Qatar NIA Certification Overview
The National Cyber Security Agency (NCSA) of the State of Qatar has endorsed the National Information Assurance (NIA) Policy, which guides organizations in classifying the impact of information security threats and risks. The NIA Policy was established by the Ministry of Communications and Information Technology (MCIT), previously the Ministry of Transport and Communications (MOTC). It helps government entities and other organizations in Qatar select suitable mitigating controls to:
- Protect information assets,
- Effectively manage information security risks,
- Achieve regulatory compliance, and
- Ease the compliance journey for international standards certifications, for example, ISO 27001.
The NIA Policy is applicable to all business segments. It specifies a high-level information classification methodology for entities in the State of Qatar. The rationale for information classification is to apply appropriate classification levels to data, determine risks, and apply corresponding protection. The following threats are addressed in the NIA Policy:
- Unauthorized disclosure
- Unauthorized modification
- Non-availability
To achieve NIA compliance, an organization must implement an Information Security Management System (ISMS) based on the NIA Policy requirements. The NIA certification process includes:
- Scope preparation and documentation to help the NCSA Governance and Assurance Affairs understand the boundaries of compliance assessment.
- Audit planning, including engaging an accredited auditor and agreeing on assessment activities.
- Compliance audit and in-depth controls assessment, which enables the auditor to furnish an audit report to the NCSA Governance and Assurance Affairs upon audit completion.
- Compliance certification decision and award, whereby the NCSA Governance and Assurance Affairs determines if the applicant has adequately implemented the necessary information security controls, leading to certification upon successful completion.
NIA certification is part of the National Information Security Compliance Framework (NISCF) of the NCSA of the State of Qatar.
Microsoft and Qatar NIA
To comply with national, regional, and industry specific requirements governing the collection and use of individuals' data, Microsoft seeks applicable certifications and attestations for its cloud services. Microsoft accomplishes this breadth of compliance offerings with a two-pronged approach:
- A team of Microsoft experts works with engineering and operations teams to track existing standards and regulations, developing hundreds of controls for the product teams to build into the cloud services.
- As regulations and standards evolve, compliance experts also plan for upcoming changes to help ensure continuous compliance.
As part of the NIA certification process, an accredited third-party auditing firm completed a rigorous assessment of Microsoft Azure services, including their development, operations, and infrastructure. The NIA audit also covers all critical business processes involved in onboarding, provisioning, and servicing entities on Microsoft Azure.
Applicability
The following Azure public cloud regions that are part of the Azure Qatar program are in scope for the NIA certification:
- West Europe (Netherlands)
- North Europe (Ireland)
- Qatar Central (Qatar)
Attestation Documents
You can access Azure Qatar NIA audit documents from the Service Trust Portal (STP) Qatar regional resources section. For instructions on how to access audit reports, see Audit documentation.
The Azure Qatar NIA certificate is valid for three years, and a maintenance audit must be performed annually to keep it in force.
Frequently Asked Questions
To whom do the NIA Policy guidelines apply?
The policy applies to all agencies and their corresponding information assets unless specifically exempted by statute or regulation. The following normative references apply:
- Law No.14 of 2014: Combatting Cybercrime Law
- Law No.13 of 2016: Personal Data Privacy Protection Law
- Information Assurance Framework, 2008
- National Information Assurance Policy
- Qatar National Cybersecurity Strategy, 2014
- National Data Classification Policy
Where can I get more information on NIA requirements?
The policy can be accessed from the NCSA.
How has Microsoft's response to the NIA Policy requirements been validated?
Microsoft's implementation was validated through the third-party NIA audit described above. In addition, Microsoft Qatar commits to:
- Comply with all laws and regulations applicable to the provision of Microsoft online services in scope for the NIA certification.
- Collaborate with stakeholders and customers to understand how regional laws or regulations may impact their use of Microsoft online services. Microsoft complies with organizational information security requirements and employs security controls in accordance with applicable laws, directives, regulations, standards, and guidance to provide proper assurances for its online services.
Can I use Microsoft's response in my organization's compliance process?
Yes. If you have a certification requirement with a dependency on Microsoft Azure, you can use Microsoft's NIA certification to reduce the scope of the compliance assessment of your IT infrastructure. However, you remain responsible for evaluating your own implementation for compliance and for the controls and processes within your own organization.
Resources
- Azure compliance documentation
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Microsoft Product Terms (formerly Online Services Terms)
- Microsoft Products and Services Data Protection Addendum (DPA)
- Governance and Assurance Affairs – Qatar National Cybersecurity Agency
- Qatar National Information Assurance (NIA) certification
- Qatar National Information Assurance Standard