DESC ISR: Dubai's information security standard.

The Dubai Electronic Security Center's Information Security Regulation sets the baseline for cybersecurity across Dubai government entities and critical infrastructure. CyberHeed maps every domain, tracks compliance, and manages evidence - in one platform.

At a glance: DESC (Dubai Electronic Security Center); 12 security domains; 188+ controls. CyberHeed: ISO/IEC 27001:2022 certified; AI Awards finalist 2025; Cyber Awards finalist 2026; multi-region compliance.

What is the DESC ISR?

Dubai's mandatory information security regulation for government and critical infrastructure.

The Information Security Regulation (ISR) is issued by the Dubai Electronic Security Center (DESC), the government body responsible for the protection of information in Dubai. The ISR establishes a comprehensive framework of security controls that all Dubai government entities and critical infrastructure operators must implement. It is aligned with international standards - particularly ISO 27001 and NIST CSF - but adds specific requirements for the Dubai context, including data sovereignty, Arabic language requirements, and alignment with UAE national security objectives.

Who Must Comply?

Dubai Government Entities

All Dubai government departments, authorities, and organisations must comply with the DESC ISR. This includes entities like the Dubai Health Authority, Roads and Transport Authority, Dubai Municipality, and all other government bodies operating in the Emirate of Dubai.

Critical Infrastructure Operators

Operators of critical national infrastructure in Dubai - energy, water, transportation, telecommunications, financial services, and healthcare - must implement DESC ISR controls. The regulation recognises that critical infrastructure security is a matter of national interest.

Government Service Providers

Private sector organisations providing IT services, cloud hosting, or technology solutions to Dubai government entities may be required to demonstrate DESC ISR compliance as a condition of their contracts.

Semi-Government Entities

Entities with partial government ownership, or those operating under government mandates in Dubai, are also in scope. The scope extends to any entity that handles Dubai government data or connects to government networks.

DESC's Role and Approach

DESC operates as the cybersecurity regulator for the Emirate of Dubai, with specific responsibilities:

Regulatory Authority

DESC develops and enforces information security regulations for Dubai. The ISR is the primary regulation, but DESC also issues guidelines, advisories, and directives that entities must follow.

Compliance Assessment

DESC conducts compliance assessments of government entities and critical infrastructure operators. Entities must demonstrate compliance through documented evidence, not just self-declaration. Assessments can be announced or unannounced.

Incident Coordination

DESC serves as the central point for cybersecurity incident coordination across Dubai government. Entities must report security incidents to DESC and follow its incident response coordination protocols.

Security Domains

Twelve domains covering every aspect of information security.

The DESC ISR is organised into twelve security domains, each containing specific controls that entities must implement. The domains are comprehensive, covering governance through to technical controls, physical security, and incident management.

Domain 1 - Information Security Governance

Establish information security governance structures, including a dedicated security function, defined roles and responsibilities, security steering committee, and executive-level accountability. Security must be embedded in the organisational structure, not bolted on.

Domain 2 - Information Security Risk Management

Implement a risk management framework that identifies, assesses, treats, and monitors information security risks. Risk assessments must be conducted regularly and when significant changes occur. Risk treatment plans must be documented and tracked to completion.

Domain 3 - Information Security Policy

Develop and maintain a comprehensive set of information security policies covering acceptable use, access control, data classification, incident management, and more. Policies must be approved by senior management, communicated to all personnel, and reviewed regularly.

Domain 4 - Human Resources Security

Background checks, security awareness training, confidentiality agreements, and security responsibilities throughout the employment lifecycle. Personnel with access to sensitive systems must undergo enhanced screening.

Domain 5 - Asset Management

Identify and classify information assets by sensitivity and criticality. Maintain asset inventories covering hardware, software, data, and services. Define ownership, handling requirements, and acceptable use for each asset category.

Domain 6 - Access Control

Implement access control policies and mechanisms including user registration, privilege management, authentication, and access reviews. Expected controls include role-based access control, multi-factor authentication for privileged and remote access, and regular access certification.

Domain 7 - Cryptography

Implement cryptographic controls for data protection at rest and in transit. Key management procedures, approved algorithms, certificate management, and cryptographic policy covering all use cases.

Domain 8 - Physical and Environmental Security

Physical security perimeters, access controls, CCTV, environmental controls, equipment protection, and secure areas. Data centres and critical facilities must meet specific physical security requirements.

Domain 9 - Operations Security

Change management, capacity management, malware protection, backup, logging, monitoring, vulnerability management, and software installation controls. Operational procedures must be documented and followed.

Domain 10 - Communications Security

Network security management, network segmentation, information transfer policies, and secure communications. Includes requirements for network monitoring, intrusion detection, and protection of information in public networks.

Domain 11 - Information Security Incident Management

Incident response planning, detection, reporting, assessment, response, and recovery. Entities must report incidents to DESC within specified timeframes. Post-incident reviews and lessons learned must be documented.

Domain 12 - Compliance

Compliance with legal, regulatory, and contractual requirements. Internal compliance monitoring, audit programmes, and corrective action management. Includes specific requirements for UAE data protection and sovereignty obligations.

Prepare - Comply - Manage

How CyberHeed handles DESC ISR compliance

CyberHeed maps every DESC ISR domain and control, captures your current state, identifies gaps, and tracks remediation with evidence that withstands DESC assessment.

1. Prepare: Assess Against All Domains

SmartPrep guides your team through structured conversations covering each of the twelve security domains. AI captures your current security posture, identifies gaps against DESC requirements, and generates documentation that reflects your actual practices - not generic templates.

For entities already compliant with ISO 27001, SmartPrep identifies what's already covered and focuses on the DESC-specific additions.

2. Comply: Evidence and Validation

Upload evidence for each control. AI validates whether your documentation meets DESC expectations. Security policies, risk assessments, access control configurations, incident response records, and training evidence - each mapped to the specific domain and control.

AutoMatch reads your existing security documentation and maps it to DESC ISR controls automatically. Evidence from ISO 27001, NIST CSF, or NCA ECC is cross-referenced.

3. Manage: Ongoing Compliance

DESC assessments can occur at any time. CyberHeed ensures your evidence is always current - policies reviewed, controls tested, incidents documented, and training records up to date. When DESC assesses your entity, your compliance posture is demonstrable.

Dashboard reporting provides security leadership with real-time visibility across all twelve domains.

Multi-Framework Advantage

DESC ISR is built on international standards. Your existing compliance counts.

The DESC ISR is deliberately aligned with ISO 27001, NIST CSF, and other international frameworks. If you're already certified or compliant with these standards, significant portions of DESC ISR are already addressed. CyberHeed maps the overlaps automatically.

~65% - ISO 27001 to DESC ISR

DESC ISR's twelve domains map closely to ISO 27001's Annex A control themes. Governance, risk management, access control, cryptography, operations security, and incident management requirements overlap substantially.

~55% - NIST CSF to DESC ISR

NIST CSF's five functions provide coverage across DESC ISR domains. Identify maps to risk management and asset management. Protect maps to access control and cryptography. Detect and Respond map to incident management.

~50% - NCA ECC to DESC ISR

Saudi Arabia's NCA ECC and Dubai's DESC ISR share significant common ground as Gulf region cybersecurity frameworks. Governance, defence, resilience, and third-party management domains overlap meaningfully.


Achieve DESC ISR compliance.

Twelve security domains. Comprehensive control mapping. AI-guided assessment with evidence management.
