The Technical Security Instruction (ITS) on Security Auditing sets the conditions for conducting audits, ordinary or extraordinary, under Article 34 of Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme (Esquema Nacional de Seguridad, ENS) in the field of Electronic Administration.
The audits should be conducted in order to determine the degree of conformity with the ENS, and must allow those responsible to take appropriate measures to remedy the deficiencies and, where applicable, make it possible to obtain the certification of conformity.
It should be recalled that, to obtain this certification, information systems of MEDIUM (MEDIA) or HIGH (ALTA) category must pass a security audit at least every two years. Likewise, the audit reports issued may be requested by the CCN-CERT in response to any attack suffered by the information systems of public administrations (Article 37 of the ENS).
For carrying out the audits, the resolution now published states that they should be conducted in accordance with the ITS itself and, where appropriate, with national and international auditing standards, including the guides CCN-STIC 802 (Audit guide), CCN-STIC 804 (Implementation guide) and CCN-STIC 808 (Verification of compliance with the measures in the ENS).
After the object and scope, this ITS addresses issues such as the purpose of the security audit, its mandatory nature and regulations; the definition of the scope and objective of the security audit; the execution of the security audit; the audit report; public sector auditing entities; and, in an additional provision, questions relating to personal data.
The ENS provides, in its Article 29(2), for Technical Security Instructions as essential elements for achieving an appropriate, uniform and consistent implementation of the requirements and measures it contains. These Technical Security Instructions regulate specific aspects that day-to-day practice has shown to be particularly significant, such as: Security Status Report; Notification of security incidents; Security audit; Conformity with the National Security Scheme; Acquisition of security products; Cryptology for use in the National Security Scheme; Interconnection in the National Security Scheme; and Security requirements in outsourced environments.