NESA’s IAS Standards & Security Controls

Published on : 06 Jul 2020


The National Electronic Security Authority (NESA) was established in 2012 in the United Arab Emirates (UAE). It was the first federal authority responsible for establishing cybersecurity in the country. As part of its mandate, and with the aim of improving cybersecurity, NESA produced the UAE Information Assurance Standards (IAS), a set of standards and guidelines for entities that are involved, directly or indirectly, in businesses that support critical national services across all sectors.

The standards set by NESA aim to protect the UAE’s critical data infrastructure and advance national cybersecurity. To be compliant, relevant institutes and organizations must abide by these standards, which require them to protect information assets, mitigate identified information security risks, implement effective controls, and establish a secure culture by creating cybersecurity awareness in the organization.

In this article we look at the IAS Standards and at the financial implications for an organization that does not abide by these rules and regulations.


NESA’s IAS Standards & Security Control

  • NESA’s IAS Standards stem from existing, widely accepted international standards, most notably ISO 27001 and NIST, from which several controls have been adopted. Currently the IAS consists of 188 security controls and standards, split into four priority tiers, P1 to P4, where P1 has the highest priority and P4 the lowest. Every security control also has additional sub-controls, documentation requirements, and performance indicators.
  • The list of security controls is based on 24 threats that NESA identified from industry reports. Taking into account the share of breaches attributed to each threat, NESA prioritized the security controls according to the threats they address. As a result, the controls that make up the highest priority tier, P1, address 80% of the security threats identified by NESA.
  • In total, the IAS has 136 mandatory sub-controls and 564 sub-controls whose application depends on risk assessment results. The risk assessment requirements are similar to those of ISO 27001.
  • Organizations are expected to establish a risk methodology and criteria for identifying risks, threats and vulnerabilities and for calculating their potential impact. This determines their risk levels and, in turn, whether the organization needs to apply the corresponding IAS sub-controls. Organizations are also expected to monitor and review these risks, threats and vulnerabilities regularly.
  • The controls can further be divided into two categories: management controls, of which there are 60, and technical controls, of which there are 128. The management controls cover information security risk management, human resources security, compliance efforts, awareness and training, performance evaluation, and improvement.
  • The technical controls cover asset management, physical and environmental security, operations management, access control management, third-party security, information systems acquisition, development and maintenance, information security incident management, and information security business continuity management.
  • It is important to note that, of the 188 security controls, the 35 controls that NESA considers essential and therefore mandatory all fall under the category of management controls. None of the technical controls listed above is mandatory; whether they apply depends solely on the results of the risk assessment conducted by the organization.

How can VISTA InfoSec services help the organization implement the required security controls?

VISTA InfoSec is a highly reputed and renowned Infosec consultancy service provider offering NESA compliance services to clients across the UAE. Our team of technical advisors can help you manage the information security requirements of the NESA standard with ease and strengthen the security of your IT infrastructure. We can help you achieve your compliance goals and take on the burden of understanding the standards and requirements needed to implement the relevant security controls in your infrastructure. Our analysts will help your internal IT team determine the gap areas and suggest implementable strategies to bridge those gaps and secure your IT infrastructure efficiently. To know more about our services, get in touch with our technical experts right away!

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF Assessor, CISSP, CISA, CRISC, ISO 27001 LA) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment and compliance services. VISTA InfoSec specializes in information security audit, consulting and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA and PDPB, to name a few. The company has worked since 2004 with organizations across the globe to address the regulatory and information security challenges in their industries. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.