The starting point
The team was technically mature — infrastructure as code, CI/CD with daily deployments, sound development practices — but the entire security governance lived in the CTO's head. No formal security policy, no risk analysis, no system categorisation. And one detail that complicated the certification dossier: the product included AI functionality that processed customer information, something the certification body would examine closely.
The CTO's fear was the classic one tech companies have about the ENS: that bureaucracy would kill the team's velocity. The project was designed with that limit as a hard requirement — no control could break the continuous-deployment flow.
How we approached it
- Categorisation and profiling — analysis of the services to be provided to public administrations and of the information handled. The resulting category was medium, and we worked with the applicable compliance profile, avoiding oversized measures.
- Risk analysis and Statement of Applicability — a lightweight but traceable methodology aligned with how the company actually operates: cloud assets, the CI/CD pipeline, third-party dependencies, and the AI component treated as a distinct asset with risks of its own (training data, output traceability, model providers).
- Controls inside the pipeline, not on top of it — access control with MFA and quarterly reviews, signed and reviewed deployments, centralised logging with defined retention, encryption in transit and at rest, and vulnerability management wired into the development cycle. Evidence generates itself: the pipeline is the record.
- Documentation sized to the company — a documentation body that forty people can genuinely maintain: policy, usage rules, operating procedures and a continuity plan proven with a real recovery exercise.
- Certification audit — support throughout the audit with an accredited body, including defending the approach applied to the AI component. Certified at the first attempt.
Results
6 months: from first meeting to ENS medium-level certification
2: public tenders submitted in the same quarter as certification
0: deployments blocked by the ISMS; release pace untouched
Certification opened the door the company was after — bidding for public contracts — and produced a side effect nobody expected: two large private clients accelerated their supplier-onboarding processes on seeing the ENS seal and the security documentation already prepared.
What made it work
- The ENS and continuous deployment are not at odds: if the control lives inside the pipeline, the evidence produces itself.
- Treating AI as an asset with its own risks from the initial analysis avoided objections at audit.
- Categorising properly at the start (medium, not high out of misplaced caution) saved months and unnecessary measures.
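The "controls inside the pipeline" bullet above and the first takeaway ("if the control lives inside the pipeline, the evidence produces itself") describe one mechanism: a release gate that checks the controls and, as a by-product, writes an audit record. The script below is an added illustration of that pattern, not the company's or Hard2bit's own tooling. The gate rules (artifact signature verified upstream, an approval independent of the author, no unresolved critical or high findings), the record fields and the sample deployment events are all assumptions chosen to mirror the controls the case names; each run, blocked or not, appends a hash-chained evidence record so the pipeline log can be handed to an auditor as-is.

```python
"""Release gate that enforces deployment controls and writes its own evidence.

Added illustration, not the case study's own tooling. Field names, gate rules
and sample events are assumptions mirroring the controls described in the case.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS_HASH = "0" * 64  # start of the evidence chain (assumption)


@dataclass
class DeploymentEvent:
    commit: str               # git commit being deployed
    author: str               # who wrote the change
    reviewers: list           # who approved the merge
    signature_verified: bool  # result of the artifact signature check done earlier in the pipeline
    findings: dict            # vulnerability counts by severity, e.g. {"critical": 0}
    timestamp: str            # ISO-8601, supplied by the pipeline so runs stay reproducible


@dataclass
class GateResult:
    allowed: bool
    reasons: list
    evidence: dict


def _record_hash(record: dict) -> str:
    """Hash a canonical JSON encoding so a record cannot be edited later without detection."""
    encoded = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def evaluate_gate(event: DeploymentEvent, previous_hash: str = GENESIS_HASH) -> GateResult:
    """Apply the release controls to one deployment; return the decision and its evidence record.

    Every run, allowed or blocked, yields a record linked to the previous one, so the
    pipeline log doubles as the audit trail.
    """
    reasons = []
    if not event.signature_verified:
        reasons.append("artifact signature not verified")
    independent = [r for r in event.reviewers if r != event.author]
    if not independent:
        reasons.append("no approval independent of the author")
    blocking = {sev: n for sev, n in event.findings.items() if sev in ("critical", "high") and n > 0}
    if blocking:
        reasons.append(f"unresolved vulnerability findings: {blocking}")

    record = {
        "commit": event.commit,
        "author": event.author,
        "independent_reviewers": independent,
        "signature_verified": event.signature_verified,
        "findings": event.findings,
        "timestamp": event.timestamp,
        "allowed": not reasons,
        "reasons": reasons,
        "previous_hash": previous_hash,
    }
    record["hash"] = _record_hash(record)
    return GateResult(allowed=not reasons, reasons=reasons, evidence=record)


def verify_chain(records: list) -> bool:
    """Recompute every record's hash and check it links to its predecessor; False if anything was altered."""
    expected_prev = GENESIS_HASH
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["previous_hash"] != expected_prev or _record_hash(body) != rec["hash"]:
            return False
        expected_prev = rec["hash"]
    return True


def run_pipeline(events: list) -> list:
    """Run the gate over a sequence of deployments and return the chained evidence records."""
    records = []
    prev = GENESIS_HASH
    for ev in events:
        result = evaluate_gate(ev, prev)
        records.append(result.evidence)
        prev = result.evidence["hash"]
    return records


# Constructed sample events (not real deployments): one clean release, one self-approved
# change, and one unsigned artifact that also carries a critical finding.
SAMPLE_EVENTS = [
    DeploymentEvent("a1b2c3d", "alice", ["bob"], True, {"critical": 0, "high": 0, "medium": 2}, "2024-01-10T09:00:00Z"),
    DeploymentEvent("d4e5f6a", "alice", ["alice"], True, {"critical": 0, "high": 0}, "2024-01-10T11:30:00Z"),
    DeploymentEvent("b7c8d9e", "carol", ["bob"], False, {"critical": 1, "high": 0}, "2024-01-11T08:15:00Z"),
]

if __name__ == "__main__":
    for rec in run_pipeline(SAMPLE_EVENTS):
        print("DEPLOY " if rec["allowed"] else "BLOCKED", rec["commit"], rec["reasons"])
```

In a real pipeline the signature and scan results would come from the preceding CI stages (for example a signature verification step and a scanner report), and the records would be shipped to the centralised log store with its retention policy; `verify_chain` is what an auditor or a periodic integrity job would run over the exported log.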
Related services
Need the ENS to bid for public contracts?
Hard2bit is ENS-certified at high level — we know the framework from the inside. We help you categorise correctly, implement just enough and arrive at the audit with evidence.