The UAE’s National Electronic Security Authority (NESA) is tasked with developing and monitoring the UAE Information Assurance Standards (IAS). The IAS come under the National Information Assurance Framework (NIAF), which itself is part of the Critical Information Infrastructure Protection (CIIP) Policy.
The IAS are primarily based on ISO 27001:2005, with some additional controls. Some of these additional controls are taken from ISO 2700:2013 and some taken from NIST, whereas others are new, such as cloud security and BYOD security. The IAS also have additional specific requirements for each control compared to ISO 27001, namely sub-controls, document requirements and performance indicators.
From a high level perspective, organisations (or entities as the IAS terms them) in the UAE need to comply with the common IAS standards and any specific IAS standards relating to their industry sector . Organisations need to report compliance progress to sector regulators, who then report to NESA.
The IAS are based on organisations understanding their information security requirements, which will involve carrying out risk assessments, implementing security controls, monitoring those controls, and ensuring continual improvement.
The risk assessment mandated by the M2 control family in the IAS requires specific steps in the risk assessment, which are very close to the ISO 27001 risk assessment requirements. Firstly the organisation needs to determine the context and scope, and then establish the risk criteria and risk methodology. The organisation then needs to identify risks, threats, vulnerabilities, impacts and likelihoods along with a resulting risk level. The risk criteria will then determine whether risks are acceptable or need treatment. The organisation needs to then monitor risks and regularly review the risk assessment.
The list of security controls within the IAS are applicable depending on whether they are marked as “always applicable” or whether they are applicable determined by the risk assessment. Controls are prioritized to allow an incremental implementation, although all are mandatory based on whether the controls are applicable. Priorities of controls, other than those controls with P1 priority, can be changed based on the risk assessment outcome.
Each control has a number of sub-controls. The sub-controls give a clear list of requirements for the control. Each control has implementation guidance, which is similar to ISO 27002:2005 but is part of each control, which will help with implementation.
The controls are divided into families of management controls and technical controls, as shown in the tables below:
|Management control families
|M1 Strategy and planning
|M2 Information security risk management
|M3 Awareness and training
|M4 Human resources security
|M6 Performance evaluation and improvement
|Technical control families
|T2 Physical and environmental security
|T3 Operations management
|T5 Access control
|T6 Third party security
|T7 Information systems acquisition, development and maintenance
|T8 Information security incident management
|T9 Information security continuity management
There are 188 controls of which 60 are management controls and 128 are technical controls. 35 of the management controls are “always applicable”, none of the technical controls are “always applicable”.
Each control has one of four priorities, with the number of each as follows:
NESA has also published a summary list of the P1 controls, with the list in order of relative impact level. For example it shows that controls against malware and good password management can have a very high level impact on attack mitigation.
Although there are only 35 controls that are always applicable, it is very likely that many of the other controls will apply. If controls do apply, organisations will still need to achieve compliance regardless of the priority level of the control.
In my opinion there are several stages to achieving and maintaining compliance to the NESA UAE IAS:
- Gap audit
- Risk assessment
- Annual compliance audits
Gap audits determine how compliant organisations are and the actions needed to achieve compliance with estimations of resources and timescales.
Training gives those who need to be involved in working towards and maintaining compliance with the required knowledge. This will help the organisation implement the IAS more efficiently, more quickly and more cost effectively. Training is appropriate for internal stakeholders, information security staff, business unit leaders and certain IT staff.
The risk assessment methodology is specific to the M2 control family and can determine which controls apply to each organisation. It is important to start with a risk assessment methodology that fits the organisation to ensure it is meaningful, efficient and meets the requirements of the IAS. The risk assessment requires input from internal stakeholders and business unit leaders.
The gap audit can occur after training and risk assessment, however many organisations benefit from seeing what work is needed at the start of the compliance journey. An organisation can also have gap audits at key stages of the implementation phase.
Implementation is best done internally. Actions from the gap audit and risk treatment actions from the risk assessment will drive implementation.
Annual compliance audits can ensure organisations remain compliant. The compliance audit complements the internal audit process in M6 by providing an external, independent audit.
In summary, the NESA UAE Information Assurance Standards are a good set of standards based on solid international information security standards. The IAS also have the benefit of having clear sub-controls and performance indicators, which I think sets them apart. Although ISO 27001 is the international standard for an information security management system, I think any organisation would benefit from using the UAE IAS.