The UAE's National Electronic Security Authority (NESA) is tasked with developing and monitoring the UAE
Information Assurance Standards (IAS). The IAS come under the National Information Assurance
Framework (NIAF), which itself is part of the Critical Information Infrastructure Protection (CIIP) Policy.
The IAS are primarily based on ISO 27001:2005, with some additional controls. Some of these additional
controls are taken from ISO 2700:2013 and some from NIST, whereas others are new, such as cloud
security and BYOD security. The IAS also have additional specific requirements for each control compared
to ISO 27001, namely sub-controls, document requirements and performance indicators.
From a high-level perspective, organisations (or entities, as the IAS terms them) in the UAE need to comply
with the common IAS standards and any specific IAS standards relating to their industry sector.
Organisations need to report compliance progress to sector regulators, who then report to NESA.
The IAS are based on organisations understanding their information security requirements, which will
involve carrying out risk assessments, implementing security controls, monitoring those controls, and
ensuring continual improvement.
https://www.dionach.com/blog/nesa-uae-information-assurance-standards 1/6
11/07/2017 NESA UAE Information Assurance Standards | Dionach
The risk assessment mandated by the M2 control family in the IAS requires specific steps in the risk
assessment, which are very close to the ISO 27001 risk assessment requirements. Firstly, the organisation
needs to determine the context and scope, and then establish the risk criteria and risk methodology. The
organisation then needs to identify risks, threats, vulnerabilities, impacts and likelihoods, along with a
resulting risk level. The risk criteria then determine whether each risk is acceptable or needs treatment.
The organisation then needs to monitor risks and regularly review the risk assessment.
Each security control within the IAS is either marked as always applicable or is applicable as determined
by the risk assessment. Controls are prioritized to allow an incremental implementation, although every
control that is applicable is mandatory. The priorities of controls, other than those with P1 priority, can be
changed based on the risk assessment outcome.
Each control has a number of sub-controls, which give a clear list of requirements for the control. Each
control also includes its own implementation guidance, similar to ISO 27002:2005 but embedded in the
control itself, which will help with implementation.
The controls are divided into families of management controls and technical controls, as shown in the
tables below:
Family  Name                    Controls
M5      Compliance              13
T1      Asset management        10
T3      Operations management   17
T4      Communications          15
T5      Access control          22
There are 188 controls, of which 60 are management controls and 128 are technical controls. 35 of the
management controls are always applicable; none of the technical controls are always applicable.
Each control has one of four priorities, with the number of controls at each priority as follows:
Priority  Controls
P1        39
P2        69
P3        35
P4        45
NESA has also published a summary list of the P1 controls, ordered by relative impact level. For example,
it shows that controls against malware and good password management can have a very high impact on
attack mitigation.
Although there are only 35 controls that are always applicable, it is very likely that many of the other
controls will apply. If controls do apply, organisations will still need to achieve compliance regardless of
the priority level of the control.
In my opinion there are several stages to achieving and maintaining compliance to the NESA UAE IAS:
Gap audit
Training
Risk assessment
Implementation
Annual compliance audits
Gap audits determine how compliant organisations are and the actions needed to achieve compliance
with estimations of resources and timescales.
Training gives those who need to be involved in working towards and maintaining compliance the
required knowledge. This will help the organisation implement the IAS more efficiently, more quickly and
more cost-effectively. Training is appropriate for internal stakeholders, information security staff,
business unit leaders and certain IT staff.
The risk assessment methodology is specific to the M2 control family and can determine which controls
apply to each organisation. It is important to start with a risk assessment methodology that fits the
organisation, to ensure it is meaningful, efficient and meets the requirements of the IAS. The risk
assessment requires input from internal stakeholders and business unit leaders.
The gap audit can occur after training and risk assessment; however, many organisations benefit from
seeing what work is needed at the start of the compliance journey. An organisation can also have gap
audits at key stages of the implementation phase.
Implementation is best done internally. Actions from the gap audit and risk treatment actions from the
risk assessment will drive implementation.
Annual compliance audits can ensure organisations remain compliant. The compliance audit
complements the internal audit process in M6 by providing an external, independent audit.
In summary, the NESA UAE Information Assurance Standards are a good set of standards based on solid
international information security standards. The IAS also have the benefit of having clear sub-controls
and performance indicators, which I think sets them apart. Although ISO 27001 is the international
standard for an information security management system, I think any organisation would benefit from
using the UAE IAS.
POSTED BY BIL