
UAE IAR Compliance (NESA IAS): Requirements and the vCISO Guide (2026)
UAE IAR compliance means implementing the UAE Information Assurance Standards, the national security framework most people still call NESA, and then proving that implementation to your sector regulator through an independent assessment that reaches the score the regulator sets. It is not a self-graded checklist. Two features separate it from a generic security programme: a share of the controls are mandatory regardless of your risk profile, and your compliance has to be validated by someone other than the people who built it.
The standard does not merely recommend a security owner. It makes one mandatory. Control M1.1.3, Roles and Responsibilities for Information Security, is flagged Always Applicable, which means it applies regardless of your risk assessment, and it requires top management to appoint a leadership member with overall responsibility for the security programme, backed by a dedicated security function, alongside an Information Security Committee to govern it. The standard even names the Chief Information Security Officer as the typical holder of that role, while leaving the exact title to the entity. It also requires the security leadership to be kept separate from IT operations, with no conflict in reporting lines. That person owns the scope, the risk assessment, the remediation, the evidence, and the relationship with the assessor and the regulator. For most firms in scope, hiring them full time is expensive and badly matched to how the work falls, because the heaviest effort clusters around the assessment and then drops to steady-state oversight. A virtual CISO fills the role without the full salary.
This guide covers what IAR is, who has to comply, what the standard requires, why the independent assessment and the score matter, where programmes lose points, and how the vCISO route works.
Your vCISO in the UAE and Middle East
A named security leader of record, backed by a delivery team that builds the programme, not just advises. From $2,500 / mo
NESA, IAR, IAS: the names, cleared up
The terms get used interchangeably, which causes confusion. The framework was built by the National Electronic Security Authority (NESA), a federal body established in 2012. NESA was later renamed the Signals Intelligence Agency (SIA), and national cybersecurity is now coordinated by the UAE Cyber Security Council (CSC), which owns and maintains the standard. The standard sits within the UAE's National Cyber Security Strategy and the Critical Information Infrastructure Protection framework.
So when you see NESA compliance, UAE IAR (Information Assurance Regulation), or UAE IAS, they point to the same body of requirements. This guide uses IAR for the obligation and IAS for the control set. The framework is not frozen: the current version is Version 2, published in September 2025, and it was rebased onto the 2022 editions of the ISO 27000 standards, which matters if you are relying on older guidance or an older gap assessment. More on that below.
Who has to comply
IAR compliance is mandatory for federal and local government entities, semi-government bodies, and operators of critical information infrastructure. Private-sector firms are pulled in two ways: by being classified as critical infrastructure, or through a sector regulator adopting the IAS as the security baseline for the entities it licenses. The critical sectors include energy, transport, healthcare, telecommunications, banking, and insurance.
The financial sector is the clearest case. The Central Bank of the UAE requires every institution it licenses to run a technology risk and information security programme as a condition of that licence, and for payment service providers the UAE Information Assurance Standards are named as the minimum baseline in Article 13 of the Retail Payment Services and Card Schemes Regulation (Circular 15/2021). The obligation reaches well beyond banks and traditional payment firms:
Finance companies and exchange houses.
Stored value facility (e-wallet) providers, under the Stored Value Facilities Regulation (Circular 6/2020).
Payment token (stablecoin) providers, under the Payment Token Services Regulation (Circular 2/2024).
Open Finance Providers, under the Open Finance Regulation (Circular 3/2025), whose Article 31 requires a technology and cyber security risk management framework, an IT governance structure, and secure authentication and communication standards.
The newer regimes tend to reference recognised international standards rather than naming the UAE IA Standards line by line, but the security substance is the same, and the CBUAE can issue further cybersecurity standards on top. The 2025 CBUAE Law (Federal Decree-Law No. 6 of 2025) widened this perimeter again to bring in open finance, payment services using virtual assets, and enabling technology providers, with newly in-scope firms required to hold a licence by 16 September 2026. We cover this pathway in the CBUAE compliance guide. The reporting chain runs upward: an entity reports its compliance to its sector regulator, and the regulator reports to the SIA.
One boundary is worth stating so you scope this correctly. The federal IAR applies onshore and to critical infrastructure. Entities in the DIFC and ADGM financial free zones sit under their own regulators, the DFSA and the FSRA, with separate cyber and data protection regimes rather than the federal IAS. The cross-regulator Guidelines for Financial Institutions adopting Enabling Technologies, issued jointly by the CBUAE, SCA, DFSA, and FSRA, do apply across all of them.
The practical test is simple. If you operate critical services, hold sensitive data at scale, or hold a licence from a regulator that references the IAS or requires an equivalent security framework, you are in scope, and the number of firms that discover this only during a licence review or an audit is not small.
What the standard requires
The IAS is one document with a defined structure, and Version 2 (September 2025) rebased it onto current international standards:
ISO/IEC 27001:2022 and ISO/IEC 27002:2022, for the management system and the controls.
ISO/IEC 27005:2022, for the risk methodology.
NIST SP 800-53 Revision 5 and the CIS Critical Security Controls Version 8, for additional control depth.
The Dubai DESC Information Security Regulation Version 3.
If you have seen the framework described as a set of 188 controls built on the older ISO 27001, that was the earlier version. Version 2 restructured the control set and updated the international baseline, so a gap assessment run against the old edition will miss changes.
The controls sit in two groups. Six management families cover governance and process:
M1 Strategy and Planning
M2 Information Security Risk Management
M3 Awareness and Training
M4 Human Resource Security
M5 Compliance
M6 Performance Evaluation and Improvement
Nine technical families cover the defences:
T1 Information Asset Management
T2 Physical and Environmental Security
T3 Operations Management
T4 Network Security
T5 Identity and Access Management
T6 Third Party Security
T7 Information Systems Acquisition, Development and Maintenance
T8 Information Security Incident Management
T9 Information Systems Continuity Management
Each family breaks into sub-families and individual controls, and each control carries mandatory sub-controls. Every control is tagged either Always Applicable or applicable based on the risk assessment, and each also carries a priority from P1 to P4. Two rules then govern which controls you have to implement, and getting the distinction wrong is the most common early mistake:
Always Applicable controls are mandatory for any entity claiming compliance, regardless of risk profile. Omitting one, or any of its sub-controls, is a non-conformity, full stop. The governance controls that anchor the whole programme sit here, including M1.1.3 on roles and responsibilities.
Risk-based controls are selected through the risk assessment mandated by the M2 family. If you exclude one, you have to justify the exclusion with evidence and record that an accountable person or authorising body accepted the associated risk. You cannot skip a control because it is inconvenient.
The combined set, the always-applicable controls plus the ones your risk assessment pulls in, is what the standard calls mandatory, and it is the explicit basis of the compliance monitoring scheme. The standard also attaches performance indicators to each control area; you can substitute your own, but you have to justify the deviation and set a measurable replacement. The domains will look familiar to anyone who has run an ISMS, which is the point: the closer you already are to ISO 27001:2022, the shorter the distance to IAR.
The part firms miss: it has to be independently assessed, and there is a score to hit
Two points here decide whether an IAR programme actually satisfies the regulator, and both are routinely underestimated.
First, the internal audit is not the whole of it, but the standard is explicit that even the internal audit must be independent. The M6 performance evaluation family requires the security controls to be subject to independent internal audits on a pre-defined schedule, with annual audits as the baseline and more frequent audits for critical entities. The standard stresses the independence of the auditor, and where that independence or the expertise cannot be found inside the entity, it allows external resources to perform the audit. The results go to the Information Security Committee, and findings have to be corrected in a timely manner. On top of that, demonstrating compliance to your sector regulator requires an external assessment of your control implementation by someone outside the team that built and runs it. In the regulated financial sector, the regulator expects that independent validation as a matter of course, not as an optional extra.
Second, there is a passing mark, and it does not come from the standard itself. The IAS defines the mandatory control set and its performance indicators as the basis of compliance monitoring, but it does not publish a numeric pass mark. That threshold comes from the sector regulator's assessment methodology. The assessment produces an overall compliance score across the applicable controls, and the regulator sets a minimum the entity has to reach and then sustain. For the programmes we work with, that mark is 86 percent. Falling short does not mean a quiet note in a report; it means a corrective action plan with deadlines, a re-assessment, and continued regulatory attention until you close the gap. A programme that looks complete on paper can still land below the line if the evidence is thin or controls are not operating in practice.
There is a governance consequence that follows directly from these two points, and it is one the one-stop vendors tend to gloss over. The party that builds and runs your programme should not be the same party that then attests to it independently. That is a conflict of interest, and a regulator can see it as one. The clean model separates the two roles: someone owns and prepares the programme, and an independent assessor validates it. Keep that separation and the assessment carries weight; blur it and you undermine the assurance you paid for.
Where IAR programmes lose points
The gaps that pull a score below the threshold repeat across engagements. Most are about evidence and operation rather than missing controls entirely. The ones worth checking before an assessor finds them:
Stale or excess access. Accounts belonging to former employees or contractors left active, privileged access reviewed once a year instead of quarterly, and multi-factor authentication not enforced for remote access. This sits in T5, Identity and Access Management, one of the most heavily assessed technical families, so these cost real points.
A risk register that is a document, not a process. The M2 risk assessment treated as a one-time exercise and never revisited after a cloud migration, a new system, or an infrastructure change. A static register from two years ago will not pass, because the standard requires ongoing review.
Patch management without an SLA or a trail. Critical patches applied ad hoc, with no documented service level and no record of completion dates or exceptions. Patch and vulnerability management sit in T3, Operations Management, alongside logging, backup, and configuration, and the evidence is what fails even where the patching itself happens.
An incident response plan that has never been run. Having a documented plan is necessary but not sufficient. T8, Information Security Incident Management, expects tested procedures, a maintained incident log, and a defined process for reporting to the sector regulator within the required timeframe. An untested plan is not a functioning control.
Training records that cannot be tied to people. Auditors want individual-level evidence: who was trained, on what, and when. An awareness programme described in the abstract, without per-employee records, does not satisfy the control.
Asset inventories that stop at hardware. T1, Information Asset Management, treats information, cloud services, and third-party systems as assets requiring classification and ownership. Inventories that list laptops and servers but omit data assets and cloud platforms leave a visible gap.
Backups that run but have never been restored. T9, Information Systems Continuity Management, expects a tested recovery with defined recovery time and recovery point objectives. A successful backup job is not evidence that you can actually recover.
What the assessor asks for
An IAR assessment runs on evidence. The assessor reviews your documented framework, then tests whether the controls actually operate through interviews, sampling, and inspection of records across governance, risk, security, operations, compliance, cloud, development, business continuity, incident management, and third-party management. Two categories decide the outcome: the documented set, and the operational evidence that proves the documents are more than shelfware. Because the current IAS is built on ISO 27001:2022, the documented set looks close to an ISO 27001 ISMS documentation suite, with UAE-specific additions.
The documented set
Mapped to the control families, the documents an assessor expects to see include the following.
Governance and management system (M1, M5, M6):
Information security scope, context, and interested-party requirements
The Information Security Policy and its supporting topic-specific policies
An ISMS manual and a process interaction overview
Roles, responsibilities, and authorities, including the security leadership appointment and the Information Security Committee terms of reference
Information security objectives and an implementation plan
A legal and regulatory requirements procedure and a compliance register
A procedure for control of documented information
Internal audit procedure, audit plan, and audit action log
Management review procedure, agenda, and minutes
Nonconformity and corrective action procedure and log
Security metrics, measurement, and KPI reporting
Risk management (M2):
A risk assessment methodology and process
A risk treatment process and a risk treatment plan
The risk register itself
People (M3, M4):
An awareness and training programme
A competence development procedure and its records
An HR security policy covering screening, employment terms, and exit
Acceptable use, internet use, and electronic messaging policies
Asset and access (T1, T5):
An asset management policy and an asset inventory that includes information, cloud, and third-party assets
An asset handling and classification procedure
An access control policy and identity and access management operating procedures
Operations and resilience (T3, T9):
Operating procedures for backup and recovery, vulnerability management, patch management, and logging and monitoring
Configuration and change management policy and process
A cryptographic policy and key management
Anti-malware, data leakage prevention, and technical vulnerability management policies
An ICT continuity plan and a continuity test plan, with recovery time and recovery point objectives
Network, physical, and development (T2, T4, T7):
A network security policy
Physical security and clear desk policies
Secure development and secure coding policies, and principles for engineering secure systems
Cloud services, mobile device, remote working, and BYOD policies
Third party (T6):
A supplier security policy and a supplier evaluation process
A supplier assessment questionnaire and third-party assessment records
Confidentiality and non-disclosure agreement templates
Incident and privacy (T8, with UAE PDPL overlap):
An incident response procedure and incident response plans for the main scenarios, such as ransomware, denial of service, and data breach
An incident log
A personal data breach notification procedure, notification form, and data-subject notification template, which also feed your UAE PDPL obligations
A records retention policy and a privacy and personal data protection policy
The operational evidence
Documents alone do not pass an assessment. The assessor samples records that show the controls run in practice:
Individual-level training completion records, tied to named people and dates
A live risk register with recent review dates, updated after significant changes
Access review records and evidence that leavers were deprovisioned
Patch records with completion dates and exceptions, and vulnerability scan reports
Penetration test and cyber-attack simulation reports, with remediation tracked to closure
Incident tickets and evidence that the incident response plan has been exercised, not just written
Backup logs and a tested recovery result measured against the recovery objectives
Logging and monitoring evidence, with retention in line with the policy
Supplier assessments on file for material third parties
Internal audit reports, management review minutes, and a corrective action log that shows findings closed
The volume is the reason the work is front-loaded, and the reason a vCISO earns the engagement. Assembling this set to the standard an assessor accepts, and then keeping it current, is most of the job.
Does ISO 27001 get you there?
Partly, and the overlap is worth using. Because the IAS is built on ISO 27001, an organisation running a current ISO 27001:2022 ISMS already has a large share of the management controls, the risk methodology, and the documentation the IAS expects. That is a strong head start, and UAE regulators recognise ISO 27001 as evidence of security management maturity.
It is not a substitute. ISO 27001 does not cover the UAE-specific always-applicable controls, the reporting obligations to the sector regulator, or the independent assessment against the passing score. The efficient path for most firms is to run ISO 27001 as the certification base and layer the IAR-specific controls and evidence on top, rather than treating either as covering the other. A firm that assumes its ISO certificate equals IAR compliance usually finds the gap during the assessment, at the worst possible time.
Why hiring a full-time CISO first is usually the wrong call
The IAS requires a senior accountable security owner, but that does not mean your first move should be a permanent executive hire. For most firms approaching an assessment, a full-time CISO is the wrong instrument, for three reasons:
Cost. An experienced CISO in the UAE commands a senior-executive salary, broadly in the AED 400,000 to 700,000 a year range, committed before the compliance work has delivered anything.
Workload shape. The effort is front-loaded. Scoping, the risk assessment, remediation across the management and technical controls, and building the evidence set is intense work concentrated over a few months. Once compliance is achieved, the role settles into monitoring, the annual re-assessment, and continual improvement. A full-time hire buys idle capacity after the peak.
The experience bar. The person needs to satisfy the regulator, face an independent assessor, and know the IAS methodology in detail. That candidate is expensive, and the affordable hire rarely clears the bar.
How a vCISO runs your IAR compliance
A virtual CISO takes the accountable security role on a retained, part-time basis, and for IAR the fit is direct, because control M1.1.3 requires exactly this appointment: a leadership member with overall responsibility for the security programme, backed by a dedicated security function, kept separate from IT. The vCISO owns the programme end to end and scales involvement to what the work needs at each stage. In an IAR engagement that means:
Defining the scope and the critical-infrastructure classification.
Running the M2 risk assessment that determines which risk-based controls apply.
Driving remediation across the management and technical families, with the always-applicable controls closed first.
Building the evidence set an assessor will accept: individualised training records, a live risk register, documented patch SLAs under T3, a tested incident response plan under T8 with a regulator-reporting procedure, and tested recovery under T9.
Maintaining the monitoring and the annual review that keep the score above the line, and preparing for and coordinating the independent assessment so you go in ready rather than hopeful.
The separation of duties holds throughout. The vCISO gets you ready and manages the engagement; the formal compliance assessment is done by an independent assessor, which keeps the attestation credible. Two adjacent capabilities usually sit alongside the role. The incident controls in T8 and the logging and monitoring controls in T3 need real detection and response behind them, not just a written plan, which is where a managed SOC earns its place. And the IAS data-protection and breach-handling controls overlap heavily with UAE PDPL obligations, so the same engagement can often carry the Data Protection Officer role, covered in our UAE PDPL compliance guide.
Choosing a vCISO for IAR work
Not every vCISO is equipped for this. IAR is specific to the UAE, and an arrangement built for a generic technology company will not hold up in an assessment. A few checks before you appoint anyone:
UAE IA Standards experience, not just ISO. Has the person worked against the IAS itself, including the always-applicable controls and the M2 risk methodology, or only against ISO 27001 and general enterprise security?
Evidence discipline. IAR assessments turn on evidence quality. The vCISO has to build records to the individual level auditors demand, not a folder of policy documents.
Regulator and assessor fluency. Someone who can face a sector regulator and an independent assessor directly, and position the programme to reach the score.
Delivery, not advice. The requirement is to build the programme and prepare it for assessment, not to hand over a gap report and leave execution to your team. Ask whether the person executes or only recommends.
Standing and credentials. Recognised certifications such as CISSP and CISM, alongside real UAE regulatory experience, give the appointment credibility with a regulator.
How Dynova handles IAR engagements
Dynova provides vCISO services and DPO-as-a-service to regulated firms in the UAE, including banks, fintechs, payment providers, and virtual asset businesses. Our work covers the frameworks that matter in this market: the UAE Information Assurance Standards, CBUAE technology risk requirements, ISO 27001, PCI DSS, UAE PDPL, and the VARA regime. We have migrated ISMS document suites onto the current UAE IAR requirements, built the evidence sets that assessments turn on, and led OGold's ISO 27001 certification with BSI in six months from a standing start.
The model is built for how IAR work lands. A senior CISO takes the accountable role, runs the scoping and risk assessment, drives remediation, builds the evidence, and prepares you for an independent assessment, then holds the steady-state oversight and the annual re-assessment, without the firm carrying a full-time C-level salary. If you are weighing that against a permanent hire, we set out the numbers in Virtual CISO vs Full-Time CISO.
If you are preparing for an IAR assessment, or already carry the obligation through your sector regulator and need a credible accountable owner to get your score above the line and keep it there, we can take the role and the build that comes with it. Book a call and we will map your scope, your applicable controls, and where your gaps sit.
Frequently asked questions
Is NESA the same as UAE IAR?
Effectively yes. NESA was the federal authority that created the framework and has since been renamed the Signals Intelligence Agency, with national cybersecurity now coordinated by the UAE Cyber Security Council, which owns the standard. The standard is the UAE Information Assurance Standards (IAS), currently at Version 2 (September 2025), and the obligation to implement it is the UAE Information Assurance Regulation (IAR). The terms are used interchangeably for the same body of requirements.
Who has to comply with UAE IAR?
Federal and local government, semi-government bodies, and operators of critical information infrastructure across sectors such as energy, transport, healthcare, telecom, banking, and insurance. Private firms come into scope by being classified as critical infrastructure or through a sector regulator that adopts the IAS. The Central Bank of the UAE, for example, requires its payment providers to meet the IAS as a minimum, and carries an equivalent technology risk and information security obligation across its other licence categories, including stored value facility, payment token, and Open Finance Provider licences. Entities regulated in the DIFC or ADGM fall under the DFSA and FSRA regimes rather than the federal IAS.
How many controls are in the NESA IAS?
Version 2 of the standard (September 2025) organises its controls into fifteen families: six management families (M1 Strategy and Planning, M2 Information Security Risk Management, M3 Awareness and Training, M4 Human Resource Security, M5 Compliance, M6 Performance Evaluation and Improvement) and nine technical families (T1 Information Asset Management through to T9 Information Systems Continuity Management). Each family breaks into sub-families and controls, and every control is tagged either Always Applicable or applicable based on your risk assessment, plus a priority from P1 to P4. The earlier version was commonly described as 188 controls on an older ISO 27001 base; Version 2 rebased the framework onto ISO 27001:2022 and restructured it, so older control counts no longer map cleanly.
Does UAE IAR require an independent assessment?
Demonstrating compliance to your sector regulator requires an external, independent assessment, not just the internal audit the IAS includes as control family M6. The party that builds and runs your programme should not be the one that attests to it independently, since that is a conflict of interest a regulator can flag.
What score do you need to pass a UAE IAR assessment?
The assessment produces an overall compliance score against the applicable controls, and the regulator sets a minimum the entity has to reach and sustain. For the programmes we work with, that threshold is 86 percent. Falling short triggers a corrective action plan with deadlines and a re-assessment. Confirm the exact figure with your own sector regulator, as thresholds can vary by programme.
Does ISO 27001 make us IAR compliant?
No, but it gives a strong head start, and more so now. Version 2 of the IAS is rebased onto ISO/IEC 27001:2022 and ISO/IEC 27002:2022, so a current ISO 27001:2022 ISMS covers much of the management families and documentation the standard expects. It does not cover the UAE-specific always-applicable controls, the reporting obligations to the sector regulator, or the independent assessment against the passing score. Run ISO 27001:2022 as the base and layer the IAR-specific controls and evidence on top.
Can a vCISO run our IAR compliance?
Yes. Control M1.1.3 of the IAS requires a senior leadership member with overall responsibility for the security programme, backed by a dedicated security function, which is exactly the role a vCISO fills. The vCISO scopes the programme, runs the risk assessment, drives remediation, builds the evidence set, prepares you for the independent assessment, and sustains compliance afterward, on a retained basis rather than a full-time salary.
Related: CBUAE Cybersecurity Requirements: A vCISO Compliance Guide · vCISO for VARA Compliance: Meeting Dubai's CISO Requirement · UAE PDPL Compliance: A vCISO and DPO Guide
Experience
Guide