1 Secure development policy

ENS Annex II:

o [mp.sw.1] Development

This control corresponds to the measure [mp.sw.1], but only applies to medium- and high-level systems, so paying agencies must also implement it in basic-level systems.

8.10.2.2 14.2.2 System change control procedures

ENS Annex II:

o [op.exp.5] Change management

o [mp.sw.1] Development

This control corresponds to the measures [op.exp.5] and [mp.sw.1] for security throughout the life cycle of the system, but only applies to changes in medium- and high-level systems, so paying agencies must also implement it in basic-level systems.

8.10.2.3 14.2.3 Technical review of applications after operating platform changes

ENS Annex II:


o [op.exp.5] Change management

This control corresponds to the measure [op.exp.5], but only applies to changes in medium- and high-level systems, so paying agencies must also implement it in basic-level systems.

8.10.2.4 14.2.4 Restrictions on changes to software packages

ENS Annex II:

o [org.4] Authorisation process

o [op.exp.5] Change management

The measure [org.4] defines the authorisations required before applications are brought into production. This control is also included in the measure [op.exp.5], but that measure only applies to changes in medium- and high-level systems, so paying agencies must verify that it is also implemented in basic-level systems.

8.10.2.5 14.2.5 Secure system engineering principles

ENS Annex II:

o [op.pl.2] Security architecture

o [mp.sw.1] Development

This control is essentially covered through the development of the system security architecture required in the measure [op.pl.2].

8.10.2.6 14.2.6 Secure development environment

ENS Annex II:

o [mp.sw.1] Development

This control corresponds to the measure [mp.sw.1], but only applies to the development of medium- and high-level systems, so paying agencies must also implement it in basic-level systems to achieve full equivalence with ISO 27001/27002.

8.10.2.7 14.2.7 Outsourced development

ENS Annex II:

o [mp.sw.1] Development

o [mp.sw.2] Acceptance and commissioning

o [op.ext.1] Contracting and service-level agreements

o [op.ext.2] Daily management

This control is distributed among the ENS security measures identified.

However, since security measures relating to the secure development and contracting of services with third parties only apply to medium- and high-level systems, paying agencies must also implement it in basic-level systems to obtain full equivalence with ISO 27001/27002.


8.10.2.8 14.2.8 System security testing

ENS Annex II:

o [mp.sw.1] Development

o [mp.sw.2] Acceptance and commissioning

This control refers to carrying out functional security tests during development. It is covered in the ENS by the security measures indicated, although in the specific case of the functionality tests in the development phase, the control corresponds especially to the measure [mp.sw.1], which applies to the medium- and high-level information systems.

Therefore, paying agencies should verify that functional security tests during development are also applied to basic-level systems, in order to achieve full equivalence with ISO 27001/27002.

8.10.2.9 14.2.9 System acceptance testing

ENS Annex II:

o [mp.sw.2] Acceptance and commissioning

This control corresponds to the security measure [mp.sw.2], applicable to all systems: before going into production, the correct functioning of the application will be checked.

8.10.3 14.3 Test Data

8.10.3.1 14.3.1 Protection of test data

ENS Annex II:

o [mp.sw.1] Development

o [mp.sw.2] Acceptance and commissioning

This control is especially covered by the measure [mp.sw.2], which applies to all systems within the ENS scope, as well as being extended by the measure [mp.sw.1] for medium- and high-level systems.

8.11 15 – Supplier relationships

8.11.1 15.1 Information security in supplier relations

8.11.1.1 15.1.1 Information security policy for supplier relationships

ENS Annex II:

o [org.2] Security standards

o [org.4] Authorisation process

o [op.ext.1] Contracting and service-level agreements

The ENS includes the management of contracts with suppliers, as is the case with the security measure [org.4], which calls for the establishment of a formal authorisation process covering the use of third-party services under contract or agreement. The relevant regulations must also be in place.

The measure [op.ext.1] defines that the characteristics of the service provided, and the responsibilities of the parties should be established contractually. However, this measure is applicable to medium- and high-level systems, so paying agencies should also implement this control in basic-level systems for direct equivalence with ISO 27001/27002 standards.

8.11.1.2 15.1.2 Addressing security within supplier agreements

ENS Annex II:

o [op.ext.1] Contracting and service-level agreements

As indicated in the previous control, this ENS security measure is applicable to medium- and high-level information systems, so paying agencies should also verify its implementation for basic-level systems.

8.11.1.3 15.1.3 Information and communication technology supply chain

ENS Annex II:

o [op.ext.1] Contracting and service-level agreements

This ENS security measure is applicable to medium- and high-level information systems, so paying agencies should also verify its implementation for basic-level systems.

8.11.2 15.2 Supplier service delivery management

8.11.2.1 15.2.1 Monitoring and review of supplier services

ENS Annex II:

o [op.ext.2] Daily management

This control corresponds to the measure [op.ext.2] in the ENS.

However, this ENS security measure is applicable to medium- and high-level security information systems, so paying agencies should also verify its implementation for basic-level systems.

8.11.2.2 15.2.2 Managing changes to supplier services

ENS Annex II:

o [op.ext.2] Daily management

o [op.exp.5] Change management

This control is included in the measures [op.ext.2] and [op.exp.5] in the ENS.

However, these measures are applicable to medium- and high-level information systems, so paying agencies must also verify their implementation for basic-level systems in order to achieve direct equivalence with ISO 27001/27002.


8.12 16 – Information security incident management

8.12.1 16.1 Management of information security incidents and improvements

8.12.1.1 16.1.1 Responsibilities and procedures

ENS:

o Article 24

Annex II:

o [org.2] Security standards

o [org.3] Security procedures

o [op.exp.7] Incident management

One of the minimum requirements of the ENS is the management of security incidents, so procedures for managing security incidents and weaknesses detected in the elements of the information system must be available.

In addition, among the security measures in Annex II, the ENS specifically requires that documents be available that clearly and accurately detail how to identify and report anomalous behaviour for all systems.

8.12.1.2 16.1.2 Reporting information security events

ENS:

o Article 24

Annex II:

o [org.3] Security procedures

o [op.exp.7] Incident management

As a minimum requirement, the ENS requires procedures for the detection and communication of security events. This is also detailed in the Technical Security Instruction for Reporting Security Incidents.

In addition, among the security measures in Annex II, the ENS specifically requires that documents be available that clearly and accurately detail how to identify and report anomalous behaviour for all systems.

8.12.1.3 16.1.3 Reporting information security weaknesses

ENS:

o Article 24

Annex II:

o [org.3] Security procedures

o [op.exp.7] Incident management


As part of its minimum incident management requirement, the ENS includes the definition of procedures for communicating security incidents with interested parties, whether internal or external.

However, as a precaution, it is recommended that paying agencies review the processes by which security incidents are reported to and received from service providers, since this express requirement is also stated in the measure [op.exp.7], which only applies to medium- and high-level systems.

8.12.1.4 16.1.4 Assessment of and decision on information security events

ENS:

o Article 24

Annex II:

o [op.exp.7] Incident management

As part of its minimum incident management requirement, the ENS includes procedures covering the analysis and classification criteria of security incidents.

In turn, the measure [op.exp.7] develops this requirement in greater depth, although it only applies to medium- and high-level systems, so it is recommended that paying agencies verify that they are complying with this control on all systems when the ENS minimum incident management requirement is applied.

8.12.1.5 16.1.5 Response to information security incidents

ENS:

o Article 7

o Article 24

Annex II:

o [op.exp.7] Incident management

o [op.exp.9] Incident management log

One of the basic principles of the ENS is to have response measures to security incidents, so that they can be addressed promptly.

In addition, the minimum incident management requirement of the ENS includes procedures covering the resolution of security incidents, the recording of the actions performed and the channels of communication to interested parties.

In turn, the measures [op.exp.7] and [op.exp.9] develop this requirement in greater depth, although it only applies to medium- and high-level systems, so it is recommended that paying agencies review that they are effectively complying with this control in all systems by applying the ENS minimum incident management requirement.

8.12.1.6 16.1.6 Learning from information security incidents

ENS:


o Article 24

Annex II:

o [op.exp.7] Incident management

The ENS, in its minimum incident management requirement, details that recording actions performed to resolve incidents should be used for the continuous improvement of the system security.

In turn, the measure [op.exp.7] develops this requirement in greater depth, although it only applies to medium- and high-level systems, so it is recommended that paying agencies verify that they are complying with this control on all systems when the ENS minimum incident management requirement is applied.

8.12.1.7 16.1.7 Collection of evidence

Annex II:

o [op.exp.7] Incident management

o [op.exp.9] Incident management log

This control of ISO 27001/27002 is covered by the measures [op.exp.7] and [op.exp.9].

However, these measures apply only to medium- and high-level information systems, so paying agencies must also implement this control for basic-level systems in order to achieve full alignment with ISO 27001/27002.

8.13 17 – Information security aspects of business continuity management

8.13.1 17.1 Information security continuity

8.13.1.1 17.1.1 Planning information security continuity

Annex II:

o [op.cont.1] Impact analysis

This control corresponds to the measure [op.cont.1] in Annex II of the ENS.

However, this measure applies only to medium- and high-level information systems, so paying agencies must also implement this control for basic-level systems in order to achieve full alignment with ISO 27001/27002.

8.13.1.2 17.1.2 Implementing information security continuity

Annex II:

o [op.cont.2] Continuity plan

This control corresponds to the measure [op.cont.2] in Annex II of the ENS.

However, this measure applies only to high-level information systems, so paying agencies must also implement this control for medium- and basic-level systems in order to achieve full alignment with ISO 27001/27002 on this point.


8.13.1.3 17.1.3 Verify, review and evaluate information security continuity

Annex II:

o [op.cont.3] Regular tests

This control corresponds to the measure [op.cont.3] in Annex II of the ENS.

However, this measure applies only to high-level information systems, so paying agencies must also implement this control for medium- and basic-level systems in order to achieve full alignment with ISO 27001/27002 on this point.

8.13.2 17.2 Redundancies

8.13.2.1 17.2.1 Availability of information processing facilities

ENS:

o Article 7

o Article 25

Annex II:

o [mp.if.9] Alternative facilities

o [mp.per.9] Alternative personnel

o [mp.eq.9] Alternative means

o [mp.com.9] Alternative means

o [mp.s.9] Alternative means

The ENS establishes as a basic principle that the recovery measures must allow the information and the services to be restored, so that situations in which a security incident disables the habitual methods can be corrected. Similarly, the system should keep services available throughout the life cycle of digital information.

In turn, one of the minimum requirements of the ENS is the continuity of the activity, so the necessary mechanisms must be established to ensure the continuity of operations in the event of loss of the usual means of working.

The existence of redundant elements is developed in the ENS through the measures indicated in Annex II. Since most of these measures apply only to high-level systems, paying agencies should verify that they are also implemented for medium- and basic-level systems in order to achieve full compliance with this ISO 27001/27002 control.

All of this is supported by an impact analysis that determines the availability requirements of each service, as well as the elements that are critical to providing each service.


8.14 18 – Compliance

8.14.1 18.1 Compliance with legal and contractual requirements

8.14.1.1 18.1.1 Identification of applicable legislation and contractual requirements

Annex II:

o [org.1] Security policy

This control is included in the security measure [org.1] of Annex II of the ENS, which requires that the security policy specify the legal and regulatory framework within which the activities are carried out.

8.14.1.2 18.1.2 Intellectual Property Rights (IPR)

Annex II:

o [org.2] Security standards

o [org.3] Security procedures

ENS measures [org.2] and [org.3] define the existence of documents describing the correct use of equipment and what is considered misuse, and clearly and accurately detail, among other things, how to identify and report anomalous behaviour.

This could include the enforcement of intellectual property rights; however, as this is not explicitly mentioned in the ENS, paying agencies should verify that they have implemented this control to achieve direct equivalence with ISO 27001/27002.

8.14.1.3 18.1.3 Protection of records

ENS:

o Article 7

o Article 21

o Article 43

o Annex I

This control is covered by the ENS's own regulations. On the one hand, as a basic principle, the ENS provides that the system shall ensure the preservation of the organisation's data and information in electronic form.

On the other hand, it is a minimum requirement that the procedures that ensure the long-term recovery and preservation of electronic documents produced by public administrations in the field of their competences, within the scope of Law 40/2015, form part of security.

Finally, and as noted in previous sections, the category of an information system, in the field of security, is assessed based on the impact of an incident on the organisation's ability to protect its assets, among other aspects.


8.14.1.4 18.1.4 Privacy and protection of personally identifiable information

Annex II:

o [mp.info.1] Personal data

This control corresponds to the measure [mp.info.1] in Annex II of the ENS, applicable to all information systems within the scope of the ENS.

8.14.1.5 18.1.5 Regulation of cryptographic controls

Annex II:

o [op.acc.7] Remote access (remote login)

o [mp.com.2] Confidentiality protection

o [mp.info.3] Ciphering

o [mp.info.4] Electronic signature

In the ENS, the regulation of cryptographic controls is directly related to the guarantees of the administrative process (laws 39/2015 and 40/2015) and the legislation on electronic signatures.

In particular, measure [mp.info.4] establishes that the electronic signature must be used as an instrument capable of allowing verification of the authenticity of the provenance and integrity of the information, providing the basis for avoiding repudiation. Therefore, any kind of electronic signature from among those provided for in current legislation may be used.

8.14.2 18.2 Information security reviews

8.14.2.1 18.2.1 Independent review of information security

ENS:

o Article 34

o Annex III

The requirements for the audit of information security are defined in the ENS through Article 34 and Annex III, as well as in the Security Technical Instruction on the Security Audit of Information Systems.

8.14.2.2 18.2.2 Compliance with security policies and standards

ENS:

o Article 14

Annex II:

o [org.2] Security regulations

The ENS incorporates as a minimum security requirement that the actions of staff related to information and systems must be monitored to verify that established procedures are followed, covering what is required by this control.


8.14.2.3 18.2.3 Technical compliance review

ENS:

o Article 20

Annex II:

o [org.3] Security procedures

o [mp.sw.2] Acceptance and commissioning

In the ISO 27002 standard, this control includes intrusion testing and vulnerability scanning.

In this respect, one of the minimum requirements of the ENS is that the security status of the systems regarding manufacturers' specifications, vulnerable aspects and updates affecting them should be known at all times.

The measure [mp.sw.2] also requires technical inspections, but only for medium- and high-level systems. Therefore, although this is a minimum requirement of the ENS, in order to ensure alignment with ISO 27001/27002, the paying agencies must verify that these technical inspections are carried out periodically and for all systems within the scope of the ENS.


9. GUIDE UPDATE

This equivalence guide between the ISO 27001/27002 standards and the ENS for paying agencies will be reviewed and updated each time a new version of those standards is released, so that future updates are reflected in the guide and an equivalent level of security is maintained.

Similarly, the guide will be reviewed and updated, where appropriate, whenever changes are made to the Spanish legislation regulating the ENS.

Finally, the guide will be reviewed in the event of a change in the legislation relating to paying agencies and other bodies, financial management, clearance of accounts, guarantees and use of the euro, as far as the security of information systems is concerned.


ANNEX A. SUMMARY OF EFFORT FOR COMPLIANCE WITH ISO 27001 THROUGH THE ENS

The following sections indicate, on the one hand, those requirements in the main body of ISO/IEC 27001 (its normative clauses) that are required to obtain certification and that are not covered, or only partially covered, by the ENS articles (and security measures, where applicable).

On the other hand, they detail those controls in Annex A of ISO/IEC 27001 that are not covered, or only partially covered, by the security measures in Annex II and/or by the ENS articles.

In both cases, the additional effort that may be necessary to complete the requirements of the ISO/IEC 27001 standard is indicated, as well as the additional measure to be implemented in each case. The following levels are used for this purpose:

Level | Comments
0 | Covered. The requirements referred to in the ISO/IEC 27001 standard are covered in the ENS.
1 | Partially covered. The requirements referred to in the ISO/IEC 27001 standard are partially covered in the ENS. An additional effort should be made to implement some additional measures to meet the corresponding requirement.
2 | Not covered. The aspects referred to in the ISO/IEC 27001 standard are not covered in the articles or security measures in Annex II of the ENS. All additional measures necessary to comply with the relevant requirement must be implemented.

ANNEX A.1. ISO 27001 MAIN BODY/ENS ARTICLES

The table below highlights each of the requirements of the main body of ISO/IEC 27001 not covered, or only partially covered, by the articles and/or security measures in Annex II of the ENS, and suggests additional measures to be applied.

Clause | ISO/IEC 27001 Requirement | ENS Article/Measure | Effort | Additional measure

4 Context of organization
4.1 | Understanding the organization and its context | Article 43; Annex I | 1 | It should be reviewed whether there is a strategy in place to regularly analyse the internal and external issues relevant to the ISMS, so that it can fulfil its mission and objectives.
4.2 | Understanding the needs and expectations of interested parties | Article 43; Annex I | 1 | A list of the internal and external stakeholders relevant to the ISMS, and of those dependent on its proper operation, should be reviewed.
4.4 | Information security management system | Article 5; [org.1]; [org.2]; [org.3]; [op.pl.2]; Annex II | 1 | The security measure [op.pl.2] requires the existence of an information security management system; therefore paying agencies must comply with this medium category measure also in basic category information systems.

6 Planning
6.1 | Actions to address risks and opportunities | Article 6; Article 7; Article 13; [op.pl.1] | 1 | It should be reviewed that paying agencies have documentation of the process for dealing with information security risks, as well as a formally approved risk treatment plan.
6.2 | Information security objectives and planning to achieve them | Article 4; [org.1] | 1 | Have documented information on the information security objectives, which must be consistent with the information security policy, measurable, communicated and updated, and must reflect information security requirements and risk management outcomes, among other aspects.

7 Support
7.1 | Resources | [op.pl.2]; [op.mon.2] | 1 | Demonstrate that the organisation determines and provides sufficient resources to operate, maintain and improve the ISMS. To this end, apply the following measures from Annex II of the ENS to all information systems. [op.pl.2]: detail the management system relating to the planning, organisation and control of information security resources. [op.mon.2]: have efficiency metrics that measure whether the security resources of the information systems are adequate, especially in terms of human resources (hours) and economic endowment (budget).
7.4 | Communication | Article 24; [op.exp.7] | 1 | Have a process for managing internal and external communications, and keep the necessary evidence of the communications made concerning the ISMS.
7.5 | Documented information | [org.1]; [org.2]; [org.3]; [op.pl.2] | 1 | Have documentation control processes that define the requirements for its management: control of changes and versions of documents, approvals, access and distribution, formats and templates, repositories for storage and preservation, etc.

8 Operation
8.3 | Information security risk treatment | Article 23 | 1 | As recommended in clause 6.1 of ISO 27001, it is important to verify that documented information on the results of risk treatment is available, as required by the standard.

9 Performance evaluation
9.2 | Internal audit | Article 34; Annex III | 1 | In addition to the biennial audit certifying compliance with the ENS, conduct an annual follow-up audit of the security measures in Annex II of the ENS. Have a documented and up-to-date audit programme, and verify that the role of internal auditor has been defined in the responsibilities and functions process.
9.3 | Management review | Annex III | 1 | Carry out a review of the ISMS by management at least annually, drawing up a statement containing the considerations set out in Clause 9.3 of the ISO/IEC 27001 standard.

10 Improvement
10.1 | Nonconformity and corrective action | Article 7; Article 34; Annex III | 1 | Define a process for managing non-conformities and corrective actions, which must include the maintenance of a record or similar documented information covering all the aspects specified in Clause 10.1 of ISO/IEC 27001.


ANNEX A.2. ANNEX A OF ISO 27001/ANNEX II OF ENS

Each control in Annex A of ISO/IEC 27001, developed in ISO/IEC 27002, that is not covered, or only partially covered, by the security measures in Annex II of the ENS or by its articles is shown below, according to the categorisation of the information system. The additional security measures to be applied are also suggested.

In this sense, three different scenarios are distinguished, which correspond to the security requirements for the basic-, medium- and high-level information systems.


A.2.1 Basic-level information systems

Clause | ISO/IEC 27001 Control | ENS Article/Measure | Effort | Additional measure

A.5 Information security policies
A.5.1.2 | Review of the policies for information security | Article 9; [org.1]; [org.2] | 1 | Review the information security policy and regulations at planned intervals or whenever significant changes occur.

A.6 Organization of information security
A.6.1.2 | Segregation of duties | Article 10; Article 14; Article 15; Article 19; [org.4]; [org.exp.8] | 1 | Measure [op.acc.3] extends the requirements for the segregation of tasks in the affected security dimensions at medium and high level, so basic category systems would also have to apply this measure.
A.6.1.3 | Contact with authorities | Article 36; [org.3] | 1 | Measure [op.exp.7] again emphasises the need to inform internal and external stakeholders about the incidents detected, for medium and high category systems; basic category systems would also have to apply this measure.
A.6.1.5 | Information security in project management | - | 2 | Integrate information security into project management processes so that: information security objectives are included in the project objectives; security risks are identified and considered within a project, including an early project risk assessment to identify the necessary controls; and information security is part of all phases of the methodology applied in the project.
A.6.2.2 | Teleworking | Article 21; [org.2] | 1 | In the event that this control applies in your organisation, define in the security regulations the appropriate measures to protect the information accessed, processed or stored at teleworking sites.

A.7 Human resource security
A.7.1.1 | Screening | - | 2 | Implement the following security measure from Annex II of the ENS. [mp.per.1]: verify the work history of candidates in staff selection processes.

A.8 Asset management
A.8.1.4 | Return of assets | [mp.per.2] | 1 | Include in the security policy the management of the return of assets by employees and third parties once their relationship with the organisation ends. Demonstrate that these returns are carried out through a form or similar record, signed by the interested party when the asset is returned.
A.8.2.2 | Information Tagging | [mp.si.1]; [mp.info.2] | 1 | Measure [mp.info.2] reinforces this control for the confidentiality dimension at medium and high level, by requiring procedures that describe in detail how information is to be labelled and handled according to its security level; basic category systems must therefore also apply this measure.
A.8.2.3 | Handling of information | [mp.info.2] | 1 | Implement the following measure from Annex II of the ENS, corresponding to the confidentiality dimension for medium and high levels of security. [mp.info.2]: create the necessary procedures that describe in detail how the information is to be labelled and processed.

A.9 Access control
A.9.1.1 | Access control policy | Article 16; [org.acc.2] | 1 | As this control is explicitly required by ISO 27001/27002, paying agencies must verify that they have a documented access control policy or regulation.
A.9.1.2 | Access to networks and network services | [op.acc.2]; [op.acc.7] | 1 | The medium category security measures of [op.acc.7] should also be applied to basic category systems.
A.9.2.5 | Review of user access rights | [op.acc.4] | 1 | Define in the security regulations the review of users' access rights to the systems by the asset owners, including the frequency of those reviews, and show that they are carried out.
A.9.4.3 | Password Management system | [op.acc.5] | 1 | The need to use a quality password management system should be emphasised, highlighting the following criteria: password complexity; use of history; periodicity of changes.

A.9.4.5 | Access control to program source code | [op.acc.2] | 2 | Restrict access to program source code. This can be achieved by implementing measure [mp.sw.1] from Annex II of the ENS, and in particular: prevent development tools or data from being present in the production environment; inspect the source code; and apply mechanisms for identification and authentication, protection of the processed information, and generation and treatment of audit trails.

A.10 Cryptography
A.10.1.1 | Policy on the use of cryptographic controls | Article 33; [mp.info.4]; [op.acc.7]; [mp.com.3] | 1 | Some of the measures, such as cryptography ([mp.si.2]), encryption ([mp.info.3]) or protection of confidentiality ([mp.com.2]), must also apply in basic category for alignment with ISO 27001/27002.

A.11 Physical and environmental security
A.11.1.4 | Protecting against external and environmental threats | [mp.if.3]; [mp.if.5] | 1 | The flood protection measure [mp.if.6] is only applicable to medium and high category systems; therefore, for further alignment with ISO 27001/27002, it is recommended that paying agencies apply this control for all categories of information systems.
A.11.1.6 | Delivery and loading areas | [mp.if.1]; [op.pl.2] | 1 | Identify in the physical access control processes the access points, such as delivery and loading areas, that unauthorised staff can reach, and isolate those points from the information systems to prevent unauthorised access to them.
A.11.2.1 | Equipment siting and protection | [mp.if.3]; [mp.if.5] | 1 | The flood protection measure [mp.if.6] is only applicable to medium and high category systems; therefore, for further alignment with ISO 27001/27002, it is recommended that paying agencies apply this control for all categories of information systems.
A.11.2.2 | Supporting utilities | [mp.if.3] | 1 | Implement the following measure from Annex II of the ENS, corresponding to the availability dimension for medium and high levels of security. [mp.if.4]: guarantee an electricity supply for the systems in the event of a failure in the mains supply, ensuring sufficient time for an orderly completion of the processes.

A.11.2.8 | Unattended user equipment | - | 2 | Implement the following measure from Annex II of the ENS. [mp.eq.2]: lock workstations after a certain period of inactivity, so that the user must authenticate again to resume the activity in progress.
A.11.2.9 | Clear desk and clear screen policy | [mp.eq.1] | 1 | The policy of clean desks and information backup should be applied to all categories, not just medium and high.

A.12 Operations security
A.12.1.2 | Change management | - | 2 | Implement the following measure from Annex II of the ENS. [op.exp.5]: maintain constant control of the changes made to the system.
A.12.1.3 | Capacity management | - | 2 | Implement the following measure from Annex II of the ENS. [op.pl.4]: capacity measurement/management.
A.12.1.4 | Separation of development, testing and operational environments | [mp.sw.2] | 1 | Implement the following measure from Annex II of the ENS. [mp.sw.1]: develop applications on a system different from and separate from production, with no development tools or data in the production area.
A.12.3.1 | Information backup | Article 7; Article 25; [mp.info.9] | 1 | Backups should be checked periodically to ensure that the data have been stored correctly.
A.12.4.1 | Event logging | - | 1 | Not only user events, but also system failures, exceptions and other security events must be logged.
A.12.4.2 | Protection of log information | - | 2 | Implement the following measure from Annex II of the ENS. [op.exp.10]: protection of activity logs.
A.12.4.4 | Clock synchronisation | Article 31; [op.exp.8] | 1 | Synchronise the clocks of all the information systems within the scope of the ENS with a single accurate and agreed source of time.
A.12.6.1 | Management of technical vulnerabilities | [mp.sw.2] | 1 | The acceptance and commissioning measure should also be applied by paying agencies in basic category for vulnerability analysis.
A.12.7.1 | Information systems audit controls | Article 34; Annex III | 1 | Include in the information systems audit process appropriate guidelines so that audit activities involving checks on operating systems can be agreed, identified, planned, controlled and monitored.

A.13 Communications security

A.13.1.1 | Network controls | [org.4]; [op.pl.2]; [op.acc.7]; [mp.com.3] | 1 | Manage and control networks to protect the information in systems and applications. To do this, implement the following security measures from Annex II of the ENS. [op.acc.7]: establish a specific policy covering everything that can be done remotely, with positive authorisation required. [mp.com.2] and [mp.com.3]: use virtual private networks if the communication runs through networks outside the security domain.
A.13.1.2 | Security of network services | [org.4]; [op.acc.7]; [mp.com.1]; [mp.com.3] | 1 | Identify the security mechanisms, service levels and management requirements for network services. To do this, implement the following security measures from Annex II of the ENS. [op.acc.7]: establish a specific policy covering everything that can be done remotely, with positive authorisation required. [op.mon.1]: have tools to detect or prevent intruders. [mp.com.2] and [mp.com.3]: use virtual private networks if the communication runs through networks outside the security domain.
A.13.1.3 | Segregation in networks | - | 2 | Implement the following measure from Annex II of the ENS. [mp.com.4]: separation of networks.
A.13.2.2 | Agreements on information transfer | - | 2 | Establish agreements for the secure transfer of information between the organisation and third parties. To do this, implement the following measure from Annex II of the ENS. [op.ext.1]: contracting and service-level agreements.

A.14 System acquisition, development and maintenance
A.14.1.3 | Protection of application service transactions | [mp.info.4] | 2 | Implement the high level time stamp measure [mp.info.5] for all systems, as indicated in ISO 27001.
A.14.2.1 | Secure development policy | - | 2 | Implement the following measure from Annex II of the ENS. [mp.sw.1]: apply a recognised development method.
A.14.2.2 | System change control procedures | - | 2 | Implement the following measures from Annex II of the ENS. [op.exp.5]: maintain constant control of the changes made to the system. [mp.sw.1]: apply a recognised development methodology that considers security aspects throughout the development life cycle.

A.14.2.3 | Technical review of applications after operating platform changes | - | 2 | Apply the following measure from Annex II of the ENS, for both application and operating system modifications. [op.exp.5]: before producing a new release or patched release, check on a computer not used for production that the new installation functions properly and does not impair the effectiveness of the functions necessary for daily operations.
A.14.2.4 | Restrictions on changes to software packages | [org.4] | 1 | Apply the following measure from Annex II of the ENS. [op.exp.5]: analyse all changes announced by the manufacturer or supplier to determine their appropriateness and decide whether they will be incorporated; carry out a risk analysis to determine whether the changes are relevant to the security of the system.
A.14.2.6 | Secure development environment | - | 2 | Implement the following measure from Annex II of the ENS. [mp.sw.1]: application development.
A.14.2.7 | Outsourced development | [mp.sw.2] | 1 | Monitor and control outsourced software development. To do this, implement the following measures from Annex II of the ENS. [mp.sw.1]: apply a recognised development method. [op.ext.1]: before using external resources, establish the characteristics of the services provided and the responsibilities of each party through a contract. [op.ext.2]: daily management of the fulfilment of service obligations.
A.14.2.8 | System security testing | [mp.sw.2] | 1 | Carry out functional security tests during development. This can be accomplished by applying the following measure from Annex II of the ENS. [mp.sw.1]: apply a recognised development method.
A.14.3.1 | Protection of test data | [mp.sw.2] | 1 | The measure [mp.sw.1] only applies to medium and high category systems. Basic category systems must also include it.

A.15 Supplier relationships
A.15.1.1 | Information security policy for supplier relationships | [org.2]; [org.4] | 1 | Implement the following measure from Annex II of the ENS. [op.ext.1]: contracting and service-level agreements.
A.15.1.2 | Addressing security within supplier agreements | - | 2 | Implement the following measure from Annex II of the ENS. [op.ext.1]: contracting and service-level agreements.

A.15.1.3 | Information and communication technology supply chain | - | 2 | Implement the following measure from Annex II of the ENS. [op.ext.1]: contracting and service-level agreements.
A.15.2.1 | Monitoring and review of supplier services | - | 2 | Implement the following measure from Annex II of the ENS. [op.ext.2]: daily management.
A.15.2.2 | Managing changes to supplier services | - | 2 | Implement the following measures from Annex II of the ENS. [op.exp.5]: change management. [op.ext.2]: daily management.

A.16 Information security incident management
A.16.1.1 | Responsibilities and procedures | Article 24; [org.2]; [org.3] | 1 | The incident management measure [op.exp.7] is applicable to medium and high category information systems; therefore, for further alignment with ISO 27001/27002, it is recommended that paying agencies also apply this control to basic category information systems.
A.16.1.2 | Reporting information security events | Article 24 | 1 | The incident management measure [op.exp.7] is applicable to medium and high category information systems; therefore, for further alignment with ISO 27001/27002, it is recommended that paying agencies also apply this control to basic category information systems.
A.16.1.3 | Reporting information security weaknesses | Article 24; [org.3] | 1 | Paying agencies should check in their incident management processes that incident notifications are provided to, and received from, service providers, since this requirement is mentioned in measure [op.exp.7] but that measure is only applicable to medium and high category systems.
A.16.1.4 | Assessment of and decision on information security events | Article 24 | 1 | The incident management measure [op.exp.7] is applicable to medium and high category information systems; therefore, for further alignment with ISO 27001/27002, it is recommended that paying agencies also apply this control to basic category information systems.
A.16.1.5 | Response to information security incidents | Article 7; Article 24 | 1 | The incident management measures [op.exp.7] and [op.exp.9] are applicable to medium and high category information systems; therefore, for further alignment with ISO 27001/27002, it is recommended that paying agencies also apply this control to basic category information systems.
A.16.1.6 | Learning from information security incidents | Article 24 | 1 | The incident management measure [op.exp.7] is applicable to medium and high category information systems; therefore, for further alignment with ISO 27001/27002, it is recommended that paying agencies also apply this control to basic category information systems.
A.16.1.7 | Collection of evidence | - | 2 | Implement procedures for the identification, collection, acquisition and preservation of information that can serve as evidence. This can be achieved by implementing the following security measures from Annex II of the ENS. [op.exp.7]: record user activities in the system. [op.exp.9]: record evidence that could subsequently be used in a lawsuit, or to oppose one, if the incident could lead to disciplinary action against internal staff or external suppliers, or to the prosecution of offences.

A.17 Information security aspects of business continuity management
A.17.1.1 | Planning information security continuity | - | 2 | Implement the following measure from Annex II of the ENS. [op.cont.1]: carry out an impact analysis that determines the availability requirements of each service, including information security management itself.
A.17.1.2 | Implementing information security continuity | - | 2 | Implement the following measure from Annex II of the ENS. [op.cont.2]: develop a continuity plan establishing the actions to be executed in the event that the services are interrupted.
A.17.1.3 | Verify, review and evaluate information security continuity | - | 2 | Implement the following measure from Annex II of the ENS. [op.cont.3]: carry out regular tests to locate and correct any errors or faults that might exist in the continuity plan.
A.17.2.1 | Availability of information processing facilities | Article 7; Article 25 | 1 | Add redundancy to resources by implementing the following measures from Annex II of the ENS. [mp.if.9]: alternative facilities. [mp.per.9]: alternative personnel. [mp.eq.9]: alternative means of processing information. [mp.com.9]: alternative means of communication. [mp.s.9]: alternative means for the provision of services.

A.18 Compliance
A.18.1.2 | Intellectual Property Rights (IPR) | [org.2]; [org.3] | 1 | Implement appropriate regulations and procedures to ensure legal compliance regarding materials on which intellectual property rights may exist, such as proprietary software.
A.18.2.3 | Technical compliance review | Article 20; [org.3] | 1 | Implement the following measure from Annex II of the ENS. [mp.sw.2]: carry out vulnerability analysis and penetration tests before the information system enters service.
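Row A.9.4.3 of the table above names the three criteria a quality password management system must enforce (complexity, use of history and periodicity of changes) but, as a compliance mapping, does not show what enforcing them looks like. The Python below is an added example written for this editing pass; it is not code from the CCN-STIC guide, the ENS or any paying agency. The thresholds (12 characters, three character classes, five remembered passwords, a 90-day maximum age) and the sample account `jsmith` are constructed assumptions, since neither the guide nor [op.acc.5] fixes those numbers.

```python
"""Password quality checks for the three criteria of A.9.4.3:
complexity, history (no reuse) and periodicity (maximum age).
Added example; the numeric thresholds are constructed assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values: the guide names the criteria, not the numbers.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
HISTORY_DEPTH = 5                 # previous passwords that may not be reused
MAX_AGE = timedelta(days=90)      # periodicity of changes
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256, so the history
    stores digests rather than the old passwords themselves."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # oldest first
    last_change: Optional[datetime] = None


def complexity_errors(password: str, username: str) -> list[str]:
    """Criterion 1: complexity. Returns an empty list when the password passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < MIN_CHARACTER_CLASSES:
        errors.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if username and username.lower() in password.lower():
        errors.append("contains the user name")
    return errors


def history_errors(password: str, account: Account) -> list[str]:
    """Criterion 2: history. Reject reuse of any of the last HISTORY_DEPTH passwords."""
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if password_matches(password, salt, digest):
            return [f"reuses one of the last {HISTORY_DEPTH} passwords"]
    return []


def password_expired(account: Account, now: datetime) -> bool:
    """Criterion 3: periodicity. True when a change must be forced."""
    if account.last_change is None:
        return True
    return now - account.last_change >= MAX_AGE


def change_password(account: Account, new_password: str, now: datetime) -> list[str]:
    """Apply all three criteria; on success record the new digest and change time.
    Returns the list of policy violations (empty on success)."""
    errors = complexity_errors(new_password, account.username) + history_errors(new_password, account)
    if errors:
        return errors
    account.history.append(hash_password(new_password))
    del account.history[:-HISTORY_DEPTH]      # keep only the remembered window
    account.last_change = now
    return []


def run_demo() -> dict:
    """Exercise the three criteria on a constructed account and return the outcomes."""
    acct = Account("jsmith")                       # constructed sample account
    t0 = datetime(2020, 5, 1, tzinfo=timezone.utc)
    return {
        "first_change": change_password(acct, "Correct-Horse-42", t0),
        "reuse": change_password(acct, "Correct-Horse-42", t0 + timedelta(days=30)),
        "weak": change_password(acct, "jsmith", t0 + timedelta(days=30)),
        "expired_at_89_days": password_expired(acct, t0 + timedelta(days=89)),
        "expired_at_90_days": password_expired(acct, t0 + timedelta(days=90)),
        "history_length": len(acct.history),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The history window is kept as salted PBKDF2 digests and compared with `hmac.compare_digest`, so a reuse check never requires the old passwords in clear and does not leak timing information; the expiry check returns true for an account that has never changed its password, which forces the first change on initial use.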


A.2.2 Medium-level information systems

| Clause | ISO/IEC 27001 Control | ENS Article/Measure | Effort | Additional measure |
|---|---|---|---|---|
| A.5 | Information security policies | | | |
| A.5.1.2 | Review of the information security policies | Article 9 [org.1] [op.pl.2] | 1 | Review the information security policy and regulations at planned intervals or whenever significant changes occur. |
| A.6 | Organisation of information security | | | |
| A.6.1.5 | Information security in project management | [mp.sw.1] | 1 | Integrate information security into project management processes so that: information security objectives are included in the project objectives; security risks are identified and considered within a project, including an early project risk assessment to identify the necessary controls; information security is part of all phases of the methodology applied in the project. |
| A.6.2.2 | Teleworking | Article 21 [org.2] | 1 | In the event that you apply this control in your organisation, define in the security regulations the appropriate measures to protect the information accessed, processed or stored at teleworking sites. |
| A.8 | Asset management | | | |
| A.8.1.4 | Return of assets | [mp.per.2] | 1 | Include in the security policy the management of the return of assets by employees and third parties once their relationship with the organisation ends, and show that such returns are carried out through a form or similar. |
| A.9 | Access control | | | |
| A.9.2.5 | Review of user access rights | [op.acc.4] | 1 | Define in the security regulations the review of users' access rights to the systems by the asset owners, including the frequency of those reviews, and show that they are carried out. |
| A.11 | Physical and environmental security | | | |
| A.11.1.6 | Delivery and loading areas | [mp.if.1] [op.pl.2] | 1 | Identify in physical access control processes the access points, such as delivery and loading areas, that unauthorised staff can reach, and isolate those points from information systems to prevent unauthorised access to them. |
| A.12 | Operations security | | | |
| A.12.3.1 | Information backup | Article 7 Article 25 [mp.info.9] | 1 | The backups made should be checked periodically to ensure that the data have been stored correctly. |
| A.12.4.1 | Event logging | [op.exp.8] | 1 | Not only user events, but also system failures, exceptions and other security events must be recorded. |
| A.12.4.2 | Protection of log information | - | 2 | Implement the following measure from Annex II of the ENS: [op.exp.10]: protection of activity logs. |
| A.12.4.4 | Clock synchronisation | Article 31 [op.exp.8] | 1 | Synchronise the clocks of all the information systems that are within the scope of the ENS with a single accurate and agreed source of time. |
| A.12.7.1 | Information systems audit controls | Article 34 Annex III | 1 | Include in the process of auditing information systems appropriate guidelines so that audit activities involving checks on operating systems can be agreed, identified, planned, controlled and monitored. |
| A.13 | Communications security | | | |
| A.13.1.3 | Segregation in networks | - | 2 | Implement the following measure from Annex II of the ENS: [mp.com.4]: separation of networks. |
| A.14 | Acquisition, development and maintenance of information systems | | | |
| A.14.1.3 | Protecting application services transactions | [mp.info.4] | 1 | Implement the high-level time-stamp measure [mp.info.5], as indicated in ISO 27001, for all systems. |
| A.17 | Information security aspects for business continuity management | | | |
| A.17.1.2 | Implementing information security continuity | - | 2 | Implement the following measure from Annex II of the ENS: [op.cont.2]: continuity plan. |
| A.17.1.3 | Verify, review and evaluate information security continuity | - | 2 | Implement the following measure from Annex II of the ENS: [op.cont.3]: periodic tests. |
| A.17.2.1 | Availability of information processing facilities | Article 7 Article 25 | 1 | Add redundancy to resources by implementing the following measures from Annex II of the ENS: [mp.eq.9] [mp.if.9]: alternative facilities; [mp.per.9]: alternative personnel; [mp.com.9]: alternative means of communications; [mp.s.9]: alternative means for the provision of services. |
| A.18 | Compliance | | | |
| A.18.1.2 | Intellectual Property Rights (IPR) | [org.2] [org.3] | 1 | Implement appropriate regulations and procedures to ensure legal compliance with materials on which intellectual property rights may exist, as is the case with proprietary software. |


A.2.3 High-level information systems

| Clause | ISO/IEC 27001 Control | ENS Article/Measure | Effort | Additional measure |
|---|---|---|---|---|
| A.6 | Organisation of information security | | | |
| A.6.1.5 | Information security in project management | [mp.sw.1] | 1 | Integrate information security into project management processes so that: the security objectives are included in the project objectives; security risks are identified and considered within a project, including an early project risk assessment; information security is part of all phases of the methodology applied in the project. |
| A.6.2.2 | Teleworking | Article 21 [org.2] | 1 | In the event that you apply this control, define in the security regulations the appropriate measures to protect the information accessed, processed or stored at teleworking sites. |
| A.8 | Asset management | | | |
| A.8.1.4 | Return of assets | [mp.per.2] | 1 | Include in the security policy the management of the return of assets by employees and third parties once their relationship with the organisation ends, and show that such returns are carried out through a form or similar. |
| A.9 | Access control | | | |
| A.9.2.5 | Review of user access rights | [op.acc.4] | 1 | Define in the security regulations the review of users' access rights to the systems by the asset owners, including the frequency of those reviews, and show that they are carried out. |
| A.11 | Physical and environmental security | | | |
| A.11.1.6 | Delivery and loading areas | [mp.if.1] [op.pl.2] | 1 | Identify in physical access control processes the access points, such as delivery and loading areas, that unauthorised staff can reach, and isolate those points from information systems to prevent unauthorised access to them. |
| A.12 | Operations security | | | |
| A.12.3.1 | Information backup | Article 7 Article 25 [mp.info.9] | | The backups made should be checked periodically to confirm that the data have been saved correctly. |
| A.12.4.1 | Event logging | - | | Not only user events, but also system failures, exceptions and other security events need to be logged. |
| A.12.4.4 | Clock synchronisation | Article 31 [op.exp.8] [op.exp.10] | 1 | Synchronise the clocks of all the information systems that are within the scope of the ENS with a single accurate and agreed source of time. |
| A.12.7.1 | Information systems audit controls | Article 34 Annex III | 1 | Include in the process of auditing information systems appropriate guidelines so that audit activities involving checks on operating systems can be agreed, identified, planned, controlled and monitored. |
| A.18 | Compliance | | | |
| A.18.1.2 | Intellectual Property Rights (IPR) | [org.2] [org.3] | 1 | Implement appropriate regulations and procedures to ensure legal compliance with materials on which intellectual property rights may exist, as is the case with proprietary software. |
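The A.12.3.1 rows in both the medium-level and the high-level tables require that backups be checked periodically to confirm that the data were stored correctly ([mp.info.9]). One way to make that check repeatable and evidence-producing for an audit is to record a digest manifest when the backup set is written and to re-hash the set on every periodic check, reporting anything missing, altered or unexpected. The code below is an added example and is not part of the CCN-STIC 852 guide or of the ENS; the directory layout, file names, manifest name and file contents are constructed for the example.

```python
"""Added example: periodic backup integrity check via a SHA-256 manifest.

Illustrative code, not from CCN-STIC 852 or the ENS. The manifest name,
directory layout and sample files are constructed for this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name, chosen for the example


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record the digest and size of every file in the backup set at backup time."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(backup_dir).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_dir: Path) -> dict:
    """Re-hash the backup set against its manifest.

    Returns a dict with sorted lists 'ok', 'missing', 'corrupted' and
    'unexpected'. A size match alone is not trusted: the digest is always
    recomputed, so same-size bit rot is still reported as corruption.
    """
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    result = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    present = {
        p.relative_to(backup_dir).as_posix()
        for p in backup_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    for rel, expected in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
            continue
        p = backup_dir / rel
        if p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = list(present - set(manifest))
    for key in result:
        result[key].sort()
    return result


def backup_is_sound(result: dict) -> bool:
    """The periodic check passes only when nothing is missing, altered or unexpected."""
    return not (result["missing"] or result["corrupted"] or result["unexpected"])


def demo() -> tuple:
    """Build a constructed backup set, record its manifest, run the check,
    then simulate same-size corruption of one file, loss of another and a
    stray file, and run the check again. Returns both check results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        # Constructed sample content; not real data.
        (root / "db" / "payments.sql").write_bytes(b"INSERT INTO payments VALUES (1, 100);\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        (root / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        write_manifest(root)
        first = verify_backup(root)
        (root / "ledger.csv").write_bytes(b"id,amount\n1,999\n")  # same size, different bytes
        (root / "config.yaml").unlink()                           # lost file
        (root / "stray.tmp").write_bytes(b"")                     # file not in the manifest
        second = verify_backup(root)
        return first, second


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup sound:", backup_is_sound(before))
    print("after damage:", after)
```

The manifest itself should be stored alongside a copy kept outside the backup media (or signed), since a manifest that travels only with the backup can be altered together with it; that is the same concern [op.exp.10] raises for activity logs. Keeping the per-run result as a dated record gives the evidence an auditor will ask for under A.12.3.1.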