NESA Audit

What does NESA stand for?

The National Electronic Security Authority (NESA) is a UAE federal authority in charge of the UAE’s cybersecurity. NESA developed Information Assurance (IA) Standards across the UAE in order to boost national cybersecurity. The standard was created to ensure a minimal level of security in businesses that support important national services in all sectors. The NESA Standard’s major goal is to develop a stringent national Cyber Security Strategy that permits advancement in cybersecurity and raises awareness of Cyber Security in the UAE.

Who must be NESA compliant?

NESA compliance is mandated for all government organizations, semi-government organizations and business organizations that are identified as critical infrastructure to the UAE.

What are the standards to follow to become NESA Compliant?

The UAE National Cyber Security Strategy (NCSS), developed and governed by NESA, defines the protection requirements of UAE Cyberspace. The primary standard to follow for NESA compliance is UAE Information Assurance Standards (UAE IAS). Additionally, the NESA National Cyber Risk Management Framework defines the NESA Risk Assessment process.

What are the NESA Security Control Implementation timelines?

UAE IAS lists 188 security controls in priority order. There are four stated priorities, and the controls are organised around these four goals. NESA expects entities to implement the Priority 1 (P1) controls as soon as possible, with P2 to P4 controls following later. Although the NESA regulations state no fixed dates, our experience suggests that the P1 deadlines are close.

P1 controls are largely management controls, with a smaller number of technical security requirements. NESA designates 35 of the 188 controls as mandatory; these establish an organisation's information security foundation and must be adopted by all relevant entities, regardless of the outcome of the NESA Risk Assessment.

How does NESA evaluate the compliance status?

According to the standards, and based on information available in the public domain, NESA engages through different approaches depending on the implementation level at the operator:

(a) Reporting: NESA collects and consolidates the reports from entities to generate sector and national risk contexts. These are based on the self-assessment reports prepared by the critical national infrastructure entities.

(b) Auditing: NESA may audit the operator, by requesting evidence, to validate some or all of an entity's reported status.

(c) Testing: The audits may be extended by testing specific control implementations at the operator.

More About NESA IA

The IAS Standards developed by NESA follow a threat-based strategy that helps organisations create the necessary security measures. Each security control mapping was created to neutralise the majority of the 24 risks that NESA derived from multiple industry reports in 2012, which accounted for close to 80% of the reported breaches. Under the IAS standard, security controls are classed by priority, from highest (P1) to lowest (P4). The standard's threat-based rather than asset-based approach is unquestionably the right move to close the gap between IT risk and business risk. Although NESA is a thorough standard, it may not always provide protection from very sophisticated attackers. It covers the management and technical control domains, but it does not go into great detail on activities particular to each business.

Audit and Compliance Process

NESA uses tier-based enforcement of compliance. How NESA and the other regulatory agencies work with you to enforce compliance depends on the extent of risk that your organization poses to the UAE's information infrastructure. The level of risk is calculated from the results of your present security controls and the inherent risk of your sector.

Stage 1

Stage 2

Where Can We Help?

  • Data and information governance
  • Security controls
  • Training and Awareness
  • Provide guidance
  • Policies and procedures
  • Data handling procedures
  • Contracts, notices, inquiries, complaints, and dispute resolution
  • Information lifecycle management

Interested in knowing more about our services or getting a quote from us? Contact us.