DUBAI - The Dubai Electronic Security Centre (DESC), part of Digital Dubai, is preparing to launch Information Security Regulation (ISR) Version 3.0, building on the success of the previous edition (ISR Version 2.0) and offering additional enhancements and features.

The Regulation outlines key practices in information security to be adopted across all Dubai Government entities and requirements for information security controls to ensure appropriate confidentiality, integrity, and availability of information handled within those entities.

The Regulation aims to provide these entities with the standards to ensure the continuity of critical business processes, minimise information security-related risks, and prevent information security incidents.

Yousuf Hamad Al Shaibani, CEO of the DESC, said, “As Dubai and the UAE continue to make strides in their comprehensive digital transformation plans, we remain committed to our mission to ensure and constantly enhance cybersecurity services in Dubai, bringing them in line with the highest international standards. The Information Security Regulation is a powerful tool for achieving our strategic objectives. Effective implementation of ISR controls can ensure resilience in dealing with risks to information security, which, in turn, can boost consumer confidence, business performance, productivity, and national security.”

The Regulation is broken down into 13 domains, each considering one or more major classes of information security: Governance, Operation, and Assurance. It applies to all Dubai government entities, including employees, consultants, contractors, and visitors who are not government employees but are engaged with the government through various means.

The new version of the ISR builds on the success of ISR Version 2.0, which recorded notable achievements.

Version 3.0 features enhancements that enable it to address a range of key aspects: it mandates that UAE Nationals head the information security function or be the CISO, reporting to Top Management; introduces roles and responsibilities for Information Security Champions, Internal Auditors, and the Incident Response Team; and prevents the storage or processing of critical information outside the UAE, including cloud services.

Moreover, the new version introduces a problem management process requirement as part of incident management; minimum security and compliance requirements for external party and managed services; and data centre security controls. It also incorporates cyber-resilience framework requirements as part of business continuity processes and aligns with relevant ISO frameworks and industry standards.