Use the toggle below to switch the contrast:
Read Speaker
Listen to the content of the page by clicking play on Listen:
Text Size
Use the buttons below to increase or decrease the text size:

DESC provides a framework for managing cyber risks and supporting government entities.

  1. Home
  2. /
  3. Regulations
  4. /
  5. Standards & Policies

Standards & Policies


The below standard documents are protocols and guiding principles, available to government entities, as a means of supporting best practices in safeguarding users of electronic and cyber technology.


Information Security Regulation (ISR)

The purpose of the Information Security Regulation is to provide all Dubai Government Entities with the standards to ensure continuity of critical business processes, and minimize information security related risks and damages by preventing and/or minimizing information security incidents. It intends to ensure appropriate level of Confidentiality, Integrity and Availability for information handled within Dubai Government Entities.

The Information Security Regulation is a technology neutral framework and will not handle any technological implementation. Therefore, technology specific aspects for implementation will be tackled by Dubai Government Entities reflecting specificities in their internal systems.

The Information Security Regulation presents the minimum requirements for information security controls and is applicable to all Dubai Government Entities, including but not limited to employees, consultants, contractors and visitors who are not government employees but are engaged with it through various means. Furthermore, the regulation applies to any government information regardless of its type and medium (e.g. Printed, Electronic and Non-Electronic Verbal, Written, etc.) covering all business functions and divisions of the Government entity.

The information Security Regulation is broken down into thirteen domains. Each domain takes into consideration one or more major classes of information security: Governance, Operation, and Assurance. The Governance domains set high-level requirements for structuring and managing information security. The Operation domains are technical and/or non-technical controls an entity may use depending on the results of their risk assessment study. The Assurance domains act as the quality assurance for the entity, ensuring that the implemented solution is working as intended.

Dubai Government Entities must conduct an applicability review of the Information Security Regulation domains and controls to determine which of these domains and controls are applicable to them. Dubai Government entities must commit resources to achieve the “right-fit” implementation, while considering the risk assessment results, and keeping the controls implementation cost lower than the anticipated risk or value of information, which is being protected.

Dubai Government Information Security Regulation was formalized pursuant to Resolution No. 13 of 2012 based on leading information security regulations, frameworks, policies and practices. Further, based on Dubai Law No. 11 of 2014, DESC has the responsibility of maintaining and continuously improving the Information Security Regulation (ISR) in order to address the latest information security practices and related control requirements.

Internet of Things (IoT) Security Standard

The IoT Security Standard developed by Dubai Electronic Security Center (DESC) sets out mandatory and recommended controls for the security of Internet of Things (IoT). Compliance with this standard is mandatory for all Dubai government and semi-government entities.

Electronic Biomedical Devices (EBMD) Security Standard

Biomedical Devices (BMD) are using more and more electronic means for functioning, processing and communicating. This provides many chances for medical progress, but also entails risks related to ICT security. Therefore, the Dubai Electronic Security Center (DESC) in collaboration with the Dubai Health Authority (DHA) has developed this standard to ensure the secure operation of electronic biomedical devices in Dubai.

DESC ICS Standard

The ever-increasing adoption of digital technology to achieve better operational efficiency has diluted and blurred the segregation that existed between the operational (ICS) and information technology environments. As entities go further on the ICS transformation journey towards OT/ IT Convergence to realize the benefits of such convergence, like cost reduction, operational efficiency, automation etc., the interconnection with IT and external networks also exposes the ICS to cybersecurity risks, more than ever before.

This standard is applicable to Dubai government and semi-government entities that operate critical infrastructure and/or Industrial Control Systems (Operational Technology). The standard aims to provide a framework for managing cyber risks to critical risks to Industrial Control Systems (Operational Technology) deployed in Dubai’s critical infrastructure.

Connected Vehicle (CV) Security Standard

The Connected Vehicle Security Standard aims at providing requirements and guidelines for the security of driverless cars. It is the first worldwide set to become applicable to all Dubai government and semi-government entities that are planning to use autonomous vehicles.


Web Security Policies

This Web Security Policy has been developed to support Dubai’s government in achieving higher levels of security when developing and using web applications and services. Web security is based on the well accepted thoughts of application security, but is applying those specifically to the fundamental elements:

  • Website Security
  • Security of Web Applications
  • Security of Mobile Applications
  • API Security