BlogNIA Compliance
NIA COMPLIANCE20 min reference

NIA V2.1 Full Control Hierarchy — Every NCSA Domain & Control for Qatar Organisations

The complete NCSA NIA V2.1 control hierarchy — every section, domain, and control in one searchable, expandable reference. Built for Qatar compliance leads, CISOs, auditors, and DPOs preparing for NIA certification.

Vantage GRC Team24 May 2026

NIA V2.1 — Complete Reference at a Glance

This page is a reference, not an opinion piece. It contains the complete control hierarchy of Qatar's NCSA National Information Assurance Standard, version 2.1 (NIA V2.1) — every section, every domain, and every individual control, exactly as published by the National Cyber Security Agency.

Use it to scope a NIA programme, build a control library, prepare for a certification audit, or cross-map NIA against ISO 27001, PDPPL, and ictQATAR controls. The four numbers below frame what you are looking at.

STANDARD
NIAS V2.1
Issued May 2023 by NCSA
SECTIONS
2
Governance · Security Controls
CONTROL DOMAINS
26
13 + 13 split
TOTAL CONTROLS
356
Across all domains

Two Sections, Twenty-Six Domains

NIA V2.1 is structured into two top-level sections of equal weight. Section 1 covers the organisational, managerial, and procedural foundations of information security. Section 2 covers the technical and operational security controls. Every NIA domain — and every control — belongs to exactly one of these sections.

The applicability of any specific control to your organisation is driven by your Business Impact Assessment (BIA) classification. Higher-criticality assets bring more controls into scope. Use the breakdown below to set expectations with your steering committee before diving into the full list.

01
§
Section 1 — Security Governance & Processes (13 domains)
IG · RM · TM · DL · CM · PS · SA · IM · BC · SM · DR · DC · AC. Covers governance, risk, third-party security, classification, change, personnel, awareness, incidents, BCP, monitoring, retention, documentation, audit.
02
Section 2 — Security Controls (13 domains)
CS · NS · IE · GS · PR · SS · SU · MS · AM · CY · OS · PH · VL. Covers communications, network, information exchange, gateways, products, software, system usage, media, access, cryptography, portable / off-site, physical, virtualisation.
Two sections, 13 domains each — same weight, different lens.

Where the Control Weight Sits — Top 10 Domains

Not all domains carry the same operational load. The chart below ranks NIA V2.1 domains by control count — useful for sizing audit effort, planning evidence collection, and prioritising remediation. Network Security alone contributes 66 controls, more than the next two domains combined.

If your programme treats every domain as equal, you will under-resource the heavy ones and over-engineer the light ones. Plan effort proportional to control count.

NIA V2.1 — Top 10 Domains by Control Count
NS · Network Security66 controls
AM · Access Control Security41 controls
SS · Software Security32 controls
MS · Media Security21 controls
GS · Gateway Security17 controls
IE · Information Exchange13 controls
CS · Communication Security12 controls
PS · Personnel Security12 controls
CY · Cryptographic Security12 controls
SU · System Usage Security11 controls
Top 10 domains carry 237 of NIA V2.1's 356 controls — about 67% of the total catalogue.

How to Use This Reference

Every domain below is expandable. Click any domain header to reveal its full control list with NCSA reference IDs (e.g., IG-1, NS-12, AM-37). The reference IDs are the canonical identifiers used in NCSA audits, accredited audit reports, and most Qatar GRC platforms — including Vantage's control library.

Practical uses for this reference:

- Scoping. Walk a steering committee through the full standard before approving a NIA programme budget. - Gap analysis. Print or export a domain to drive interviews with each control owner. - Cross-mapping. Tag each control with the equivalent ISO 27001 Annex A control, PDPPL article, and ictQATAR requirement to build a unified control library. - Audit evidence. Use the reference IDs as the index for your evidence vault — one folder per control. - Onboarding. Give a new CISO or DPO an at-a-glance picture of the Qatar baseline they are accountable for.

The data below is the complete published catalogue. Where the source text contained pagination artefacts, they have been cleaned for readability — the control wording is unchanged.

NIA V2.1 — Full Control Hierarchy

Below is the complete, hierarchical NIA V2.1 control catalogue. Section → Domain → Control. Click any domain to expand its controls.

NIA SECTION 1
Security Governance & Processes
NIA Section 4 — Security Governance & Security Processes (13 domains).
13
DOMAINS
97 controls
1.1Security Governance [IG]
10 controls+
  1. IG-1Appoint a person to own and manage the Information Security programme. This person will be referred to as the ‘Security Manager’ within this NIA Standard.
  2. IG-2Allocate appropriate budget to staff and operate the Information Security Programme.
  3. IG-3Ensure the Security Manager has a reporting line to the Organization’s senior management such as risk or internal audit function.
  4. IG-4Ensure that the Organization head provides documented and continuous support for the development, implementation and ongoing maintenance of ICT security processes and infrastructure within their Organization.
  5. IG-5Where the Organization head delegates their authority to approve variations from requirements in this standard the delegate must have higher authority than the Security Manager.
  6. IG-6Define information security responsibilities for the Security Manager, management, employees and/or outsourced/3rd party vendors, suppliers or contractors of the Organization.
  7. IG-7Ensure the Security Manager has: a. ready access to, and full support from, executive management b. familiarity with information security and/or ICT security c. a general knowledge of, and experience in, or necessary resources in systems used by the Organization, especially operating systems, access & authorisation control systems/facilities and auditing facilities. d. a reasonable capacity and competence to support the Security Manager role.
  8. IG-8Include the following responsibilities within the Security Manager’s role: a. identifying and recommending ICT security improvements to all business systems and business processes. b. ensuring ICT security aspects are considered as part of the change management process. c. ensuring the coordinating of development, maintenance and implementation of all ICT security documentation, in conjunction with the business managers. d. ensuring timely reporting and adequate participation in investigation for ICT security incidents, with NCSA.
  9. IG-9Ensure the Security Manager is responsible for: a. ensuring the development, maintenance, updating and implementation of security risk management plans, system security plans and any security procedures used. b. providing technical security advice involved with system development, acquisition, c. implementation, modification, operation, support, and architecture d. assisting the system manager to develop system security standards/policies e. the certification of systems, when applicable f. ensuring the Organization has an appropriate ICT security awareness and training program. g. the regular review of system security, system audit trails and logs and the integrity of system configurations.
  10. IG-10Ensure the Security Manager is familiar with all security operating procedures relating to systems, including to the roles of system managers, system administrators and system users.
1.2Risk Management [RM]
5 controls+
  1. RM-1Define a risk assessment process to identify threats and vulnerabilities to critical information assets (identified with an aggregate security level of Medium or High).
  2. RM-2Based on the assessment, define a risk treatment plan to address threats and vulnerabilities.
  3. RM-3Ensure that the risk treatment plan and residual risk selected for information assets, with an aggregate security level of High, are vetted by senior management in the Organization.
  4. RM-4Ensure that the controls chosen in RM2 & RM3 are monitored for effectiveness on a periodic basis.
  5. RM-5Risk assessments should be integrated within the business process and revised whenever there is a change. Changes in the business or legal/regulatory environment may also warrant the need to do risk assessment.
1.3Third Party Security Management [TM]
5 controls+
  1. TM-1The areas or services being outsourced remain the governance, compliance and risk management accountability of the Organization.
  2. TM-2They understand and acknowledge the risks associated with the outsourcing of their services.
  3. TM-3That the security controls specified in this NIA Standard are included in the third-party service delivery agreement or contract. This SHALL also apply to sub-contractors used by the third party.
  4. TM-4The third party SHALL be contractually required to regularly report on the outsourced service’(s) security posture, including any incidents.
  5. TM-5The services, reports and records provided by the third party should be continuously monitored and reviewed, and audits should be conducted on defined periodic intervals.
1.4Data Classification Label [DL]
5 controls+
  1. DL-1Serve as a labelling authority for the data and information that it collects or maintains.
  2. DL-2Rate all information assets in accordance with [IAP-NAT-DCLS]. All assets rated with a Confidentiality rating of C1, C2, C3, or C4 SHALL be suitably marked the data label of Internal, Restricted, Secret or Top Secret respectively.
  3. DL-3By default, label information assets as ‘Internal’ unless they are specifically for public release or consumption or rated to a higher confidentiality level.
  4. DL-4Establish the data labelling system to support the “Need-To-Know” requirement, so that information will be protected from unauthorized disclosure and use.
  5. DL-5Establish data labelling education and awareness for its staff, employees, and contractors.
1.5Change Management [CM]
6 controls+
  1. CM-1Define and adhere to a documented change management process which may include the following or similar change categories: a. Planned Major Change. Examples of planned major changes are: • Changes that result in business interruption during regular business hours • Changes that result in business or operational practice change • Changes in any system that affects disaster recovery or business continuity • Introduction or discontinuance of an information technology service b. Maintenance and Minor Changes. Examples of this type of change are: • Application-level security changes/patches • Operating system patches (critical, hotfixes, and service packs) • Regularly scheduled maintenance • Changes that are not likely to cause a service outage
  2. CM-2Establish a cross functional Change Management Committee which must include representation from security and risk divisions
  3. CM-3Document and approve all proposed changes through the relevant Change Management Committee.
  4. CM-4Ensure that upon implementing any proposed change that may impact the security of the ICT system assess whether the system will require re-certification. The system MUST comply with baseline requirements at minimum even after change implementation. Risk analysis may be required to ensure residual risk at acceptable level. the
  5. CM-5All associated system documentation is updated to reflect the change.
  6. CM-6Emergency changes may be carried out based on a verbal/informed approval from the Change management committee Head and the Business process owner. However, post emergency, the standard procedure for documenting and risk analysis is to be applied.
1.6Personnel Security [PS]
12 controls+
  1. PS-1Ensure that the Human Resources (HR) processes are aligned with information security policies and initiatives of the organization.
  2. PS-2Ensure the HR department documents security requirements and obligations and ways of working in HR standard, which is read, understood and available to all staff to ensure.
  3. PS-3Obtain, manage, and retain information related to personnel with due care and due diligence, in line with the requirements for handling Personal Information as specified in the Personal Data Privacy and Protection Law.
  4. PS-4Ensure information security responsibilities are included as part of the employees’ job responsibilities and job descriptions and are applied throughout an individual’s employment within the organization.
  5. PS-5Conduct adequate screening to ascertain the integrity of prospective candidates for employment and contractors (including sub-contracted workers). The Organization may further extend this exercise to existing employees as deemed necessary to satisfy conditions arising out of factors such as but not limited to “Change of employee responsibilities” or “Suspicion raised on the conduct of an employee”.
  6. PS-6Ensure that staff sign an agreement, on joining the Organization or when there is a change in job profile or duties, which outlines their security obligations and responsibilities. This SHALL include: a. Confidentiality and non-disclosure obligations.
  7. PS-7Ensure that adequate controls are in place to prevent personnel (employees, vendors, contractors, and visitors) from making unauthorized disclosures, misusing or corrupting information as per Organization security policies.
  8. PS-8Ensure that users access rights are restrictive to the information they need to fulfill their job requirements as per least privilege and need to have principles.
  9. PS-9Implement a split of responsibilities over sensitive security processes and tasks, using the ‘four eyes’ principles to ensure knowledge sharing and to avoid a single individual having full control over critical processes or tasks.
  10. PS-10Define, communicate, and enforce a disciplinary process and ensure that employees are made aware of the process. Disciplinary processes SHOULD be documented in the employee or HR standard.
  11. PS-11Ensure that vendors, contractors, delegates, or guests visiting Organization premises are: a. Logged with unique identifiable information including date, time and purpose of admittance. b. Provided with a visitor badge or identification tag. c. Wearing a noticeable sign displaying their status as “visitor” at all times. d. Made aware of their obligations in complying with the security policies of the Organization. e. Escorted by Organization employees while accessing secure areas.
  12. PS-12Ensure that a change request from the HR department is generated when a change of duties or termination of contract of an employee, contractor or third party occurs. This ensures that employees, contractors and third parties return Organization assets and physical & logical access are amended/removed as appropriate.
1.7Security Awareness [SA]
8 controls+
  1. SA-1A security awareness programme is defined and adequate budgets are allocated for its implementation.
  2. SA-2As a minimum, such training includes a. Baseline requirements specified in this NIA Standard b. Organization’s security requirements c. Legal and regulatory responsibilities d. Business specific processes and controls e. Acceptable use of information processing facilities, (e.g., log-on procedures, use of software packages, etc.) f. Information on the enforcement and disciplinary process g. Information on who to contact for further security advice and the proper channels for reporting information security incidents
  3. SA-3All employees of the Organization and, where relevant, contractors and third-party users receive appropriate security awareness training regarding the Organization’s policies and procedures, as relevant for their job function, roles, responsibilities and skills.
  4. SA-4Employees should be trained to recognize social engineering attempts on them and not disclose any information that could violate the Organization’s security policies, such as during social gatherings, public events, and training events.
  5. SA-5Contents of the security training and awareness are reviewed and updated regularly to reflect new trends, new threats, and changes to the Organization’s information technology infrastructure or applicable laws and regulations.
  6. SA-6New employees are provided information security awareness training as part of the employee induction process and refresher training must be conducted on periodic basis.
  7. SA-7Training is followed up with an assessment, to ascertain the effectiveness of the programme, including maintaining of records of attendance of security awareness programmes.
  8. SA-8Indirect media such as posters, intranet, email, etc. may be used effectively to support the awareness programme.
1.8Incidents Management [IM]
9 controls+
  1. IM-1Appoint a person to own and manage the Incident Management programme, including a point of contact for all information security communications.
  2. IM-2Establish an information security incident response capability, based on the [IAP-NAT-DCLS] which can make a periodic risk assessment (from threat, vulnerability, and asset value) of data, processes, systems and networks in accordance with this Information Assurance Standard.
  3. IM-3Define procedures to detect, evaluate and respond to incidents.
  4. IM-4Define procedures to report, manage and recover from information security incidents, internally, with NCSA and with other support organizations including Law Enforcement Agencies.
  5. IM-5Create awareness amongst its staff to report incidents.
  6. IM-6Categories and prioritize all incidents based on the type of attack and the criticality of the impacted systems.
  7. IM-7Co-ordinate with NCSA to create a repository of incidents in the Organization.
  8. IM-8Report all Critical incidents to NCSA within two (2) hour of incident identification.
  9. IM-9The Incident Management coordinator is responsible for developing and executing an annual Security Assurance Plan. This may include activities such as penetration testing, audit of security procedures, and incident scenario testing.
1.9Business Continuity Management [BC]
9 controls+
  1. BC-1A person is appointed to own and manage the Business Continuity Program.
  2. BC-2A Business Continuity (BC) Plan is prepared to ensure continuance of critical processes and the delivery of essential services to an acceptable level. This plan SHALL include and be based on Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each Organization process.
  3. BC-3The BC Plan covers disaster scenarios possible and adequate and includes disaster recovery provisions.
  4. BC-4The BC Plan is maintained and updated to reflect the current status and requirements and relevant information is made available for all team members, employees and service providers.
  5. BC-5A copy of the up-to-date BC Plan along with the necessary backup data tapes media and information is stored in a fire/tamper proof safe, along with an additional copy stored in an off-site location. Best practices state that offsite location must be in a geographically different zone than the primary data centre.
  6. BC-6They identify alternate disaster recovery sites, whose readiness is determined by the RTO requirements. These sites may be Hot/Warm/Cold Sites depending upon the Organization’s requirements.
  7. BC-7They specify strong controls in contracts that involve outsourcing a portion of their business or information technology functions or business continuity services.
  8. BC-8The BC Plan is periodically tested at least on an annual basis or when significant changes take place in the business or legal/regulatory requirements.
  9. BC-9Awareness about the BC plan is created amongst its employees.
1.10Logging and Security Monitoring [SM]
9 controls+
  1. SM-1Adequate set of technical control implementations, or processes exist for logging, identification and continuous monitoring of access, changes, command execution to, any/all information assets for protection of business sensitive information.
  2. SM-2Monitoring practices are established in accordance with criticality of the infrastructure, data, and applications. It is RECOMMENDED to provide a 7/24 monitoring for C3, I3 and A3 classified infrastructures and ensure that monitoring responsibilities are allocated as specified in clause PS9, section 4 -6, Personnel Security [PS].
  3. SM-3Monitoring activity is in line with regulatory and legal frameworks such as the proposed Information Privacy & Protection Law and SHALL cover use or access to systems.
  4. SM-4They enable logging on all infrastructure and data processing equipment, and applications that are associated with the access, transmission, processing, security, storage, and/or handing of information classified with a confidentiality rating of C2 and above.
  5. SM-5They classify all security logs with a confidentiality rating of C3, while application and system logs SHALL be classified in accordance with the confidentiality rating of the system.
  6. SM-6Logs containing Personal Information have appropriate privacy protection measures in place, in accordance with the Proposed Information Privacy & Protection Legislation.
  7. SM-7These logs are retained for a minimum of hundred and twenty (120) days and a maximum depending on criticality assessments and sector specific laws and regulations.
  8. SM-8Organization’s MUST enable audit logging or log capture, to record date, time, authentication activity with unique user and system identifiers, including all failure or change actions, further including commands issued and output generated to provide enough information to permit reconstruction of incidents and move system to its original state.
  9. SM-9Exceptions are identified and reported in accordance with the Incident Handling policy, as defined in section 4- 8, Incident Management [IM].
1.11Data Retention and Archival [DR]
6 controls+
  1. DR-1They determine and document the retention periods of suitable information assets including but not limited to the critical information assets that they hold. Data retention periods SHALL, at a minimum, be governed by: a. Organization policies & needs b. Regulatory requirements c. Legal requirements
  2. DR-2Data, which needs to be retained, is stored ensuring confidentiality, integrity and availability and that it can be accessed for defined future purposes.
  3. DR-3Personal and sensitive Information is not retained for longer than it is necessary as per the Proposed Information Privacy & Protection Legislation.
  4. DR-4Processes for backup, archival and recovery of data have corresponding procedures which ensure that the integrity and confidentiality of the data is retained.
  5. DR-5Archived data retains it classification markings and is secured accordingly.
  6. DR-6The archiving technology deployed is regularly reviewed to ensure that it does not suffer from obsolescence and archived data is maintained in a state that allows successful recovery.
1.12Documentation [DC]
5 controls+
  1. DC-1Produce an organization security policy, incorporating the requirements of this NIA Standard.
  2. DC-2Ensure that every system that is determined to be critical to the Organization is covered by a system security plan/standard. Organizations SHOULD ensure that, where necessary, security operating procedures are created and documented.
  3. DC-3Ensure system security standards and procedures are aligned and consistent with the Organization’s security policies and objectives.
  4. DC-4By default, classify ICT security documentation as a minimum of C3/RESTRICTED
  5. DC-5Review and update documentation periodically to ensure that they are up to date and current.
1.13Audit & Certification [AC]
8 controls+
  1. AC-1Ensure the establishment of a governance and security improvement programme in compliance with the National Data Classification Policy [IAP-NAT-DCLS] and this NIA Standard.
  2. AC-2Comply with relevant provisions of Government Laws and regulations that exist at the time and those, which may be amended and / or added later in time.
  3. AC-3Be audited by the Accredited audit organization, designated by NCSA.
  4. AC-4Ensure that an audit of its Information System (infrastructure, people, and processes) is carried out at least once every year or whenever it undergoes a change that may impact the security of the Organization.
  5. AC-5Ensure that the identified scope of the audit process is approved by the NCSA, and includes all information assets, people, and processes.
  6. AC-6Ensure that recertification is carried out where any change or new finding invalidates or calls into question the current accreditation. Full certification is required for major changes affecting the basic security design of a system and a partial process is needed where the change is moderate or affects two or more security requirements.
  7. AC-7Ensure that all non-conformance is fixed in a defined timeline.
  8. AC-8Ensure that any exemptions are approved by the competent department within the NCSA.
NIA SECTION 2
Security Controls
NIA Section 5 — Security Controls (13 domains).
13
DOMAINS
259 controls
2.1Communication Security [CS]
12 controls+
  1. CS-1Advise users of the maximum permitted classification level for conversations of both internal and external telephone connections, as determined by the examination of the internal telephone system and the level of the encryption, if any, on external connections.
  2. CS-2Separate cabling distribution is used for systems dealing with information classified at C4 and above
  3. CS-3Conduits installed in public, or visitor areas are not labelled in a manner that attract undue attention by people who may not have the appropriate security clearances or a need-to-know of the existence of such cabling
  4. CS-4They maintain a register of cables. The register SHOULD record at least the following: a. cable identification number, b. classification, c. source, d. destination, and e. floor plan diagram.
  5. CS-5Inspect cables for inconsistencies with the cable register on a regular basis
  6. CS-6Organization’s MAY provision for redundant communication pathways to ensure continued connectivity.
  7. CS-7Advise users of the maximum permitted classification level for conversations of both internal and external telephone connections, as determined by the examination of the internal telephone system and the level of the encryption, if any, on external connections
  8. CS-8Ensure that the speakerphone feature is disabled during telephonic/video conversations where information classified at C3 or above is likely to be discussed and where it may be overheard.
  9. CS-9Ensure that remote initiation of conferencing equipment is not enabled where it is installed in a sensitive location.
  10. CS-10Ensure that rooms designated for communication of sensitive material or information, or meetings have appropriate controls for preventing the leakage of sound.
  11. CS-11Ensure that fax machines on both ends are secured using encryption devices, while sending information classified as C2 and above.
  12. CS-12Ensure that all of the standards for the use of fax machines are met at both ends for the level of classification to be sent, and the sender makes arrangements for the receiver to: a. collect the information from the fax machine as soon as possible after it is received, and b. notify the sender if the fax does not arrive within an agreed amount of time, e.g., 10 minutes.
2.2Network Security [NS]
66 controls+
  1. NS-1Details of internal network and system configuration, employee or device related directory services and other sensitive technology are not publicly disclosed or enumerable by unauthorized personnel.
  2. NS-2They remove or disable all the default accounts e.g., root, administrator, etc. or change the password as specified in section 5-6, Software Security [SS].
  3. NS-3Network configuration is kept under the control of the network manager or similar and all changes to the configurations are: a. approved through a formal change control process as defined in section B- 5, Change Management [CM] b. documented, and comply with the network security policy and security plan as defined in section 4- 12, Documentation [DC]. c. regularly reviewed. Old configurations as mandated by the Organization’s procedures are maintained as part of change revision. The frequency of reviewing configuration shall depend on the Organization risk and processes.
  4. NS-4For each managed network the Organization has: a high level diagram showing all connections into the network, and a logical network diagram showing all network devices. processes to update NS4 (a) & (b), as network changes occur include a “Current at <date>” label on each page.
  5. NS-5Networks are designed and configured to limit opportunities of unauthorized access to information transiting the network infrastructure. Organizations SHOULD use the following technologies to meet this requirement: a. switches instead of hubs, b. port security on switches to limit access and disable all unused ports c. routers and firewalls segregating parts of the network on a need-to-know basis, d. IPSEC/IP Version 6 e. application-level encryption
  6. NS-6Management networks adopt the following protection measures: a. dedicated networks are used for management devices, i.e. implement a separate management VLAN, or physically separate infrastructure, b. secure channels e.g., by using VPNs, SSH, etc.
  7. NS-7VLANs are used to separate IP telephone traffic, in business critical networks.
  8. NS-8Administrative access is only permitted from the most highly classified VLAN to one at the same level of classification or of lower classification.
  9. NS-9They implement all security measures recommended by the Organization’s risk assessment and the hardening guidelines by the vendor of the switch.
  10. NS-10Trunking/port mirroring SHALL not be used on switches managing VLANs of differing classifications.
  11. NS-11Network-connected MFDs are not used to copy documents classified above the level of the connected network
  12. NS-12Where network connected MFDs have the ability to transmit information via a gateway to another network, Organizations MUST ensure that: a. each MFD applies user identification, authentication and audit functions for all information transmitted by users from that MFD, b. these mechanisms are of similar strength to those required for workstations on that network, and c. *the gateway can identify and filter the information in accordance with the requirements for the export of data.
  13. NS-13There is no direct connection from an MFD to a telephone network of a lower classification unless the MFD has been evaluated, and the scope of the evaluation includes: a. information flow control functions to prevent unintended and unauthorized data flows, b. data export controls capable of blocking information based on information classification, c. authentication, and audit data generation and protection
  14. NS-14They deploy MFDs after developing a set of policies, plans and procedures governing the use of the equipment.
  15. NS-15Information classified at C1 or above is not retained permanently in the MFD. Where the MFD has features to schedule jobs, sufficient standard/automatic controls or configurations SHALL exist to remove the information from its memory once the job is complete.
  16. NS-16MFDs follow the procedures specified in section 5-8.3, Media Sanitization.
  17. NS-17A separate internal DNS server is set up and placed in the internal network for internal domain information that is not disclosed to the Internet.
  18. NS-18DNS information that should be made public either has a locally hosted and secured (bastion server) server. Government Organizations may also use the Government DNS which is part of the Government Network as the Primary DNS.
  19. NS-19DNS servers are deployed to ensure there is no single points of failure in their service, they are security-hardened, and security is proactively maintained.
  20. NS-20Zones files are digitally signed, and cryptographic mutual authentication and data integrity of zone transfers and dynamic updates is provided.
  21. NS-21Cryptographic origin authentication and integrity assurance of DNS data is provided.
  22. NS-22DNS services including zone transfers are provided to authorized users only.
  23. NS-23Cryptographic functions related to NS 20 and NS 21 above, use a hardware security module for both key management and cryptographic processing as specified in section 5- 10, Cryptographic Security [CY].
  24. NS-24All software and files downloaded from the Internet are screened and verified against malicious software, including mechanisms to scan HTTP traffic.
  25. NS-25The Internet gateway denies all Internet services unless specifically enabled.
  26. NS-26Web browsers running on user’s workstation are properly configured and updated. Organizations SHOULD reference the following guidelines when configuring web browsers: a. Disable any active content options, e.g. Java, JavaScript and ActiveX, in the email application/ browser, except when communicating with a trusted source b. Use up-to-date browser versions and apply latest security patches c. Disable password auto-complete/password remembering features d. Enable pop-up blocking features, except when communicating with trusted sites e. Regularly remove cache files or temporary files of the browsers to protect data privacy f. Disable automatic installation of plug-ins, add-ons, or software
  27. NS-27They have the capability needed to monitor the traffic, deduce traffic patterns, usage etc. See section 4- 10, Logging & Security Monitoring [SM] for more information.
  28. NS-28E-mail servers are hardened as per best practices and configured as a bastion server. If technically and operationally feasible, information revealing the specific details of internal systems or configurations MUST be avoided in email headers to avoid the disclosure of system information to external parties.
  29. NS-29TLS protection is used with the SMTP Mail server in line with section 5-10, Cryptographic Security [CY].
  30. NS-30They implement the email Sender Policy Framework (SPF) [RFC4408]. Organizations SHOULD only send undeliverable or bounce emails to senders that can be verified via SPF.
  31. NS-31Internal email distribution lists are secured to prevent access from external parties to reduce the risk of unsolicited email.
  32. NS-32Email gateways are employed to scan all incoming and outgoing emails to ensure it complies with the Organization’s security policy and that it is free of any malicious code.
  33. NS-33Where wireless LANs (WLANs) are used, they are used with sufficient authentication and transmission encryption measures in place, complemented by proper security management processes and practices.
  34. NS-34Strong wireless security protocols such as WPA2 and EAP-TLS are used. However, such wireless security protocol should not be solely relied upon to protect data confidentiality and integrity. Organization SHALL deploy dynamic key exchange mechanisms, secure Virtual Private Network (VPN) on top of wireless network if classified data, C3 and above, is to be communicated over wireless networks. WEP SHALL NOT be implemented within any network.
  35. NS-35A good inventory of all devices with wireless interface cards is maintained. Once a device is reported missing, consider modifying the encryption keys and SSID.
  36. NS-36Network administrators regularly scan for “rouge” or “unauthorized” wireless access points.
  37. NS-37Access points are located to minimize network tapping from publicly accessible area.
  38. NS-38The client-side settings for 802.1x MUST be secured. Some of the techniques are server certificate validation by selecting the CA certificate, specify the server address and disable it from prompting users to trust new certificates or servers.
  39. NS-39The network default name, encryption keys and Simple Network Management Protocol (SNMP) community strings (and any insecure configuration) is changed at installation. SSID SHALL NOT reflect the name of any Organization’s departments, system name or product name.
  40. NS-40For non-public wireless access points, encryption keys are regularly changed and SSID broadcasting is disabled. Where applicable MAC address filtering SHOULD also be considered.
  41. NS-41A firewall or router is in place between the access point and the Organization’s network to filter connections. Restricted firewall rules MUST be applied to allow only needed ports to pass from the wireless segment.
  42. NS-42WIPS/WIDS installation is recommended for networks with C+3 to monitor threats from wireless installations like rouge Aps, DOS attacks, etc.
  43. NS-43Use multiple SSIDs with different configurations for different VLANs, client authentication methods, etc. For example, contract staff or guest may use a different WIFI connections. Guest WIFI may have lower security and may only allow for connecting to the internet.
  44. NS-44NTP servers MUST be secured as per best practices.
  45. NS-45Where a computer or communications device has the capability to operate a real-time clock, it shall be set to an agreed standard, e.g., Universal Coordinated Time (UTC) or local standard time. As some clocks are known to drift with time, there shall be a procedure that checks for and corrects any significant variation.
  46. NS-46Government Organization’s MAY use the authorized Qatari Government time server (a part of the Government Network) as the primary NTP server.
  47. NS-47All servers and network devices are synchronized with the local Organization NTP server which is synchronized as specified in NS45 and NS46.
  48. NS-48VPNs carrying classified data at C3 or above, SHALL authenticate using two-factor authentication: • First one a one-time password authentication such as a token device or a public/private key system with a strong passphrase • Second username and password using external authentication server (LDAP, Radius, TACACS .etc.)
  49. NS-49VPNs disconnect automatically from Organization’s network after a pre-defined period of inactivity. The user SHALL be required to logon again to reconnect to the network.
  50. NS-50Dual (split) tunnelling is not permitted unless suitable controls are in place. Organizations SHOULD only permit one network connection at a time.
  51. NS-51All computers connected to a Organization’s networks via VPN are equipped with personal security software, latest security patches, anti-virus software and malicious code detection and repair software. This security software SHALL be activated at all times and with the latest virus signatures and malicious code definitions.
  52. NS-52Gateway-level firewalls are installed to control network traffic from VPN clients to authorized information systems or servers.
  53. NS-53Voice and data are separate networks. The separation SHOULD be physical, but use of Virtual LANS is permitted. The voice gateway, which interfaces with the PSTN segregates H.323, SIP, or other VoIP protocols from the data network.
  54. NS-54VoIP capable gateways and other appropriate security mechanisms are employed.
  55. NS-55They evaluate and use security enabled protocols such as Secure Real Time Protocol (SRTP) and disable unnecessary voice protocols.
  56. NS-56Proper physical counter measures are in place to protect the VoIP infrastructure.
  57. NS-57Adequate call log monitoring is implemented.
  58. NS-58Soft phones, if permitted are through a secure connection. e.g. secure VPN.
  59. NS-59Backup power is provided to POE VoIP phone devices in case of failure of power.
  60. NS-60Strong authentication and access controls are implemented to protect the voice gateway system.
  61. NS-61IPSEC or Secure Shell (SSH) is used for all remote management and auditing access.
  62. NS-62Contingency plans for making voice calls are developed if VoIP systems become unavailable.
  63. NS-63Port security features are enabled on the network LAN switches that connect VoIP devices.
  64. NS-64A proper risk assessment is conducted by the Organization to assess the security merits and demerits of IPv4 and IPv6 technology. Organizations SHOULD start considering IPv6 deployment.
  65. NS-65A proper risk assessment is conducted if the Organization decided to implement a dual-stack environment.
  66. NS-66Recertification is requested where Organizations deploy IPv6 in their network.
2.3Information Exchange [IE]
13 controls+
  1. IE-1Prior to establishing cross-domain connectivity, the Organization evaluates, understands, and accepts the structure, security, and risks of other domains. This risk review SHALL be documented for compliance requirements.
  2. IE-2When intending to connect an organization network to another secured network, they: a. obtain a list of networks to which the other network is connected from the other network’s Accreditation, Authority and System Manager, b. examine the information from both sources to determine if any unintended cascaded connections exist, and c. consider the risks associated with any identified cascaded connections prior to connecting the Organization network to the other network, particularly where a connection to an un-trusted network such as the internet may exist.
  3. IE-3Ensure that necessary agreements (specifically confidentiality agreements) between the entities exchanging information have been established prior to information exchange. Agreements SHALL provide information on responsibilities, information exchange notification procedure, technical standards for transmission, identification of couriers, liabilities, ownership, and controls. For vendors and 3rd parties a formal Non-Disclosure Agreement (NDA) SHALL be used. Appendix B provides an NDA template.
  4. IE-4Ensure media which is used to exchange information is protected against unauthorized access, manipulation, or misuse within or outside the Organization environment.
  5. IE-5Maintain the classification and protection of information that has been obtained from another Organization.
  6. IE-6Maintain appropriate levels of physical protection for media in transit and store in packaging that protects it against any hazard that would render the content unreadable.
  7. IE-7Ensure only reliable and trusted courier service or transport organization SHALL be used based on a list of known and authorized couriers.
  8. IE-8Protect information exchanged via electronic messaging from unauthorized access, change or interruption of service.
  9. IE-9Ensure secure messaging (information is digitally signed and/or encrypted) is used for all information classified at C3 or above. Organizations SHALL use Secure Multipurpose Internet Mail Extension (S/ MIME), equivalent or better protocol for secure messaging as specified in clause CY5, section 5- 10, Cryptographic Security [CY].
  10. IE-10Attach the following email disclaimer, or similar, to all outgoing email: “The information in this email, including attachments, may contain information that is confidential, protected by intellectual property rights, or may be legally privileged. It is intended solely for the addressee(s). Access to this email by anyone else is unauthorized. Any use, disclosure, copying, or distribution of this email by persons other than the designated addressee is prohibited. If you are not the intended recipient, you should delete this message immediately from your system. If you believe that you have received this email in error, please contact the sender or < Organization’s name & contact information>. Any views expressed in this email, or its attachments are those of the
  11. IE-11Exercise due diligence to ensure that any information sent/received is free of viruses, trojans and other malicious code
  12. IE-12Ensure information exchanged between systems is secured against misuse, unauthorized access, or data corruption. For transmitting information classified at C2, I2 or above, authenticated, and encrypted channels SHALL be used as specified in CY5, section 5- 10, Cryptographic Security [CY].
  13. IE-13Limit the information provided to the general public (via media outlets), to sanitized and approved information, through a designated and trained media relation spokesperson.
2.4Gateway Security [GS]
17 controls+
  1. GS-1Networks are protected from other networks by gateways and data flows are properly controlled
  2. GS-2Gateways connecting Organization networks to other Organization networks, or to uncontrolled public networks, are implemented: a. with an appropriate network device to control data flow b. with all data flows appropriately controlled c. with gateway components physically located within an appropriately secured server room.
  3. GS-3Only authorized and trained staff manage and maintain gateways
  4. GS-4Administrative or management access to gateways processing or transmitting information classified at C3 or above is only provided based on dual control and the ‘four eyes’ principles.
  5. GS-5Information exchanged through gateways is labelled as per the National Information Classification policy [IAP-NAT-DCLS] and protected as specified in this document. Gateways SHALL be classified in line with the information they are transmitting.
  6. GS-6Demilitarized zones (DMZs) are used to separate externally accessible systems from uncontrolled public networks and internal networks via usage of firewalls and other network security capable equipment.
  7. GS-7Gateways: a. are the only communications paths into and out of internal networks b. by default, deny all connections into and out of the network c. allow only explicitly authorised connections d. are managed via a secure path isolated from all connected networks e. provide sufficient audit capability to detect gateway security breaches and attempted network intrusions f. provide real-time alarms.
  8. GS-8Gateways are hardened prior to any implementation on production site and are protected against: a. Malicious code and vulnerabilities b. Wrong or poor configurations c. Account compromise and privilege escalation d. Rogue network monitoring e. Denial of service (DoS) attacks f. Information/data leakage
  9. GS-9Monitoring and supervision of gateways is in place and include threat prevention mechanisms, logging, alerts, and surveillance of equipment. Section 4- 10, Logging & Security Monitoring [SM].
  10. GS-10Gateways block or drop any data identified by a content filter as suspicious, including at least the following: a. *Offensive language or attachments b. Malware infected content c. DoS attacks d. *Categories of website/content defined as inappropriate in the proposed Cyber Crime Law including sites hosting obscene material, gambling sites, etc.
  11. GS-11System users: a. are held accountable for the data they export b. are instructed to perform a protective marking check, a visual inspection and a metadata check if relevant on whether the information can be exported
  12. GS-12Data exports are either: or a. performed in accordance with processes and/or procedures approved by the Organization; b. individually approved by the information security manager.
  13. GS-13Export of data to a less classified system is restricted by filtering data using at least checks on classification labels.
  14. GS-14Data exports are checked, ensuring: a. keyword searches are performed on all textual data b. any unidentified data is quarantined until reviewed and approved for release by a trusted source other than the originator.
  15. GS-15System users: a. are held accountable for the data they import b. are instructed to perform a protective marking check, a visual inspection and a metadata check if relevant.
  16. GS-16Data imports are either: a. performed in accordance with processes and/or procedures approved by the Organization; or b. individually approved by the information security manager.
  17. GS-17Data imported to a Organization system is scanned for malicious and active content.
2.5Product Security [PR]
9 controls+
  1. PR-1The process for product selection is carried out with due diligence and ensures product and vendor independence.
  2. PR-2Products are classified and labelled as per National Data Classification policy [IAP-NAT-DCLS].
  3. PR-3The selection process includes proper identification of vendor, screening of vendors and evaluation criteria definition which should include as a minimum: a. Vendor status and identification, including location and ownership b. Financial situation c. References from previous successful engagements d. The ability of the vendor to build and/or maintain appropriate controls as determined by a risk assessment
  4. PR-4Proper testing and effective matching between vendor’s claim and functionality are carried out, to avoid loss of confidentiality, integrity and/or availability.
  5. PR-5Security evaluation of the product is done on a dedicated evaluation configuration including functionality tests, security tests and patching to protect against potential threats and vulnerabilities.
  6. PR-6Delivery of products is consistent with the Organization’s security practice for secure delivery.
  7. PR-7Secure delivery procedures SHALL include measures to detect tampering or masquerading.
  8. PR-8Products have been purchased from developers that have made a commitment to the ongoing maintenance of the assurance of their product.
  9. PR-9Product patching and updating processes are in place. Updates to of products SHALL follow the change management policies specified in section 4- 5, Change Management [CM].
2.6Software Security [SS]
32 controls+
  1. SS-1Security is considered in all phases of the SDLC and that it is an integral part of all system development or implementation project.
  2. SS-2All applications (including new and developed) are classified using the National Data Classification Policy [IAP-NAT-DCLS] and accorded security protection appropriate to its Confidentiality, Integrity, and Availability ratings.
  3. SS-3Security requirements (functional, technical and assurance requirements) are developed and implemented as part of system requirements.
  4. SS-4Dedicated test and development infrastructure (systems and data) are available and is separate from production systems. Furthermore, information flow between the environments SHALL be strictly limited according to a defined and documented policy, with access granted only to system users with a clear business requirement and write access to the authoritative source for the software SHALL be disabled.
  5. SS-5All applications (acquired and/or developed) are available for production use only after appropriate quality and security assurance tests and checks to ensure that the system confirms and complies with the intended security requirements.
  6. SS-6Software developers use secure programming practices when writing code, including: a. complying with best practices, for example the Mitre top 25 most dangerous programming errors [Mitre] b. designing software to use the lowest privilege level needed to achieve its task c. denying access by default d. checking return values of all system calls e. validating all inputs.
  7. SS-7Software should be reviewed and/or tested for vulnerabilities before it is used in a production environment. Software SHOULD be reviewed and/or tested by an independent party and not by the developer.
  8. SS-8System (acquired and/or developed) complies with all legal requirements including license, copyrights, IPR etc.
  9. SS-9All systems (acquired and/or developed) are adequately documented.
  10. SS-10Source code of custom developed critical applications is available and in the case of commercial applications (serving critical applications / processes) a Organization SHOULD investigate options of arranging an escrow for the source code.
  11. SS-11Prior to commissioning of applications, they are certified as specified in section 4- 13, Audit & Certification [AC].
  12. SS-12All server and workstation security objectives and mechanisms are documented in the relevant system security plan.
  13. SS-13Workstations use a hardened standard operating environment (SOE) covering: a. removal of unwanted software b. disabling of unused or undesired functionality in installed software and operating systems c. implementation of access controls on relevant objects to limit system users and programs to the minimum access needed to perform their duties d. installation of software-based firewalls limiting inbound and outbound network connections e. configuration of either remote logging or the transfer of local event logs to a central server.
  14. SS-14Potential vulnerabilities in their SOEs and systems are reduced by: a. removing unnecessary file shares b. ensuring patching is up to date c. disabling access to all unnecessary input/output functionality. d. removing unused accounts e. renaming default accounts f. replacing default passwords.
  15. SS-15High risk servers e.g., Web, email, file and Internet Protocol telephony servers, etc. having connectivity to uncontrolled public networks: a. maintain effective functional separation between servers allowing them to operate independently b. minimise communications between servers at both the network and file system level, as appropriate c. limit system users and programs to the minimum access needed to perform their duties.
  16. SS-16Check the integrity of all servers whose functions are critical to the Organization, and those identified as being at a high risk of compromise. Wherever possible these checks SHOULD be performed from a trusted environment rather than the system itself.
  17. SS-17Store the integrity information securely off the server in a manner that maintains integrity
  18. SS-18Update the integrity information after every legitimate change to a system
  19. SS-19As part of the Organization’s ongoing audit schedule, compare the stored integrity information against current integrity information to determine whether a compromise, or a legitimate but incorrectly completed system modification, has occurred.
  20. SS-20Resolve any detected changes in accordance with the Organization’s information and communications technology (ICT) security incident management procedures.
  21. SS-21All software applications are reviewed to determine whether they attempt to establish any external connections. If automated outbound connection functionality is included, Organizations SHOULD make a business decision to determine whether to permit or deny these connections, including an assessment of the risks involved in doing so.
  22. SS-22All active content on their Web servers is reviewed for security issues. Organizations SHOULD follow the documentation provided in the Open Web Application Security Project (OWASP) guide to building secure Web applications and Web services.
  23. SS-23Connectivity and access between each Web application component is minimised.
  24. SS-24That Personal Information and sensitive data is protected whilst in storage and in transmission using appropriate cryptographic controls.
  25. SS-25Critical sector websites that need to be strongly authenticated, use SSL certificates provided from a Certificate Service Provider (CSP) licensed in the State of Qatar.
  26. SS-26Web application firewall (WAF) MUST be used for applications with MEDIUM or higher risk rating.
  27. SS-27All information stored within a database is associated with an appropriate classification if the information: a. could be exported to a different system, or b. contains differing classifications and/or different handling requirements.
  28. SS-28Organizations should ensure that classifications are applied with a level of granularity sufficient to clearly define the handling requirements for any information retrieved or exported from a database.
  29. SS-29Database files are protected from access that bypasses the database’s normal access controls.
  30. SS-30Databases provide functionality to allow for auditing of system users’ actions.
  31. SS-31System users who do not have sufficient privilege to view database contents cannot see associated metadata in a list of results from a search engine query. If results from database queries cannot be appropriately filtered, Organizations MUST ensure that all query results are appropriately sanitized to meet the minimum-security privilege of system users.
  32. SS-32Sensitive data in database shall be masked using data masking technology for C3 & above.
2.7System Usage Security [SU]
11 controls+
  1. SU-1System users SHALL be responsible for the information assets (systems / infrastructure) provided to them to carry out their official responsibilities. They SHALL handle the information assets with due care and operate them in line with the vendor / Organization’s Acceptable usage policy.
  2. SU-2System users will conduct due diligence when accessing the web and browsing the web SHALL strictly follow Organization principles and guidelines on accessing the internet. Organizations SHOULD consider whether usage of forums, social networks, etc is permitted or not.
  3. SU-3ICT assets are protected against web-based threats by implementing measures that will prevent downloading software programs, active content and non- business-related websites.
  4. SU-4Web access is provided through secure proxies and filtering gateways as defined in section 5-4, Gateway Security [GS].
  5. SU-5Staff is aware of the types of content permitted and restricted within the Organization, as specified in section 4- 4, Gateway Security [GS]. Organizations SHOULD consider an effective solution for monitoring content of encrypted channels.
  6. SU-6Staff use e-mail with due diligence and include necessary classification labelling depending upon the content/attachments according to National Data Classification Policy [IAP-NAT-DCLS].
  7. SU-7Appropriate measures are taken that e-mail is protected against potential threats as viruses, trojans, spam mails, forgery and social engineering.
  8. SU-8Staff is aware that web based public e-mail services are not allowed to be used to send and receive e-mails from Organization systems.
  9. SU-9Staff is aware that e-mails used to exchange confidential information SHOULD only be sent to named recipients and not to a group or distribution list.
  10. SU-10Staff is aware that the use of automatic forwarding of e-mails is dependent upon the sensitivity of their normal e-mails. Emails carrying information classified at C2 and above SHALL NOT be automatically forwarded outside to the Organization’s systems.
  11. SU-11When dealing with external parties, Organizations ensure that external recipients/originators understand and agree on the usage of classified data as defined in section 5-3, Information Exchange [IE].
2.8Media Security [MS]
21 controls+
  1. MS-1Hardware containing media is classified at or above the classification of the information contained on the media
  2. MS-2Non-volatile media is classified to the highest classification of information stored on it
  3. MS-3Volatile media that has a continuous power supply is classified to the highest classification of information stored on it while the power is on. Volatile media may be treated as classified C1 information once the power is removed from the media.
  4. MS-4Storage media is reclassified if: a. information copied onto that media is of a high classification, b. information contained on that media is subject to a classification upgrade
  5. MS-5Media holding classified information may be declassified after: a. the information on the media has been declassified by the originator, or b. the media has been sanitized in accordance with section 5-8.3, Policy & Baseline Controls - Media Sanitization
  6. MS-6If the storage media cannot be sanitized, then it cannot be declassified and MUST be destroyed.
  7. MS-7The classification of all media is readily visually identifiable. Organizations SHOULD achieve this by labelling media with a protective marking that states the maximum classification as specified in section 4-4, Data Classification Label [DL]
  8. MS-8Classification of all media is easily visually identifiable. When using non-textual representations for classification markings due to operational security, Organizations SHALL document the labelling scheme and train staff members appropriately.
  9. MS-9They document procedures for the sanitisation of media, which are regularly tested.
  10. MS-10All media types which contain information classified as C1 or above are destroyed prior to disposal: a. microfiche & microfilm b. optical discs c. printer ribbons and the impact surface facing the platen d. programmable read-only memory e. read-only memory f. faulty media that cannot be successfully sanitised.
  11. MS-11Volatile media is sanitised by: a. removing power from the media for at least 10 minutes, or b. overwriting all locations of the media with an arbitrary pattern followed by a read back for verification.
  12. MS-12Non-volatile magnetic media is sanitised by: a. overwriting the media, if pre2001- or under 15GB, in its entirety, with an arbitrary pattern followed by a read back for verification three times b. overwriting the media, if post2001- or over 15GB, in its entirety, with an arbitrary pattern followed by a read back for verification one time; or c. using a degausser with sufficient field strength for the coercivity of the media (NOTE: Degaussing may render some modern media unusable)
  13. MS-13Non-volatile EPROM media is sanitised by erasing as per the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media once in its entirety with a pseudo random pattern. Sanitization of media with rating C3 & above SHOULD be documented.
  14. MS-14Flash memory media is sanitized by overwriting the media twice in its entirety with a pseudo random pattern, followed by a read back for verification.
  15. MS-15Appropriately vetted and briefed personnel carry out repairs and maintenance for hardware containing classified information.
  16. MS-16Repairs on systems containing classified information rated C3 or above are carried out under supervision.
  17. MS-17They document procedures for the sanitisation of media, which are regularly tested.
  18. MS-18Media is destroyed by: a. Degaussing non-volatile magnetic media b. breaking up the media c. heating the media until it has either burnt to ash or melted.
  19. MS-19Staff members supervise the destruction of media: a. handling the media to the point of destruction b. ensuring that the destruction is completed successfully. c. C3 & above media destruction must be documented.
  20. MS-20Media, including faulty media, containing classified information is sanitised to the extent possible prior to disposal.
  21. MS-21The disposal of media and media waste does not attract undue attention.
2.9Access Control Security [AM]
41 controls+
  1. AM-1Users will be provided access based on the concept of “least privilege” and governed by a “Need to Know” or a “Need to Have” basis.
  2. AM-2Access will be managed and controlled through system access controls, identification and authentication, and audit trails based on the sensitivity of the information. These request s for access SHALL be authorized by a staff member’s supervisor or manager.
  3. AM-3Access rights of a user or entity to create, read, update, delete or transmit a Organization’s information assets SHALL be based on a matrix (hierarchical) model of rights defined by business rules established by the owners of that information.
  4. AM-4A process is established which, upon any employee role or status change (including termination), ensures that information system access is updated to reflect the employee’s new role
  5. AM-5System users that need additional access to bypass security mechanisms for any reason seek formal authorisation from the Security Manager
  6. AM-6Any unauthorized effort to circumvent the Organization’s access control SHALL be perceived as a security incident and SHALL be handled in accordance with established incident handling procedure and/or appropriate human resources policies and procedures.
  7. AM-7Audit logs SHALL be enabled and maintained in such a manner as to allow compliance monitoring with government policy and to assist in Incident Management.
  8. AM-8Logical access to Organization Networks is technically controlled. This MAY be by using Network Admission Control (NAC) services/devices.
  9. AM-9Secure records are maintained of: a. all authorised system users b. their user identification c. who provided the authorisation to access the system d. when the authorisation was granted e. maintain the record for the life of the system to which access is granted.
  10. AM-10A logon banner is displayed before access to the system is granted. These banners SHOULD cover: a. access is only permitted to authorised system users b. the system user’s agreement to abide by relevant security policies c. he system user’s awareness of the possibility that system usage is being monitored d. the definition of acceptable use for the system e. legal ramifications of violating the relevant policies. f. Wherever possible requires a system user response, as acknowledgement
  11. AM-11Centralised authentication repositories such as LDAP, authentication databases, etc. are protected from denial-of-service attacks and use secure and authenticated channels for retrieval of authentication data. Such repositories SHALL log the following events: a. Unauthorized update/access b. Start and end date and time of activity, together with system identifier c. User identification (for illegal logon) d. Sign-on and sign-off activity (for illegal logon) e. Session/terminal or remote connection
  12. AM-12They develop and maintain a set of policies, plans and procedures, derived from the National Data Classification Policy [IAP-NAT-DCLS], covering system users’: a. identification b. authentication c. authorisation
  13. AM-13They educate their system users of the Organization’s policies and procedures.
  14. AM-14All system users are: a. uniquely identifiable b. authenticated on each occasion that access is granted to a system.
  15. AM-15Individuals who are not employees, contractors, or consultants are not granted a user account or be given privileges to use the Organization’s information resources or communications systems unless explicitly approved by the Security Manager who SHALL check that appropriate agreements, clearance and access forms have been completed.
  16. AM-16That alternate methods of determining the identification of the system user are in place when shared/non-specific accounts are used.
  17. AM-17Unprotected authentication information that grants system access, or decrypts an encrypted device is located on, or with the system or device, to which the authentication information grants access to.
  18. AM-18System authentication data whilst in use is not susceptible to attacks including, but not limited to, replay, man-in-the-middle and session hijacking
  19. AM-19A password policy enforcing either a minimum password length of 12 characters with no complexity requirement or a minimum password length of seven characters, consisting of at least three of the following character sets: a. lowercase characters (a-z) b. uppercase characters (A-Z) c. digits (9-0) d. punctuation and special characters
  20. AM-20Passwords are changed at least every 90 days
  21. AM-21System users cannot change their password more than once a day and the system force the user to change an expired password on initial logon or if reset.
  22. AM-22Chosen passwords are checked to prevent: a. predictable reset passwords b. reuse of passwords when resetting multiple accounts c. passwords to be reused within eight password changes d. users to use sequential passwords
  23. AM-23Screen and/or session locks configured to: a. activate after a maximum of 15 minutes of system user inactivity b. activate standardly by the system user, if desired c. lock to completely conceal all information on the screen d. ensure the screen does not appear to be turned off while in the locked state e. have the system user re-authenticate to unlock the system f. deny system users the ability to disable the locking mechanism.
  24. AM-24Access to a system is suspended after a specified number of failed logon attempts or as soon as possible after the staff member no longer needs access, due to changing roles or leaving the Organization.
  25. AM-25Lost, stolen, compromised passwords are immediately: a. reported, to the Security Manager who SHALL ensure the corresponding account is suspended b. changed upon user identity verification
  26. AM-26Accounts that are inactive for more than three (3) months are suspended.
  27. AM-27Accounts on systems processing information rated C2, I2, A2 or above are audited for currency on a six (6) monthly basis.
  28. AM-28Security policies document any access requirements, security clearances and briefings necessary for system access.
  29. AM-29System users have been vetted as specified in section 4- 6, Personnel Security [PS], before being granted access to a system.
  30. AM-30System users have received any necessary briefings before being granted access to a system.
  31. AM-31The use of privileged accounts is documented, controlled and accountable and kept to a minimum. Privileged accounts SHALL only be used for administrative work
  32. AM-32System administrators are assigned an individual account for undertaking their administration tasks
  33. AM-33Only Qatari nationals have privileged access to systems processing information classified at C4 and above unless explicit authorisation for exemption to this policy is given.
  34. AM-34System management log is updated to record the following information: a. sanitisation activities b. system start-up and shutdown c. component or system failures d. maintenance activities e. backup and archival activities f. system recovery activities g. special or out of hours activities.
  35. AM-35Remote access SHALL NOT be provided unless authorized explicitly by the department head and only if it is warranted by business requirements and only after due diligence has been performed to analyse associated risks and suitable controls are implemented to mitigate the identified risks.
  36. AM-36Two factor authentication, using a hardware token, biometric control or similar is used when accessing systems processing data classified at C3 or above.
  37. AM-37Remote access sessions are secured by using suitable end-to-end encryption as specified in section 5-10, Cryptographic Security [CY].
  38. AM-38Remote access computers are equipped with at a minimum, a personal firewall and anti-malware software. These security controls SHALL be activated at all times.
  39. AM-39Software, including security software on these computers SHALL be patched and kept up to date.
  40. AM-40Users do not access Organization internal systems from public computers e.g., Cyber Cafes etc. or print material to any public computer.
  41. AM-41Vendor remote access is limited to situations where there are no other alternatives. In this case, initiation of the connection SHALL be controlled and monitored by the Organization. Vendor remote access SHALL only be for a defined period of time, dictated by the duration of the task being undertaken.
2.10Cryptographic Security [CY]
12 controls+
  1. CY-1Cryptographic algorithms, encryption hardware/software, key management systems and digital signatures shall demonstrate compliance with the Approved Encryption/ Cryptographic Algorithms and Systems as specified by the competent authority within the Law No. (16) of 2010 on the Promulgation of the Electronic Commerce and Transactions Law.
  2. CY-2The lifetime of the key SHALL be determined by the primarily by the application and the information infrastructure it is used in. Keys SHALL be immediately revoked and replaced if it has been or suspected of being compromised.
  3. CY-3Information assets classified as C3 [IAP-NAT-DCLS] are encrypted and protected against unauthorized disclosure when stored and/or in transit regardless of the storing format or media. Organizations MAY apply these cryptographic controls to assets with lower confidentiality requirements, if determined necessary by their risk assessment.
  4. CY-4Information assets classified as I3 [IAP-NAT-DCLS] have assured integrity using cryptographic hashing. Organizations MAY apply these cryptographic controls to assets with lower integrity requirements, if determined necessary by their risk assessment.
  5. CY-5The following protocols or better, with approved algorithms outlined in “Qatar National Cryptographic Standard - English v1.0 (or higher)” issued by the competent authority, are used for securing data classified as C3 when in transit: a. For securing web traffic: TLS (+128 bits) [RFC4346] b. For securing file transfers: SFTP [SFTP] c. For secure remote access: SSH v2 [RFC4253] or IPSEC [RFC 4301] d. Only S/MIME v3 [RFC3851] or better are used for securing emails. See CY11 for associated requirement.
  6. CY-6Passwords must always be encrypted/hashed and protected against unauthorized disclosure when they are stored and/or in transit regardless of the storing format or media. Privileged passwords SHALL be encrypted and stored off-site with backup files each time the password is changed to ensure complete recovery.
  7. CY-7Where Hardware Security Modules (HSMs) are used, they are certified to at least FIPS 2-140 Level 2 [FIPS2-140-] or Common Criteria [CC3.1] EAL4.
  8. CY-8Cryptographic keys are only physically moved in HSMs meeting CY5
  9. CY-9Suitable key management processes are defined, as per [ISO1-11770] and used to manage the lifecycle of cryptographic keys, covering the following functions: • • • • • • • • • • • Key Custodians Roles and Responsibilities Key Generation Dual Control and Split Knowledge Secure Key Storage Key Usage Secure Key Distribution and in Transit Key Backup and Recovery Periodic Key Status Checking Key Compromise Key Revocation and Destruction Audit Trails and Documentation
  10. CY-10Organization’s SHALL ensure the digital certificates are compliant to standards in use by the CSP- PMA, MCIT. Organizations SHALL use online revocation systems to minimize the risk of fraudulent use of digital certificates.
  11. CY-11Security token/smartcard provisioning systems of CSPs meet the requirements for Subject Device Provision Services as specified in [CWA1-14167].
  12. CY-12Any digital certificates used in a production system SHALL be issued by a CSP licensed in Qatar.
2.11Portable Devices & Working Off-Site Security [OS]
10 controls+
  1. OS-1They develop policies governing if, and how, Mobile Devices (MDs) and laptops can be used in their organisation.
  2. OS-2They do not conduct classified conversations using MDs and laptops capable of conducting phone conversations while using Bluetooth-enabled peripherals.
  3. OS-3MDs and laptops with Bluetooth serial port connections do not have the port enabled if the device is to hold classified information.
  4. OS-4MDs with recording facilities are not allowed into high-risk areas without prior approval from the Security Manager.
  5. OS-5All laptops and MDs SHALL encrypt the information they carry and be password protected.
  6. OS-6MDs and laptops SHALL be kept under continual direct supervision when in use or kept secured when not in use.
  7. OS-7MDs and laptops not directly owned or controlled by the Organization are not used with the Organization’s systems. MDs and laptops not owned or controlled by the Organization SHALL be managed, accounted for and accredited in the same manner as Organization owned devices. Organization MD’s and laptops MAY be temporary connected to a non- Organization network provided a suitable firewall is used to protect the device from any potential threats originating from the non- Organization controlled network.
  8. OS-8Unaccredited MDs and laptops do not connect to the Organization’s systems or store Organization information. However, temporary connected MDs and laptops are permitted provided they are segregated from the main networks by a firewall.
  9. OS-9In case of loss or theft of the MDs or laptops, the incident should be immediately reported to the Information Security Manager / Office and the concerned Law enforcement Organizations. The loss / theft SHALL be handled as per the B8- Incident Management [IM]
  10. OS-10Emergency destruction/locking plan /remote wipe/auto destruct is in place for any MDs and laptops.
2.12Physical Security [PH]
7 controls+
  1. PH-1Appropriate protection for physical space is determined based on an assessment of risk. This assessment SHALL occur during the design phase of a new construction or, for existing workplaces, as part of an on-going risk management process.
  2. PH-2Physical spaces are zoned depending upon their security requirement. Each zone is designated a physical security level. The table below specifies the levels: Minimal Protection This provides a level of security designed to control assets with no classification (e.g. C0I0A0). It is generally unsuitable for (non-public) government operations. Baseline Protection This provides a level of security designed to control assets of moderate value or classified as ‘Low‘. It is generally used as the baseline for government operations.
  3. PH-3Each zone has the appropriate physical security controls implemented. Appendix A provides details of these minimal and baseline protection controls, together with recommendations for additional controls. Medium protection requires one additional class of control, whereas High protection requires two additional class of control. An Organization MAY incorporate additional controls in addition to those mandated by this standard
  4. PH-4Implementation of a “clean desk” and “clean screen” policy.
  5. PH-5Server/Data rooms meet at least the medium protection requirement
  6. PH-6Cabling carrying information at levels C-1C3 is physically separate (including for fibre optic cabling) and is in separate ducting to that carrying Nationally Classified information
  7. PH-7A site security plan and where necessary standard operating procedures (SOPs) for each secure area are developed and implemented. Information to be covered includes, but is not limited to: a. a summary of the protective security risk assessment b. roles and responsibilities of facility or ICT security officer and staff members. c. the administration, operation, and maintenance of the electronic access control system and/or security alarm system d. key management, the enrolment and removal of system users and issuing of personal identification e. staff member clearances, security awareness training and regular briefings f. inspection of the generated audit trails and logs g. end of day checks and lockup h. reporting of ICT security incidents and breaches.
2.13Virtualization [VL]
8 controls+
  1. VL-1Evaluate the risks associated with the virtual technologies. a. Evaluate the risks in context of relevant legal, regulatory policies and legislations. b. Evaluate how the introduction of virtual technology will change your existing IT infrastructure and the related risk posture.
  2. VL-2Harden the hypervisor, administrative layer, the virtual machine and related components as per the industry accepted best practices and security guidelines and the vendor recommendations.
  3. VL-3Enforce least privilege and separation of duties [Refer to section 5-9 Access Management] for managing the virtual environment. a. Define specific roles and granular privileges for each administrator in the central virtualization management software. b. Limit direct administrative access to the hypervisor to the extent possible c. Depending on the risk and the classification of the information processed, Organizations
  4. VL-4Ensure adequate physical security to prevent unauthorized access to the virtual technology environment.
  5. VL-5Virtualized technology environment should be augmented by third party security technology to provide layered security controls (defence in depth approach) to complement the controls provided by the vendor and technology itself.
  6. VL-6Segregate the Virtual Machines based on the classification of data they process and / or store.
  7. VL-7A change management [Refer to Section 4-6 Change Management] process encompasses the virtual technology environment. a. Ensure that virtual machine profile is updated, and the integrity of the Virtual Machine image is maintained at all times. b. Care should be taken to maintain and update VM’s which are not in active state (dormant or no longer used).
  8. VL-8Logs from the virtual technology environment SHALL be logged and monitored along with other IT infrastructure. [Refer to Section 4-10 Logging and Security Monitoring]. 6. Compliance and Enforcement 6.1. Compliance and Enforcement The standard provides the security requirements and controls necessary for implementing an Information Security Management System within the organization based on the National Data Classification Policy V3.0. 6.2. Transitioning and effective date 6.2.1. Transitioning The Cyber Assurance Department is currently accepting applications for its newly offered Certification against National Information Assurance (NIA) Standard V 2.1. Cyber Assurance Department will continue to accept applications for Certificate of Compliance against NIAP V2.0 until December 2023 , 31 . Previously issued certificates and/or certificates issued during this period against NIAP V 2.0 will continue to be valid for their defined period of validity mentioned in the certificate. Certified entities against NIAP V 2.0 could only request Re Certification against National Information Assurance (NIA) Standard V 2.1 6.2.2. Effective date The standard is effective upon publication on NCSA official channels (May 2023) along with the publication of the National Data Classification Policy v3.0 6.3. Exceptions and deviations The standard mandates that organizations within the scope of the National Data Classification Policy, classify their data and implement the relevant security controls specified within this standard to secure the data Any deviations to this standard shall be communicated to the National Cyber Security Agency by the organization, through an official correspondence explaining the justifications and rational, along with a risk management plan identifying the risks, assessment of the risk, mitigating controls, and communication and acceptance of the risk by senior management. Based on this, the NCSA will provide an assessment of the exception request in coordination with sector regulator (where applicable).
Source: National Cyber Security Agency (NCSA), State of Qatar — NIA Standard V2.1 (May 2023). Use as a working reference; the NCSA register remains the authoritative source.

From Reference to Operational Compliance

A control list — even a complete one — is the starting point of a NIA programme, not the destination. Turning the 356 controls above into operational compliance requires:

- A Business Impact Assessment to determine which controls apply to your organisation. - A Statement of Applicability (SoA) documenting every applicable control, its implementation status, and any exclusions. - A control library that maps each NIA control to the equivalent ISO 27001, PDPPL, and ictQATAR requirements — so evidence collected once satisfies multiple frameworks. - An evidence vault with per-control freshness tracking, owner accountability, and auditor-ready packaging. - An internal audit cycle that pre-tests every applicable control before NCSA-accredited audit fieldwork begins.

Vantage's GRC platform ships with the full NIA V2.1 control library pre-loaded and pre-mapped to ISO 27001, PDPPL, ictQATAR, and SOC 2. If you would like to walk through how that mapping accelerates your NIA certification timeline, our team can scope a 90-day Wave 1 engagement focused on your highest-priority audit.

RELATED VANTAGE PAGES

Authoritative Sources & Further Reading

The references below are the primary sources for the regulations, frameworks, and standards cited in this article. Use them when scoping a compliance programme, drafting policy, or validating an audit finding.

Frequently Asked Questions

Is this the complete NIA V2.1 control list?

Yes. The hierarchy on this page contains every NIA V2.1 section, domain, and control as published by Qatar's National Cyber Security Agency (NCSA) in May 2023. It is a 356-control reference covering both Security Governance & Processes (Section 1) and Security Controls (Section 2).

How are the NIA control reference IDs structured?

Each control is identified by a two-letter domain prefix plus a sequence number — for example IG-1 (Security Governance control 1), NS-12 (Network Security control 12), AM-37 (Access Control Security control 37). These IDs are used in NCSA audit reports, accredited audit service provider working papers, and most Qatar GRC platforms.

Do all 356 NIA controls apply to my organisation?

No. Applicability is determined by a Business Impact Assessment (BIA) that classifies your information assets by criticality. The BIA outcome drives which controls are mandatory at baseline level and which require enhanced implementation. Most mid-size Qatar organisations end up with a working scope of 180 to 280 applicable controls depending on the asset profile.

How does NIA V2.1 differ from the previous NIA V2.0?

NIA V2.1 (May 2023) updates and consolidates the earlier NIA Policy V2.0 by aligning with international best practice from ISO 27001, PCI DSS, and NIST while retaining Qatar-specific governance and reporting expectations. The 26-domain structure was preserved; specific controls were refined, added, or reworded.

Can I use this NIA control list to start mapping to ISO 27001 or PDPPL?

Yes. The reference IDs on this page are the canonical NCSA identifiers — they are designed to support cross-framework mapping. A unified control library typically maps each NIA control to one or more ISO 27001 Annex A controls, plus PDPPL articles and ictQATAR requirements where relevant. Vantage's compliance module ships with this mapping pre-built.

Need Help With Compliance?

Vantage combines GRC software with senior consulting to help Qatar organisations achieve and maintain compliance. Book a demo or request a consultation.

Book a DemoExplore the Platform

Related Articles

NIA COMPLIANCE

What Is NIA Compliance in Qatar? A Complete Guide for Organisations

A comprehensive guide to Qatar's National Information Assurance (NIA) framework — who must comply, w...

Read article →NIA COMPLIANCE

Qatar NIA Controls Guide — All 26 Domains Explained

A domain-by-domain breakdown of Qatar's NIA framework — covering all 26 control areas across securit...

Read article →NIA COMPLIANCE

NIA Compliance Checklist for Qatar Organisations

A practical NIA compliance checklist for Qatar organisations — covering governance foundations, tech...

Read article →