Abu Dhabi Healthcare Cybersecurity: ADHICS v2 Compliance Guide (2026)

Abu Dhabi Healthcare Cybersecurity: ADHICS v2 Compliance Guide (2026)

Abu Dhabi Healthcare Cybersecurity: ADHICS v2 Compliance Guide (2026)

ADHICS v2 Compliance for Abu Dhabi Healthcare: The vCISO Guide (2026)

If your organisation handles health information in the Emirate of Abu Dhabi, ADHICS compliance is mandatory and tied to your licence. The Abu Dhabi Healthcare Information and Cyber Security Standard is issued by the Department of Health (DoH), and the external audit against it is built into the health facility audit programme, linked to new facility registration and renewals. Fail it and your licensing is affected, not just your security posture.

Two things make ADHICS heavier than a normal certification, and both point to the same conclusion. It is continuous, not a one-time badge: you run periodic self-assessments across every control, submit through the DoH portal, and sit a multi-stage audit. And it names the role directly. Section 2.1.3 of the standard requires the entity to appoint a Chief Information Security Officer, or an equivalent resource, to lead the security workgroup and act as the point of contact with the regulator. For most clinics, centres, and mid-size payers, hiring that person full time is hard to justify, yet the role has to be filled and the quarterly cycle has to run. A virtual CISO answers both.

This guide covers who ADHICS applies to, how it is structured, the CISO requirement, how the three-stage audit works, the self-assessment cycle, what the auditor expects to see, and how the vCISO route works.

Your vCISO in the UAE and Middle East
A named security leader of record, backed by a delivery team that builds the programme, not just advises. From $2,500 / mo

Who ADHICS applies to

ADHICS applies to any entity in Abu Dhabi that generates, accesses, stores, uses, processes, or transmits health information. The standard names three broad categories, and the reach is wider than hospitals:

  • Healthcare facilities, from single clinics to large hospitals

  • Payers, meaning insurers and third-party administrators

  • Healthcare technology and service providers that touch health information

The standard treats health information as a highly classified data element to be protected across its lifecycle. If your systems hold patient data, connect to Malaffi (the Abu Dhabi Health Information Exchange), or support a licensed facility, you are in scope.

Which controls apply depends on your classification. ADHICS sorts controls into three cumulative tiers, and your entity type and size set the level you have to reach:

  • Basic. Essential controls that apply to every entity by default.

  • Transitional. Adds to Basic. Applies to hospitals with a bed capacity of 1 to 20, and to centres such as diagnostic, dialysis, fertilisation (IVF), and rehabilitation centres.

  • Advanced. Adds to Basic and Transitional. Applies to hospitals with a bed capacity of 21 and above, to the Health Information Exchange (Malaffi), and to payers, meaning insurers and third-party administrators.

To reach Transitional you must meet all Basic and all Transitional demands. To reach Advanced you must meet all three. The compliance timeline is short: within six months of programme onboarding or the standard's release, whichever comes first.

How ADHICS is structured

ADHICS v2 (document reference DOH/SD/ICSO/ADHICS/V2/2024, published May 2024, effective August 2024) is organised into two parts:

  • Section A sets the governance and management requirements: the governance structure, risk management, the Statement of Applicability, and compliance.

  • Section B sets the control requirements across the technical and operational domains.

Together they hold 131 controls, each with its own sub-controls and a tier tag of Basic, Transitional, or Advanced. The control domains an auditor works through are the governance and management set, then the control set:

  • Governance Framework, Risk Management, Statement of Applicability, and Compliance

  • Human Resources Security

  • Asset Management

  • Physical and Environmental Security

  • Access Control

  • Communications and Operations Management

  • Data Privacy and Protection

  • Cloud Security

  • Third Party Security

  • Information Systems Acquisition, Development and Maintenance

  • Information Security Incident Management

  • Information Systems Continuity Management

The controls carry cross-references to the national UAE Information Assurance framework, so an ADHICS programme and a UAE IAR programme share a large part of their control base. If you also carry a national IAR obligation, the two align rather than duplicate, and we cover that framework in the UAE IAR guide.

ADHICS names the CISO. It is not optional.

Where some regulators require the substance of a security leadership role without naming it, ADHICS is explicit. Section 2.1.3 states that the entity shall appoint a Chief Information Security Officer, or an equivalent resource, to lead the security workgroup. The standard sets a governance structure with three layers:

  • The Information Security Governance Committee (ISGC) sits at the top and governs the programme.

  • The CISO leads the security workgroup, reports to the ISGC, and acts as the entity's point of contact with the sector regulator.

  • The implementation stakeholders, meaning information security officers, IT professionals, bio-medical staff, and business representatives, run the day-to-day controls.

The CISO's mandate under the standard is broad. It covers the security architecture and strategy, maintaining the policies, overseeing control implementation, running training and awareness, securing medical devices and equipment, coordinating incident investigation, and reporting security effectiveness through audits and KPIs to the ISGC. This is a real accountable role, and a nominal appointment that cannot carry it will show during an audit.

That is the crux for most entities. The standard requires a credible CISO and an active governance structure, but a mid-size clinic, a diagnostic centre, or a regional payer rarely has the volume to justify a full-time security executive. The role still has to exist, and the work behind it does not pause between audits.

How the ADHICS audit works

The external audit runs in three stages, and it is document-heavy from the start. Understanding the shape of it is the difference between walking in ready and scrambling.

  • Pre-audit. You submit a process-evaluation questionnaire and supporting documentation in advance. The questionnaire captures your entity details, DoH licence numbers, personnel counts, how your sites and functions are centralised, your datacentre arrangements, and factors of complexity. This sets the scope and the baseline the auditor works from.

  • Phase 1. A process and governance review, run mostly as interviews, working domain by domain through the agenda: governance, risk, the Statement of Applicability, and compliance first, then human resources, asset management, physical security, access control, operations, data privacy, cloud, third party, systems development, incident management, and continuity. The auditor checks that the processes exist, are owned, and are operating.

  • Phase 2. A more applied, technical assessment. This goes beyond documents to test how controls actually run, including identifying misconfigurations in live systems. A control that reads well on paper but is misconfigured in practice fails here.

There is a hard bar to clear. DoH requires a minimum of 70 percent compliance in every domain, not on average. Because the threshold is per domain, a strong overall position cannot offset one weak area: a single domain below the line is a finding you have to close. That per-domain floor is what turns ADHICS preparation from a box-ticking exercise into disciplined, evidence-backed work across all of the control areas at once.

The whole process runs through the DoH portal, from the pre-audit submission to the evidence and the results.

The self-assessment never really stops

ADHICS compliance is monitored continuously, not just at audit time. You run a self-assessment against all 131 controls and their sub-controls, in the form of a Statement of Applicability: for each control you record whether it is implemented, and for any control you classify as Not Applicable you provide documentary evidence justifying the exclusion. You then submit your updated compliance status to DoH through the portal on a recurring cycle, with your roadmap timelines and any deviations.

In practice this is a quarterly rhythm with firm deadlines, and it is the part organisations underestimate most. The self-assessment is not a form you fill once. Each cycle you have to re-evidence that controls are still operating, update the register after any change, and reconcile your position against the standard before you submit. Between the quarterly self-assessments, the audit preparation, the portal submissions, and the ongoing liaison with the regulator, ADHICS behaves less like a project with an end date and more like a standing function that needs someone accountable running it week to week.

What the auditor expects to see

An ADHICS audit turns on evidence, and the auditor works to a defined list per domain. The governance layer and the first control domains give the shape of it. Grouped by domain, the records an auditor expects include the following.

Governance (Section A):

  • Information security governance committee meeting minutes and records

  • The risk register

  • A controlled document tracker

  • A compliance tracker and legal register

  • The information security internal audit plan

  • Internal audit reports and an action tracker

Human Resources Security:

  • An active employee list with employee ID, name, joining date, and job role

  • A leavers list

  • Access creation and exit records

  • Confidentiality agreements

  • Background verification records

  • Information security awareness training records

  • Disciplinary action records and a tracker

Asset Management:

  • An asset inventory

  • Preventive maintenance and PPM records

  • Asset disposal records

Physical and Environmental Security:

  • A secure areas list

  • A physical key register

  • Periodic access reconciliation reports for physical access

  • Maintenance records for CCTV, UPS, and similar equipment

  • The ADMCC report

  • A visitor logbook

  • A register for incoming and outgoing materials

Access Control, operations, data privacy, cloud, third party, development, incident management, and continuity each carry their own evidence sets in the same pattern: the access creation and revocation process and periodic access reviews, operating and monitoring records, data protection and consent records, cloud and supplier assessments, secure development records, the incident log and response evidence, and tested continuity and recovery results. The common thread is that the auditor wants records that prove the control operates, tied to dates and owners, not just a policy that describes it.

Why hiring a full-time CISO first is usually the wrong call

ADHICS requires a CISO, but for most entities in scope a permanent executive hire is the wrong first move. The reasons differ slightly from a one-time certification, because ADHICS is continuous:

  • Cost against size. An experienced CISO in the UAE commands a senior-executive salary, broadly in the AED 400,000 to 700,000 a year range. A single clinic, a diagnostic centre, or a regional payer rarely has the risk profile or the budget to carry that as a full-time line.

  • The work is ongoing, not one big push. The load is a steady quarterly cycle of self-assessment, evidence upkeep, portal submissions, audit preparation, and regulator liaison. It needs a role reliably filled and a cadence reliably run, which is a different thing from a full-time headcount.

  • The bar is specific. The person has to satisfy the standard, front a DoH audit, understand healthcare and medical-device security, and run the portal process. That profile is expensive, and the affordable hire rarely clears it.

How a vCISO runs your ADHICS compliance

A virtual CISO takes the accountable security role on a retained basis, and for ADHICS the fit is direct, because Section 2.1.3 requires exactly this appointment. The vCISO is named as your CISO of record and carries the mandate the standard assigns, while you pay for the level of involvement the entity needs. In an ADHICS engagement that means:

  • Serving as the appointed CISO, leading the security workgroup, and standing up the Information Security Governance Committee

  • Classifying the entity and building the Statement of Applicability across all 131 controls at the correct tier

  • Running the quarterly self-assessment cycle and keeping the evidence current between submissions

  • Preparing for and fronting the three-stage audit, including the pre-audit questionnaire, the Phase 1 interviews, and the Phase 2 technical assessment

  • Remediating findings and misconfigurations, and keeping every domain above the compliance floor

  • Acting as the point of contact with DoH and managing the portal submissions

  • Covering the healthcare-specific demands the standard adds, from medical-device security to the health information lifecycle

Two adjacent capabilities usually sit alongside the role. The incident management and continuity domains need real detection and response behind them, which is where a managed SOC earns its place. And the data privacy and protection domain overlaps heavily with UAE PDPL, so the same engagement can often carry the Data Protection Officer role, covered in our UAE PDPL compliance guide.

Choosing a vCISO for ADHICS work

ADHICS is specific to Abu Dhabi healthcare, and an arrangement built for a generic company will not hold up in a DoH audit. A few checks before you appoint anyone:

  • Healthcare and ADHICS experience, not just ISO. Has the person run the ADHICS domains, the tier classification, and the Statement of Applicability, or only general enterprise security?

  • Portal and regulator fluency. The role includes DoH liaison and portal submissions. Ask whether the person has run the process end to end.

  • Evidence discipline. ADHICS audits, and the 70 percent per-domain floor, turn on evidence quality tied to owners and dates, not a folder of policies.

  • Capacity for the cycle. The quarterly self-assessment and continuous upkeep need reliable dedicated time, not ad hoc attention.

  • Delivery, not advice. The requirement is to build the programme, run the cycle, and front the audit, not to hand over a gap report and leave execution to your team.

How Dynova handles ADHICS engagements

Dynova provides virtual CISO and DPO services to regulated firms in the UAE, including healthcare providers and payers. Our work covers the frameworks that matter here: ADHICS v2, the UAE Information Assurance Standards, ISO 27001, UAE PDPL, and the wider set of UAE regulatory regimes. We have run ADHICS remediation programmes end to end, including tier classification, Statement of Applicability and self-assessment population, asset-based risk registers, corrective action planning, and portal submissions to DoH, and we led OGold's ISO 27001 certification with BSI in six months from a standing start.

The model is built for how ADHICS actually lands. A senior CISO takes the appointed role the standard requires, builds the governance and the Statement of Applicability, runs the quarterly self-assessment and the audit cycle, and manages the DoH relationship, without the entity carrying a full-time C-level salary. If you are weighing that against a permanent hire, we set out the numbers in Virtual CISO vs Full-Time CISO.

If you handle health information in Abu Dhabi and need a credible CISO of record and the capacity to run ADHICS week to week, we can take the role and the work that comes with it. Book a call and we will map your entity classification, your applicable controls, and where your gaps sit.

Frequently asked questions

Is ADHICS mandatory?

Yes. The Abu Dhabi Healthcare Information and Cyber Security Standard is issued by the Department of Health and applies to any entity in Abu Dhabi that handles health information. The external audit against it is integrated into the health facility audit programme and linked to facility registration and renewal, so compliance affects licensing.

Who has to comply with ADHICS?

Healthcare facilities from single clinics to hospitals, payers meaning insurers and third-party administrators, and healthcare technology and service providers that touch health information. Which controls apply depends on your classification into Basic, Transitional, or Advanced, set by your entity type and size.

How many controls are in ADHICS v2?

131 controls, each with sub-controls, split across Section A (governance and management) and Section B (the control domains). Each control is tagged Basic, Transitional, or Advanced, and the tiers are cumulative.

Does ADHICS require a CISO?

Yes, explicitly. Section 2.1.3 of the standard requires the entity to appoint a Chief Information Security Officer, or an equivalent resource, to lead the security workgroup and act as the point of contact with the regulator, reporting to the Information Security Governance Committee. A vCISO can fill this appointed role.

What compliance score do you need to pass an ADHICS audit?

DoH requires a minimum of 70 percent compliance in every domain, assessed per domain rather than on average, so a weak domain cannot be offset by strong ones. Confirm the current threshold and its application with DoH, as compliance requirements are updated over time.

How often is the ADHICS self-assessment?

Compliance is monitored continuously through a self-assessment against all 131 controls, in Statement of Applicability form, submitted to DoH through the portal on a recurring cycle, in practice quarterly with firm deadlines. Any control classified as Not Applicable needs documentary justification.

Does ISO 27001 help with ADHICS?

It gives a head start. ADHICS shares much of its control base with ISO 27001 and the UAE Information Assurance framework, so a live ISO 27001:2022 ISMS covers a good share of the governance and management controls. It does not cover the ADHICS-specific tiers, the healthcare and medical-device requirements, the DoH audit and portal process, or the per-domain compliance floor.

Can a vCISO run our ADHICS compliance?

Yes. A vCISO can serve as the appointed CISO the standard requires, build the governance and Statement of Applicability, run the quarterly self-assessment, front the three-stage audit, and manage the DoH portal and liaison, on a retained basis rather than a full-time salary.

Related: UAE IAR Compliance (NESA IAS): A vCISO Guide · CBUAE Cybersecurity Requirements: A vCISO Compliance Guide · UAE PDPL Compliance: A vCISO and DPO Guide

Experience

Guide

Get started

Don’t scale security harder. Scale smarter.

Dynova provides Virtual CISO (vCISO) and Fractional CISO services in Dubai and across the UAE, from security strategy and CBUAE, VARA, ISO 27001, PCI DSS and SOC 2 compliance to hands-on execution, security testing, and code review.

Info: info@business-ciso.com 

Incident Report: soc@business-ciso.com


Dynova Services LLC-FZ, License 2644102.01, Issued by Meydan Free Zone, Dubai, UAE

Get started

Don’t scale security harder. Scale smarter.

Dynova provides Virtual CISO (vCISO) and Fractional CISO services in Dubai and across the UAE, from security strategy and CBUAE, VARA, ISO 27001, PCI DSS and SOC 2 compliance to hands-on execution, security testing, and code review.

Info: info@business-ciso.com
Incident Report: soc@business-ciso.com


Dynova Services LLC-FZ,

License 2644102.01,

Issued by Meydan Free Zone, Dubai, UAE

Get started

Don’t scale security harder. Scale smarter.

Dynova provides Virtual CISO (vCISO) and Fractional CISO services in Dubai and across the UAE, from security strategy and CBUAE, VARA, ISO 27001, PCI DSS and SOC 2 compliance to hands-on execution, security testing, and code review.

Info: info@business-ciso.com

Incident Report: soc@business-ciso.com


Dynova Services LLC-FZ, License 2644102.01,

Issued by Meydan Free Zone, Dubai, UAE