Annex II of Royal Decree 311/2022, which governs the Esquema Nacional de Seguridad, sets out the security measures that must be applied by information systems subject to the ENS, grouped into three frameworks: organisational (policies, roles and responsibilities), operational (planning, access control, exploitation, external services, incident management and continuity) and protection measures (facilities, systems, communications, information media, applications and users). Each measure is applied according to the system's category — basic, medium or high — and is detailed in the CCN-STIC 800 series guides, particularly CCN-STIC 808 for measure compliance verification. Implementing these measures effectively and demonstrably requires technical knowledge of the Spanish regulatory framework, experience with the systems most commonly used in public-procurement environments, and proficiency in the tools the CCN itself provides to facilitate the process.
Summum Sistemas applies MAGERIT v3 — the Risk Analysis and Management Methodology for Public Administration Information Systems, maintained by Spain's Ministry of Finance — and the PILAR tool (Procedimiento Informático Lógico para el Análisis de Riesgos), developed and distributed by the CCN, to carry out the risk analysis that underpins Annex II measure selection. The analysis begins with an asset inventory, assesses interdependencies among assets, and determines the impact that a materialised threat would have on the five CIDAT security dimensions. The output — the risk map and its treatment plan — justifies which Annex II measures must be applied, at what reinforcement level and by when, and is one of the documents conformity auditors scrutinise most closely.
For basic-category systems, the CCN provides the INES tool (Índice Nacional de Evaluación de la Seguridad), which guides the self-assessment required for the declaration of conformity and generates the results report. For medium and high categories, the AMPARO tool facilitates continuous management of the security system once implemented. For preparing the conformity audit — both the prior internal audit and the process with the ENAC-accredited body — the CCN provides CLARA (CHECKlist-based Lightweight Assessments for Reviewing Administration), which structures the auditor's verification checklists. Summum Sistemas has hands-on experience with all these tools and integrates them into its workflow so that the compliance process is traceable, efficient and directly usable in the conformity audit.