UAE DESC CSP Security Standard

UAE DESC CSP Security Standard overview

The United Arab Emirates (UAE) Dubai Electronic Security Center (DESC) was founded in 2014 with the aim to develop and implement information security practices across the Dubai Emirate. The Cloud Service Provider (CSP) Security Standard produced by DESC sets out requirements and guidance for CSPs and organizations using any cloud services. Compliance with this standard is mandatory for all CSPs wishing to offer cloud services to Dubai government and semi-government entities.

The DESC CSP Security Standard is based on the following standards:

  • ISO/IEC 27001:2013
  • ISO/IEC 27002:2013
  • ISO/IEC 27017:2015
  • Dubai Government Information Security Regulation (ISR) 2017
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) 3.0.1

The CSP Security Standard contains mandatory requirements for CSPs offering their services to government and semi-government entities in Dubai. It also provides guidance for customers of these CSPs. Government and semi-government organizations in Dubai must ensure that any CSP they're using complies with this standard.

Throughout the development of the CSP Security Standard, DESC sought strong alignment with established international standards to streamline the certification process. Consequently, if a CSP is already certified against ISO/IEC 27001:2013, this part of the CSP Security Standard wouldn't be audited again; instead, the ISO/IEC 27001:2013 certificate would be simply accepted. The same logic applies for other existing standards on which the CSP Security Standard is based. For example, if a CSP is already certified against CSA STAR Level 2, this certificate would be accepted without any further audit.

To facilitate this process, DESC has issued a set of requirements for certification bodies seeking DESC accreditation to perform certification work against the CSP Security Standard. A certification body approved by DESC can then check the validity of CSPs existing certifications and inform DESC about the status. In case certification is warranted, the certification body should inform DESC after completing all required activities. Extra audit work by a certification body may be needed, for example, physical on-site inspection of datacenter facilities or other examination as required by DESC.

Microsoft and DESC CSP Security Standard

Microsoft was the first global cloud services provider to obtain the DESC CSP Security Standard certification. Microsoft Azure, Dynamics 365, and Office 365 are already certified under ISO/IEC 27001:2013 and ISO/IEC 27017:2015. Moreover, Azure maintains both CSA STAR Level 2 Certification and CSA STAR Level 2 Attestation.

To support Dubai government and semi-government entities that are concerned about data residency, Microsoft has established two UAE data centers in Abu Dhabi and Dubai. These data centers add in-country data residency, failover, and disaster recovery for customer data and applications.

Microsoft retained an independent third-party auditing firm (certification body) accredited by DESC to perform the CSP Security Standard certification of Microsoft Azure, Dynamics 365, and Office 365, including the physical inspection of datacenter facilities in two Azure UAE regions. Following the completion of these activities, Microsoft was granted the CSP Security Standard certification.


  • Azure

The DESC CSP Security Standard certificate applies to two Azure UAE regions: UAE Central (Abu Dhabi) and UAE North (Dubai).

Services in scope

Microsoft cloud services in audit scope are shown in the CSP Security Standard certificate:

  • Azure Core Services
  • Dynamics 365 Core Services
  • Office 365 Services

For a detailed list of Microsoft Core Online Services, see Microsoft Privacy & Security Terms.

Attestation documents

You can access Azure UAE DESC audit documents from the Service Trust Portal (STP) UAE regional resources section. For instructions on how to access audit reports, see Audit documentation.