{"id":2884,"date":"2015-10-18T17:25:13","date_gmt":"2015-10-18T16:25:13","guid":{"rendered":"https:\/\/dn-www.azurewebsites.net\/2015\/10\/18\/nesa-uae-information-assurance-standards\/"},"modified":"2024-02-06T10:23:43","modified_gmt":"2024-02-06T10:23:43","slug":"nesa-uae-information-assurance-standards","status":"publish","type":"post","link":"https:\/\/dionach.com\/en-us\/nesa-uae-information-assurance-standards\/","title":{"rendered":"NESA UAE Information Assurance Standards"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The UAE\u2019s National Electronic Security Authority (NESA) is tasked with developing and monitoring the UAE Information Assurance Standards (IAS).  The IAS come under the National Information Assurance Framework (NIAF), which itself is part of the Critical Information Infrastructure Protection (CIIP) Policy.<\/p>\n

The IAS are primarily based on ISO 27001:2005, with some additional controls. Some of these additional controls are taken from ISO 2700:2013 and some taken from NIST, whereas others are new, such as cloud security and BYOD security. The IAS also have additional specific requirements for each control compared to ISO 27001, namely sub-controls, document requirements and performance indicators.<\/p>\n

From a high level perspective, organisations (or entities as the IAS terms them) in the UAE need to comply with the common IAS standards and any specific IAS standards relating  to their industry sector . Organisations need to report compliance progress to sector regulators, who then report to NESA.<\/p>\n

The IAS are based on organisations understanding their  information security requirements, which will involve carrying out risk assessments, implementing security controls, monitoring those controls, and ensuring continual improvement.<\/p>\n

The risk assessment mandated by the M2 control family in the IAS requires specific steps in the risk assessment, which are very close to the ISO 27001 risk assessment  requirements. Firstly the organisation needs to determine the context and scope, and then establish the risk criteria and risk methodology. The organisation then needs to identify risks, threats, vulnerabilities, impacts and likelihoods along with a resulting risk level. The risk criteria will then determine whether risks are acceptable or need treatment. The organisation needs to then monitor risks and regularly review the risk assessment.<\/p>\n

The list of security controls within the IAS are applicable depending on whether they are marked as \u201calways applicable\u201d or whether they are applicable determined by the risk assessment. Controls are prioritized to allow an incremental implementation, although all are mandatory based on whether the controls are applicable. Priorities of controls, other than those controls with P1 priority, can be changed based on the risk assessment outcome.<\/p>\n

Each control has a number of sub-controls. The sub-controls give a clear list of requirements for the control.  Each control has implementation guidance, which is similar to ISO 27002:2005 but is part of each control, which will help with implementation.<\/p>\n

The controls are divided into families of management controls and technical controls, as shown in the tables below:<\/p>\n