“Cybercrime is the greatest threat to every company in the world”

We are using multiple security standards and regulations to assess the security posture of an organization and answer the question of how secure it is right now. The assessment is based on CMM and RA which are proven, practical, proactive, comprehensive and cost effective methodologies. We also help organisations avoid devastating breaches by delivering high-quality cyber security training and innovative solutions that reduce risk across UAE.

The regulations and standards that we use are the foundation of our CARAT approach and some are mandatory for critical information infrastructure (CII) entities:

UAE Information Assurance Regulation​

The UAE Information Assurance Regulation v1.1 (March 2020, replacing the UAE Information Assurance Standards v1.0) provides requirements for raising the minimum level of information security across all relevant entities in the UAE. The UAE IAR controls are mapped with controls of the following standards:

  • ISO 27001, ISO 27002, ISO 27010, to ensure that standard best practices are followed when implementing an ISMS across multiple sectors and all types of organizations (public, private, semi-private, enterprises, and SMEs)
  • ISO/IEC 27005, to ensure that standard best practices are followed when implementing a risk management framework and performing risk assessment
  • ISO/IEC 27032, to ensure that organizations implementing an ISMS in accordance with ISO/IEC27001 will be aligned to the Governance guidelines of ISO/IEC 27032 once the scope of the ISMS is extended to include cyber security
  • NIST 800-53, to ensure alignment with industry best practices and technical controls for information and cyber security
  • ADISS v2 (see below)
  • SANS 20 Critical Security Controls for Effective Cyber Defense
Abu Dhabi Information Security Standards

Abu Dhabi Information Security Standards (ADISS) are issued in suport of the Abu Dhabi Information Security Policy, and aims at providing protection to the information assets owned and managed by the government of Abu Dhabi. ADISS v2.0 seeks to support the government’s vision of delivering services that are effective, efficient and which add tangible value.

Dubai Information Security Regulation

The Dubai Information Security Regulation (Dubai ISR) encompasses 13 information security domains composed of specific controls and sub-controls, and is closely aligned with other International Information Security related Standards reflecting Dubai Government’s acknowledgement and recognition of the information security best practices stated therein. The Dubai ISR v2 has also includes distinctive items reflecting specific requirements within the context of The Dubai Government.


ISO/IEC 27001 sets out the requirements for an information security management system (ISMS). An ISMS includes people, processes and IT systems by applying a risk management process, and is a systematic approach to managing sensitive company information so that it remains secure.

ISO 22301 BCMS

ISO 22301 provides requirements for a best-practice business continuity management system (BCMS). A BCMS is a framework for organizations to update, control and deploy an effective BCM programme that helps them prepare for, respond to and recover from disruptive incidents. Implementing a BCMS includes the development of business continuity plans, taking into account organizational contingencies and capabilities, as well as the organisation’s individual business needs.


ISO/IEC 27005 is a guide for information security risk management which complies with the concepts, models, and general processes specified in ISO/IEC 27001.

Secure Software Development

A secure software development process covering the entire life cycle (S-SDLC) ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort, and are performed regularly in production, and after major changes.

ISO/IEC 27032 CS

ISO/IEC 27032:2012 sets out the baseline security practices for stakeholders in the Cyberspace, and provides guidance for improving the state of Cybersecurity drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet security, and critical information infrastructure protection (CIIP).


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

Data Protection, GDPR

Data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites. Data protection is the process of safeguarding important information from corruption, compromise or loss. Data privacy is the process concerned with the proper handling of data – consent, notice, and regulatory obligations.

ISO 9001

ISO 9001 sets out the criteria for a quality management system that can be used by any organisation, large or small, regardless of its field of activity.