NESA Compliance is mandated by Signals Intellegence Agency (SIA), earlier known as NESA, on all critical information infrastructure operators in UAE
What does NESA Stands for?
NESA stands for National Electronic Security Authority. It is a federal authority in United Arab emirates responsible for cyber security strategy of UAE.
Who must be NESA compliant?
NESA Compliance is mandated to all government organizations, semi-government organizations and business organizations that are identified as critical infrastructure to UAE.
What are the standards to follow to become NESA Compliant?
The UAE National Cyber Security Strategy (NCSS), developed and governed by NESA, defines the protection requirements of UAE Cyberspace. The primary standard to follow for NESA compliance is UAE Information Assurance Standards (UAE IAS). Additionally, the NESA National Cyber Risk Management Framework defines the NESA Risk Assessment process.
What are the NESA Security Control Implementation timelines?
UAE IAS lists 188 security controls in a prioritized approach. There are 4 priorities defined and the controls are grouped into these 4 priorities. NESA expects the entities to implement the Priority 1 controls at the earliest. Controls from P2 to P4 to follow. Even though there are no fixed dates listed in the NESA documents, our experience indicates that the P1 dates are nearby.
P1 Controls are mostly the management controls, with some technical security requirements. From the 188 controls, NESA mandates 35 controls which help entities in building the information security foundation. These controls are required to be implemented by all the relevant entities, irrespective of the outcome of the NESA Risk Assessment results.
How does NESA evaluate the compliance status?
According to the standards and based on the information, we receive from the public domain, NESA would get involved through different approaches based on the implementation level at the operator.
(a) Reporting: NESA would collect and consolidate the reports from entities to generate sector and national risk contexts. These are based on the self-assessment reports prepared by the critical national infrastructure entities
(b) Auditing: One of our customers had retained us until the NESA audits are over. This indicates that the NESA may audit, by means of requesting evidence, the operator to validate some or all of the reported status of an entity.
(c) Testing: The audits may be extended by testing specific control implementations at the operator.
Follow the service page to know more about our NESA Compliance service