The Experience at the Helm
Led by Susana Calvo Ramírez, CEO and Chief Auditor, our company is proud to have a renowned expert in standards such as ISO 9001, ISO 27001 and ENS. Her experience is essential to guide our clients toward excellence.
Innovative Collaboration with MILLENIALS CONSULTING
We are pleased to announce our alliance with ASB FACILITIES, a strategic step to expand our service offering in ZOHO solutions. This collaboration synergizes our knowledge and strengthens our commitment to providing complete and personalized solutions to our clients.
Our Commitment: Your Success
At ASB FACILITIES, S.L., we are dedicated to equipping companies with the tools and advice necessary to achieve excellence in management. As your trusted partner, we are committed to your path to success.
Cybersecurity
In today's business world, where quality, sustainability and information security are more crucial than ever, ASB FACILITIES, S.L. emerges as an undisputed leader in these areas. The company specializes in implementation, internal audits, training and certification audits across a wide range of quality and security standards.
National Security Scheme
Law 40/2015, of October 1, on the Legal Regime of the Public Sector, lists security among the principles of action of public administrations and establishes the National Security Scheme (ENS), applicable to the entire Public Sector, which offers a common approach of basic principles, minimum requirements and security measures.
For its part, Royal Decree 203/2021, of March 30, which approves the Regulations for the action and operation of the public sector by electronic means, specifies in several of its provisions the obligation to comply with the security measures provided for in the ENS.
The National Security Scheme, which has undergone a process of continuous evolution since its first development in 2010 (RD 3/2010, of January 8, RD 951/2015 and RD 311/2022), establishes the security policy for the adequate protection of the information processed and the services provided, through a common approach of basic principles, minimum requirements, protection measures and compliance and monitoring mechanisms, for the public sector as well as for private sector technology providers that collaborate with the Administration.
1. What is the National Security Scheme for?
The National Security Scheme (ENS) is a set of regulations that makes it possible to create and maintain the necessary security conditions in the use of electronic media, through measures that guarantee the security of electronic systems, data, communications and services, in order to facilitate the exercise of rights and compliance with duties through these means.
For public entities within its scope of application, the provisions of the ENS allow them to satisfy the principles of action and the security requirements of Public Administrations that allow them to achieve their objectives.
For citizens, the ultimate recipients of the public service, it means the guarantee that the public entities with which they interact meet the security conditions necessary to safeguard their information and their rights.
2. What is the scope of application of the ENS?
Since the entry into force of Law 39/2015, on Common Administrative Procedure of Public Administrations, and Law 40/2015, on the Legal Regime of the Public Sector, both of October 1 (which repealed Law 11/2007, on Citizens' Electronic Access to Public Services), the subjective scope of application of Royal Decree 3/2010, of January 8, which regulates the National Security Scheme (ENS), coincides with that indicated in Law 40/2015: the Public Sector, as defined in art. 2 of said law.
Thus, the scope of application of the ENS extends, in general, to all activities that Public Sector entities may carry out in accordance with Public Law, either because they are Public Administration entities or entities that exercise administrative powers, or because they perform their functions under Public Law. All of this is covered in CCN-STIC Guide 830: Scope of application of the ENS.
3. Who can certify a system in the ENS?
In accordance with the provisions of the Resolution of October 13, 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction on conformity with the National Security Scheme, developing Royal Decree 3/2010 (ENS), the Certification Entities must be accredited by the National Accreditation Entity (ENAC) for the certification of systems within the scope of application of the National Security Scheme, in accordance with the standard UNE-EN ISO/IEC 17065:2012 Conformity assessment. Requirements for bodies certifying products, processes and services.
Those entities, bodies, agencies and units linked to or dependent on Public Administrations whose powers include the performance of information systems audits, whether stated in their founding regulations or structural decrees, are exempt from the requirements indicated above, provided that due impartiality is guaranteed.
4. How often should an audit be carried out to renew conformity/certification in the ENS?
As stated in RD 3/2010 (ENS), information systems must be subject to a regular audit, at least every two years, to verify compliance with the requirements of the ENS.
Furthermore, on an extraordinary basis, said audit must be carried out whenever substantial modifications occur in the information system that may impact the required security measures. The completion of this extraordinary audit resets the date from which the two-year period for the next regular ordinary audit, indicated in the previous paragraph, is counted.
On the other hand, as stated in the Resolution of October 13, 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction on conformity with the National Security Scheme, the Certification of Conformity with the ENS of information systems of MEDIUM or HIGH category is carried out through a formal audit procedure that, on an ordinary basis, verifies compliance with the requirements contemplated in the Scheme at least every two years. Said audit is carried out in accordance with the provisions of article 34 and Annex III of Royal Decree 3/2010, of January 8.
This same Technical Security Instruction states that the Certification of Conformity with the ENS is based on the result of the aforementioned audit and has an effective validity of two years, provided that, as indicated, it is not necessary to undertake an extraordinary audit beforehand.
For all the above, the "Date of renewal of the certification of conformity" that appears in the Certification of Conformity may never exceed two calendar years from the "Date of initial certification of conformity" (understood as the date on which the certification body decides to grant said Certification), and may be shorter if the circumstances so require.
For all these reasons, the audit must be appropriately planned so that the subsequent certification decision can be made within the validity period of the preceding certification.
ISO 27001: 2022
This International Standard has been prepared to provide requirements for the establishment, implementation, maintenance and continual improvement of an information security management system. Adopting an information security management system is a strategic decision for an organization. The establishment and implementation of an information security management system by an organization is conditioned by its needs and objectives, its security requirements, the organizational processes used and its size and structure. All of these conditioning factors can be expected to change over time.
The information security management system preserves the confidentiality, integrity and availability of information through the application of a risk management process and gives interested parties confidence in the appropriate management of risks.
It is important that the information security management system is part of and integrated with the organization's processes and overall management structure, and that information security is considered during the design of processes, information systems and controls. The implementation of the information security management system is expected to be scaled to the needs of the organization.
This international standard can be used by internal and external parties to evaluate the organization's ability to meet its own security requirements.
The order in which this International Standard presents the requirements does not reflect their importance, nor does it imply the order in which they should be implemented. The items in each list are enumerated for reference only.
ISO/IEC 27000 describes the overview and vocabulary of information security management systems, referring to the family of information security management system standards (including ISO/IEC 27003 [2], ISO/IEC 27004 [3] and ISO/IEC 27005 [4]), together with related terms and definitions.
TISAX VDA ISA
TISAX is a way to accredit compliance with the VDA ISA information security requirements catalogue, which is required by the main automotive manufacturers of German origin: Volkswagen Group, Mercedes-Benz and BMW.
To this end, the ENX organization (Association of European Vehicle Manufacturers, Suppliers and Organizations), which brings together the main players in the European automotive sector, maintains a control tool to determine an organization's level of compliance with these information security requirements.
This is the TISAX platform.
What are the TISAX requirements?
The requirements to be evaluated are found in the VDA module that contains the information security requirements for companies in the automotive industry. The VDA requirements contemplate compliance with three blocks of controls:
- 43 controls for Information Security.
- 22 controls for the protection of prototypes.
- 4 controls on the protection of personal data (RGPD/GDPR).
The VDA ISA assessment includes a generic information security questionnaire and three additional topic-specific modules.
To begin with, VDA is focused on establishing an information security management system that essentially follows the requirements set out in the ISO 27001 standard.
In any case, the management system promoted by VDA has, in summary, fewer requirements than the international standard, so those who have already implemented an ISO 27001 system can be almost certain of passing the TISAX certification, after carrying out a short gap analysis to identify any additional TISAX requirements that need to be added to the system.
ISO 22301: 2019
Business Continuity is a comprehensive management process that identifies the possible impacts that threaten an organization and offers a framework to provide robustness and an effective response that safeguards the interests of its main suppliers, customers, employees, shareholders and other stakeholders, as well as its reputation, brand and value-creating activities.
Business Continuity describes the processes and procedures that an organization performs to ensure that its essential functions can continue during and after a disaster. The objective is to prepare the organization for the recovery of its critical processes after a serious interruption of its activities, so that these are restored within a reasonable and previously defined period of time.
The Continuity Plan must generate and maintain the trust, image and reputation of the organization among customers, suppliers, shareholders, public and private organizations, etc. "81 percent of managers whose organizations activated their business continuity mechanisms in the last 12 months say it was effective in reducing disruptions. In short: business continuity works."
Natural disasters, outages in information technologies or strikes are the interruptions that first come to mind. However, disruption also includes employee illnesses or events that affect the supply chain.
Business continuity provides you with a framework that allows you to identify potential threats to your organization and strengthen its capacity. This means you can respond to threats and safeguard stakeholder interests, reputation, brand and value-added activities.
ISO 22301 provides a formal business continuity framework and will help develop a business continuity plan that will keep your organization running during and after disruption. This will also minimize the impact so you can resume service as quickly as possible, ensuring key services and products are delivered. If disruption is not an option in your business, adopting the international business continuity standard, ISO 22301, is the first step towards a best practice approach.
Why choose ISO 22301?
To demonstrate that your organization can continue working, even in the face of disruption. A business continuity management system aligned with ISO 22301 is suitable for any organization of any size and in all sectors, from the public to the private sector, or from manufacturing companies to service companies. And it provides a common language to global organizations, especially those with a long and complex supply chain.
The standard is particularly important in those organizations working in high-risk environments where the ability to continue working is of utmost importance to businesses, customers and stakeholders – this includes utilities, financial, telecommunications, transport and the public sector.
Other quality standards
ISO 9001: 2015
ISO 9001 allows any organization to meet and respond to the demands of clients who, increasingly, require approved suppliers. Before, quality was the best option to differentiate yourself from the competition. Today it turns out to be a strategic requirement for any company that wants to be recognized in the market, and a factor on which the survival of any organization depends.
At ASB FACILITIES we believe that the implementation of a Quality Management System is a long-term project, which requires exhaustive knowledge of the organization, the involvement of all the organization's staff, the ability to lead the project and the involvement of suppliers of goods and services.
Because the ISO 9001:2015 version introduces a focus on risks, existing management systems need to be updated so that they meet the new requirements of the reference standard.
ISO 14001: 2015
ISO 14001 is synonymous with an environmentally friendly company.
The greater the impact of the organization's activity on the environment, the greater the challenge and the faster the results. The involvement of the organization and the commitment of Management to reducing the environmental impact give the organization a greater degree of responsibility.
If, on the other hand, the company has less impact on the environment, because its activity is less "aggressive" towards it, the effort needed to achieve results is smaller; in both cases, the reputational image of the organization is reinforced.
It will also help you understand the life cycle of your products and services. By seeing which part of the supply chain, from start to finish, has the greatest impact on the environment, you will know where your organization can try to reduce this impact and where it cannot.
In all cases, the organization may ask its suppliers, collaborators, partners and its own workers to think green and to provide the service in an increasingly environmentally friendly way.