UAE Information Assurance Standard v2.0

Comprehensive Cybersecurity Controls (CSC) for organizations operating in the United Arab Emirates

Control Families

Management Controls (M1–M6)

M1 Governance: Leadership, policies, and oversight
M2 Risk Management: Risk assessment and treatment processes
M3 Asset Management: Inventory and classification of assets
M4 Human Resources: Personnel security and training
M5 Third-Party Management: Supplier and vendor risk
M6 Incident Management: Detection, response, and recovery

Technical Controls (T1–T9)

T1 Access Control: Authentication and authorization
T2 Network Security: Segmentation, firewalls, IDS/IPS
T3 Data Protection: Encryption, DLP, backup
T4 Communications Security: Email, TLS, DMARC, SPF
T5 System Hardening: Configuration, patching, logging
T6 Application Security: SDLC, code review, vulnerability management
T7 Cloud Security: IaaS, PaaS, SaaS controls
T8 IoT & OT Security: Industrial control systems
T9 Resilience & Recovery: Business continuity, DR

Priority-Based Scoring Model

Controls are assigned priorities (P1–P4) based on risk and impact. Scoring uses weighted points, and any unmet P1 control triggers a Critical flag regardless of the overall percentage.

P1 Critical: weight 4 points
P2 High: weight 3 points
P3 Medium: weight 2 points
P4 Low: weight 1 point

Critical Flag: If any P1 control is non-compliant, the assessment is flagged as CRITICAL even if the overall score is high. This ensures foundational security controls are not bypassed.