Hard2bit
ENS · Spain RD 311/2022 · Audit-ready
Pre-audit · Mock audit · ACCM/ENAC accompaniment

Walk into your ENS audit ready — with ACCM/ENAC accompaniment

The official audit is run by an ENAC-accredited body. We are on the other side of the table: pre-audit, mock audits with real questions, gap closure plan and on-site support during the audit. Hard2bit is not your auditor — and that's exactly what you need on your side.

We pass this audit ourselves: ENS HIGH category · RD 311/2022 · cert. ENS_2.026.061 · ACCM · ENAC 48/C-PR503
  • Pre-audit with real sample
  • Mock audit with auditor questions
  • In-room accompaniment
  • Non-conformity closure
  • 2-year renewal cycle

  • Categories: Basic · Medium · High
  • Modality: Full cycle or stand-alone modules
  • Outcome: Clean certification, no surprises

Verifiable qualification

We pass the ENS HIGH audit ourselves every 2 years — we know how it feels from the other side

We are certified at ENS HIGH category (Royal Decree 311/2022) and ISO/IEC 27001:2022. We've been through categorization, evidence, real sample, findings and closure ourselves. When we prepare a client, we do it from lived experience — not from a manual.

  • ENS HIGH category certification compliant with Spain's RD 311/2022
  • ISO/IEC 27001:2022 certification
  • ENS certificate no.: ENS_2.026.061
  • Certification body: ACCM · ENAC 48/C-PR503
  • Validity: Apr 2026 — Apr 2028

Executive summary

What this service includes

For CISOs, IT Managers, compliance leads and internal audit.

The right consultant role

Hard2bit is not the ACCM/ENAC auditor — and that's precisely why you hire us

The official ENS audit is performed by a certification body accredited by ENAC. In Spain, the most common one for RD 311/2022 certification is ACCM, accredited under no. 48/C-PR503. They issue the certificate of conformity. Mixing the certifier and the consultant in the same company is not how the market works — that would be a conflict of interest.

Hard2bit sits on the client's side: we prepare you for the audit, simulate real questions, organize evidence, accompany you in the room during the official audit and help close non-conformities. The separation is the right one — and it's what serious buyers expect.

An additional layer: we pass the ENS HIGH audit ourselves every 2 years. What we teach your team is not manual theory — it's what we live when an accredited auditor audits us.

Service scope

What ENS audit readiness includes — exactly

Six blocks covering everything from initial pre-audit through non-conformity closure. Engaged as a full cycle or as stand-alone modules, depending on starting point and timeline.

Pre-audit / internal audit dry run

A thorough review of the system in scope before the official audit. We identify the spots where an ACCM/ENAC auditor would raise findings. Not the official audit — your safety net before it.

Documentation review and evidence map

Walkthrough of the policy and procedure set, risk assessment, statement of applicability and the full evidence dossier. Each Annex II measure of RD 311/2022 is mapped to its evidence and its owner.

Mock audit with real questions

Guided session with the actual question set ACCM/ENAC auditors use. We rehearse responses with your technical and compliance teams. We surface knowledge gaps before the real audit.

Prioritized gap closure plan

Actionable backlog with owner, target date, priority and dependencies to close before the audit. We separate what blocks certification from what is optional.

Audit accompaniment during ACCM/ENAC sessions

We sit alongside you during the official audit: handle auditor requests, organize evidence on the fly, contextualize findings and help clarify technical or scope questions in real time.

Non-conformity closure post-audit

If findings appear, we translate each one into a concrete action plan with closure evidence. We coordinate verification with the auditor to reach a clean certification.

Hard2bit methodology

How we work, step by step

Six phases that cover the full cycle, from initial diagnosis to formal certificate issuance with the auditor.

  1. Kick-off

    Initial diagnosis and scope alignment

    We validate which system enters audit, the target category (Basic, Medium, High) and the timeline. We review the state of the adequacy project and where the real risk of findings lies.

  2. Pre-audit

    Full pre-audit with real sample

    We apply the same lens an ACCM/ENAC auditor would: asset sampling, documentation review, evidence per control, owner interviews. The output is equivalent to the auditor's report — without certification consequences.

  3. Plan

    Prioritized gap closure plan

    We turn pre-audit findings into an actionable backlog at three levels: blocking (no certification without these), recommended (raise quality) and optional (future improvements).

  4. Mock

    Mock audit and team training

    Role-play sessions with your owners: the auditor asks, they answer, we calibrate. We surface the points where the answers break down and reinforce them before the real day.

  5. On-audit

    Accompaniment during ACCM/ENAC audit

    We attend the official audit sessions. We handle auditor requests in real time, contextualize evidence, help clarify scope and technical aspects. The audit itself is run by ACCM/ENAC; we are on the client's side.

  6. Closure

    Non-conformity closure and verification

    If findings appear, we translate them into action plans with owner, date and evidence. We accompany the final verification with the auditor up to the formal lifting of every non-conformity and certificate issuance.

What you get

Service deliverables

A set of artifacts that defend the official audit — from pre-audit report to the final corrective action plan.

  • Pre-audit report with classified findings

    A document equivalent to what an auditor would deliver: control audited, evidence reviewed, finding (if any) and severity. Your roadmap to a clean audit.

  • Requirement → control → evidence → owner map

    End-to-end traceability for each Annex II measure of RD 311/2022 in scope. The piece ACCM/ENAC scrutinizes most in the real sample.

  • Prioritized gap closure plan

    Backlog classified as blocking / recommended / optional, with owner, target date and expected closure evidence.

  • Mock-audit kit: question bank + response playbook

    Real auditor questions paired with technically validated responses, ready to train the team in short sessions.

  • On-site accompaniment during the official audit

    Active presence during ACCM/ENAC audit sessions: on-demand evidence organization, owner support, technical clarification to the auditor.

  • Corrective action plan for non-conformities

    Each non-conformity raised by the auditor turned into a concrete action with owner, date, expected evidence and final validation with the certifier.

  • Lessons learned and ENS sustainment plan

    Post-audit document with what worked, what didn't, what to reinforce for the next renewal and how to industrialize what we learned.

Why Hard2bit

Differentiation that shows up when the auditor arrives

We pass the ENS HIGH audit ourselves — we know how it feels from the other side

Hard2bit is certified at ENS HIGH category (certificate no. ENS_2.026.061, issued by ACCM under ENAC accreditation no. 48/C-PR503), with 73 measures in place and HIGH level across all five DICAT dimensions. We've been through categorization, evidence, real sample, findings and closure ourselves. When we prepare a client, we do it from lived experience, not from a manual.

An ENS Lead Auditor on the team — not a generic consultant

Irene Ocando leads the practice with 30+ years in GRC and audit work in ISO 27001, ENS, NIS2 and ISO 22301. Thilina Manana is a CQI IRCA ISO/IEC 27001:2022 Lead Auditor. We know what an auditor will ask before they walk in the room.

We are NOT the ACCM/ENAC auditor — and that's the point

The separation matters: the official audit is performed by an accredited body (ACCM in our case). We are on the client's side: we prepare you, we accompany you, we help close non-conformities. This independence avoids the conflict of interest a certifier would have.

Reuse with ISO 27001, NIS2 and DORA

When the system also lives under ISO 27001, NIS2 or DORA, we reuse evidence packages. A well-designed ENS pre-audit can leave the foundation ready for upcoming audits in other frameworks.

Specialist team

Who leads the service

Auditors with real experience in ENS projects and the ACCM/ENAC certification body. The people who sign decisions your organization will defend before the auditor.

Irene Ocando Abreu

Head of Cybersecurity Projects

Senior GRC and compliance specialist with over 30 years of experience. Auditor in ISO 27001, ENS, NIS2, ISO 22301, ISO 20000-1 and ISO 9001. Master's in Data Science (UCAV/Indra). Direct interaction with certification bodies during ENAC audits.

  • ISO 27001 Auditor
  • ENS
  • NIS2
  • ISO 22301

Thilina Manana

Director of Operations & Security

Director of Operations & Security and co-founder. CQI IRCA ISO/IEC 27001:2022 Lead Auditor. Operational experience preparing evidence and accompanying ENS audits in tech providers serving the Spanish public sector.

  • CQI IRCA ISO 27001:2022 Lead Auditor
  • Security Operations

Anonymized case

Case · Spanish public-sector tech provider preparing for ENS Medium certification

They came to Hard2bit with the ACCM audit in six weeks and reasonable doubts about the state of the system. We ran a full pre-audit with a real sample of 12 Annex II controls — 7 potential findings appeared, two of them blocking. We worked five weeks on the closure plan, mock audit with the team and evidence consolidation. The official audit closed with 1 minor observation, no non-conformities. ENS Medium certification was issued on time.

— Irene Ocando · Head of Cybersecurity Projects

Case summarized and anonymized due to contractual confidentiality. Details available under NDA.

What the auditor finds

Common ENS audit findings — and how to avoid them

Non-traceable evidence

The control exists in policy but there's no evidence of periodic execution. This is the most frequent non-conformity — and the easiest to avoid with disciplined record-keeping.

Outdated inventory

In-scope assets missing from the inventory (or vice versa). A single discrepancy breaks the traceability chain across 5–6 controls at once.

Poorly defined scope

Connected systems, third parties or cloud services the client considers out of scope but the auditor sees as in scope. A discussion best closed in pre-audit, not in the audit room.

Missing periodic review record

The programme runs but there's no signed record of management reviewing the system at the agreed cadence. ENS demands governance, not just operations.

Unsigned non-remediation decisions

Accepting a risk is valid — but who accepted it, with what justification and for how long must be documented. Without that signature, it becomes a finding.

Documentation vs. technical reality mismatch

Policy says one thing, configuration does another. The auditor asks to see the configuration and verifies it. This is exactly where a pre-audit with a real sample is vital.

Frequently asked questions

FAQ — ENS audit readiness

Direct answers to the questions we hear most from CISOs, IT Managers and compliance leads facing an ENS audit.

Does Hard2bit perform the official ENS audit?

No. The official ENS audit is performed by a certification body accredited by ENAC (in many cases, ACCM). Hard2bit does everything before and alongside: pre-audit, documentation review, mock audits, gap closure plan, accompaniment during the official audit and non-conformity closure. This separation is the right one — a single provider should not be both certifier and consultant.

What's the difference between pre-audit and the official audit?

Pre-audit is a controlled rehearsal we run as consultants using methodology equivalent to the accredited auditor. It identifies where the official auditor would raise findings. It has no certification value — it's preparation. The official audit is performed by a body like ACCM, under ENAC accreditation, and decides whether the ENS certificate is issued.

When should I engage this service?

Typically 2 to 4 months before the official audit, but it depends on programme maturity. If adequacy is solid, two months suffice for pre-audit + mock audit. With gray zones or shorter timelines, we can compress the cycle. It's also engaged for annual internal audits or 2-year certification renewals.

What if pre-audit detects significant gaps?

That's exactly what it's for. Better to find a blocking gap in pre-audit than during the official audit. We turn each finding into a concrete action with owner, date and expected evidence. If the gaps are too large for the official audit timeline, we'll advise postponing — that honesty saves a non-conformity.

Do you accompany on-site during the ACCM/ENAC audit?

Yes — on-site or remote depending on client and certification body preference. We sit alongside your owners, handle auditor requests in real time, organize evidence on demand and help contextualize technical responses. Formal interaction with the auditor is led by your organization; we provide in-room support.

How long does a typical engagement take?

A full pre-audit plus mock audit usually takes 3–5 weeks, depending on scope. Audit accompaniment runs for the duration of the official ACCM/ENAC audit (typically 2–5 days for Medium, 5–10 for High). Non-conformity closure depends on number and complexity — typically 4–12 weeks.

What experience does the Hard2bit team have with ENS audits?

Irene Ocando and Thilina Manana have years of experience accompanying ENS audits and certifications under ACCM/ENAC. In addition, Hard2bit as a company passes its own ENS HIGH audit every 2 years with ACCM (certificate ENS_2.026.061). We know what the auditor asks because we ourselves answer those questions.

Does it cover mandatory ENS internal audits?

Yes. ENS requires periodic internal review of the system. We act as an external team performing your internal audit (not the official audit, but the internal one), and produce a formal internal audit report and the associated action plan. It's one of the most-requested modes for organizations that are already certified and need to keep the system alive between renewals.

Can it be combined with ISO 27001 or NIS2 audit prep?

Yes, and it usually pays off. If your system will also be audited against ISO 27001 or NIS2, a pre-audit designed with a multi-framework lens can build reusable evidence. We explain how in the ENS vs ISO 27001 vs NIS2 vs DORA comparison.

What happens with non-conformities after the audit?

Non-conformities have a formal closure deadline agreed with the auditor. We classify them by severity, turn them into concrete actions with expected evidence, run the necessary technical or organizational changes and coordinate final verification with the auditor for formal lifting. Until then, the certificate may be issued conditionally or held in suspension.

What if our scope touches cloud, M365 or third parties?

All of it goes into pre-audit. M365, Entra ID, AWS, Azure, GCP and tech providers are typically inside ENS scope, especially for modern tech providers. Most often the auditor asks about the evidence chain that crosses cloud and third parties — and that's where improvised preparation breaks down.

What does the service cost?

It depends on system scope, target ENS category (Basic, Medium, High), timeline available before the official audit and whether you contract the full cycle (pre-audit + mock + accompaniment + closure) or modules separately. The initial diagnostic session is always the first step to scope a proposal. Request it without commitment.

Let's talk

Got an ENS audit ahead?

A short call to diagnose where the system stands, what's missing to walk in clean and what level of accompaniment fits your case for the official audit with ACCM/ENAC.

Page reviewed: 2026-04-28. Hard2bit · Cybersecurity company in Spain since 2013 · ENS HIGH category · ISO/IEC 27001:2022