The Director of the Catalan Data Protection Authority (APDCAT), Meritxell Borràs i Solé, has received the certifications that attest to the success of the Authority's digital transformation, which now culminates after two years of profound changes within the institution. These are the certification of its information systems under the National Security Framework (ENS 2022) in the medium category, and ISO 27001 certification of its information security management system. The ENS is a Spanish state regulation, mandatory for the entire public sector, aimed at ensuring robust system security policies within organizations. ISO 27001, meanwhile, is the leading international standard for security practices: adherence is voluntary, it is built on the principle of continuous improvement, and it is used as the benchmark for certifying an information security management system in both public and private organizations.
This milestone represents both national and international recognition in terms of information security and process management at APDCAT, which have had to adapt to the set of strategic changes recently implemented within the institution. In this regard, in addition to moving its offices to a new location on Gran Via de les Corts Catalanes, last June APDCAT launched a new electronic headquarters, a new procedures platform, and a new electronic case management system, which posed a major challenge for improving processes and user experience. It has also implemented a new intranet and new virtual spaces for the Data Protection Advisory Council and the community of data protection officers in Catalonia, "DPD en xarxa".
Currently, according to ENS figures, APDCAT's systems are among the 1,271 that comply with the medium-level ENS out of a total of 3,224 systems, that is, 39%. It should be noted that the medium and high ENS categories certify that systems meet the most demanding cybersecurity requirements.
In-depth review of processes
The update and modernization of APDCAT's Information Security Management System (ISMS) have involved a comprehensive review of processes, technologies, and internal policies, with the active involvement of all organizational teams. As a result, a more robust system has been consolidated, aligned with international best practices and current legislation, providing guarantees for the security of APDCAT's information systems. This evolution has improved operational efficiency, the effectiveness of information asset protection, and the efficiency of cybersecurity management, ensuring a proactive and resilient response to the threats and challenges of today's digital environment.
Within this transformation framework, the project has included the review and adaptation of hardware and software to new operational needs, the update of processes, procedures and workflows, as well as the reorganization of equipment inventory management. At the same time, continuous staff training has been promoted, not only to ensure the proper application of security measures but also to raise awareness and train professionals in secure information management, so that security becomes a shared and accessible responsibility in daily operations. In addition, all security controls have been reviewed, such as backups, data encryption, secure connections, strong passwords, clean desk policies, data destruction, and incident reporting, in line with established best practices and the applicable legal framework.
The set of actions is part of the 2023–2028 Strategic Plan, which promotes a new organizational culture based on innovation, continuous improvement, and digital transformation. The goal is to consolidate a secure, efficient, and resilient technological structure to meet the present and future challenges of the organization.
Commitment to security
APDCAT has received the ENS 2022 certification in the medium category, which highlights the Authority’s level of commitment to information security. Entities can be certified at basic, medium, or high categories. Basic category systems are accredited through a documented self-assessment, specifying the implementation of each security measure and the evidence of compliance. Meanwhile, medium- or high-category systems require an audit detailing the degree of compliance and conformity, the methodological criteria used, the scope and objectives of the audit, as well as the data, facts, and observations on which the conclusions are based.
The ENS ensures that organizations comply with the basic principles of information security, which relate to risk-based security management, prevention, detection, response and preservation, multiple lines of defense, continuous monitoring, periodic reassessment, and differentiation of responsibilities. Security is understood as a comprehensive process involving all human, material, technical, legal, and organizational elements related to the information system.
In addition, ISO 27001 provides international recognition of compliance with a set of best practices in system management. It enables the exhaustive identification of risks, threats, and possible vulnerabilities, and the establishment of a security policy, with principles and guidelines, that demonstrates the organization's commitment to information protection. It also entails the implementation of security controls and technical measures to mitigate those risks.
The Director of the Catalan Data Protection Authority, Meritxell Borràs i Solé, has received from OCA Global the documentation that internationally recognizes the quality and security of its systems, which have had to adapt to the specific requirements of the new physical headquarters, the new electronic headquarters, the launch of a new case management system, a new intranet, and a new virtual space for the Data Protection Advisory Council and the "DPD en xarxa" (DPO Network) community.