Cybersecurity for Mid-Market Companies: ENS + ISO 27001 + SOC 2

abemon | 18 min read | Written by practitioners

Three frameworks, one security system

A European tech company selling into public sector, continental clients, and American enterprises faces a compliance trilemma: ENS for Spanish government contracts, ISO 27001 because European procurement demands it, and SOC 2 because US buyers won’t sign without it. Three certifications. Three audits. Three evidence packages. Or so it seems.

The overlap between these three frameworks runs 60-70%. Access management, encryption, incident response, business continuity, internal audits — all three require them with slightly different vocabulary. The company that treats each certification as a standalone project triples its effort. The one that builds a unified security management system and maps controls once works 40% less.

This whitepaper is the guide we wished we had when we started helping mid-market companies (50-300 employees) navigate this maze. It comes from real certification projects, not theory.

Spain’s ENS: the prescriptive baseline

The ENS (Esquema Nacional de Seguridad, regulated under Royal Decree 311/2022) is mandatory for any entity providing services to or handling data for the Spanish public sector. Since the 2022 update, it also applies to private-sector technology vendors working with government agencies. If your company builds software for a Spanish municipality, ENS applies to you.

System categories

ENS classifies systems into three tiers based on incident impact:

  • Basic: Limited impact. 36 controls.
  • Medium: Serious impact. 55 controls.
  • High: Very serious impact. 73 controls.

Most mid-market tech companies acting as vendors land in the medium category. Those handling especially sensitive data (healthcare, defense, critical infrastructure) need high.

Key ENS controls

The ENS organizes controls into organizational, operational, and protection measures. The ones that consume the most effort in practice:

Access management (op.acc): Unique identification, strong authentication, least privilege. ENS is particularly strict about segregation of duties at medium and high levels. RBAC alone isn’t enough; you must demonstrate that roles follow business functions and undergo periodic review.

Incident management (op.mon): Detection, response, and notification. Since the NIS2 directive (transposed in Spain as Royal Decree-Law 7/2024), notification deadlines have tightened: 24 hours for an early warning, 72 hours for a full report to CCN-CERT.

Communications protection (mp.com): Mandatory encryption in transit. For medium and high categories, ENS specifies concrete algorithms and minimum key lengths aligned with CCN-STIC guides.

Service continuity (mp.cont): Documented, tested, and updated continuity plan. Annual testing is a requirement, not a suggestion.

The certification process

  1. Gap analysis: Inventory what exists and what’s missing. Typically 2-4 weeks.
  2. Compliance plan: Define corrective actions, owners, and deadlines. Requires management sign-off.
  3. Implementation: Deploy technical controls and procedures. This is where the bulk of time goes (3-8 months depending on starting point).
  4. Internal audit: Mandatory before certification. Must be conducted by someone independent of the implementation team.
  5. Certification: An ENAC-accredited body performs the formal audit. For medium category, certification is valid for 2 years.

A detail many miss: for the basic category, ENS allows self-assessment (a declaration of conformity). No external auditor required. This dramatically reduces costs for companies that only need the basic level. For a deeper look at ENS requirements for cloud vendors, see our ENS 2025 cloud provider guide.

ISO 27001: the international standard

ISO 27001 is the international reference for information security management systems (ISMS). The current version is ISO 27001:2022, which restructured the Annex A controls from 114 to 93, organized into 4 themes instead of 14 domains.

ISMS structure

ISO 27001 follows the PDCA cycle (Plan-Do-Check-Act) and requires:

  • Context of the organization: Understanding stakeholder needs and expectations. The ISMS scope determines what gets certified.
  • Leadership: Management must demonstrate commitment. Signing a policy isn’t enough; the auditor will verify active participation in management reviews and resource allocation.
  • Risk assessment: The heart of ISO 27001. Identify assets, threats, vulnerabilities, and calculate residual risk. The methodology is flexible (MAGERIT, OCTAVE, your own), but must be systematic and repeatable.
  • Risk treatment: For each unacceptable risk, define a plan: mitigate, transfer, accept, or avoid. Annex A controls are the reference, but only those applicable per your risk assessment are mandatory.

The 93 Annex A controls (2022)

Theme | Controls | Key examples
Organizational | 37 | Security policies, asset management, supplier relationships
People | 8 | Screening, training, termination responsibilities
Physical | 14 | Security perimeters, equipment protection, clear desk
Technological | 34 | Access management, cryptography, secure development, backup

New controls in the 2022 version worth noting:

  • A.5.7 Threat intelligence: Collect and analyze threat information. Doesn’t require a dedicated SOC; subscribing to CCN-CERT or CISA feeds and reviewing weekly qualifies.
  • A.8.9 Configuration management: If you already use Terraform or infrastructure as code tools, you have a head start.
  • A.8.11 Data masking: Mask data in dev and test environments. Something most companies should do and few actually do.
  • A.8.16 Monitoring activities: Monitor anomalous activities. A basic SIEM like Wazuh covers this.

Certification process

  1. Stage 1 (document review): The auditor reviews ISMS documentation, risk assessment, Statement of Applicability (SoA), and key procedures.
  2. Stage 2 (on-site audit): The auditor verifies controls are implemented and functioning. Interviews staff, reviews evidence, tests technical controls.
  3. Surveillance: Annual audits during the 3-year cycle.
  4. Recertification: Full audit every 3 years.

Ballpark cost for a 100-person company: EUR 15,000-30,000 for initial certification (external auditor), plus internal implementation costs that vary enormously based on starting maturity.

SOC 2: the American passport

SOC 2 (Service Organization Control 2) is an audit report developed by the AICPA. It’s not a certification in the strict sense; it’s a report issued by a CPA firm evaluating an organization’s controls against one or more Trust Services Criteria (TSC):

  • Security (mandatory): Protection against unauthorized access.
  • Availability: System uptime per commitments.
  • Processing integrity: Complete and accurate processing.
  • Confidentiality: Protection of confidential information.
  • Privacy: Management of personal information.

Most companies choose Security + Availability for the first report. Adding Privacy is relevant if you handle US citizens’ personal data.

Report types

  • Type I: Evaluates control design at a point in time. Faster and cheaper. Useful as a first step.
  • Type II: Evaluates design AND operational effectiveness over a period (typically 6-12 months). This is what serious buyers require. Controls must have been operating throughout the observation period.

Typical SOC 2 controls

Unlike ENS or ISO 27001 Annex A, SOC 2 doesn’t prescribe specific controls. It defines criteria, and the organization designs its own controls. The most common:

  • Access management with MFA and periodic review
  • Encryption in transit and at rest
  • Incident detection and response
  • Change management
  • Backup and recovery
  • Security awareness training
  • Vulnerability management (scanning, patching)
  • Secure development lifecycle (SDLC)

The overlap map

This is where the unified certification strategy delivers real value. Here are the control mappings across frameworks:

Access management

Control | ENS | ISO 27001 | SOC 2
Unique identification | op.acc.1 | A.5.16 | CC6.1
Strong authentication | op.acc.5 | A.8.5 | CC6.1
Least privilege | op.acc.4 | A.8.2 | CC6.3
Access review | op.acc.4 | A.5.18 | CC6.2
MFA | op.acc.5 (medium/high) | A.8.5 | CC6.1

A single IAM system (Okta, Azure AD, Google Workspace with advanced rules) covers all three. The difference is in evidence format: ENS wants documentation in Spanish, ISO 27001 wants formal ISMS inclusion, SOC 2 wants access review logs throughout the observation period.

Incident management

Control | ENS | ISO 27001 | SOC 2
Response procedure | op.mon.1 | A.5.24/A.5.26 | CC7.3/CC7.4
Logging and classification | op.mon.2 | A.5.25 | CC7.3
Notification | op.mon.3 | A.5.24 | CC7.4
Post-incident analysis | op.mon.3 | A.5.27 | CC7.5

One incident response procedure serves all three. ENS adds specific notification requirements to CCN-CERT. ISO 27001 demands post-incident learning. SOC 2 wants proof controls worked during the audit period.

The overlap in numbers

After detailed control mapping across multiple projects:

  • ENS <-> ISO 27001: ~65% direct overlap in technical and organizational controls.
  • ISO 27001 <-> SOC 2: ~60% overlap. SOC 2 is less prescriptive but covers the same domains.
  • ENS <-> SOC 2: ~50% direct overlap. ENS has public-sector-specific controls that SOC 2 doesn’t address.
  • Triple overlap: ~45% of controls are covered by all three simultaneously.

That 45% is the foundation. Implement once, document three times (adapting language to each framework), reuse evidence. That’s efficiency.

The unified roadmap

Based on real projects with 50-300 employee companies, this sequence works best:

Phase 1: Foundations (Months 1-3)

Goal: Build the base security management system that serves all three frameworks.

  1. Information security policy: One document, management-approved, covering requirements for all three.
  2. Asset inventory: All systems, data, people, and processes in scope. Without this, risk assessment is fiction.
  3. Risk assessment: Use a methodology that satisfies all three. MAGERIT is the natural choice if starting with ENS (recommended by Spain’s CCN), and its asset-threat approach maps well to ISO 27001.
  4. Statement of Applicability (SoA): Which controls apply and which don’t, with justification. Mandatory for ISO 27001, best practice for the other two.
  5. Access management: Centralize IAM, implement MFA, define access policy. Highest overlap, highest audit visibility.

Tooling: Vanta or Drata for automated evidence collection (covers SOC 2 and ISO 27001; for ENS you’ll need to complement with PILAR or CCN tools). For identity management, Okta, Azure AD, or Google Workspace with advanced configuration.

Phase 2: ENS first (Months 4-8)

Why ENS first? Because it’s the most prescriptive. If you pass ENS at medium category, you already have 65% of ISO 27001 covered. And if you sell to the Spanish public sector, it’s the one that opens the market immediately.

  1. Implement ENS operational controls: Configuration management, malware protection, vulnerability management, activity logging.
  2. Implement protection measures: Encryption, backups, network segmentation, communications protection.
  3. CCN documentation: ENS requires documentation aligned with CCN-STIC guides.
  4. ENS internal audit: Before certification. Identify and correct non-conformities.
  5. ENS certification: ENAC-accredited entity.

Phase 3: ISO 27001 as extension (Months 9-14)

With ENS certified, the transition to ISO 27001 is shorter than it appears:

  1. Gap analysis ENS -> ISO 27001: Identify ISO controls that ENS doesn’t cover. Typically: supplier management (stricter in ISO), third-party risk analysis, people controls (screening, offboarding).
  2. Complete the ISMS: Adapt documentation to ISO format. Ensure the PDCA cycle is complete.
  3. Mature the risk assessment: ISO 27001 expects a more mature methodology. Move from point-in-time to continuous process.
  4. Stage 1 and Stage 2: The ISO auditor will appreciate the existing ENS certification. It doesn’t eliminate the audit, but it smooths it.

Estimated savings: 30-40% compared to starting ISO 27001 from scratch.

Phase 4: SOC 2 as complement (Months 12-20)

SOC 2 Type II requires an observation period (6-12 months). The strategy is to start observation in parallel with Phase 3:

  1. Define SOC 2 controls: Map TSC criteria to existing ENS and ISO controls. Identify gaps (typically few at this point).
  2. Implement monitoring controls: SOC 2 emphasizes continuous evidence. Access logs, change records, availability metrics. If you already have an observability stack, most of this is covered.
  3. Observation period: 6-12 months during which the auditor evaluates control effectiveness.
  4. SOC 2 Type II report: A CPA issues the report. American clients receive it and stop asking questions.

If you’ve passed ENS and ISO, the additional effort for SOC 2 Type I is marginal. Type II only adds wait time (the observation period), not significant work.

Common mistakes we’ve seen

Treating each certification as a separate project. The most expensive mistake. Three teams, three consultancies, three documentation sets. The result: inconsistencies, duplicated effort, and team burnout.

Underestimating documentation. Technical controls are the easy part. Documentation is where engineering teams stall. Procedures, records, evidence, management review minutes. Automating evidence collection (Vanta, Drata, or custom scripts) reduces this pain significantly.

Not involving leadership. All three frameworks require top management commitment. Without an executive sponsor who allocates budget, team time, and attends management reviews, the project stalls in Phase 2.

Seeking perfection in the first cycle. All three certifications work on continuous improvement cycles. You don’t need perfect controls at the first audit. You need functional, documented controls with a credible improvement plan. Auditors value process maturity, not absence of findings.

Ignoring suppliers. ISO 27001 and SOC 2 are particularly strict about supply chain security. If your cloud provider doesn’t have SOC 2, your auditor will notice. Map critical suppliers and obtain their compliance reports early.

Budget estimates

For a technology company of 100-200 employees, cloud-based infrastructure, and medium security maturity:

Item | Estimated cost
Unified consultancy (3 frameworks) | EUR 40,000-80,000
Compliance tooling (Vanta/Drata) | EUR 15,000-25,000/year
ENS certification (auditor) | EUR 8,000-15,000
ISO 27001 certification (auditor) | EUR 12,000-25,000
SOC 2 Type II report (CPA) | EUR 20,000-40,000
Technical tooling (SIEM, IAM, etc.) | EUR 10,000-30,000/year
Total first year | EUR 105,000-215,000
Annual maintenance thereafter | EUR 40,000-80,000

Compared to running each certification independently (1.5-2x multiplier), the unified route saves 30-40%.

An important nuance: many of these tools and controls should exist regardless of any certification. If your company lacks MFA, vulnerability management, or tested backups, the cost isn’t “compliance overhead.” It’s basic security you’ve been postponing.

Evidence automation

Evidence collection is where the unified strategy succeeds or fails. Without automation, maintaining three evidence packages is unsustainable.

Compliance platforms like Vanta, Drata, or Secureframe connect to your infrastructure (AWS, GCP, Azure, GitHub, Okta, Jira) and collect evidence automatically: security configurations, access logs, patch status, training completion. Vanta has native SOC 2 and ISO 27001 support. For ENS, you’ll need manual control mapping, but the underlying evidence is the same.

Custom compliance scripts: For controls that platforms don’t cover automatically (access reviews, backup tests, vulnerability scans), write a set of scripts that generate periodic reports and archive them as evidence. A weekly cron job running Trivy against Docker images, exporting results in JSON, and archiving them qualifies as vulnerability management evidence for all three frameworks.
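As an added example (not code from the original post or from abemon), here is what the weekly Trivy job's archiving step can look like in Python: it reads the JSON that `trivy image --format json --output report.json IMAGE` writes (a constructed sample is embedded so it runs offline), applies an assumed weekly policy threshold, hashes the raw report so the summary is tied to the archived original, and stores both under one folder per ISO week. The policy, the archive layout and the control-id placeholders are assumptions to adapt to your own SoA mapping.

```python
# Assumed input: the JSON written by `trivy image --format json --output report.json IMAGE`.
import hashlib
import json
from datetime import date, datetime, timezone
from pathlib import Path

# Constructed sample in Trivy's JSON layout (Results[] -> Vulnerabilities[]); not a real scan.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/api:1.4.2",
    "Results": [
        {"Target": "api (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL", "FixedVersion": "1.2.3-1"},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH", "FixedVersion": ""}]},
        {"Target": "app/requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "Severity": "MEDIUM", "FixedVersion": "2.0.0"}]},
        {"Target": "app/package.json", "Vulnerabilities": None},  # Trivy emits null for a clean target
    ],
})
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

def summarize(report_text, max_critical_fixable=0):
    """Count findings by severity and apply the weekly policy (an assumed policy:
    fail if any CRITICAL finding already has a fix available)."""
    report = json.loads(report_text)
    counts = dict.fromkeys(SEVERITIES, 0)
    critical_fixable = 0
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # null -> no findings
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev if sev in counts else "UNKNOWN"] += 1
            if sev == "CRITICAL" and vuln.get("FixedVersion"):
                critical_fixable += 1
    return {
        "scanner": "trivy",
        "artifact": report.get("ArtifactName", "unknown"),
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        # SHA-256 of the raw report ties this summary to the archived original.
        "report_sha256": hashlib.sha256(report_text.encode()).hexdigest(),
        "counts": counts,
        "critical_fixable": critical_fixable,
        "passed": critical_fixable <= max_critical_fixable,
        # Placeholders: fill from your own SoA / control mapping, one id per framework.
        "controls": {"ENS": "<control id>", "ISO 27001": "<control id>", "SOC 2": "<control id>"},
    }

def archive(report_text, root, day=None):
    """Store raw report plus summary under <root>/<year>/W<week>/, one folder per weekly run."""
    year, week, _ = (day or date.today()).isocalendar()
    folder = Path(root) / str(year) / f"W{week:02d}"
    folder.mkdir(parents=True, exist_ok=True)
    (folder / "trivy-report.json").write_text(report_text)
    (folder / "summary.json").write_text(json.dumps(summarize(report_text), indent=2))
    return folder / "summary.json"
```

Run it from cron after the Trivy command, pointing `archive` at a write-once evidence bucket or repository; the hash in each summary lets an auditor confirm the archived raw report is the one that was evaluated.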

Evidence as code: Treat compliance like infrastructure. Policies in Git, security configurations in Terraform, scans in CI/CD. Every commit is evidence. Every pipeline running a security control is evidence. This approach scales and is auditor-friendly.

Practical takeaways

Mid-market cybersecurity isn’t a framework problem. It’s a systematic execution problem. ENS, ISO 27001, and SOC 2 are different lenses on the same objective: protect information and prove you’re doing it.

The roadmap that works is progressive: shared foundations, ENS first (most prescriptive, opens public-sector market), ISO 27001 as natural extension, SOC 2 as international complement. Each step reuses prior work.

The numbers are clear: 45% triple control overlap, 30-40% savings with the unified route, and a team building one security system instead of maintaining three. For a mid-market company with limited consulting resources, that difference is what separates successful certification from an abandoned project.

About the author

abemon engineering

Engineering team

Multidisciplinary engineering, data and AI team headquartered in the Canary Islands. We build, deploy and operate custom software solutions for companies at any scale.