Following an intensive assessment CEDAT85 is delighted to announce that it has been granted an official statement of compliance for the Esquema Nacional de Seguridad (the Spanish National Security Framework) effective from 5 November 2021. CEDAT85 continues to be the pioneer in the market by being the only Italian company obtaining this certificate.
Compliance with this scheme declares that the security measures of both CEDAT85’s services and respective system information and data processing facilities comply with the highest standards necessary in order to obtain ENS certificate. Certification is for a period of two years with the next audit scheduled for November 2023. ‘It has been a long, complicated and arduous process and I would like to say congratulations to all involved.’ noted Enrico Giannotti the Managing Director of CEDAT85.
General information about the Esquema Nacional de Seguridad – ENS
In 2007, the Spanish Government enacted Law 11/2007, a regulatory framework to grant citizens electronic access to government and public services. This law is the basis for the Esquema Nacional de Seguridad regulated by Royal Decree (RD) 3/2010. The objective of the regulatory framework is to consolidate trust in the provision of electronic services and ensure access, integrity, availability, authenticity, confidentiality, traceability and preservation of data, information and services. It applies to all Spanish government agencies and public entities that purchase cloud services, as well as ICT (Information and Communications Technologies) providers. It assists agencies and entities in implementing effective security controls in the cloud and on-premises, in compliance with Spanish and European privacy and security standards.
The framework establishes key criteria and mandatory requirements that government agencies and their service providers must adopt. It defines a set of specific security controls, many of which are directly aligned with the ISO/IEC 27001 standard, for availability, authenticity, integrity, confidentiality and traceability. The low, intermediate or high level of confidentiality of information determines the security measures that must be taken to protect it. With respect to security, each government agency must adopt a risk management approach whereby risks are identified and assessed, then appropriate security controls are applied. Service providers must also comply with the stringent requirements of the regulatory framework to ensure that procedures, technical expertise and operations are secure and to enable agencies to comply with regulations.
The framework provides for an optional accreditation process for systems handling information with a low level of confidentiality, but mandatory for those handling information with a medium or high level of confidentiality. The audit is carried out by an independent accredited auditor. The report is then reviewed during a certification process before acceptance of the risk management controls in the final accreditation phase.