- published 12/27/24 2:37 PM
- updated Aug 10, 2024
National Cyber Security Accreditation Program
Audience
Corporations, Government
Content Outline
Introduction
The UAE is committed to the further development of its digital infrastructure, as well as its cyberspace, to support economic development and provide an environment where the interests of its government, businesses, and citizens can thrive. The National Cybersecurity Accreditation Program (NCAP) is an initiative that aims to cultivate trust in the UAE cyber ecosystem through raising its security maturity in a transparent way. Based on international best practices, the program balances security and efficiency in this national-level assurance effort.
The NCAP will enable UAE government and entities to demonstrate their conformity to baseline cybersecurity requirements and grant them the ability to work with provider entities who also conform to baseline cybersecurity requirements. This national-level baseline will provide assurance to stakeholders that these entities adhere to best practices and will continue to maintain a minimum standard of cybersecurity maturity. This will ensure that a consistent level of cybersecurity services is provided across the country, driving up standards and quality of service across the UAE.
National Cyber Security Accreditation Governance Model
Mandatory Track
The section outlines the mandatory participation of specific entities in the UAE's National Cybersecurity Accreditation Program (NCAP). These include UAE government organizations, those under the UAE Critical Information Infrastructure Protection (CIIP) Policy, and entities providing cybersecurity services, training, and audit services to the government. These entities must comply with NCAP requirements and demonstrate competence in their respective fields through industry-recognized certifications. The NCAP process involves an attestation procedure managed by the National Lead Agency, with support from independent assessors. The goal is to ensure that these entities meet relevant cybersecurity controls and conform to the UAE's Information Assurance Regulation.
Voluntary Accreditation Track (Self Assessment)
This section outlines the Voluntary Accreditation Track of the NCAP, which allows entities not covered by the CIIP Policy to self-assess their cybersecurity maturity. These entities can voluntarily participate to meet regulatory requirements or gain a certification for stakeholders. The self-assessment is signed by the CEO and registered with the National Lead Agency. Successful entities receive a Voluntary Certificate and Self-certification Report, with random audits conducted by the National Lead Agency to ensure process integrity.
Implementation
This section outlines the implementation of the NCAP, led by the UAE Cyber Security Council as the National Lead Agency. The Council will develop processes, procedures, and tools to enhance the program's capabilities and maturity, including the roll-out of the Independent Assessor Program. The Council will collaborate with national stakeholders to establish and continually improve the NCAP, ensuring its ongoing development through regular revisions.
Monitoring and Performance Management
This section outlines the system for monitoring and performance management of the NCAP. The National Lead Agency will implement a monitoring system to measure the program's effectiveness, gather key metrics on entities' performance, and identify common deficiencies or gaps. This data will provide situational awareness of the UAE's cybersecurity posture and maturity. Performance management will use these metrics to evaluate the program against pre-set Key Performance Indicators (KPIs) based on international standards, helping to inform risk management and governance. The goal is to ensure the NCAP's efficiency and support continuous improvement.
Gaining Accreditation
This section highlights the process and activities for entities to gain accreditation via the Mandatory and Voluntary accreditation tracks. It also presents the NCAP Maturity Model, which establishes a unified method of tracking maturity across entities.
Auditing and Maintaining Compliance
The section focuses on the auditing and compliance processes for NCAP certification. It covers the methods for auditing mandatory and voluntary track entities, ensuring ongoing compliance through regular re-assessments and random audits, and maintaining certification in line with evolving technology and regulations.
Application of the National Cyber Security Accreditation Controls Framework
The section provides the Cyber Security Accreditation Controls Framework, which is a key component of the UAE NCAP, regularly reviewed to stay aligned with evolving technology and threats. It includes mandatory controls to maintain a consistent cybersecurity baseline across the UAE, while offering optional controls tailored to an entity's specific risk profile and operational context. These optional controls help address unique risks and should be applied in line with industry best practices.
Summary
The National Cyber Accreditation Program (NCAP) by the UAE Cyber Security Council establishes a framework for consistent evaluation, accreditation, and certification of entities. Its key goal is to deploy systematic accreditation mechanisms that help government entities, cybersecurity providers, and training organizations meet the baseline cybersecurity standards, in line with the UAE's cybersecurity strategy and national policy mandates. The Program is driven across three key streams which will enable the accreditation objectives.