NESA UAE Information Assurance Standards

If you are involved in information or cyber security at any UAE critical information infrastructure entity, you most likely already have a grasp of the NESA UAE Information Assurance Standards (IAS) and have come to appreciate their level of detail. Detail is what separates a mediocre ISMS implementation from a quality one.

We are often asked to implement NESA UAE IAS, and we include ISO/IEC 27001:2013 compliance as well, because we have seen the synergy between the two standards and the benefit it brings our clients. The clauses and control objectives of ISO/IEC 27001:2013 and ISO/IEC 27002:2013 map completely onto the controls of NESA UAE IAS, so the natural next step at the end of such an implementation is to pursue ISO/IEC 27001:2013 certification with a reputable Certification Body.

Why is this step needed?

Once the 188 controls of NESA UAE IAS (60 management and 128 technical) have been implemented following standard best practices, that hard-won security posture has to be maintained. It is much easier to do so under the scrutiny of both internal and external ISO/IEC 27001 auditors, who will audit the as-is ISMS, which is also NESA UAE IAS compliant.

Under those 188 controls, NESA UAE IAS comprises 136 mandatory sub-controls and 564 sub-controls whose applicability is decided by risk assessment, and each sub-control carries an implementation priority from P1 (highest) to P4 (lowest). The managerial part of the ISMS framework (governance policies, a risk management framework and a programme to address training needs), the business impact analysis and risk assessment, and the specific controls for access management, malware protection, monitoring of system use, information backup, network security and technical vulnerability management are all both P1 and mandatory.

This is where things get more involved, because the sub-controls of NESA UAE IAS are also mapped to controls of the following standards:

  • ISO/IEC 27005, to ensure that we follow standard best practices when building the risk management framework and performing the risk assessment.
  • ISO/IEC 27032; an organization implementing an ISMS in accordance with ISO/IEC 27001 will be aligned with the governance guidelines of ISO/IEC 27032 once the scope of the ISMS is extended to include cyber security.
  • NIST SP 800-53, to ensure industry best practices and technical controls for information and cyber security.

Therefore, the business impact analysis and risk assessment performed under P1 identify the critical information assets, and those assets give us the framework for cyber security protection against social engineering, hacking, malware, spyware and other unwanted software. We provide that protection with technical controls such as endpoint protection, secure coding, network monitoring and incident response, each of which is a core control of ISO/IEC 27032. Our incident response framework includes the policy, procedures and responsibilities of the incident response team and management, as well as technical controls to aid in detecting, investigating and responding to incidents. With that, P1 is complete.

As the ISMS implementation progresses and the client decides which risks can be accepted, both teams work together to identify the most efficient risk mitigation controls and to prioritize their implementation. Our approach to addressing the most critical risks does not default to investing in security technologies before the basic security hygiene measures have been exhausted. Once the information assets affected by each risk are known, the supporting security documentation and the technical controls that mitigate the risk are implemented in the order set by the NESA UAE IAS control priorities.

Tracking 700 sub-controls and around 200 risk records is not an easy task, let alone keeping them up to date and reporting their status to different teams. We knew that and built our own GRC software, which won over our first client. We kept it simple in concept and thorough in the details: it has a comprehensive management dashboard and reports, and five distinct roles that take part in a business process flow which starts with collecting and adding information and ends with storing all approved documents. We wanted efficiency and visibility, and the tool is deployed in our clients' own infrastructure.

In the last phase of the project we provide security awareness training for end users and technical training for the IT and information security teams involved in software development, network security, security operations and incident response.

After implementing NESA UAE IAS and ISO/IEC 27001:2013 in five companies across different sectors, here is what I believe is needed for a smooth implementation:

From the compliance consultancy
  • References: client names and testimonials from successful implementations across different critical sectors
  • Experienced consultants: full implementations of NESA UAE IAS behind them, combined with security professional and risk management certifications as well as certifications on ISO/IEC 27001 and ISO/IEC 27032
  • Experienced red and blue teams
From the client
  • Resources: an ISMS manager, information/cyber security officer, risk assessor, IT team, compliance officer and auditor, to provide input and review the documentation, and to implement mitigation controls and monitor and audit the ISMS
  • Budget: only needed when critical security technologies are missing