Which entities must comply?

Federal and emirate-level government entities and Critical Information Infrastructure operators are in scope. Strategic suppliers are pulled in via contractual flow-down.

How is the tier decided?

Tier is driven by sector criticality and the impact of a compromise on national interests. We work with you and the sector regulator to confirm tiering before scoping the audit.

Does IAS replace ISO 27001?

No — they are complementary. IAS is the national baseline; ISO 27001 is the certification many regulated entities pursue alongside. We build a single ISMS satisfying both.

How often is the audit?

Annual is the working baseline, with continuous control monitoring expected for higher tiers. Sector regulators may impose tighter cycles.

UAE IA Standards · formerly NESA · now under TDRA / Cyber Security Council

UAE Information Assurance (NESA / IAS) Audit

Tier-1 to Tier-4 IA Standards audit for UAE critical sectors and federal entities.

Full UAE Information Assurance Standards audit — applicability and tiering, 60 management + 128 technical control assessment, sector-overlay alignment and submission pack for the Cyber Security Council / TDRA. Covers government entities, semi-government and Critical Information Infrastructure operators across energy, finance, telecom, transport and health.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

UAE Information Assurance Standards (latest published version)
UAE Information Assurance Regulation
Cyber Security Council National Cybersecurity Strategy
TDRA sector cybersecurity directives
Critical Information Infrastructure Protection Policy
ISO 27001 / ISO 27002 (mapped)
NIST SP 800-53 (mapped)

Why this matters

Compliance is leverage, not paperwork.

The framework originally published by the National Electronic Security Authority (NESA) is now maintained under the UAE Cyber Security Council with TDRA as the operational regulator — but the structure remains the IA Standards Tier-1 through Tier-4, with controls graded by sector criticality. UAE government entities, CII operators and their major suppliers are expected to evidence compliance as part of TDRA / sector-regulator audit cycles. Macksofy's IAS audit is sequenced the way the regulator reads it: priority controls, risk-based tier selection and technical evidence rather than narrative.

Applicability

UAE federal and emirate-level government entities
Critical Information Infrastructure operators (energy, finance, telecom, transport, health)
Semi-government entities and government-owned enterprises
Strategic suppliers and managed-service providers to government / CII
Large UAE enterprises adopting IAS voluntarily as a national baseline
Cloud + data-centre operators hosting government workloads

Standards & frameworks

Aligned to the regulations that matter.

UAE Information Assurance Standards (latest published version)

UAE Information Assurance Regulation

Cyber Security Council National Cybersecurity Strategy

TDRA sector cybersecurity directives

Critical Information Infrastructure Protection Policy

ISO 27001 / ISO 27002 (mapped)

NIST SP 800-53 (mapped)

Methodology

How we run a UAE IAS engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

REV.01 · METHODOLOGY SCHEMATIC

NODES 05

INSPECTOR · NODE-01

1 · Tiering + scoping

Sector + criticality assessment
Tier-1 to Tier-4 control set selection
Crown-jewel + CII asset identification

Deliverables

Everything you need to satisfy auditors.

IAS tier classification + scoping memo
Control-by-control compliance register (M1-M6, T1-T9)
Technical validation report (VAPT + config audit)
Risk treatment plan with priority + ETA
Regulator submission pack (TDRA / sector regulator)
Tabletop incident-response evidence
Annual recertification plan

Recent engagements

UAE utility (Critical Information Infrastructure)

IAS Tier-1 audit + OT security uplift

Outcome: Closed all priority-1 gaps in two cycles; sector regulator accepted submission without follow-up queries

Government shared-services entity

IAS + ISO 27001 unified audit

Outcome: Single evidence pack covered both regimes; recertification effort cut by an estimated 40%

At a glance

The shape of a UAE IAS engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Tiering & applicability3 pts
Management controls (M1-M6)3 pts
Technical controls (T1-T9)3 pts
Incident response & continuity3 pts
Sector overlay alignment3 pts
Regulator submission pack3 pts

Pillar 01

Tiering & applicability

IAS controls scale by tier — Tier-1 to Tier-4 — and incorrect tiering inflates cost without lowering risk.

Sector-criticality classification
CII scoping + asset-criticality map
Tier confirmation with sector regulator

Pillar 02

Management controls (M1-M6)

The governance backbone the Cyber Security Council expects to see first.

Strategy + risk-management evidence
HR, awareness + third-party controls
Asset + information classification

Pillar 03

Technical controls (T1-T9)

Hands-on testing against the 128 technical controls in the standard.

Access control + cryptography
Operations + communications security
Physical + environmental controls

Pillar 04

Incident response & continuity

Detection, escalation and recovery walked end-to-end with table-top evidence.

SOC + log-monitoring efficacy
Tabletop drill with sector-specific scenarios
BCP / DR with declared RTO + RPO

Pillar 05

Sector overlay alignment

IAS rarely lives alone — banks add CBUAE, healthcare adds ADHICS, Dubai gov adds DESC ISR.

CBUAE / DESC / ADHICS overlay map
Single-evidence-pack design across regulators
Free-zone vs mainland scoping

Pillar 06

Regulator submission pack

The format TDRA and sector regulators consume — control statement to evidence map.

Control-statement to evidence map
Findings register with severity + risk acceptance
Inspector Q&A walk-through deck

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a UAE IAS engagement. Click any station for detail in the methodology section above.

Week 1

Tiering + scoping

Week 2

Management controls (M1-M6)

Week 3

Technical controls (T1-T9)

Week 4

Technical validation

Week 5

Submission + regulator support

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

NESA was rebranded; cybersecurity policy is now set by the UAE Cyber Security Council with TDRA as the operational regulator. The IA Standards themselves — including the Tier-1 to Tier-4 structure — continue to apply.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.