AQURIS Consulting supports Dubai Government entities, semi-government organisations, and their service providers in achieving structured, practical, and audit-ready compliance with the Information Security Regulation (ISR) issued by the Dubai Electronic Security Centre (DESC).
The current version of the ISR is Version 3.1, which builds on the foundations of Version 3.0 and strengthens governance, supply-chain security, and continuous compliance obligations across all Dubai Government entities.
AQURIS Consulting works with organisations at every stage of the compliance journey — from initial gap assessment through to implementation, internal audit, and sustained compliance.
What Is the Information Security Regulation (ISR)?
The Information Security Regulation is issued by the Dubai Electronic Security Centre (DESC) under Dubai Law No. 11 of 2014, which gives DESC the responsibility of maintaining and continuously improving the ISR to address the latest information security practices and related control requirements.
The purpose of the ISR, as defined by DESC, is to provide all Dubai Government Entities with the standards to ensure continuity of critical business processes, and minimise information security related risks and damages by preventing and/or minimising information security incidents. It ensures an appropriate level of Confidentiality, Integrity, and Availability for information handled within Dubai Government Entities.
The ISR is a technology-neutral framework. It presents the minimum requirements for information security controls and is applicable to all Dubai Government Entities — including employees, consultants, contractors, and visitors engaged with the government through various means. The regulation applies to any government information regardless of its type and medium, covering all business functions and divisions.
The ISR is broken down into thirteen domains. Each domain addresses one or more major classes of information security across three categories:
Governance
High-level requirements for structuring and managing information security across the organisation.
Operation
Technical and non-technical controls applied based on the results of a risk assessment.
Assurance
Quality assurance mechanisms ensuring that implemented controls are working as intended.
Dubai Government Entities must conduct an applicability review of the ISR domains and controls to determine which apply to them, and must commit resources to achieve a right-fit implementation — keeping control costs proportionate to the risk and value of the information being protected.
Who Must Comply
ISR Version 3.1 is mandatory for:
- All Dubai Government departments and authorities
- Semi-government organisations
- Employees, consultants, contractors, and visitors engaged with Dubai Government entities
- Professional services providers and consultancies engaged with Dubai Government entities
Non-compliance carries direct consequences — including removal from Dubai Government procurement and contract termination.
Our ISR Compliance Services
AQURIS Consulting supports organisations across the full ISR Version 3.1 compliance lifecycle — from applicability review through to implementation, audit readiness, and sustained compliance.
Gap Assessment and Applicability Review
- Domain-by-domain gap analysis across all 13 ISR Version 3.1 domains
- Applicability review to determine which controls apply to the entity
- Risk-rated findings with prioritised remediation roadmap
- Baseline review of existing policies, procedures, and controls
Framework Design and Documentation
- ISR Version 3.1 aligned information security policies and procedures
- Roles and responsibilities framework — CISO, Information Security Champions, Internal Auditors, Incident Response Team
- Control documentation and evidence templates structured for DESC audit expectations
- Documentation aligned to the ISR’s Governance, Operation, and Assurance domains
Implementation Support
- Governance structure design — review cycles, executive reporting, and escalation mechanisms
- Data residency compliance — critical information storage within the UAE
- Third-party and supplier security alignment with ISR Version 3.1 domain requirements
Internal Audit and Audit Readiness
- Internal audit programme design and facilitation
- Pre-DESC audit readiness review against ISR Version 3.1 requirements
- Evidence portfolio structuring and document control
- Management review facilitation and reporting
Ongoing Compliance Support
- Periodic control effectiveness reviews
- Documentation updates aligned with DESC regulatory changes
- Support for DESC-directed assessments and follow-up actions
The AQURIS Approach
We work from ISR Version 3.1 itself — not standard templates. Every deliverable is designed to meet DESC’s specific requirements: right-fit implementation structured for audit readiness, and embedded into how the organisation actually operates — not documentation prepared for a single review and then set aside.
Where organisations operate under existing ISO management systems or integrated frameworks, we align ISR Version 3.1 work with those structures to reduce duplication and build a coherent, sustainable compliance posture.