Spain Esquema Nacional de Seguridad (ENS) High Level Security Measures
In 2007, the Spanish government enacted Law 11/2007, which established a legal framework to give citizens electronic access to government and public services. This law is the basis for Esquema Nacional de Seguridad (National Security Framework), which is governed by Royal Decree (RD) 3/2010. The goal of the framework is to build trust in the provision of electronic services, and ensure the access, integrity, availability, authenticity, confidentiality, traceability, and preservation of data, information, and services.
The framework applies to all public organizations and government agencies in Spain that purchase cloud services, as well as to providers of information and communications technologies (ICT). It guides these agencies and companies in implementing effective controls for security in the cloud and on premises, in compliance with Spanish and EU security and privacy standards.
The framework establishes core policies and mandatory requirements that both government agencies and their service providers must meet. It defines a set of specific security controls— (many of which align directly with ISO/IEC 27001) —relating to availability, authenticity, integrity, confidentiality, and traceability. The sensitivity of the information—low, intermediate, or high—determines the security measures that must be applied to protect it.
Each government agency is required to adopt a risk-management approach to security, whereby they identify and assess risks, and then apply security controls appropriate to those risks. Service providers, too, must comply with the stringent framework requirements to help ensure that their procedures, technical capacities, and operations are secure and enable agencies to comply with the regulations.
The framework prescribes an accreditation process that is voluntary for systems handling information of low sensitivity, but mandatory for systems handling information at an intermediate or high level of sensitivity. An audit is performed by an accredited independent auditor; the report is then reviewed in a process of certification before risk-management controls are accepted in the final step of accreditation.
Microsoft Azure and Microsoft Office 365 have gone through a rigorous assessment by BDO, an independent auditor, which issued an official statement of their compliance. BDO reports that the security measures in both services, as well as their information systems and data processing facilities, comply at the high level with RD 3/2010 without requiring any corrective measures. Microsoft was the first hyperscale cloud service provider to receive this certification in Spain.
Frequently asked questions
The Service Trust Portal provides the audit reports and certifications in both Spanish and English. Your auditors can use them to compare Microsoft cloud services results with your own legal and regulatory requirements.
If your organization is using Azure or Office 365, you can use ENS Microsoft audit reports and accreditation as part of your own accreditation process. However, you are responsible for engaging an auditor to evaluate your implementation for compliance, and for ensuring that the controls and processes within your own organization align with the framework.
Audit reports and certificates
The certification is valid for two years, with an annual surveillance audit.
- Azure National Security Framework ENS certificate
- Azure Spanish National Security Framework (ENS) Audit Report
Microsoft in-scope cloud services
Virtual Machines, Cloud Services, Batch, Web Apps, Mobile Services, Notification Hub, Storage, Virtual Network, Traffic Manager, Service Bus, Active Directory, Multi-Factor Authentication, Rights Management Services, Media Services, Scheduler, Azure Management Portal, API Management, Redis Cache, ExpressRoute, Automation, HDInsight, Storage Premium, SQL Database, Sync Fabric (Azure AD), Self-Service Group Management (Azure AD), Event Hubs, and Operational Insights
- Office 365: Exchange Online, Exchange Online Archiving, Exchange Online Protection, SharePoint Online, OneDrive for Business, Office Applications, Project Online, and Skype for Business Online