
NIA Compliance Checklist for Qatar Organisations

A practical NIA compliance checklist for Qatar organisations — covering governance foundations, technical controls, and certification readiness.

Vantage GRC Team, 6 April 2026

How to Use This Checklist

This checklist is designed for compliance managers, CISOs, and IT risk managers at Qatar organisations preparing for NIA compliance. It covers the key activities across four phases: foundation, governance, technical controls, and certification readiness.

Use it as a planning tool to scope your compliance programme, identify gaps in your current posture, and track progress toward NIA certification. The checklist is aligned to NIAS V2.1 and reflects current NCSA expectations.

Note that the specific controls applicable to your organisation depend on your Business Impact Assessment (BIA). This checklist covers the common baseline requirements that apply to most mandated organisations.

Phase 1 — Foundation

The foundation phase establishes the scope and context for your NIA compliance programme.

Business Impact Assessment (BIA)
- Identify all information assets across the organisation
- Classify assets by confidentiality, integrity, and availability requirements
- Determine criticality levels that drive control applicability
- Document the BIA methodology and results

Scope Definition
- Define the organisational boundaries for NIA certification
- Identify in-scope systems, processes, locations, and business units
- Document exclusions with justifications
- Prepare a draft Statement of Applicability

Compliance Roadmap
- Conduct an initial gap assessment against applicable NIA controls
- Prioritise gaps by risk severity and regulatory impact
- Estimate resources, timelines, and budget for remediation
- Secure executive sponsorship and budget approval

Project Governance
- Appoint a compliance programme lead
- Establish a steering committee with senior management representation
- Define reporting cadence and escalation procedures
- Assign domain owners for each NIA control area

Phase 2 — Security Governance and Processes

This phase addresses the 13 governance domains of the NIA framework.

Governance Structure
- Establish a formal information security governance framework
- Define the CISO role, security committee, and reporting lines
- Document board-level oversight mechanisms for cybersecurity
- Implement a security policy framework (policy, standards, procedures, guidelines)

Risk Management
- Implement a formal risk management methodology
- Conduct an information security risk assessment
- Maintain a risk register with scoring, ownership, and treatment plans
- Schedule regular risk reviews and post-change reassessments

Third-Party Security
- Inventory all third-party relationships involving data access
- Assess third-party security posture and risk
- Include security clauses in vendor contracts
- Implement ongoing supplier monitoring

Personnel Security
- Implement pre-employment screening and background checks
- Define security responsibilities in employment contracts
- Establish secure offboarding procedures (access revocation, asset return)
- Maintain personnel security records

Security Awareness
- Design a role-based security awareness programme
- Deliver training to all personnel (at least annually)
- Conduct phishing simulations and measure results
- Track completion rates and behavioural metrics

Incident Management
- Develop and approve an incident response plan
- Define incident classification, escalation, and notification procedures
- Establish an incident response team with defined roles
- Conduct tabletop exercises at least annually

Business Continuity
- Develop business continuity and disaster recovery plans for critical systems
- Define recovery time objectives (RTOs) and recovery point objectives (RPOs)
- Test plans at least annually and document results
- Update plans based on test outcomes and organisational changes

Additional Governance Domains
- Implement a data labelling and classification scheme
- Establish formal change management procedures
- Deploy centralised logging and security monitoring
- Define data retention and archival policies
- Maintain comprehensive, version-controlled security documentation
- Prepare for audit by maintaining continuous evidence collection

Phase 3 — Security Controls

This phase covers the 13 technical control domains.

Network and Communication Security
- Implement network segmentation aligned to asset classification
- Deploy and configure firewalls with documented rule sets
- Enable intrusion detection and prevention systems
- Encrypt data in transit using approved protocols

Gateway and Perimeter Security
- Establish a DMZ architecture for internet-facing services
- Deploy web application firewalls for critical applications
- Implement email security controls (SPF, DKIM, DMARC)
- Monitor and log all gateway traffic

Access Control
- Implement identity and access management (IAM) with a centralised directory
- Enforce multi-factor authentication for privileged and remote access
- Apply least-privilege and role-based access models
- Conduct access reviews at least quarterly

Cryptographic Security
- Define a cryptographic policy specifying approved algorithms
- Implement encryption at rest for sensitive data stores
- Establish key management procedures (generation, rotation, revocation)
- Manage digital certificates with a defined lifecycle

Endpoint and Software Security
- Harden workstations and servers against a defined baseline
- Implement endpoint detection and response (EDR)
- Maintain a patch management programme with defined SLAs
- Apply secure SDLC practices for in-house development

Media and Physical Security
- Encrypt removable media containing sensitive data
- Implement secure media disposal procedures
- Control physical access to data centres and server rooms
- Deploy CCTV, environmental controls, and visitor management

Remote Working and Virtualisation
- Deploy mobile device management (MDM) for corporate devices
- Require VPN for all remote access to corporate networks
- Harden hypervisors and isolate virtual networks
- Manage the VM lifecycle (provisioning, patching, decommissioning)

Phase 4 — Certification Readiness

The final phase prepares your organisation for the formal NIA certification audit.

Evidence Compilation
- Verify that evidence exists for every applicable control
- Ensure evidence demonstrates operation over time (not just at a point in time)
- Organise evidence by NIA domain for efficient auditor access
- Validate that policies are current, approved, and disseminated

Internal Audit
- Conduct a comprehensive internal audit against all applicable NIA controls
- Document findings, classify them by severity, and track remediation
- Verify that all critical and major findings are closed before the external audit
- Retain the internal audit report as evidence for the NCSA

Certification Application
- Prepare and submit the certification application to the NCSA
- Include the Statement of Applicability, scope definition, and supporting documentation
- Pay the Certification Application Fee

Auditor Engagement
- Select and engage an NCSA-accredited audit service provider
- Verify the auditor's accreditation status with the NCSA
- Agree on audit scope, timeline, and logistics

Audit Preparation
- Brief all domain owners and process owners on audit expectations
- Ensure key personnel are available during the audit window
- Prepare a document index mapping NIA controls to evidence locations
- Conduct a final readiness review one week before the audit

Post-Certification Planning
- Plan for annual maintenance audits
- Implement continuous compliance monitoring using GRC software
- Assign ongoing ownership for each NIA control domain
- Schedule regular management reviews of the ISMS

Frequently Asked Questions

How do I know which NIA controls apply to my organisation?

The controls applicable to your organisation are determined by a Business Impact Assessment (BIA). The BIA classifies your information assets by criticality, which in turn determines whether baseline or enhanced controls are required for each of the 26 NIA domains. This assessment should be your first step.

What evidence is needed for an NIA audit?

The NIA audit requires evidence that controls are designed and operating effectively over time. This includes approved policies and procedures, configuration evidence (screenshots, exports), log samples, training records, risk assessments, incident reports, access review records, and management sign-off documentation. Evidence should be organised by NIA control domain.

Can I use this checklist for NIA recertification?

Yes. The checklist covers the same control areas assessed during recertification. For recertification, focus particularly on Phase 4 (Certification Readiness) and verify that all controls remain effective, evidence is current, and any findings from the previous audit cycle have been addressed.

Need Help With Compliance?

Vantage combines GRC software with senior consulting to help Qatar organisations achieve and maintain compliance. Book a demo or request a consultation.
