ISO 27001 & NESA IAS Controls
93 ISO 27001:2022 controls mapped to the UAE Information Assurance Standards (NESA IAS). Each control page shows what it requires, how to implement it in Microsoft 365, and which IAS and CBUAE requirements it satisfies.
NESA IAS v2.0 ISO/IEC 27001:2022 CBUAE Framework Decree-Law 45
The UAE Information Assurance Standards are the federal cybersecurity baseline for all government entities and critical national infrastructure operators. NESA IAS was explicitly built on ISO/IEC 27001 — meaning ISO 27001 certification provides a strong foundation for UAE regulatory compliance.
One ISMS. Multiple UAE frameworks.
NESA IAS v2.0
40 controls across Governance, Operations, Architecture, Monitoring, and Incident Response. Mandatory for all government entities and critical infrastructure operators.
ISO/IEC 27001:2022
93 Annex A controls. The international standard that NESA IAS was built upon. Certification demonstrates baseline compliance across all UAE frameworks.
CBUAE Cyber Resilience
Financial sector framework for CBUAE-regulated institutions. Built on ISO 27001 and NIST CSF. Banks, insurance, and payment providers must comply.
22 Information Security Governance IAS D1
A.5.1 Policies for Information Security D1-C1 → A.5.2 Information Security Roles and Responsibilities D1-C1, D1-C2 → A.5.3 Segregation of Duties D1-C3, D1-C8 → A.5.4 Management Responsibilities D1-C3, D1-C8 → A.5.5 Contact with Authorities D1-C3 → A.5.8 Information Security in Project Management D1-C3, D1-C8 → A.5.24 Information Security Incident Management Planning and Preparation D1-C6 → A.5.25 Assessment and Decision on Information Security Events D1-C6 → A.5.26 Response to Information Security Incidents D1-C6 → A.5.27 Learning from Information Security Incidents D1-C6 → A.5.28 Collection of Evidence D1-C6 → A.5.29 Information Security During Disruption D1-C6 → A.5.30 ICT Readiness for Business Continuity D1-C6 → A.5.31 Legal Statutory Regulatory and Contractual Requirements D1-C4 → A.5.32 Intellectual Property Rights D1-C4 → A.5.33 Protection of Records D1-C4 → A.5.34 Privacy and Protection of PII D1-C4 → A.5.35 Independent Review of Information Security D1-C7 → A.5.36 Compliance with Policies Rules and Standards for Information Security D1-C4, D1-C7 → A.6.3 Information Security Awareness, Education and Training D1-C5 → A.6.8 Information Security Event Reporting D1-C6 → A.8.14 Redundancy of Information Processing Facilities D1-C7 →
50 Information Security Operations IAS D2
A.5.3 Segregation of Duties D2-C15 → A.5.4 Management Responsibilities D2-C15 → A.5.9 Inventory of Information and Other Associated Assets D2-C9 → A.5.10 Acceptable Use of Information and Other Associated Assets D2-C9 → A.5.11 Return of Assets D2-C9 → A.5.12 Classification of Information D2-C9 → A.5.13 Labelling of Information D2-C9 → A.5.15 Access Control D2-C10 → A.5.16 Identity Management D2-C10 → A.5.17 Authentication Information D2-C10 → A.5.18 Access Rights D2-C10 → A.5.23 Information Security for Use of Cloud Services D2-C16 → A.5.37 Documented Operating Procedures D2-C13 → A.7.1 Physical Security Perimeters D2-C12 → A.7.2 Physical Entry D2-C12 → A.7.3 Securing Offices, Rooms and Facilities D2-C12 → A.7.4 Physical Security Monitoring D2-C12 → A.7.5 Protecting Against Physical and Environmental Threats D2-C12 → A.7.6 Working in Secure Areas D2-C12 → A.7.7 Clear Desk and Clear Screen D2-C12 → A.7.8 Equipment Siting and Protection D2-C12 → A.7.9 Security of Assets Off-Premises D2-C12 → A.7.10 Storage Media D2-C12 → A.7.11 Supporting Utilities D2-C12 → A.7.12 Cabling Security D2-C12 → A.7.13 Equipment Maintenance D2-C12 → A.7.14 Secure Disposal or Re-use of Equipment D2-C12 → A.8.2 Privileged Access Rights D2-C10 → A.8.3 Information Access Restriction D2-C10 → A.8.4 Access to Source Code D2-C10 → A.8.5 Secure Authentication D2-C10 → A.8.6 Capacity Management D2-C13 → A.8.7 Protection Against Malware D2-C13 → A.8.8 Management of Technical Vulnerabilities D2-C13 → A.8.9 Configuration Management D2-C13 → A.8.16 Monitoring Activities D2-C17 → A.8.17 Clock Synchronisation D2-C17 → A.8.18 Use of Privileged Utility Programs D2-C13 → A.8.19 Installation of Software on Operational Systems D2-C14 → A.8.20 Networks Security D2-C14 → A.8.21 Security of Network Services D2-C14 → A.8.22 Segregation of Networks D2-C14 → A.8.23 Web Filtering D2-C15 → A.8.24 Use of Cryptography D2-C15 → A.8.25 Secure Development Life Cycle D2-C15 → A.8.26 Application Security Requirements D2-C15 → A.8.27 Secure System Architecture and Engineering Principles D2-C15 → A.8.28 Secure Coding D2-C15 → A.8.32 Change Management D2-C15 → A.8.33 Test Information D2-C11 →
19 Information Security Architecture IAS D3
A.5.8 Information Security in Project Management D3-C18 → A.5.19 Information Security in Supplier Relationships D3-C23 → A.6.7 Remote Working D3-C24 → A.7.5 Protecting Against Physical and Environmental Threats D3-C25 → A.8.1 User Endpoint Devices D3-C24 → A.8.3 Information Access Restriction D3-C22 → A.8.8 Management of Technical Vulnerabilities D3-C25 → A.8.9 Configuration Management D3-C25 → A.8.10 Information Deletion D3-C22 → A.8.11 Data Masking D3-C22 → A.8.12 Data Leakage Prevention D3-C22 → A.8.19 Installation of Software on Operational Systems D3-C20, D3-C25 → A.8.21 Security of Network Services D3-C20, D3-C25 → A.8.23 Web Filtering D3-C21 → A.8.24 Use of Cryptography D3-C21 → A.8.26 Application Security Requirements D3-C19 → A.8.27 Secure System Architecture and Engineering Principles D3-C19, D3-C21 → A.8.28 Secure Coding D3-C19 → A.8.31 Separation of Development Test and Production Environments D3-C18 →
9 Information Security Monitoring & Testing IAS D4
A.5.5 Contact with Authorities D4-C31 → A.8.8 Management of Technical Vulnerabilities D4-C27 → A.8.13 Information Backup D4-C26, D4-C30 → A.8.14 Redundancy of Information Processing Facilities D4-C26 → A.8.15 Logging D4-C30 → A.8.24 Use of Cryptography D4-C29 → A.8.28 Secure Coding D4-C29 → A.8.29 Security Testing in Development and Acceptance D4-C28 → A.8.30 Outsourced Development D4-C28 →
10 Incident Response & Recovery IAS D5
A.5.6 Contact with Special Interest Groups D5-C40 → A.5.7 Threat Intelligence D5-C40 → A.5.24 Information Security Incident Management Planning and Preparation D5-C32 → A.5.25 Assessment and Decision on Information Security Events D5-C33 → A.5.26 Response to Information Security Incidents D5-C34, D5-C39 → A.5.27 Learning from Information Security Incidents D5-C35 → A.5.28 Collection of Evidence D5-C40 → A.6.8 Information Security Event Reporting D5-C33 → A.8.16 Monitoring Activities D5-C36, D5-C37, D5-C38 → A.8.17 Clock Synchronisation D5-C36, D5-C37 →
Assess your IAS and ISO 27001 compliance gaps
Our free assessment evaluates your M365 configuration against all 93 controls and maps findings to both NESA IAS and ISO 27001 requirements.