NESA · UAE Information Assurance Standards
NESA IAS Compliance Consulting
The UAE’s national cyber-security authority requires government, semi-government, and critical-infrastructure entities to implement the Information Assurance Standards (IAS) — 188 controls anchored by a mandatory P1 baseline. TCSA builds the ISO 27001-aligned ISMS that satisfies the IAS, maps every control to its family, and gets you to a defensible posture in 8–14 weeks.
TCSA has delivered 500+ audits and assessments across India, USA, UK, Australia and UAE. Our consultants have prepared ADIB, Mashreq Bank, and AMEX for ISO 22301 in the Middle East. Engagements are fixed-fee — quoted after a short scoping call, in AED or USD for Gulf engagements.
UAE Information Assurance Standards (NESA IAS v1.0) · Federal cyber-security baseline · Last reviewed July 2026
The IAS · 188 Controls
What the Information Assurance Standards Require
The IAS organises its 188 controls into two groups — six management families that govern the security programme, and nine technical families that implement it. The standard is openly derived from ISO 27001 and NIST, so the structure will look familiar to anyone who has built an ISMS.
Management families · ~60 controls
| Family | What it covers |
|---|---|
| Strategy & Planning | The information-security strategy, governance structure, roles and responsibilities, and programme planning that anchors the whole IAS implementation. |
| Information Security Risk Management | A formal process to identify, assess, and treat information-security risk — the engine that decides which conditional (P2–P4) controls apply to you. |
| Awareness & Training | Security awareness across the workforce and role-based training for staff who carry specific security responsibilities. |
| Human Resources Security | Security through the employment lifecycle — screening, terms of employment, and the handling of role changes and departures. |
| Compliance | Compliance with legal, regulatory, and contractual obligations, and with the IAS itself, backed by internal review. |
| Performance Evaluation & Improvement | Monitoring, measurement, internal audit, and continual improvement of the information-security programme. |
Technical families · ~128 controls
| Family | What it covers |
|---|---|
| Asset Management | Inventory, ownership, and acceptable use of information assets, plus information classification and handling. |
| Physical & Environmental Security | Secure areas, equipment protection, and environmental controls for facilities and data centres. |
| Operations Management | Operational procedures, change and capacity management, malware protection, backup, logging, and monitoring. |
| Communications | Network security management and protection of information in transit across communications channels. |
| Access Control | Identity and access management, authentication, privileged access, and access to systems and applications. |
| Third Party Security | Security requirements for suppliers, service providers, and outsourced or cloud-hosted services. |
| Information Systems Acquisition, Development & Maintenance | Security built into systems from requirements through development, testing, and maintenance. |
| Information Security Incident Management | Detection, reporting, response to, and learning from information-security incidents. |
| Information Systems Continuity Management | Keeping critical information systems running through disruption — the IAS analogue of a BCMS. |
Family groupings reflect the published IAS structure. Exact control counts vary slightly between IAS versions and secondary sources — we confirm the definitive applicable set during scoping.
Priority Levels P1–P4
The Priority Model — and Why P1 Is Non-Negotiable
Every IAS control carries a priority from P1 to P4. P1 is the fixed, mandatory floor; everything below it is applied on the basis of your risk assessment. That is what makes the applicability step the most important part of a NESA project — it decides how much of the 188 you actually have to build.
| Priority | Tier | What it means |
|---|---|---|
| P1 | Priority 1 — mandatory baseline | The 39 controls NESA identifies as addressing roughly 80% of the threats it assessed. Mandatory for every in-scope entity — you may strengthen a P1 control, but you cannot drop it. |
| P2 | Priority 2 | Applied according to your risk assessment; typically expected wherever sensitive information or higher-value systems are in play. |
| P3 | Priority 3 | Risk-based controls that raise assurance for higher-risk systems and data. |
| P4 | Priority 4 | Optional, best-practice controls adopted where risk or sector expectations justify the investment. |
The 39-control P1 count and the “~80% of threats” characterisation are from NESA’s own framing of the baseline. Counts below P1 depend on your risk assessment and IAS version — treat exact figures as indicative until confirmed at scoping.
In-Scope Entities
Who Must Comply
The IAS is a national baseline for government and critical infrastructure — and, through its third-party controls, for the suppliers that serve them.
Federal & local government entities
UAE federal and emirate-level government bodies are the core population the IAS was written for — adherence is directed nationally through the UAE cyber-security authority.
Semi-government & government-linked entities
Semi-government organisations and government-linked companies fall in scope alongside full government bodies, with the same baseline expectations.
Critical Information Infrastructure (CII)
Operators in sectors designated as critical national infrastructure — energy, ICT and telecom, finance, transport, health and others — are expected to implement the IAS.
Suppliers & service providers
The Third Party Security family requires in-scope entities to impose security requirements on their suppliers, outsourcers, and cloud providers, so IAS obligations flow down to vendors by contract rather than by direct regulation. SaaS and services vendors are therefore increasingly asked to demonstrate IAS alignment to win UAE government and CII tenders.
Applicability for a specific entity is determined by the UAE national authority and the relevant sector regulator. TCSA is an independent consultancy: we prepare and implement, the UAE authorities supervise — we are not affiliated with, or endorsed by, NESA / the Signals Intelligence Agency.
The TCSA Approach · Build Once
How ISO 27001 Accelerates NESA Compliance
The IAS names ISO 27001 and NIST among its sources — which is the opportunity. Instead of running a NESA project and an ISO project, we build one ISMS that satisfies the IAS control families and passes ISO 27001 certification, with every document and control doing double duty.
| IAS requirement | ISO mechanism | What you reuse |
|---|---|---|
| Management families — Strategy, Risk, HR, Compliance, Awareness, Performance | ISO 27001 Clauses 4–10 and the organisational / people controls in Annex A | The ISMS governance, risk methodology, and management-review discipline you build for ISO 27001 are the same evidence the IAS management controls ask for. |
| Information Security Risk Management (M) | ISO 27001 Clauses 6 & 8, supported by ISO 27005 | One risk methodology and one register drive both the ISO risk-treatment plan and the IAS decision on which conditional P2–P4 controls apply. |
| Technical families — Access, Operations, Communications, Asset, Physical, Incident, Development | ISO 27001 Annex A technical controls (per ISO 27002) | The IAS technical families track Annex A closely — the standard is openly derived from ISO 27001 and NIST — so control implementation is shared work, not parallel work. |
| Information Systems Continuity Management (T) | ISO 22301 BCMS, and ISO 27001 continuity controls (A.5.29–A.5.30) | Your BIA, continuity plans, and testing satisfy the IAS continuity family and earn an ISO 22301 certificate from the same body of work. |
| P1 mandatory baseline — controls that are “implemented and operating” | ISO certification audit trail: documented ISMS, internal audits, management reviews, corrective actions | The discipline ISO certification enforces is exactly what the IAS P1 baseline expects — controls that exist on paper and demonstrably operate. |
Mapping is indicative — the IAS contains UAE-specific requirements that an ISO certificate alone does not discharge. We close those deltas explicitly in the gap register.
The Wider UAE Picture
NESA IAS, DESC ISR & ADHICS
The NESA IAS is the federal baseline, but it is not the only regime you may face in the UAE. Individual emirates and sectors layer their own standards on top — closely aligned to the IAS and to ISO 27001, but with their own scope and reporting.
The Dubai Electronic Security Center (DESC) issues the Information Security Regulation (ISR) for Dubai Government entities, and the Department of Health – Abu Dhabi issues ADHICS for the Abu Dhabi health sector. Where more than one applies to you, we build a single ISO 27001-aligned control set and map it to each standard — the same build-once approach we use for SAMA in Saudi Arabia.
Engagement Path
From Applicability to a Defensible Posture in 8–14 Weeks
One engagement, two outcomes: a NESA-defensible IAS posture and — if you want it — ISO 27001 certification readiness from the same work.
| Phase | Timeline | What we deliver |
|---|---|---|
| Scoping, applicability & gap assessment | Weeks 1–2 | A risk and applicability assessment to fix which of the 188 controls apply, a current-state rating against the P1 baseline and the always-applicable management controls, and a gap register with owners. |
| Design & documentation | Weeks 2–7 | An ISMS built to the IAS structure — strategy, a policy suite mapped to the six management families, a risk methodology and treatment plan, and technical control designs. |
| Implementation & evidence | Weeks 7–12 | Control rollout with your teams across the technical families — access reviews, monitoring, incident and change procedures, third-party reviews, continuity testing — producing the evidence the IAS expects. |
| Assurance & compliance reporting | Weeks 12–14 | Internal audit, management review, IAS self-assessment and compliance-report preparation, and — if you choose to certify — coordination of the ISO 27001 certification audit. |
TCSA prepares and implements; the UAE national authority and sector regulators supervise and assess. TCSA is not affiliated with, appointed by, or endorsed by NESA / the Signals Intelligence Agency.
NESA IAS Compliance — Frequently Asked Questions
Straight answers on the Information Assurance Standards, the 188 controls, the P1 baseline, and how ISO 27001 fits — from a team with an on-the-ground record in the Gulf.
What is NESA and the UAE Information Assurance Standards (IAS)?
NESA — the National Electronic Security Authority, now operating as the UAE’s Signals Intelligence Agency (SIA) — is the federal authority responsible for cyber security. It issued the UAE Information Assurance Standards (the IAS, also called the NESA IAS or UAE IA Standards), a set of 188 security controls that form the national baseline for protecting government and critical information infrastructure. The IAS is openly derived from international standards — most notably ISO/IEC 27001 and NIST — and organises its controls into management and technical families, each control carrying a priority level from P1 to P4.
Who must comply with the NESA IAS?
The IAS is directed primarily at UAE federal and local government entities, semi-government and government-linked organisations, and operators of Critical Information Infrastructure (CII) — sectors such as energy, ICT and telecommunications, finance, transport, and health. Its Third Party Security family also extends obligations to suppliers, outsourcers, and cloud providers, which is why private SaaS and services vendors are increasingly asked to show IAS alignment to win UAE government and CII contracts. Exact applicability for a given entity is set by the national authority and the relevant sector regulator — treat sector-level detail as something we confirm during scoping.
How many controls are in the IAS, and which ones are mandatory?
The IAS defines 188 controls — around 60 in the management families and around 128 in the technical families. A subset of roughly 35 controls (all within the management families) is always applicable regardless of your risk assessment; the technical controls apply according to the results of that assessment. Separately, the framework marks 39 controls as Priority 1 (P1) — the mandatory baseline that NESA says addresses about 80% of the threats it identified. Exact counts vary slightly between sources and IAS versions, so we confirm the definitive applicable set for your entity during the scoping and applicability assessment.
What do the P1–P4 priority levels mean?
Every IAS control carries a priority from P1 (highest) to P4 (lowest). P1 is the mandatory baseline — 39 controls that must be implemented by every in-scope entity and that may be strengthened but never dropped. P2, P3, and P4 are applied on a risk basis: your risk assessment determines which of them are required, with P2 typically expected wherever sensitive data or higher-value systems are involved, and P4 reserved for optional best practice. This risk-driven model is why two IAS implementations in the same sector can legitimately differ below the P1 line.
How does NESA IAS compare with ISO 27001?
ISO 27001 is a voluntary international standard you certify against once an accredited body audits your ISMS. The NESA IAS is a national assurance regime: mandatory for in-scope UAE entities, assessed against a fixed control set and priority model, with oversight from the national authority rather than a certificate. Because the IAS is explicitly built on ISO 27001 and NIST, the two overlap heavily — one well-built, ISO 27001-aligned ISMS produces most of the governance, risk, and control evidence the IAS management and technical families require. An ISO 27001 certificate is strong supporting evidence for IAS compliance, but it does not by itself discharge IAS-specific obligations, which we close explicitly in the gap register.
How does the IAS relate to Dubai’s DESC ISR and Abu Dhabi’s ADHICS?
The NESA IAS is the federal baseline. On top of it, individual emirates and sectors run their own regimes: the Dubai Electronic Security Center (DESC) issues the Information Security Regulation (ISR) for Dubai Government entities, and the Department of Health – Abu Dhabi issues ADHICS (the Abu Dhabi Healthcare Information and Cyber Security standard) for the Abu Dhabi health sector. These regimes are closely aligned with the IAS and with ISO 27001, so the approach is the same one we use for SAMA in Saudi Arabia — build one ISO 27001-aligned ISMS, then map the same control set to whichever emirate or sector standard also applies, so nothing is implemented twice.
How long does NESA IAS compliance take, and how is it priced?
For a typical mid-size CII operator or a supplier being pulled into scope, plan on roughly 8–14 weeks of consulting work to reach a defensible IAS posture: scoping and applicability, ISMS documentation, control implementation across the applicable families, and assurance. Engagements are custom-scoped to your size, sector deadlines, and existing maturity — we provide a fixed, all-inclusive quote after a short scoping call (in AED or USD for Gulf engagements), with no hourly billing and no scope creep. Large government estates take longer; ISO 27001 certification-body fees, if you choose to certify, are billed separately. TCSA is an independent consultancy — we prepare and implement; the UAE authorities supervise. We are not affiliated with, or endorsed by, NESA / the Signals Intelligence Agency.
Keep Exploring
Related Reading
ISO 27001 Overview
The ISMS standard — the baseline certificate global buyers ask for.
Annex A Controls Overview
All 93 controls across organizational, people, physical and technological domains.
SAMA CSF & BCM
The Saudi Central Bank's cyber and continuity frameworks, demystified.
PDPL Compliance (KSA & UAE)
Saudi Arabia's SDAIA-enforced privacy law and the UAE's federal PDPL.
Middle East — UAE & Saudi Arabia
How we serve Gulf banks, vendors and enterprises, remote + on-site.
Operational Resilience Consulting
One ISO 22301-grade BCMS that answers CBUAE, SAMA, CPS 230 and DORA.
Get Started
Meet the UAE IAS Baseline
Without Building It Twice
One build: an IAS posture you can defend to the UAE authorities, and an ISO 27001 certificate from the same evidence. Start with a readiness assessment.
UAE Information Assurance Standards · Serving the GCC, India, USA & UK
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.