ISO 27001:2022 is now the norm. But in MENA, compliance teams struggle with multiple entities across UAE, KSA, and Egypt, a mix of Azure UAE Central / AWS Bahrain and on-prem infrastructure, and the need to localise Annex A controls for NCA, SAMA, and the Dubai Cyber Security Strategy.
This checklist breaks down the 2026 ISO 27001 journey into 6 phases with concrete local action items for each.
Project & Scoping
Weeks 1–3
- Define the Statement of Applicability (SoA) — exclude only controls irrelevant to your MENA operations.
- Map each Annex A control to local laws (e.g., A.5.34 Privacy → Saudi PDPL).
- Secure management commitment in Arabic and English.
- Assign a local management representative based in KSA or UAE for on-site audit.
- Budget for auditor travel — many global certification bodies (CBs) still send auditors from Europe.
Risk Assessment — MENA Flavour
Weeks 4–8
- Identify threats specific to your region: geopolitical supply chain risk, sandstorm data centre downtime, WhatsApp business use (not approved for official comms in many KSA entities).
- Use a quantitative risk methodology (e.g., FAIR or NIST 800-30).
- Document risks per location: Dubai (regulatory change / PDPL amendments), Riyadh (physical security / multi-tenant offices), Cairo (internet shutdown / business continuity).
- Get the risk treatment plan approved by the local board or country manager.
Policy & Control Implementation
Weeks 9–16
| Clause / Annex | Status | MENA-specific evidence |
|---|---|---|
| 6.1.3 Information security roles | Done | DPO defined for UAE/KSA |
| A.8.8 Vulnerability management | In progress | Uses NCA CVSS thresholds |
| A.5.11 Return of assets | Pending | Includes a leaving employee's UAE SIM |
| A.6.5 Supplier relationships | Done | Contracts include NDMO data exit clauses |
- Translate all operational policies into Arabic for non-English-speaking staff in Egypt and KSA.
- Implement vendor security reviews for all cloud providers with data in DIFC or KSA.
Internal Audit & Management Review
Weeks 17–22
- Hire an internal auditor with ISO 27001 Lead Auditor + NCA/NIA knowledge.
- Audit each site separately — JAFZA, KAEC, Cairo.
- Produce a corrective action plan (CAP) with local deadlines.
- Hold management review — include country managers from each MENA office.
Local tip: Many internal auditors miss A.5.21 (ICT readiness for business continuity) — test a real scenario like "DXB data centre offline for 6 hours."
Certification Audit
Weeks 23–28
Stage 1 — Documentation review
- Submit SoA, risk assessment, and local law mapping.
- Schedule an interview with your Saudi/UAE legal counsel — the auditor will ask about PDPL alignment.
Stage 2 — Implementation review
- Show evidence of controls running for a minimum of 3 months.
- Demonstrate local access reviews (e.g., Doha staff cannot access Riyadh payroll data).
- Present a real incident log — must include a MENA-related event (e.g., Arabic-language phishing attempt).
- Close non-conformities within 30 days.
- Receive ISO 27001 certificate — valid for 3 years with annual surveillance audits.
Ongoing Tracking — Surveillance Years 1 & 2
Monthly cadence
Create a monthly tracking dashboard covering:
- Number of controls "failed" (by site — Dubai vs. Cairo vs. Riyadh).
- Vendor reassessment dates (especially Saudi hosting providers).
- Law change calendar — track PDPL, NCA, and Dubai DIFC Law No. 5 updates.
- Staff training completion — include Arabic phishing simulations.
Final word for 2026: ISO 27001 is no longer just an IT badge. In the MENA market, it is a licence to operate with banks, government entities, and oil & gas majors. Track everything, automate what you can, and localise every control.