Everything You Need to Know About the UAE Information Assurance (IA) Standard Version 2 (2025).

Oct 28, 2025

Khalifa Al Shehhi


The United Arab Emirates (UAE) is rapidly advancing toward an AI-driven economy, where every sector, from government operations to energy and finance, relies on interconnected systems and data-driven technologies.

Recognizing this, the UAE Cybersecurity Council (CSC) has taken a leadership role in setting unified national standards that strengthen cybersecurity readiness across all sectors. Among these efforts, the UAE Information Assurance (IA) Standard stands as the cornerstone framework ensuring that organizations safeguard data, systems, and services vital to national security and economic growth. 

This blog explores the latest Version 2 (V2) of the UAE IA Standard, released in 2025, offering insights into its objectives, structure, and transformative impact on entities operating in the UAE.

What Is the UAE Information Assurance (IA) Standard? 

The UAE Information Assurance (IA) Standard is a comprehensive cybersecurity framework developed under the supervision of the UAE Cybersecurity Council (CSC) to safeguard the nation’s digital infrastructure. It sets out the minimum security controls and governance requirements that public and private entities must implement to protect information, systems, and services essential to national interests.

Rooted in the National Information Assurance Framework (NIAF), the IA Standard provides a unified baseline for securing the Confidentiality, Integrity, and Availability (CIA) of information assets. It acts as both a policy guide and an implementation blueprint, helping entities align with global best practices while addressing UAE-specific challenges such as multi-sector data sharing, critical infrastructure interdependencies, and digital sovereignty. 

At its core, the standard aims to: 

  • Establish a consistent national cybersecurity posture across all federal and Emirate-level organizations. 

  • Protect Critical Information Infrastructure (CII) across the energy, transportation, finance, healthcare, and defense sectors. 

  • Strengthen collaboration between government and non-government entities through a unified set of requirements and reporting structures. 

  • Foster resilience and incident preparedness by enforcing structured governance, risk management, and compliance processes. 

Unlike isolated security programs, the UAE IA Standard integrates seamlessly into existing Information Security Management Systems (ISMS) and supports broader frameworks, such as ISO/IEC 27001, ensuring that organizations not only comply but also mature in their security culture.

Why the 2025 Version Matters

The UAE IA Standard Version 2 (2025) marks a significant evolution in the nation’s cybersecurity landscape. Since the release of the first version in 2018, the UAE has undergone a rapid digital transformation, expanding smart city ecosystems, adopting AI-driven platforms, and transitioning critical operations to cloud environments. This shift demanded an updated framework capable of addressing emerging technologies, evolving threats, and complex regulatory needs. 

A Necessary Evolution

The earlier version provided a strong foundation for government cybersecurity, but with the rise of multi-sector digital interconnectivity, it became essential to redefine security expectations beyond traditional IT systems. The 2025 update ensures that the standard remains relevant, risk-based, and adaptive to the current cybersecurity environment. 

Key Focus Areas in Version 2 

The latest version introduces several new domains and enhancements: 

  • Cloud, AI, and IoT Security: Establishes controls for data sovereignty, model integrity, and endpoint protection in connected environments. 

  • Third-Party and Supply Chain Risk Management: Integrates vendor assurance controls aligned with ISO 27036 and NIST SP 800-161, acknowledging that supply chain vulnerabilities now pose national-level risks. 

  • Operational Technology (OT) and Critical Infrastructure Protection: Extends requirements to energy, transportation, and manufacturing sectors to mitigate cyber-physical threats. 

  • Risk-Based and Phased Implementation: Enables organizations to prioritize control adoption according to business criticality, resources, and risk exposure. 

Alignment with Global Standards

Version 2 (2025) reflects strong alignment with major international frameworks, including: 

  • ISO/IEC 27001:2022: For information security management systems. 

  • NIST SP 800-53 Rev. 5: For control categorization and federal information security standards. 

  • CIS Controls v8: For operational best practices and cyber hygiene. 

By harmonizing with these frameworks, the UAE IA Standard ensures that compliance efforts not only meet national expectations but also support global interoperability and audit readiness.

Structure of the UAE IA Standard V2 (2025)

The UAE IA Standard Version 2 (2025) is organized into a clear and practical structure that guides entities from understanding cybersecurity governance principles to implementing detailed security controls. The document is divided into four main chapters, each serving a distinct purpose in building a comprehensive information assurance framework. 

Introduction 

This chapter outlines the scope, applicability, and guiding principles of the IA Standard. It defines which organizations must comply, including federal, Emirate-level, and critical infrastructure entities, and establishes the foundational philosophy of risk-based cybersecurity management. It also emphasizes the UAE's commitment to aligning with international standards and future technologies. 

Security Controls 

The core of the document, this chapter introduces 15 Security Control Families divided into two categories: Management (M1–M6) and Technical (T1–T9). Each family includes detailed controls, sub-controls, and objectives to ensure consistent implementation across sectors. These controls address governance, risk management, network security, incident handling, and continuity planning. 

Implementation

This chapter explains the risk-based approach that entities should adopt. It provides guidance on tailoring control adoption according to the organization's impact level, resources, and operational context. It also defines roles and responsibilities for stakeholders, including the Cybersecurity Council (CSC), sector regulators, and implementing entities, and describes the phased maturity model used to measure compliance progress. 

Appendices 

The appendices include valuable resources such as: 

  • Control summaries and mappings to global standards (ISO 27001, NIST SP 800-53, CIS v8). 

  • Guidance for cloud environments and AI-based systems. 

  • Definitions, acronyms, and references to ensure consistent interpretation of terms across entities. 

Together, these four sections provide a structured, scalable, and actionable roadmap for organizations to achieve cybersecurity maturity in alignment with the UAE's national objectives.

Guiding Principles 

The UAE IA Standard V2 (2025) is built on five core guiding principles that ensure its adaptability, inclusiveness, and long-term relevance. These principles guide organizations regardless of size or sector in implementing effective and sustainable cybersecurity measures. 

  1. Technology Agnostic: The standard is designed to be independent of any specific technology, vendor, or platform. This flexibility allows entities to adopt suitable tools and architectures while maintaining compliance. Whether operating in on-premises, cloud, or hybrid environments, organizations can apply the same controls consistently. 

  2. Future Ready: Anticipating rapid advancements in AI, IoT, and automation, the framework emphasizes scalability and adaptability to meet these emerging needs. It encourages proactive risk assessment and continuous improvement, allowing security measures to evolve in parallel with digital transformation initiatives. 

  3. Aligned with International Practices: The UAE IA Standard incorporates globally recognized frameworks, including ISO/IEC 27001, NIST SP 800-53, and CIS Controls v8. This alignment ensures that entities implementing the IA Standard not only meet national regulatory expectations but also achieve internationally accepted levels of cyber maturity. 

  4. Broad Applicability: The framework is intentionally inclusive, applying to federal and Emirate-level organizations, critical infrastructure entities, and private sector partners handling national data. This wide applicability ensures uniform protection across interconnected systems and promotes a culture of shared responsibility for national cybersecurity. 

  5. Continuous Improvement: Recognizing that cybersecurity is a moving target, the IA Standard promotes ongoing evaluation through audits, performance metrics, and maturity assessments. Entities are encouraged to regularly review, refine, and optimize their controls, transforming compliance into a dynamic, data-driven process rather than a one-time exercise. 

The 15 Security Control Families 

At the heart of the UAE Information Assurance (IA) Standard V2 (2025) are 15 Security Control Families that provide a structured approach to managing cybersecurity risks. These are divided into two main categories: Management Controls (M1–M6) and Technical Controls (T1–T9), ensuring that both organizational governance and technical defenses are comprehensively addressed. 

Each family defines a clear purpose, control objectives, and real-world implementation measures that entities can tailor to their specific risk exposure and operational environment. 

A. Management Controls (M1–M6) 
M1: Strategy & Planning 
  • Purpose: Establish a governance structure and cybersecurity strategy aligned with organizational objectives and UAE national policy. 

  • Key Measures: Develop and approve cybersecurity policies, assign roles and responsibilities, and integrate IA goals into business planning and operations. 

  • Real-World Relevance: Ensures leadership accountability and sets the tone for a culture that is risk-aware across all departments. 

M2: Information Security Risk Management 
  • Purpose: Identify, assess, and treat information risks systematically. 

  • Key Measures: Implement risk assessment methodologies, maintain a risk register, and apply appropriate mitigation controls to manage risks effectively. 

  • Real-World Relevance: Enables proactive defence by prioritizing critical risks that could disrupt operations or compromise data integrity. 

M3: Awareness & Training 
  • Purpose: Build cybersecurity competency across all levels of the organization. 

  • Key Measures: Conduct regular awareness sessions, phishing simulations, and role-based training to enhance cybersecurity awareness and promote a culture of security. 

  • Real-World Relevance: Reduces human error, a leading cause of security incidents, through continuous education. 

M4: Human Resource Security 
  • Purpose: Protect organizational assets by managing personnel security throughout the employment lifecycle. 

  • Key Measures: Pre-employment screening, confidentiality agreements, and secure offboarding procedures. 

  • Real-World Relevance: Prevents insider threats and ensures responsible handling of sensitive information. 

M5: Compliance 
  • Purpose: Ensure adherence to legal, regulatory, and contractual cybersecurity obligations. 

  • Key Measures: Maintain a compliance register, perform regular audits, and document evidence of control effectiveness. 

  • Real-World Relevance: Simplifies audit readiness and strengthens regulatory confidence. 

M6: Performance Evaluation & Improvement 
  • Purpose: Measure and enhance cybersecurity performance continuously. 

  • Key Measures: Define KPIs, perform gap analyses, and review incident metrics to identify areas for improvement. 

  • Real-World Relevance: Drives continuous improvement and accountability within the cybersecurity management system. 

B. Technical Controls (T1–T9) 
T1: Information Asset Management 
  • Purpose: Identify and classify all information assets, both physical and digital. 

  • Key Measures: Maintain an updated asset inventory and define ownership. 

  • Real-World Relevance: Enables visibility into what needs protection and ensures assets are secured according to their sensitivity. 

T2: Physical & Environmental Security 
  • Purpose: Protect facilities, data centers, and hardware against unauthorized access and environmental hazards. 

  • Key Measures: Implement access control systems, surveillance, and environmental monitoring. 

  • Real-World Relevance: Reduces the risk of physical tampering, theft, or natural disruptions. 

T3: Operations Management 
  • Purpose: Maintain secure and reliable IT operations. 

  • Key Measures: Apply change management, logging, monitoring, and backup processes. 

  • Real-World Relevance: Ensures system integrity and minimizes downtime from operational failures. 

T4: Network Security 
  • Purpose: Safeguard data in transit through secure network design and monitoring. 

  • Key Measures: Implement segmentation, firewalls, intrusion detection/prevention systems (IDS/IPS), and encryption. 

  • Real-World Relevance: Defends against network-based attacks and data breaches. 

T5: Identity & Access Management (IAM) 
  • Purpose: Ensure that only authorized individuals access systems and data. 

  • Key Measures: Apply least privilege principles, multi-factor authentication (MFA), and access reviews. 

  • Real-World Relevance: Reduces unauthorized access risks and enforces accountability through traceable user actions. 

T6: Third-Party Security 
  • Purpose: Manage cybersecurity risks arising from vendors and partners. 

  • Key Measures: Conduct due diligence, review contractual clauses, and monitor third-party compliance. 

  • Real-World Relevance: Addresses supply chain vulnerabilities and ensures partners meet UAE IA standards. 

T7: Information System Acquisition, Development, and Maintenance 
  • Purpose: Integrate security into system design and development from inception. 

  • Key Measures: Perform security testing, code reviews, and patch management. 

  • Real-World Relevance: Prevents vulnerabilities from entering systems during development or updates. 

T8: Information System Incident Management 
  • Purpose: Detect, respond to, and recover from cybersecurity incidents effectively. 

  • Key Measures: Establish a CSIRT, define escalation paths, and maintain an incident log. 

  • Real-World Relevance: Reduces response time and limits damage in the event of security breaches. 

T9: Information System Continuity Management 
  • Purpose: Ensure critical operations can continue during and after disruptions. 

  • Key Measures: Develop business continuity plans (BCP), disaster recovery plans (DRP), and conduct regular tests. 

  • Real-World Relevance: Maintains service availability and resilience even in crisis scenarios. 

Together, these 15 control families provide a balanced foundation of policy, process, and technology, enabling entities to achieve both compliance and operational resilience in accordance with the UAE’s national cybersecurity vision.

Implementation Framework  

The Implementation Framework of the UAE IA Standard V2 (2025) provides the roadmap for translating cybersecurity policy into measurable action. It guides entities on how to adopt, monitor, and continuously enhance controls in proportion to their risk exposure and operational maturity. 

Information Assurance Lifecycle  

The UAE IA Standard adopts a lifecycle approach to ensure continuous improvement in information assurance across entities and sectors. 

The lifecycle reinforces a continuous improvement loop: 

Risk Assessment → Implementation → Monitoring → Evaluation → Enhancement. 

Core Phases: 
  1. Define Requirements: Establish security objectives and policies. 

  2. Assess Risks: Identify threats, evaluate risks, and select suitable controls. 

  3. Implement Controls: Apply and operate security measures aligned with business goals. 

  4. Monitor and Review: Evaluate control effectiveness and performance. 

  5. Improve Continuously: Adapt and enhance IA capabilities based on measurable outcomes. 

Integrating this lifecycle into governance and planning helps organizations stay resilient and aligned with evolving security and regulatory needs. 

Entities are encouraged to integrate IA processes within existing Information Security Management Systems (ISMS) or enterprise governance structures to streamline coordination and reporting. 

Risk-Based Approach 

The standard promotes a risk-driven methodology, ensuring that organizations prioritize controls based on the potential impact of cyber threats. Instead of enforcing uniform compliance, it allows entities to tailor security requirements according to their environment, data sensitivity, and criticality. 

Figure 1: The Risk-Based Approach Process (UAE IA Standard V2, 2025)

This approach ensures that high-impact systems such as national infrastructure or citizen data platforms receive the highest level of protection, while lower-risk environments maintain proportional safeguards.

Stakeholder Roles 

The IA ecosystem operates through shared responsibility among key stakeholders: 

  • Cybersecurity Council (CSC): Develops, maintains, and audits the standard to ensure national consistency. 

  • Sector Regulators: Oversee compliance within their domains and report status to the CSC. 

  • Entities and Organizations: Implement controls, conduct assessments, and submit compliance reports. 

This layered governance model ensures that accountability flows from policy to practice across all levels of the national cybersecurity framework. 

Control Summary and Compliance 

The UAE IA Standard V2 (2025) defines a clear, measurable control structure that enables organizations to understand, implement, and report their cybersecurity maturity with precision. The standard introduces an updated control taxonomy that enhances visibility and consistency across sectors. 

Control Breakdown 

The framework is organized into a multi-layered hierarchy of controls that capture both management and technical dimensions:

Category                     Count   Description
Control Families             15      Core security domains divided into Management (M1–M6) and Technical (T1–T9).
Sub-Families                 47      Thematic groupings within each family for focused control management.
Controls                     134     Main requirements defining security outcomes (70 always applicable + 64 risk-based).
Sub-Controls                 449     Detailed implementation steps ensuring completeness and consistency.
Always Applicable Controls   70      Mandatory for all entities, regardless of risk or sector.
Risk-Based Controls          64      Applied based on organizational impact, data sensitivity, and operational risk.

This structure provides flexibility, enabling entities to scale implementation based on their operational scope while maintaining alignment with national objectives. 

Compliance Measurement and Maturity 

The standard introduces a five-level maturity model that measures how effectively an organization adopts and maintains IA controls: 

  1. Initial (Level 1): Ad-hoc or informal processes. 

  2. Developing (Level 2): Basic control implementation without complete documentation. 

  3. Defined (Level 3): Established and documented processes. 

  4. Managed (Level 4): Monitored, measured, and reviewed performance. 

  5. Optimized (Level 5): Continuous improvement and predictive risk management. 

Each entity is expected to achieve and sustain an acceptable maturity level defined by the UAE Cybersecurity Council (CSC) and its respective sector regulator. 

Monitoring and Auditing 

Compliance is not a one-time certification but an ongoing process. Entities must: 

  • Conduct annual internal audits and third-party reviews. 

  • Submit regular compliance reports to their sector regulator and the CSC. 

  • Maintain evidence such as policies, configurations, logs, and risk assessments for verification. 

  • Address non-compliance findings through Corrective Action Plans (CAPs) and post-assessment reviews. 

This continuous oversight ensures that national cybersecurity readiness remains dynamic, measurable, and verifiable. 

Reporting Obligations 

All entities within the framework’s scope must report: 

  • Incident notifications within 6 hours of detection. 

  • Quarterly compliance updates summarizing control progress. 

  • Annual IA Maturity Assessments validated by management. 

These reporting requirements establish a transparent and accountable mechanism that enables the CSC to monitor systemic risks, identify sectoral weaknesses, and coordinate national cyber defence initiatives. 

By combining structured control design with robust compliance oversight, the UAE IA Standard V2 (2025) transforms cybersecurity governance into a continuous, evidence-based process that strengthens both individual entities and the nation’s collective resilience. 

Alignment with Global Frameworks 

One of the defining strengths of the UAE IA Standard V2 (2025) is its harmonization with globally recognized cybersecurity frameworks. By aligning its structure, terminology, and control logic with international best practices, the UAE ensures that organizations operating under its jurisdiction can achieve global interoperability while meeting national compliance obligations. 

Integration with ISO/IEC 27001:2022 

The updated IA Standard closely aligns with ISO/IEC 27001:2022, the international benchmark for information security management systems (ISMS). 

Key points of alignment include: 

  • Governance and Risk Management: Mirrors ISO’s requirements for risk assessment, treatment, and continual improvement. 

  • Leadership and Commitment: Reinforces the need for executive oversight, aligning with ISO’s Clause 5. 

  • Performance Evaluation: Incorporates similar monitoring, measurement, and audit mechanisms. 

This alignment enables ISO-certified entities to seamlessly integrate UAE IA controls into their existing ISMS, reducing duplication and effort. 

Mapping to NIST SP 800-53 (Rev. 5) 

The IA Standard also references the U.S. National Institute of Standards and Technology (NIST) SP 800-53 Revision 5, known for its comprehensive control catalog. 

Alignment highlights include: 

  • Control Families: The IA Standard’s 15 families map onto NIST SP 800-53’s 20 control families, providing broad coverage from access control to contingency planning. 

  • Risk Management Framework (RMF): The UAE’s risk-based approach parallels the NIST RMF (SP 800-37) “Prepare–Categorize–Select–Implement–Assess–Authorize–Monitor” cycle. 

  • Continuous Monitoring: Both frameworks emphasize ongoing visibility and adaptive risk management rather than static compliance. 

This connection enables multinational organizations to standardize their security governance across the UAE and international operations. 

Consistency with CIS Controls v8 

The IA Standard adopts several best practices from the Center for Internet Security (CIS) Controls v8, focusing on operational hygiene and measurable security outcomes. 

Examples include: 

  • Asset and Access Management: Ensuring comprehensive inventory and control over devices and users. 

  • Vulnerability Management: Routine patching and exposure monitoring. 

  • Incident Response: Establishing structured processes for detection, reporting, and recovery. 

These practical, control-level similarities help organizations transition smoothly from tactical to strategic cybersecurity management. 

Alignment with Regional and Sectoral Frameworks 

The UAE IA Standard also complements other regional and sector-specific cybersecurity guidelines, creating a coherent ecosystem of defence: 

  • DESC Information Security Regulation (ISR) v3: Integrates with Dubai’s digital governance requirements. 

  • National Third-Party Security Policy: Reinforces vendor risk management and data-sharing safeguards. 

  • SAMA Cybersecurity Framework and the legacy NESA IA Standard: Maintains continuity with the UAE’s own predecessor framework (issued by the former National Electronic Security Authority, NESA) and consistency with the Saudi Arabian Monetary Authority (SAMA) framework, enabling regional interoperability for cross-border operations. 

Strategic Advantage of Global Alignment 

By synchronizing with leading international frameworks, the UAE IA Standard: 

  • Simplifies multi-framework compliance for global organizations. 

  • Improves audit efficiency through unified control mappings. 

  • Positions the UAE as a cybersecurity leader, driving both national protection and international trust. 

This global alignment ensures that entities adopting the IA Standard not only strengthen their local resilience but also achieve recognition on a worldwide cybersecurity maturity scale. 

Prioritization of Controls Implementation 

The concept of prioritization enables a phased, incremental implementation of the UAE IA Standard security controls. It is important to note that control priority does not equate to control criticality. The priority levels assigned to each control (P1, P2, P3, P4) are intended to help entities plan the sequence of their implementation efforts, rather than dictate that a specific control is inherently more critical than another. 

Figure 2: Prioritization of Controls (UAE IA Standard V2, 2025)

The prioritization approach of the UAE IA Standard is based on the relative impact of security controls in helping implementing entities to: 

  • Mitigate common threats 

  • Build foundational IA capabilities 

Based on these criteria, the security controls are grouped into four priority levels, P1, P2, P3, and P4, in descending order of implementation priority (not of criticality), and the prioritization outcomes are included in Annex C. 

While all applicable security controls across the four priority levels are mandatory for critical entities, they are required to begin implementing them with P1 security controls, given their highest relative impact in protecting against critical threats and in building foundational information assurance capabilities. 

Implementing entities may promote or demote the suggested priority of a control based on the outcomes of their risk assessments, except for top-priority (P1) controls, whose priority cannot be changed. 
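To make the applicability and prioritization rules concrete, the following added Python example (not code from the standard, the CSC, or Genesis; the control IDs, risk triggers and priorities are constructed for illustration and do not reproduce Annex C) filters a control catalog down to the controls that apply to one entity, applies the entity’s requested priority changes while refusing any change to a P1 control, and emits the phased implementation plan.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Control:
    """One security control as a planning tool would track it.
    IDs, priorities and triggers in CATALOG below are constructed for illustration."""
    control_id: str
    family: str                          # control family, e.g. "T5" (IAM) or "M2" (risk mgmt)
    priority: int                        # suggested priority P1..P4, stored as 1..4
    always_applicable: bool              # True for the "always applicable" controls
    risk_trigger: Optional[str] = None   # risk-register tag that activates a risk-based control


@dataclass
class RiskAssessment:
    """Outcome of the entity's risk assessment: risk tags above appetite, plus any
    requested priority changes (control_id -> new priority)."""
    active_risks: Set[str]
    priority_overrides: Dict[str, int] = field(default_factory=dict)


def applicable_controls(catalog: List[Control], ra: RiskAssessment) -> List[Control]:
    """Always-applicable controls bind every entity; a risk-based control applies
    only when its trigger appears among the entity's active risks."""
    return [
        c for c in catalog
        if c.always_applicable
        or (c.risk_trigger is not None and c.risk_trigger in ra.active_risks)
    ]


def check_override(c: Control, new_priority: int) -> Optional[str]:
    """Return a rejection reason, or None if the promote/demote request is allowed.
    P1 controls are locked; other controls may move anywhere within P1..P4."""
    if new_priority == c.priority:
        return None
    if c.priority == 1:
        return f"{c.control_id}: P1 controls cannot be re-prioritized"
    if not 1 <= new_priority <= 4:
        return f"{c.control_id}: priority must be P1..P4, got P{new_priority}"
    return None


def apply_overrides(controls: List[Control], ra: RiskAssessment) -> List[Control]:
    """Apply the entity's priority changes, raising on any disallowed request."""
    result = []
    for c in controls:
        new_priority = ra.priority_overrides.get(c.control_id, c.priority)
        reason = check_override(c, new_priority)
        if reason is not None:
            raise ValueError(reason)
        result.append(replace(c, priority=new_priority))
    return result


def phased_plan(controls: List[Control]) -> Dict[int, List[str]]:
    """Group applicable controls into the four implementation phases, P1 first."""
    plan: Dict[int, List[str]] = {1: [], 2: [], 3: [], 4: []}
    for c in sorted(controls, key=lambda c: (c.priority, c.control_id)):
        plan[c.priority].append(c.control_id)
    return plan


def build_plan(catalog: List[Control], ra: RiskAssessment) -> Dict[int, List[str]]:
    """Applicability filter, then overrides, then phasing."""
    return phased_plan(apply_overrides(applicable_controls(catalog, ra), ra))


# Constructed mini-catalog with hypothetical control IDs.
CATALOG = [
    Control("M2.1", "M2", 1, True),                             # risk assessment methodology
    Control("T5.1", "T5", 1, True),                             # MFA for privileged/remote access
    Control("T9.1", "T9", 3, True),                             # business continuity plan
    Control("T4.2", "T4", 2, False, "internet-facing"),         # IDS/IPS on exposed segments
    Control("T6.3", "T6", 2, False, "third-party-processing"),  # vendor assurance monitoring
    Control("T2.4", "T2", 4, False, "own-datacentre"),          # environmental monitoring
]

if __name__ == "__main__":
    # Entity with internet-facing systems that wants to pull its BCP control forward to P2.
    ra = RiskAssessment(active_risks={"internet-facing"}, priority_overrides={"T9.1": 2})
    for phase, ids in build_plan(CATALOG, ra).items():
        print(f"P{phase}: {ids}")
```

Risk-based controls whose trigger is absent from the risk register (here T6.3 and T2.4) drop out of the plan entirely, while the promotion of T9.1 from P3 to P2 is accepted; a request to move T5.1 would be rejected because it is P1. Keeping the rejection reason in `check_override` rather than only raising makes the rule easy to surface in a compliance dashboard.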

Genesis assists businesses in identifying and reducing their attack surface while also managing and collaborating with third parties.

Registered Office Address: Hamdan Innovation Incubator, Dubai, UAE

© Copyright Genesis Platform 2025, All Rights Reserved