
NESA · UAE Information Assurance Standards

NESA IAS Compliance Consulting

The UAE’s national cyber-security authority requires government, semi-government, and critical-infrastructure entities to implement the Information Assurance Standards (IAS) — 188 controls anchored by a mandatory P1 baseline. TCSA builds the ISO 27001-aligned ISMS that satisfies the IAS, maps every control to its family, and gets you to a defensible posture in 8–14 weeks.

TCSA has delivered 500+ audits and assessments across India, USA, UK, Australia and UAE. Our consultants have prepared ADIB, Mashreq Bank, and AMEX for ISO 22301 in the Middle East. Engagements are fixed-fee — quoted after a short scoping call, in AED or USD for Gulf engagements.

188 IAS controls
P1 mandatory baseline
8–14 weeks to readiness

UAE Information Assurance Standards (NESA IAS v1.0) · Federal cyber-security baseline · Last reviewed July 2026

The IAS · 188 Controls

What the Information Assurance Standards Require

The IAS organises its 188 controls into two groups — six management families that govern the security programme, and nine technical families that implement it. The standard is openly derived from ISO 27001 and NIST, so the structure will look familiar to anyone who has built an ISMS.

Management families · ~60 controls

Family | What it covers
Strategy & Planning | The information-security strategy, governance structure, roles and responsibilities, and programme planning that anchors the whole IAS implementation.
Information Security Risk Management | A formal process to identify, assess, and treat information-security risk — the engine that decides which conditional (P2–P4) controls apply to you.
Awareness & Training | Security awareness across the workforce and role-based training for staff who carry specific security responsibilities.
Human Resources Security | Security through the employment lifecycle — screening, terms of employment, and the handling of role changes and departures.
Compliance | Compliance with legal, regulatory, and contractual obligations, and with the IAS itself, backed by internal review.
Performance Evaluation & Improvement | Monitoring, measurement, internal audit, and continual improvement of the information-security programme.

Technical families · ~128 controls

Family | What it covers
Asset Management | Inventory, ownership, and acceptable use of information assets, plus information classification and handling.
Physical & Environmental Security | Secure areas, equipment protection, and environmental controls for facilities and data centres.
Operations Management | Operational procedures, change and capacity management, malware protection, backup, logging, and monitoring.
Communications | Network security management and protection of information in transit across communications channels.
Access Control | Identity and access management, authentication, privileged access, and access to systems and applications.
Third Party Security | Security requirements for suppliers, service providers, and outsourced or cloud-hosted services.
Information Systems Acquisition, Development & Maintenance | Security built into systems from requirements through development, testing, and maintenance.
Information Security Incident Management | Detection, reporting, response to, and learning from information-security incidents.
Information Systems Continuity Management | Keeping critical information systems running through disruption — the IAS analogue of a BCMS.

Family groupings reflect the published IAS structure. Exact control counts vary slightly between IAS versions and secondary sources — we confirm the definitive applicable set during scoping.

Priority Levels P1–P4

The Priority Model — and Why P1 Is Non-Negotiable

Every IAS control carries a priority from P1 to P4. P1 is the fixed, mandatory floor; everything below it is applied on the basis of your risk assessment. That is what makes the applicability step the most important part of a NESA project — it decides how much of the 188 you actually have to build.

Priority | Tier | What it means
P1 | Priority 1 — mandatory baseline (Mandatory) | The 39 controls NESA identifies as addressing roughly 80% of the threats it assessed. Mandatory for every in-scope entity — you may strengthen a P1 control, but you cannot drop it.
P2 | Priority 2 | Applied according to your risk assessment; typically expected wherever sensitive information or higher-value systems are in play.
P3 | Priority 3 | Risk-based controls that raise assurance for higher-risk systems and data.
P4 | Priority 4 | Optional, best-practice controls adopted where risk or sector expectations justify the investment.

The 39-control P1 count and the “~80% of threats” characterisation are from NESA’s own framing of the baseline. Counts below P1 depend on your risk assessment and IAS version — treat exact figures as indicative until confirmed at scoping.

In-Scope Entities

Who Must Comply

The IAS is a national baseline for government and critical infrastructure — and, through its third-party controls, for the suppliers that serve them.

Federal & local government entities

UAE federal and emirate-level government bodies are the core population the IAS was written for — adherence is directed nationally through the UAE cyber-security authority.

Semi-government & government-linked entities

Semi-government organisations and government-linked companies fall in scope alongside full government bodies, with the same baseline expectations.

Critical Information Infrastructure (CII)

Operators in sectors designated as critical national infrastructure — energy, ICT and telecom, finance, transport, health and others — are expected to implement the IAS.

Suppliers & service providers

The Third Party Security family pulls suppliers, outsourcers, and cloud providers into scope. SaaS and services vendors are increasingly asked to demonstrate IAS alignment to win UAE government and CII tenders.

Applicability for a specific entity is determined by the UAE national authority and the relevant sector regulator. TCSA is an independent consultancy: we prepare and implement, the UAE authorities supervise — we are not affiliated with, or endorsed by, NESA / the Signals Intelligence Agency.

The TCSA Approach · Build Once

How ISO 27001 Accelerates NESA Compliance

The IAS names ISO 27001 and NIST among its sources — which is the opportunity. Instead of running a NESA project and an ISO project, we build one ISMS that satisfies the IAS control families and passes ISO 27001 certification, with every document and control doing double duty.

IAS requirement | ISO mechanism | What you reuse
Management families — Strategy, Risk, HR, Compliance, Awareness, Performance | ISO 27001 Clauses 4–10 and the organisational / people controls in Annex A | The ISMS governance, risk methodology, and management-review discipline you build for ISO 27001 is the same evidence the IAS management controls ask for.
Information Security Risk Management (M) | ISO 27001 Clauses 6 & 8, supported by ISO 27005 | One risk methodology and one register drive both the ISO risk-treatment plan and the IAS decision on which conditional P2–P4 controls apply.
Technical families — Access, Operations, Communications, Asset, Physical, Incident, Development | ISO 27001 Annex A technical controls (per ISO 27002) | The IAS technical families track Annex A closely — the standard is openly derived from ISO 27001 and NIST — so control implementation is shared work, not parallel work.
Information Systems Continuity Management (T) | ISO 22301 BCMS, and ISO 27001 continuity controls (A.5.29–A.5.30) | Your BIA, continuity plans, and testing satisfy the IAS continuity family and earn an ISO 22301 certificate from the same body of work.
P1 mandatory baseline — controls that are “implemented and operating” | ISO certification audit trail: documented ISMS, internal audits, management reviews, corrective actions | The discipline ISO certification enforces is exactly what the IAS P1 baseline expects — controls that exist on paper and demonstrably operate.

Mapping is indicative — the IAS contains UAE-specific requirements that an ISO certificate alone does not discharge. We close those deltas explicitly in the gap register.

“Our consultants have prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East.”
On-the-ground UAE record: the same ISO discipline the IAS is built on, delivered for Gulf institutions whose regulators ask the questions NESA does.

See verified client reviews and engagement outcomes from 500+ audits and assessments across India, USA, UK, Australia and UAE.

The Wider UAE Picture

NESA IAS, DESC ISR & ADHICS

The NESA IAS is the federal baseline, but it is not the only regime you may face in the UAE. Individual emirates and sectors layer their own standards on top — closely aligned to the IAS and to ISO 27001, but with their own scope and reporting.

The Dubai Electronic Security Center (DESC) issues the Information Security Regulation (ISR) for Dubai Government entities, and the Department of Health – Abu Dhabi issues ADHICS for the Abu Dhabi health sector. Where more than one applies to you, we build a single ISO 27001-aligned control set and map it to each standard — the same build-once approach we use for SAMA in Saudi Arabia.

Engagement Path

From Applicability to a Defensible Posture in 8–14 Weeks

One engagement, two outcomes: a NESA-defensible IAS posture and — if you want it — ISO 27001 certification readiness from the same work.

Phase | Timeline | What we deliver
Scoping, applicability & gap assessment | Weeks 1–2 | A risk and applicability assessment to fix which of the 188 controls apply, a current-state rating against the P1 baseline and the always-applicable management controls, and a gap register with owners.
Design & documentation | Weeks 2–7 | An ISMS built to the IAS structure — strategy, a policy suite mapped to the six management families, a risk methodology and treatment plan, and technical control designs.
Implementation & evidence | Weeks 7–12 | Control rollout with your teams across the technical families — access reviews, monitoring, incident and change procedures, third-party reviews, continuity testing — producing the evidence the IAS expects.
Assurance & compliance reporting | Weeks 12–14 | Internal audit, management review, IAS self-assessment and compliance-report preparation, and — if you choose to certify — coordination of the ISO 27001 certification audit.

Consulting fee: fixed and all-inclusive, quoted after a short scoping call (in AED or USD for Gulf engagements). ISO 27001 certification-body fees, if you choose to certify, are billed separately.
Timeline assumes a mid-size entity or supplier starting from partial maturity. Large government estates and multi-standard scopes extend the implementation phase — we confirm both at scoping.

TCSA prepares and implements; the UAE national authority and sector regulators supervise and assess. TCSA is not affiliated with, appointed by, or endorsed by NESA / the Signals Intelligence Agency.

NESA IAS Compliance — Frequently Asked Questions

Straight answers on the Information Assurance Standards, the 188 controls, the P1 baseline, and how ISO 27001 fits — from a team with an on-the-ground record in the Gulf.

What is NESA and the UAE Information Assurance Standards (IAS)?

NESA — the National Electronic Security Authority, now operating as the UAE’s Signals Intelligence Agency (SIA) — is the federal authority responsible for cyber security. It issued the UAE Information Assurance Standards (the IAS, also called the NESA IAS or UAE IA Standards), a set of 188 security controls that form the national baseline for protecting government and critical information infrastructure. The IAS is openly derived from international standards — most notably ISO/IEC 27001 and NIST — and organises its controls into management and technical families, each control carrying a priority level from P1 to P4.

Who must comply with the NESA IAS?

The IAS is directed primarily at UAE federal and local government entities, semi-government and government-linked organisations, and operators of Critical Information Infrastructure (CII) — sectors such as energy, ICT and telecommunications, finance, transport, and health. Its Third Party Security family also extends obligations to suppliers, outsourcers, and cloud providers, which is why private SaaS and services vendors are increasingly asked to show IAS alignment to win UAE government and CII contracts. Exact applicability for a given entity is set by the national authority and the relevant sector regulator — treat sector-level detail as something we confirm during scoping.

How many controls are in the IAS, and which ones are mandatory?

The IAS defines 188 controls — around 60 in the management families and around 128 in the technical families. A subset of roughly 35 controls (all within the management families) is always applicable regardless of your risk assessment; the technical controls apply according to the results of that assessment. Separately, the framework marks 39 controls as Priority 1 (P1) — the mandatory baseline that NESA says addresses about 80% of the threats it identified. Exact counts vary slightly between sources and IAS versions, so we confirm the definitive applicable set for your entity during the scoping and applicability assessment.

What do the P1–P4 priority levels mean?

Every IAS control carries a priority from P1 (highest) to P4 (lowest). P1 is the mandatory baseline — 39 controls that must be implemented by every in-scope entity and that may be strengthened but never dropped. P2, P3, and P4 are applied on a risk basis: your risk assessment determines which of them are required, with P2 typically expected wherever sensitive data or higher-value systems are involved, and P4 reserved for optional best practice. This risk-driven model is why two IAS implementations in the same sector can legitimately differ below the P1 line.

How does NESA IAS compare with ISO 27001?

ISO 27001 is a voluntary international standard you certify against once an accredited body audits your ISMS. The NESA IAS is a national assurance regime: mandatory for in-scope UAE entities, assessed against a fixed control set and priority model, with oversight from the national authority rather than a certificate. Because the IAS is explicitly built on ISO 27001 and NIST, the two overlap heavily — one well-built, ISO 27001-aligned ISMS produces most of the governance, risk, and control evidence the IAS management and technical families require. An ISO 27001 certificate is strong supporting evidence for IAS compliance, but it does not by itself discharge IAS-specific obligations, which we close explicitly in the gap register.

How does the IAS relate to Dubai’s DESC ISR and Abu Dhabi’s ADHICS?

The NESA IAS is the federal baseline. On top of it, individual emirates and sectors run their own regimes: the Dubai Electronic Security Center (DESC) issues the Information Security Regulation (ISR) for Dubai Government entities, and the Department of Health – Abu Dhabi issues ADHICS (the Abu Dhabi Healthcare Information and Cyber Security standard) for the Abu Dhabi health sector. These regimes are closely aligned with the IAS and with ISO 27001, so the approach is the same one we use for SAMA in Saudi Arabia — build one ISO 27001-aligned ISMS, then map the same control set to whichever emirate or sector standard also applies, so nothing is implemented twice.

How long does NESA IAS compliance take, and how is it priced?

For a typical mid-size CII operator or a supplier being pulled into scope, plan on roughly 8–14 weeks of consulting work to reach a defensible IAS posture: scoping and applicability, ISMS documentation, control implementation across the applicable families, and assurance. Engagements are custom-scoped to your size, sector deadlines, and existing maturity — we provide a fixed, all-inclusive quote after a short scoping call (in AED or USD for Gulf engagements), with no hourly billing and no scope creep. Large government estates take longer; ISO 27001 certification-body fees, if you choose to certify, are billed separately. TCSA is an independent consultancy — we prepare and implement; the UAE authorities supervise. We are not affiliated with, or endorsed by, NESA / the Signals Intelligence Agency.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Last reviewed: July 2026. Content verified by certified lead auditors.

Get Started

Meet the UAE IAS Baseline Without Building It Twice

One build: an IAS posture you can defend to the UAE authorities, and an ISO 27001 certificate from the same evidence. Start with a readiness assessment.

UAE Information Assurance Standards  ·  Serving the GCC, India, USA & UK

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.
