How often is the DESC audit?

DESC operates a recurring audit cycle, typically annual with continuous control monitoring expected. Higher-risk entities may face tighter cadences.

How does DESC ISR relate to UAE IAS?

ISR is Dubai-specific; UAE IAS is the federal baseline maintained under the Cyber Security Council / TDRA. We map both and design a single control set.

Does ISR replace ISO 27001?

No — they complement. ISR is the local mandate; ISO 27001 is the certification many entities pursue alongside.

Do free-zone entities have to comply?

Coverage depends on entity classification and the free-zone authority's own directives — we scope per legal-entity footprint and free-zone designation.

Dubai Electronic Security Centre · Information Security Regulation

Dubai DESC ISR Audit

DESC ISR readiness for Dubai government entities and sector-specific operators.

Full Dubai Electronic Security Centre Information Security Regulation audit — applicability mapping, control families across governance, asset, HR, access, operations, communications, acquisition, incident management and compliance. Sequenced for the DESC audit cycle and the Dubai Government Information Security Maturity model.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

DESC Information Security Regulation v1.0 (2017) and v2.0 (2023)
Dubai Cyber Security Strategy
Dubai Government Information Security Maturity model
Smart Dubai / Digital Dubai security directives
UAE Information Assurance Standards (overlay)
ISO 27001:2022 (mapped)
NIST CSF (mapped)

Why this matters

Compliance is leverage, not paperwork.

The Dubai Electronic Security Centre's Information Security Regulation (DESC ISR v1.0 in 2017, updated to v2.0 in 2023) is the mandatory baseline for Dubai government entities and a growing set of sector-specific operators. DESC operates a regular audit cycle that grades entities against the ISR control set and the broader Dubai Cyber Security Strategy maturity model. Macksofy's DESC ISR audit is run the way DESC examiners read it — control mapping, sampled evidence and a clean closure pack.

Applicability

Dubai government entities (departments, authorities, councils)
Government-owned enterprises and free-zone authorities in Dubai
Sector-specific operators designated by DESC (utilities, transport, real estate, smart-city)
Strategic suppliers and managed-service providers to Dubai government
Smart-Dubai and digital-government platform operators
Major private-sector entities adopting ISR voluntarily as the emirate baseline

Standards & frameworks

Aligned to the regulations that matter.

DESC Information Security Regulation v1.0 (2017) and v2.0 (2023)

Dubai Cyber Security Strategy

Dubai Government Information Security Maturity model

Smart Dubai / Digital Dubai security directives

UAE Information Assurance Standards (overlay)

ISO 27001:2022 (mapped)

NIST CSF (mapped)

Methodology

How we run a DESC ISR engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 5

1 · Applicability + scoping

Entity classification under DESC ISR
Sector-specific overlay mapping
Crown-jewel + critical-service identification

Deliverables

Everything you need to satisfy auditors.

DESC ISR applicability + scoping memo
Control-by-control compliance register
Maturity heatmap against Dubai Govt model
Technical validation report (VAPT + config audit)
Incident-response + supplier-risk pack
DESC submission pack + examiner Q&A deck
Annual recertification + closure tracker

Recent engagements

Dubai government authority

DESC ISR audit + Dubai Govt maturity uplift

Outcome: Maturity score lifted by two grades inside one audit cycle; closure achieved without follow-up DESC visit

Smart-city platform operator

ISR + ISO 27001 unified program

Outcome: Single evidence pack satisfied both regimes; supplier-risk review cycle automated for 90+ suppliers

At a glance

The shape of a DESC ISR engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Applicability & scoping3 pts
Governance & policy3 pts
Access control & operations3 pts
Smart-Dubai integration3 pts
Incident response & continuity3 pts
DESC audit-cycle pack3 pts

Pillar 01

Applicability & scoping

DESC ISR coverage varies by entity classification — scoping defines audit cost and depth.

Entity-classification under ISR
Sector-overlay + free-zone scoping
Critical-service inventory

Pillar 02

Governance & policy

DESC examiners open every audit with policy currency and board accountability.

Information-security policy library
Security-committee charter + cadence
Risk-register + board reporting

Pillar 03

Access control & operations

Identity, privileged access and operational security tested against ISR clauses.

Identity + MFA on citizen services
Privileged-access + admin controls
Operations + change-management evidence

Pillar 04

Smart-Dubai integration

The control set where Dubai-specific examiners increasingly focus.

API + integration security with Dubai-Now / DubaiPulse
Cloud + data-residency posture
Citizen-data classification + protection

Pillar 05

Incident response & continuity

Detection, escalation and recovery with emirate-level coordination expectations.

Incident-detection + DESC notification SOP
Tabletop drill (citizen-service scenario)
BCP / DR with declared RTO + RPO

Pillar 06

DESC audit-cycle pack

Artefacts assembled exactly the way DESC examiners consume them.

Control-statement to evidence map
Maturity-heatmap deck
Examiner Q&A walk-through

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a DESC ISR engagement. Click any station for detail in the methodology section above.

Week 1

Applicability + scoping

Week 2

Control assessment

Week 3

Technical validation

Week 4

Incident + supplier controls

Week 5

Submission + audit-cycle support

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

Yes — for Dubai government entities and entities designated by DESC. Private-sector adoption is rising as enterprises align with the emirate's cyber strategy.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.