NESA Compliance - An Overview
NESA, short for the National Electronic Security Authority, is the federal body in the United Arab Emirates (UAE) that oversees the growth of cyber security in the UAE region.
With a focus on cyber awareness and building a secure culture around information technology, NESA has the UAE Information Assurance Standards (UAE IAS), which come with several strategies, policies, and standards that align directly with cyber security compliance in the United Arab Emirates.
Adherence to the NESA standard, as described in the UAE IA Standards, is mandatory for government and semi-government firms and for business organizations that are recognized as ‘critical infrastructure’ in the UAE.
What is UAE IAS?
NESA is responsible for security culture in the UAE. The security of the UAE’s critical data information (CII) is greatly strengthened by the UAE Information Assurance Standards (UAE IAS), a set of standards and policy guidelines.
NESA UAE Compliance Objectives
By complying with the NESA UAE Information Assurance Standards, organizations:
- Safeguard the UAE’s information assets and reduce risks
- Secure crucial digital infrastructure and IT systems from cyber vulnerabilities
- Implement effective security controls
- Promote cyber security awareness
- Pave the way for human capital and IT security readiness
When was NESA regulation formed?
Formed on June 25, 2014, the National Electronic Security Authority (NESA) announced important security policies and standards to align with the UAE's national cyber-security efforts.
The announcement came after a meeting with key members of UAE federal and local entities that were part of the ‘National Cyber Security Program’.
Why was NESA Compliance formed?
NESA Controls List
The UAE-NESA standards have 188 security controls, grouped under management-level and technical security-level controls: 60 are related to management and the other 128 are technical.

Out of these 188 controls, there are 136 mandatory sub-controls and 564 sub-controls which are purely driven by risk assessment. The 188 controls of NESA UAE IAS function under a tier-based methodology.

NESA UAE Controls Standards
Management Control Family | Controls | Technical control families | Controls |
M1: Strategy and Planning | 15 | T1: Asset management | 10 |
M2: Information Security Risk Management | 11 | T2: Physical & environmental security | 16 |
M3: Awareness and Training | 8 | T3: Operations management | 17 |
M4: Human Resource Security | 8 | T4: Communications | 15 |
M5: Compliance | 13 | T5: Access control | 22 |
M6: Performance Evaluation & Improvement | 5 | T6: 3rd-party security | 6 |
 | | T7: Information systems acquisition, development and maintenance | 25 |
 | | T8: Information security incident management | 13 |
 | | T9: Information security continuity management | 4 |
These controls are further categorized using a 4-tier layered approach based on priority, with P1 (Priority 1) being the highest and P4 the lowest.
NESA security controls are also based on 24 types of threats, and each has been given a priority level according to the volume of data breaches that the corresponding type of attack caused.
Priority | Controls |
P1 | 39 |
P2 | 69 |
P3 | 35 |
P4 | 45 |
Of the 188 controls, 39 are Priority 1 controls, which contribute to 20% of security threats. Moreover, under the tiered approach, applying Priority 1 controls is mandatory, whereas none of the technical controls are “always applicable”.