
One audit. Twelve UAE frameworks. A single, prioritised report.

We audit your security posture against every UAE cybersecurity regulation that applies to your business — UAE IAS V2 (NESA), ADHICS V2, DESC ISR V3, CBUAE, DFSA, DIFC DPL, ADGM, NCEMA, TDRA — alongside the international standards your customers care about. One audit. One unified report. One clear roadmap.

  • 12 UAE STANDARDS
  • 30+ TOTAL FRAMEWORKS
  • 2–6wk DELIVERY WINDOW

Compliance is fragmented.
Your audit shouldn't be.

Most companies pay for separate audits against each standard — paying twice for overlapping controls and getting reports that don't talk to each other. We fix that.

  1. Hidden gaps surfaced

    Discover security weaknesses across people, processes, and technology — before attackers or auditors do. Mapped, not buried.

  2. One audit, every standard

    Cross-framework control mapping means a single engagement gives you visibility into ISO, NIST, SOC 2, PCI DSS, NESA, and beyond.

  3. Risk-ranked roadmap

    A clear action plan ordered by business risk and effort — so you know exactly what to fix first, and why it matters.

  4. Stakeholder confidence

    Show customers, investors, and regulators that your security posture is independently assessed and documented to international standards.

The periodic table
of UAE compliance

Twelve UAE-specific standards. Plus international and GCC frameworks. One unified audit.

INT · International Standards · 08 standards

  • ISO 27001 (2022): Information Security Management, 93 ctrl
  • ISO 27002 (2022): Security Controls Code of Practice, Guidance
  • ISO 22301 (2019): Business Continuity Management, BCMS
  • ISO 27701 (2019): Privacy Information Management, PIMS
  • NIST CSF (v2.0): Cybersecurity Framework, 6 functions
  • NIST 800-53 (Rev 5): Security & Privacy Controls, 1000+ ctrl
  • AICPA SOC 2 (TSC): Trust Services Criteria, 5 TSC
  • CIS v8 (IG1-3): 18 Critical Security Controls, 18 ctrl

IND · Industry-Specific · 05 standards

  • PCI DSS (v4.0): Payment Card Industry Data Security, 12 reqs
  • HHS HIPAA (1996): Health Insurance Portability Act, Privacy/Sec
  • EU GDPR (2018): General Data Protection Regulation, 99 articles
  • SWIFT CSP (v2024): Customer Security Programme, 31 ctrl
  • ISACA COBIT (2019): IT Governance & Management, 40 obj

GCC · GCC & Regional · 05 standards

  • NCA ECC-1 (2018): Saudi Essential Cybersecurity Controls, 114 ctrl
  • SAMA CSF (v1.0): Saudi Monetary Authority Framework, 118 ctrl
  • KSA PDPL (2023): Saudi Personal Data Protection Law, 44 articles
  • BHR PDPL (2018): Bahrain Personal Data Protection Law, Privacy
  • QAT NIA (v2.0): Qatar National Information Assurance, Standards

Cross-mapped controls. When you implement multi-factor authentication to satisfy UAE IAS V2 T2.3.1, the same control maps to ADHICS V2 AC.5, ISO 27001 A.8.5, NIST CSF PR.AA-03, DESC ISR Access and PCI DSS 8.4. We show every connection in one place.

Find your sector.
See your standards.

UAE compliance is sector-specific. Healthcare answers to ADHICS, banks to CBUAE, free-zone firms to DIFC or ADGM. Here's what applies to your business.

S.01 Federal Government & CII

  • UAE IAS V2
  • Cybercrime Law
  • Cloud Policy

S.02 Banking & Financial Services

  • CBUAE Ch.14
  • DFSA Cyber Rules
  • SAMA CSF

S.03 Healthcare (Abu Dhabi)

  • ADHICS V2
  • Federal Health Law
  • Riayati / Malaffi

S.04 Healthcare (Dubai)

  • DHA Standards
  • NABIDH
  • Federal Health Law

S.05 Dubai Government

  • DESC ISR V3
  • DESC CSP Standard
  • Dubai CII Reg

S.06 DIFC Free Zone

  • DIFC DPL (amended 2025)
  • DFSA Cyber Rules

S.07 ADGM Free Zone

  • ADGM DPR 2021
  • ADGM FSRA Cyber

S.08 Telecom & IoT

  • TDRA Frameworks
  • TDRA IoT Policy
  • UAE IAS V2

S.09 Aviation

  • GCAA Aviation Cyber
  • ICAO Annex 17
  • ISO 27001

S.10 All UAE Organizations

  • Federal PDPL
  • Cybercrime Law
  • NCEMA 7000:2021

A single chart
that tells the truth

Our final report includes a multi-axis maturity radar — a single visual that shows your security posture across every domain we audited. Strengths and weaknesses, side by side.

  • 01 Scored 0–5 across 7 security domains
  • 02 Compared against industry baseline
  • 03 Mapped to every framework you care about

[Figure: sample output, maturity radar plotting "Your posture" against "Industry baseline"]

Five phases.
Two to six weeks.

01 Scope & Frame (3-5d)

Map your business to the right framework combination. We pick what applies — not everything that exists.

  • + Scope Doc
  • + Framework Map
  • + Audit Plan

02 Evidence Sweep (5-10d)

Document review, configuration audit, architecture inspection. We collect proof, not promises.

  • + Evidence Inventory
  • + Config Audit
  • + Initial Gaps

03 Stakeholder Interviews (5-10d)

We speak to IT, security, ops, HR, legal. Process maps come from people, not policies.

  • + Interview Notes
  • + Process Maps
  • + Walkthrough Logs

04 Gap Analysis (3-5d)

Each control scored. Severity ranked. Cross-framework mapping. The numbers don't lie.

  • + Gap Matrix
  • + Risk Heatmap
  • + Maturity Score

05 Report & Roadmap (3-5d)

An executive read, a technical deep-dive, and a remediation plan you can actually execute.

  • + Executive Report
  • + Technical Findings
  • + Roadmap

What lands
in your inbox

D.01

Executive Audit Report

A board-ready document. Maturity score, key findings, business risk impact, and strategic recommendations across every framework audited.

+ Maturity Score + Risk Heatmap + Board Summary

D.02

Cross-Framework Matrix

A single matrix mapping every control across ISO, NIST, SOC 2, PCI, NESA — showing where you comply, where you don't, and what overlaps.

+ Multi-Framework + Excel + PDF + Unified View

D.03

Remediation Roadmap

Findings ranked by risk and effort. Quick wins, strategic initiatives, and timeline estimates.

D.04

Technical Findings

Control-by-control evidence and remediation steps for IT and security teams.

D.05

Maturity Heatmap

Visual scoring by domain — governance, identity, network, endpoint, cloud, data.

D.06

Walkthrough Session

A live readout meeting with your team to discuss findings, Q&A, and prioritise next steps.

Why
Underwings

A

UAE-first expertise

Deep operational knowledge of UAE IAS V2, ADHICS, DESC ISR, CBUAE, DFSA, DIFC DPL, ADGM, NCEMA — not consultants who learned UAE rules from a Google search.

B

One audit, many standards

We cross-map controls between UAE regulations and international standards so a single engagement satisfies multiple compliance requirements.

C

Actionable, not academic

Reports prioritised by business risk with effort estimates — not 200-page documents nobody reads.

D

Based in Abu Dhabi

Local team with on-ground knowledge of UAE regulators, free zones, and emirate-level requirements. Same time zone, same week, same room.

Common questions

Q.01 Is NESA still a thing in 2026? What's it called now?
NESA (National Electronic Security Authority) was renamed to the Signals Intelligence Agency (SIA) in 2019, and the UAE Cyber Security Council (CSC) now governs the standard. The framework itself is now officially called UAE IA Standard V2 (2025), though most people still call it 'NESA compliance'. We audit against the latest V2 baseline.
Q.02 Which UAE standards apply to my business?
It depends on your sector. Federal/CII entities need UAE IAS V2. Banks need CBUAE. DIFC firms need DIFC DPL + DFSA Cyber Rules. ADGM firms need ADGM DPR. Abu Dhabi healthcare needs ADHICS V2. Dubai government needs DESC ISR V3. Telecom needs TDRA. We help you identify exactly which apply during the free scoping call.
Q.03 What's the difference between UAE PDPL, DIFC DPL, and ADGM DPR?
All three are data protection laws, but they apply to different jurisdictions. UAE PDPL (Federal Decree-Law 45/2021) applies to mainland UAE entities. DIFC DPL (Law 5/2020, amended 2025) applies only to entities in DIFC free zone. ADGM DPR 2021 applies only to ADGM free zone. We map your data flows to determine which apply.
Q.04 Can you audit against multiple frameworks at once?
Yes — that's our specialty. We map controls across UAE IAS V2, ADHICS, DESC ISR, ISO 27001, NIST CSF, SOC 2, PCI DSS and more. A single audit gives you visibility into every applicable framework, with overlap automatically identified.
Q.05 How long does a UAE security audit take?
A typical audit takes 2–6 weeks depending on scope, number of frameworks, and your organisation's size. UAE-only single-framework audits can be completed in 2 weeks; multi-framework cross-jurisdiction audits (e.g., UAE + DIFC + international) take 4–6 weeks.
Q.06 Do you only audit, or do you help fix the gaps?
Both. Our audit report includes prioritised remediation recommendations mapped to each framework, and our team can also implement the fixes — from policies and processes to technical controls and tooling. We work with you all the way to compliance.
Q.07 Will the audit disrupt our operations?
No. Audits are non-intrusive — document reviews, interviews, and configuration assessments. Any active testing is scheduled to minimise impact on business operations and explicitly authorised in advance.
// READY?

Get a single, prioritised
view of your security posture.

Free scoping call. We'll recommend the right framework combination for your industry and provide a transparent quote.

ABU DHABI · UAE INDIA +971 50 567 0394