
11/07/2017 NESA UAE Information Assurance Standards | Dionach


NESA UAE INFORMATION ASSURANCE STANDARDS


18 Oct 15 | Bil | Blog (/blog-categories/blog) | 0 Comments

The UAE's National Electronic Security Authority (NESA) is tasked with developing and monitoring the UAE
Information Assurance Standards (IAS). The IAS come under the National Information Assurance
Framework (NIAF), which itself is part of the Critical Information Infrastructure Protection (CIIP) Policy.

The IAS are primarily based on ISO 27001:2005, with some additional controls. Some of these additional
controls are taken from ISO 27001:2013 and some from NIST, whereas others are new, such as cloud
security and BYOD security. Compared to ISO 27001, the IAS also have additional specific requirements for
each control, namely sub-controls, document requirements and performance indicators.

From a high-level perspective, organisations (or entities, as the IAS terms them) in the UAE need to comply
with the common IAS standards and any specific IAS standards relating to their industry sector.
Organisations need to report compliance progress to sector regulators, who then report to NESA.

The IAS are based on organisations understanding their information security requirements, which will
involve carrying out risk assessments, implementing security controls, monitoring those controls, and
ensuring continual improvement.


The risk assessment mandated by the M2 control family in the IAS requires specific steps in the risk
assessment, which are very close to the ISO 27001 risk assessment requirements. Firstly, the organisation
needs to determine the context and scope, and then establish the risk criteria and risk methodology. The
organisation then needs to identify risks, threats, vulnerabilities, impacts and likelihoods, along with the
resulting risk level for each risk. The risk criteria then determine whether each risk is acceptable or needs
treatment. The organisation then needs to monitor risks and regularly review the risk assessment.

Each security control within the IAS is either marked as always applicable or is applicable depending on the
outcome of the risk assessment. Controls are prioritised to allow an incremental implementation, although
every control that is applicable is mandatory. The priority of a control, other than those controls with P1
priority, can be changed based on the risk assessment outcome.

Each control has a number of sub-controls. The sub-controls give a clear list of requirements for the
control. Each control also has implementation guidance, similar to that in ISO 27002:2005 but included as
part of the control itself, which helps with implementation.

The controls are divided into families of management controls and technical controls, as shown in the
tables below:

Management control families                       Controls
M1  Strategy and planning                         15
M2  Information security risk management          11
M3  Awareness and training                         8
M4  Human resources security                       8
M5  Compliance                                    13
M6  Performance evaluation and improvement         5

Technical control families                                         Controls
T1  Asset management                                               10
T2  Physical and environmental security                            16
T3  Operations management                                          17
T4  Communications                                                 15
T5  Access control                                                 22
T6  Third party security                                            6
T7  Information systems acquisition, development and maintenance   25
T8  Information security incident management                       13
T9  Information security continuity management                      4

There are 188 controls in total, of which 60 are management controls and 128 are technical controls. 35 of
the management controls are always applicable; none of the technical controls are always applicable.

Each control has one of four priorities, with the number of each as follows:

Priority   Controls
P1         39
P2         69
P3         35
P4         45

NESA has also published a summary list of the P1 controls, ordered by relative impact level. For example,
it shows that controls against malware and good password management can have a very high impact on
attack mitigation.

Although only 35 controls are always applicable, it is very likely that many of the other controls will apply.
Where a control does apply, the organisation still needs to achieve compliance with it regardless of its
priority level.

In my opinion there are several stages to achieving and maintaining compliance with the NESA UAE IAS:

Gap audit
Training
Risk assessment
Implementation
Annual compliance audits

Gap audits determine how compliant an organisation is and the actions needed to achieve compliance,
along with estimates of the resources and timescales required.


Training gives those who need to be involved in working towards and maintaining compliance the
required knowledge. This helps the organisation implement the IAS more efficiently, more quickly and
more cost-effectively. Training is appropriate for internal stakeholders, information security staff,
business unit leaders and certain IT staff.

The risk assessment methodology is specific to the M2 control family and determines which controls
apply to each organisation. It is important to start with a risk assessment methodology that fits the
organisation, to ensure it is meaningful, efficient and meets the requirements of the IAS. The risk
assessment requires input from internal stakeholders and business unit leaders.

The gap audit can take place after training and the risk assessment; however, many organisations benefit
from seeing what work is needed at the start of the compliance journey. An organisation can also have gap
audits at key stages of the implementation phase.

Implementation is best done internally. Actions from the gap audit and risk treatment actions from the
risk assessment will drive implementation.

Annual compliance audits help ensure organisations remain compliant. The compliance audit
complements the internal audit process in M6 by providing an external, independent audit.

In summary, the NESA UAE Information Assurance Standards are a good set of standards based on solid
international information security standards. The IAS also have the benefit of having clear sub-controls
and performance indicators, which I think sets them apart. Although ISO 27001 is the international
standard for an information security management system, I think any organisation would benefit from
using the UAE IAS.

POSTED BY BIL
