UAE Compliance

One ISMS. Federal, emirate, and sector frameworks.

The UAE's cybersecurity landscape spans federal standards (NESA IAS), emirate-level requirements (ADDA, DESC), and sector-specific frameworks (CBUAE). ISO 27001 is the international foundation they all reference. We implement the controls once in your Microsoft 365 environment — then map the evidence to every framework you're measured against.

The UAE cybersecurity framework landscape

Unlike centralised models, the UAE operates a federated approach — federal baseline standards with emirate-level and sector-specific extensions. ISO 27001 certification provides the strongest foundation for compliance across all layers.

ISO/IEC 27001:2022 (93 Annex A controls)

The international foundation. All UAE frameworks were built on or reference it.

Federal baseline
NESA IAS v2.0 (40 controls, 128 requirements)

Federal baseline for all government entities and critical national infrastructure.

Decree-Law No. 45 (data protection)

UAE's federal personal data protection law. Enforced by the UAE Data Office.

Emirate & sector extensions
ADDA (Abu Dhabi)
DESC DCSS (Dubai)
CBUAE (financial sector)
TDRA (telecoms)

Our ISO 27001 controls cover UAE requirements

83 of 93 ISO controls map to NESA IAS

61 of 93 ISO controls map to CBUAE

40 NESA IAS controls covered via ISO 27001 mapping

Framework details

NESA Information Assurance Standards (IAS v2.0)

UAE Cybersecurity Council

The federal cybersecurity baseline, originally issued by NESA and now overseen by the UAE Cybersecurity Council. Explicitly based on ISO/IEC 27001:2013, with more prescriptive requirements tailored to UAE national security priorities.

D1: Information Security Governance

Policy, roles, risk management, compliance oversight

D2: Information Security Operations

Asset management, access control, data protection, network and endpoint security

D3: Information Security Architecture

Secure design, cryptography, application security, cloud security

D4: Information Security Monitoring & Testing

Log management, event monitoring, vulnerability management, penetration testing

D5: Incident Response & Recovery

Incident response planning, handling, business continuity, disaster recovery

Applies to: All UAE government entities and critical national infrastructure operators

Abu Dhabi Digital Authority (ADDA) Standards

Abu Dhabi Government

ADDA's Cyber Security Policy and supporting standards extend the federal NESA IAS with Abu Dhabi-specific requirements. They provide more detailed implementation guidance tailored to Abu Dhabi government entities and their third-party service providers.

Applies to: All Abu Dhabi government entities, contractors, and partners handling government data

Our Abu Dhabi office ensures direct alignment with ADDA requirements for all local engagements.

CBUAE Cyber Resilience Framework

Central Bank of the UAE

Mandatory for all CBUAE-regulated financial institutions. Covers governance, cyber operations, threat intelligence, incident management, business continuity, and third-party risk management. Uses a maturity model approach.

Applies to: Banks, insurance companies, payment service providers, and other CBUAE-regulated entities

Assess your compliance across all UAE frameworks

Our free assessment evaluates your Microsoft 365 configuration against ISO 27001 and maps findings to NESA IAS and CBUAE requirements — showing you exactly where you stand across all applicable frameworks.