Qatar National Information Assurance (NIA) certification

Qatar NIA certification overview

The National Cyber Security Agency (NCSA) Board of the State of Qatar has endorsed the National Information Assurance (NIA) Policy, which guides organizations in classifying the impact of information security threats and risks. The NIA Policy was established by the Ministry of Transport and Communications (MOTC). It helps all government entities and other organizations in Qatar select suitable mitigating controls to:

  • Protect information assets,
  • Effectively manage information security risks,
  • Achieve regulatory compliance, and
  • Ease the compliance journey for international standards certifications, for example, ISO 27001.

The NIA Policy is applicable to all business segments. It specifies a high-level information classification methodology for entities in the State of Qatar. The rationale for information classification is to apply appropriate classification levels to data, determine risks, and apply corresponding protection. The following threats are addressed in the NIA Policy:

  • Unauthorized disclosure
  • Unauthorized modification
  • Non-availability

To achieve NIA compliance, an organization must implement an Information Security Management System (ISMS) based on the NIA Policy requirements. The NIA certification process includes:

  • Scope preparation and documentation to help the NCSA Governance and Assurance Affairs understand the boundaries of compliance assessment.
  • Audit planning, including engaging an accredited auditor and agreeing on assessment activities.
  • Compliance audit and in-depth controls assessment, which enables the auditor to furnish an audit report to the NCSA Governance and Assurance Affairs upon audit completion.
  • Compliance certification decision and award, whereby the NCSA Governance and Assurance Affairs determines if the applicant has adequately implemented the necessary information security controls, leading to certification upon successful completion.

For more information, see NIA certification.

Microsoft and Qatar NIA

As part of the NIA certification process, an accredited third-party auditing firm completed a rigorous assessment of Microsoft's in-scope services, including their development, operations, and infrastructure.

The scope of Microsoft's Information Security Management System (ISMS) applies to the provision, operations, and management of Azure, Dynamics 365, and other online services as documented in the Azure Qatar – NIA certification scope document. These are the same cloud services that were in scope for the Azure ISO 27001 certification at the time the Qatar NIA certification assessment was conducted. During the Qatar NIA audit scope assessment phase, the Qatar NIA control requirements were mapped to the Azure ISO 27001 ISMS control implementation details, based on Microsoft's assertion of compliance with NIA as mapped against the Azure ISO 27001 certification. Physical boundaries were defined as Microsoft datacenters in the West Europe (Netherlands) and North Europe (Ireland) regions.

Note

Microsoft cloud services assessed during the NIA audit and the corresponding physical infrastructure are operated in accordance with the National Information Assurance Policy (NIAP) version 2.0.

To comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data, Microsoft seeks applicable certifications and attestations for its cloud services. Microsoft accomplishes this breadth of compliance offerings with a two-pronged approach:

  • A team of Microsoft experts works with engineering and operations teams to track existing standards and regulations, developing hundreds of controls for the product teams to build into the cloud services.
  • As regulations and standards evolve, compliance experts also plan for upcoming changes to help ensure continuous compliance.

Moreover, the Azure Qatar NIA ISMS includes the ISO 27701 control requirements for Personally Identifiable Information (PII) processors, which are in line with the requirements outlined in Law No. 13 of 2016 (Personal Data Privacy Protection Law) and in accordance with the requirements defined in the Qatar NIA Policy Manual.

Applicability

The following Azure public cloud regions that are part of the Azure Qatar program are in scope for the NIA certification:

  • West Europe (Netherlands)
  • North Europe (Ireland)

Services in scope

Microsoft online services in audit scope are shown on the Azure Qatar NIA certificate and described in more detail in the accompanying Azure Qatar – NIA certification scope document:

  • Azure
  • Dynamics 365
  • Other online services, including select Microsoft 365 and Power Platform services

The Information Security Management System (ISMS) complies with the requirements of the National Information Assurance Policy version 2.0.

Attestation documents

You can access Azure Qatar NIA audit documents from the Service Trust Portal (STP) Audit Reports – GRC Assessment Reports section. You must sign in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal. The following documents are available for download:

  • Azure Qatar – NIA certification
  • Azure Qatar – NIA certification scope

The Azure Qatar NIA certificate is valid for three years.

Frequently asked questions

To whom do the NIA Policy guidelines apply?
The policy applies to all agencies and their corresponding information assets unless specifically exempted by statute or regulation.

The following normative references apply:

  • Information Assurance Framework, 2008
  • National Information Assurance Policy, 2014
  • Critical Information Infrastructure Protection Law, 2014

Where can I get more information on NIA requirements?
The policy can be accessed from MOTC.

How has Microsoft’s response to the NIA Policy requirements been validated?
Microsoft Qatar commits to:

  • Comply with all laws and regulations applicable to the provision of Microsoft online services in scope for the NIA certification.
  • Collaborate with stakeholders and customers to understand how regional laws or regulations may impact their use of Microsoft online services.

Microsoft complies with organizational information security requirements and employs security controls in accordance with applicable laws, directives, regulations, standards, and guidance to provide proper assurances for its online services.

The scope of Microsoft's Information Security Management System (ISMS) applies to the provision, operations, and management of Azure, Dynamics 365, and other online services as documented in the Azure Qatar – NIA certification scope document. Physical boundaries are defined as Microsoft datacenters in the West Europe (Netherlands) and North Europe (Ireland) regions. Microsoft cloud services assessed during the NIA audit and the corresponding physical infrastructure are operated in accordance with the National Information Assurance Policy (NIAP) version 2.0.

Can I use Microsoft's response in my organization's compliance process?
Yes. If you have a certification requirement with a dependency on Microsoft in-scope cloud services, you can use Microsoft’s NIA certification to reduce the impact of compliance assessment on your IT infrastructure. However, you are responsible for evaluating your implementation for compliance and for the controls and processes within your own organization.

Resources