Security Norms Consulting

ISO 27K, ENS and TSP. We are familiar with the security-related standards that apply to your systems. If you are about to undertake a security audit or evaluation, call us.


Security Norms

Many standards aim to assure the security of a product or system by requiring the implementation of specific controls or by mandating specific audits. No standard can guarantee security; what a certification provides is evidence that a defined set of controls is in place and has been independently checked.

We are familiar with all of them and can help you attain the certification your company requires.

We are experts in risk analysis and can help you succeed by giving you access to our expertise.

Whatever your problem, do not hesitate to contact us to see how we can help. Compliance is still poorly understood in many ways: the benefits it can bring raise doubts in the organizations that implement it, and SMEs still show little awareness of their company's compliance obligations and of why they matter.

Recent developments, such as the proliferation of more advanced ransomware, have led many companies to re-assess the security of their systems. What about you? Have you checked the security status of your business yet?

Scheme definition

jtsec members have extensive experience with well-known IT security evaluation methodologies and schemes, such as Common Criteria, FIPS 140-2, GlobalPlatform TEE, FIDO, EMVCo and the eIDAS Regulation (EU) No 910/2014. We have also participated in innovative initiatives, such as the European IACS Cybersecurity Certification Framework for the industrial sector and a security evaluation framework for IoT, and we have supported the launch of some of these schemes.

jtsec could be your perfect partner if you need to define an IT security certification scheme, including its methodology, security requirements, evaluation/certification process or laboratory accreditation process.

FIPS 140-2

FIPS 140-2 is a standard for the validation of software and hardware cryptographic modules. Conformance implies that the module correctly implements a set of approved cryptographic algorithms, each validated under NIST's CAVP (Cryptographic Algorithm Validation Program) against known-answer test vectors, and that the module as a whole meets the CMVP (Cryptographic Module Validation Program) requirements for approved security functions and key sizes. The standard also requires defined roles and services (with role-based or identity-based operator authentication at the higher levels), sound key management (generation, entry and output, storage and zeroization) and self-tests that verify the algorithms at power-up. FIPS 140-2 defines four increasing security levels; from level 2 upwards the requirements for protecting the module against physical access (tamper-evident seals, then tamper detection and response) grow substantially. Note that NIST has since superseded FIPS 140-2 with FIPS 140-3 for new validations, so a new project should target 140-3 even though existing 140-2 certificates remain in use. Ask us about our FIPS 140-2 Consulting service.
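The two mechanical parts of the paragraph above, validating an algorithm implementation against known-answer vectors and refusing non-approved algorithms or key sizes, are small enough to show in code. The following is an added example written for this page; it is not jtsec's code nor a CAVP or CMVP tool. It assumes the module under test is Python's hashlib/hmac (any other implementation can be passed into the same harness), uses the published SHA-256 vectors for the empty message and "abc" and the RFC 4231 test case 1 HMAC-SHA-256 vector, and applies a deliberately simplified key-size policy that is only a subset of NIST SP 800-131A; the sample configuration it audits is constructed for illustration.

```python
"""Known-answer tests (KATs) and an approved-algorithm policy check.

Added example, not from the original page. The policy below is a simplified
subset of NIST SP 800-131A and is an assumption of this example; the real
FIPS 140-2/140-3 validation process is far more extensive.
"""
import hashlib
import hmac

# Public known-answer vectors: (message, expected SHA-256 hex digest).
SHA256_KATS = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]

# RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There".
HMAC_SHA256_KATS = [
    (bytes([0x0B] * 20), b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_sha256_kats(digest=lambda m: hashlib.sha256(m).hexdigest()):
    """Run every SHA-256 KAT through `digest` (the implementation under test).
    Returns a list of (vector_index, passed)."""
    return [(i, hmac.compare_digest(digest(msg), expected))
            for i, (msg, expected) in enumerate(SHA256_KATS)]


def run_hmac_sha256_kats(mac=lambda k, m: hmac.new(k, m, hashlib.sha256).hexdigest()):
    """Run every HMAC-SHA-256 KAT through `mac(key, message)`."""
    return [(i, hmac.compare_digest(mac(key, msg), expected))
            for i, (key, msg, expected) in enumerate(HMAC_SHA256_KATS)]


def self_test_passes():
    """Power-up style self-test: all KATs must pass, otherwise a FIPS module
    must enter an error state and refuse to provide cryptographic services."""
    return (all(ok for _, ok in run_sha256_kats())
            and all(ok for _, ok in run_hmac_sha256_kats()))


# Simplified approved-use policy (assumption; subset of SP 800-131A).
# Each entry maps an algorithm name to a predicate over the key size in bits
# (None for algorithms that take no key, such as a bare hash).
APPROVED = {
    "AES": lambda bits: bits in (128, 192, 256),
    "RSA": lambda bits: bits is not None and bits >= 2048,   # RSA-1024 is disallowed
    "ECDSA": lambda bits: bits is not None and bits >= 224,  # P-224 and larger curves
    "HMAC-SHA-256": lambda bits: bits is not None and bits >= 112,
    "SHA-256": lambda bits: bits is None,
}

# Explicitly disallowed. SHA-1 is still permitted for a few non-signature uses
# under SP 800-131A, but this simplified policy rejects it outright.
DISALLOWED = {"DES", "RC4", "MD5", "SHA-1"}


def is_approved(algorithm, key_bits=None):
    """True only if the (algorithm, key size) pair is allowed by the policy.
    Unknown algorithms are rejected: a FIPS module may only offer approved
    security functions."""
    if algorithm in DISALLOWED:
        return False
    rule = APPROVED.get(algorithm)
    return rule is not None and rule(key_bits)


def audit_configuration(config):
    """config: iterable of (purpose, algorithm, key_bits).
    Returns the entries that violate the policy, in input order."""
    return [(purpose, alg, bits) for purpose, alg, bits in config
            if not is_approved(alg, bits)]


# Constructed sample configuration; not taken from any real product.
SAMPLE_CONFIG = [
    ("data-at-rest", "AES", 256),
    ("tls-server-key", "RSA", 1024),
    ("legacy-checksum", "MD5", None),
    ("session-token-mac", "HMAC-SHA-256", 256),
]

if __name__ == "__main__":
    print("self-test:", "PASS" if self_test_passes() else "FAIL")
    for finding in audit_configuration(SAMPLE_CONFIG):
        print("non-approved:", finding)
```

To test a different implementation, pass its digest or MAC callable to `run_sha256_kats` or `run_hmac_sha256_kats`; a single failing vector is enough to fail `self_test_passes`, which mirrors the fail-closed behaviour the standard demands of the module's own power-up self-tests.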


ISO 27001

ISO 27001 is an ISO (International Organization for Standardization) standard that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS), whose purpose is to preserve the confidentiality, integrity and availability of the information an organization manages. The standard requires a risk assessment and a risk treatment plan for the identified risks; the treatment selects controls (those listed in the standard's Annex A, or others the organization justifies) so that the residual risk stays within the organization's acceptance criteria. We offer professional ISO 27001 consulting services. With our help, your business will be able to pass the ISO 27001 audit: we help you design and implement the required ISO 27001 controls, which will then be reviewed by an ISO 27001 auditor. If you need an ISO 27001 certification, call us now.



ENS

The Esquema Nacional de Seguridad (ENS) is a Spanish national regulation that sets the information security requirements that public administrations must meet when providing services through the Internet. Like ISO 27001, the ENS manages security from a risk-analysis perspective, but it has its own catalogue of controls and establishes a mandatory minimum set of measures based on the system's category (basic, medium or high), which is derived from the impact that a breach would have on the information and services handled.


SOC 2

A SOC 2 (Service Organization Control) report focuses on a service organization's controls relevant to the Trust Services Criteria defined by the AICPA (American Institute of Certified Public Accountants): Security, which is always included, and optionally Availability, Processing Integrity, Confidentiality and Privacy. There are two kinds of SOC 2 reports. A Type I report assesses whether the described controls are suitably designed at a point in time; a Type II report additionally examines, over a review period, the evidence that those controls actually operated effectively. SOC 2 reports are widely used today by cloud service providers to demonstrate their security posture to customers; note that a SOC 2 report is an attestation issued by a CPA firm rather than a certification. We are experts in SOC 2 consultancy.



PCI DSS

The PCI Data Security Standard (PCI DSS) applies "to all Members, merchants, and service providers that store, process, or transmit cardholder data." Additionally, these security requirements apply to all "system components", defined as any network component, server, or application included in, or connected to, the cardholder data environment (CDE). Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy and NTP servers. Applications include all purchased and custom applications, including both internal and external (web) applications. In practice, the first step of any PCI DSS engagement is therefore to define this scope and, where possible, reduce it through network segmentation, since every in-scope component must meet all applicable requirements.


FIDO

The FIDO ("Fast IDentity Online") Alliance is an industry consortium publicly launched in February 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords. It has since become the largest ecosystem for standards-based, interoperable authentication. The FIDO Alliance specifications (UAF, U2F and FIDO2/WebAuthn) and certification programs enable enterprises and service providers to deploy strong, public-key-based authentication that reduces reliance on passwords and, because each credential is bound to the origin of the relying party, resists the phishing, man-in-the-middle and replay attacks that rely on stolen passwords.



GDPR

The EU has published the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) to create a common legal framework for all member states of the European Union and to adapt data protection law to technological developments that have led to an exponential growth in the processing of personal data. To comply with the regulation, companies must first understand that personal data means any information that allows a natural person to be identified, directly or indirectly, without excessive effort, and then be able to answer the following questions: What personal data do they process? What kind of processing is carried out on this data? Is any of it high-risk processing, which would require a Data Protection Impact Assessment? What is the purpose of each processing activity? What are the risks involved, and how are they assessed in terms of severity of impact and likelihood of occurrence? What rights do the data subjects have, and how does the company serve them?
