SISA · GRC · MOCKUP
High-fidelity static mockup · Dubai Electronic Security Center
🔒 sisa.desc.gov.ae/dashboard
🔔
▦  Dashboard

DESC Oversight Dashboard

Real-time visibility across all tenant entities — compliance, risk indicators, audit progress and critical issues, with drill-down to entity level.
Entity: All DGEs ▾+ New Audit Plan
62
ENTITIES OVERSEEN
14
AUDITS PLANNED 2026
3
IN FIELDWORK
18
OPEN NON-COMPLIANCES
2
CII SYSTEMIC ALERTS

Audit lifecycle progress

Open audit plans →
Dubai Municipality — Compliancereport issued
RTA — Stage-1 documentationfieldwork · 64%
DHA — Follow-up auditscheduled Q3
DEWA — Special audit (SOC)planned

Recent activity

View all →
🔎
Major NC recorded — D2.04 risk methodology · DMFindings · 12 min ago
📤
CAP submitted by Dubai Municipality (NC-26-014)Follow-up · 1 hr ago
AI flagged 3 inadequate documents in RTA Stage-1Fieldwork · 2 hrs ago
📄
Exemption approved — D9.02 cloud DR · DMExemptions · yesterday

Compliance & maturity — Dubai snapshot

Full report →
D1 · IS GovernanceCompliance 88% · Maturity 3.2
D2 · IS Risk ManagementCompliance 54% · Maturity 1.8
D5 · Communications SecurityCompliance 81% · Maturity 3.0

Collaboration & announcements

Moderate →
📢
Threat advisory shared to Energy sector — credential-stuffing waveDESC moderated forum · 3 sector entities acknowledged
🤝
Best practice published: DM 24×7 SOC purple-team drillsInter-entity library · 11 downloads
👥
Working group: Health sector ISR v3 readiness — ThuJoint working groups · moderated by DESC
💬
🔒 sisa.desc.gov.ae/audits/plans/2026
🔔
▦  Audit Plans  ›  2026 Annual Plan

Audit Plan — 2026

Select entities from the audit universe and assign an audit type per engagement. Program templates can be based on entity category or control weightage.
✉ Notify entity contacts+ New plan entry
EntityAudit typeScope basisPeriodTeam leaderStatus
Dubai MunicipalityComplianceISR v3 · full universe · 2 exemptions applyQ1A. Rahmanreport issued
Roads & Transport AuthorityStage-1Documentation readiness · AI-assessedQ2S. Khanfieldwork
Dubai Health AuthorityFollow-upNC / CAP register (Q3 2025)Q2M. Haddadscheduled
DEWASpecialD8 selective controls (SOC) · ISR basisQ3A. Rahmanplanned
Dubai CustomsDGEPKPI framework · scoring methodologyQ3L. Faroukplanned

Audit program — Dubai Municipality · Compliance 2026

Save as master template →
Division / DepartmentDate & timeAuditorScoped controls
Corporate Support · IT DeptMon 12 Jan · 09:00S. Khan31 · A×9 B×13 C×6 R×3
Corporate Support · IT SecurityTue 13 Jan · 09:00S. Khan, N. Saeed28 · A×11 B×10 R×3
Operations · SCADA / OTThu 15 Jan · 09:00M. Haddad18 · A×8 B×7 R×3
General (default org level)Fri 16 Jan · 09:00A. Rahman5 · B×3 C×2
Template: one control can map to multiple departments — the department→control mapping is saved as a reusable master template for future audits.

Audit team & roles

Auditor universe →
👤
A. RahmanTeam LeaderCISA · CISSP · 22 audits
👥
S. Khan · N. Saeed · M. HaddadAuditorsroles assigned per audit engagement
🧑‍⚖️
R. Al AliReviewerindependent review workflow

Exempted controls

Exemption register →
⚠ 2 approved exemptions auto-listed for this program:
D5.03 wireless (exp. 05/2027) · D9.02 cloud DR (exp. 01/2028) — excluded from the checklist.
💬
🔒 sisa.desc.gov.ae/audits/dm-2026/fieldwork/it-department
🔔
▦  Fieldwork  ›  DM Compliance 2026  ›  IT Department

Control checklist — IT Department

31 scoped controls · 12 verified · distinct fieldwork processes per audit type. All evidence actions are logged to an immutable audit trail.
⇪ Bulk evidence upload+ Record finding
ControlStatementImplementationEvidenceFinding (library ▾)AI adequacy
D2.04-S1 ARisk assessment methodology definedNot implementedgov-tor.pdf v1 · 🔒“No documented risk assessment methodology.” #RA-0225% gap
D2.01-S1 ASecurity Risk Mgmt framework approvedPartially impl.risk-fw-v2.pdf v2 · 🔒“Framework lacks treatment process.” ✎ edited62% partial
D5.01-S2 BNetwork segmentation enforcedFully implementednet-arch.vsdx, fw-rules.xlsx— none —91% ok
D8.02-S1 RSOC monitoring 24×7 with escalationLargely impl.soc-roster.pdf, siem-report.pdf“Escalation matrix untested 12 months.” #SOC-0478% ok

⚡ AI Stage-1 adequacy assessment

Assessment report →
Self-hosted AI: entity submitted 14 of 17 required documents against the standardized, version-controlled Stage-1 template. AI verified adequacy against ISR criteria: 11 adequate · 3 inadequate. Missing sections are auto-listed per document; inadequate items auto-populate as minor NC findings. Assessment report generated on the regulator template on completion.
Documents adequate11 / 17

Immutable evidence trail

Full log →
upload risk-fw-v2.pdf — DM Officer14:22:07 · v2 · sha256 9f2c…
👁
viewed — S. Khan14:31:44
modify attempt blocked — DM Officer14:40:12 · original evidence is immutable
AI re-scored after version v215:02:31
💬
🔒 sisa.desc.gov.ae/audits/dm-2026/findings
🔔
▦  Findings & Review  ›  DM Compliance 2026  ›  Consolidation

Findings consolidation — Dubai Municipality

19 findings by 3 auditors, consolidated by domain / control. Only findings selected by the Team Leader appear in the audit report.
Generate initial summaryUpdate universesSend for independent review
Finding — grouped: D2 · IS Risk ManagementClassificationRiskDept · AuditorReviewer
D2.04-S1 — No documented risk assessment methodology. consolidates F-012 + F-017 · evidence: gov-tor.pdfNC · MajorHIT · S. Khanrevise wording
D2.01-S1 — Risk framework lacks treatment & acceptance criteria. evidence: risk-fw-v2.pdfNC · MinorMIT · S. Khanagreed
D2.02-S3 — Risk register not reviewed quarterly. duplicate scope — excluded from reportObservationLSCADA · M. Haddad
D8.02-S1 — SOC escalation matrix untested for 12 months. library #SOC-04 · text edited by auditorNC · MinorMIT Sec · N. Saeedagreed

★ Good practices (per domain)

Report annex →
D8: 24×7 SOC with MSS augmentation and monthly purple-team drills.
D1: IS committee meets monthly with tracked actions.

Independent review workflow

Comment thread →
🧑‍⚖️
R. Al Ali — Reviewer · 2 comments open, 6 resolvedcontrol-level comments · Team Leader updates status before approval
🔄
Post-audit updates queued: Entity, Risk & NC universes + audit process feedbackapplied automatically on report approval
💬
🔒 sisa.desc.gov.ae/remediation/nc-register
🔔
▦  Follow-up & CAP  ›  NC register

Non-compliance register

NCs maintained separately after report finalization — the primary source for follow-up audits (minimum 6 months post compliance audit).
Follow-ups due reportGenerate follow-up report
18
OPEN NCs (ALL ENTITIES)
3
CAPs AWAITING SUBMISSION
4
FOLLOW-UP AUDITS DUE
12/30
NCs CLOSED THIS CYCLE
6
AUTO REMINDERS SENT
NC refEntity · ControlCategoryCAP statusTarget dateFollow-up outcome
NC-26-014Dubai Municipality · D2.04-S1Majorsubmitted 12 Feb30 Jun 2026follow-up Q3
NC-26-015Dubai Municipality · D2.01-S1Minorsubmitted 12 Feb31 May 2026pending
NC-25-102Dubai Health Authority · D3.02-S2Minorsubmitted15 Mar 2026closed — verified
NC-25-104Dubai Health Authority · D6.01-S1Majorsubmitted15 Apr 2026partially addressed
NC-25-118Roads & Transport Authority · D5.02-S1Minornot updated reminder → TL, 01 Juloverdue 30 Jun

Follow-up outcome — DHA

Auto-generated report →
NC-25-102 closed — evidence verified on-siteoutcome recorded against the reported NC
🟡
NC-25-104 partially addressed — kept open, new target setfeeds auto-generated follow-up report (regulator template) · same review & approval flow

Automated reminders

Schedule →
CAP status digests: team leaders receive scheduled email reminders (available / not updated). 6 sent this month · escalation after 2 ignored cycles. Entities have a 1-month CAP window from report issue via the Entity Portal.
💬
🔒 sisa.desc.gov.ae/universes
🔔
▦  Universes  ›  Master data

Universes — controls, entities, auditors

Central versioned master data. Every record type supports custom fields (text / date / numeric); import & export in CSV, Excel and XML.
⤓ Import / Export+ New record

Control Universe — ISR v3 · Domain › Main › Sub › Statement

Standards: ISR v3 · DGEP · IoT · ICS ▾
D1 — IS Management and Governance (3 main · 21 stmts)
D2 — IS Risk Management (2 main · 14 stmts)
2.1 — Risk Governance · group RG-01
2.1.1 — Risk framework establishment
D2.01-S1 — SRM framework approved A Governance
D2.01-S2 — framework reviewed annually B Assurance
2.1.2 — Risk assessment methodology (4 stmts)
D3 — Human Capital Management (2 main · 12 stmts)
D2.01-S1 · weight 9/10 (Cat. A) · evidence linked many-to-many (3 items, shared with D2.02-S1, D1.03-S2) · mapped to ISO 27001 6.1 / A.5.1, NIST CSF GV.RM-01, DGEP KPI 2.3 · version v3.1 with tracked diffs.

KPI-based frameworks

Configure scoring →
Governance KPIsscore 3.4 / 4
Operations KPIsscore 2.9 / 4
Assurance KPIsscore 2.2 / 4
DGEP support: custom frameworks with criteria & evidence requirements per KPI. Scores and maturity auto-calculated from auditor input — AI-based scoring supported. Reports auto-generated per framework template.

Entity Universe · 62 entities

+ New entity
EntityGroupOrg structureCertificationsLast audit
Dubai Municipality
2 exemptions · 4 ISR contacts · staff directory
GovtSector › Division › Dept › Section + processes · 'General' defaults27001 22301Jan 2026
DEWA
SOC 24×7 · MSS: Help AG · OT registry
CII4 sectors · 12 divisions · people & awareness maturity tracked27001 62443Jul 2025
Emirates NBD
providers: pen test, MDR
PrivateIT / IS / internal audit functions recorded27001

Auditor Universe

Roles master list →
AuditorCertsTop skillAuditsRole now
A. Rahman
Senior · D-1042
CISA · CISSPGovernance 22Team Leader
M. Haddad
OT Specialist · D-1213
GICSP · 62443OT / ICS 11Auditor
R. Al Ali
Principal · D-0961
CISA · CRISCRisk 28Reviewer
Roles (Audit Manager · Team Leader · Auditor · Reviewer · Approver) come from a configurable master list and are assigned per audit. Audit-history counts update dynamically.
💬
🔒 sisa.desc.gov.ae/risk/register
🔔
▦  Risk Register

Risk Register

Risks consolidated from audit findings across departments & business processes, plus manually added risks and consolidated scenarios.
Methodology: Qualitative 5×5 ▾+ New risk
Risk IDRiskSourceEntity · DeptL × IScoreTreatment
R-2026-031Unassessed IS risks in OT environmentFinding NC-26-014 (auto)DM · SCADA/OT4 × 520 · HighCAP in progress
R-2026-032Risk framework gaps delay treatment decisionsFinding NC-26-015 (auto)DM · IT3 × 412 · MediumCAP in progress
R-2026-027Incident escalation failure during off-hoursFinding (D8.02)DM · SOC3 × 412 · Mediummitigation planned
R-2026-019Sector-wide dependency on a single MSS providerManual (DESC analyst)Cross-entity2 × 510 · Mediumunder assessment

Risk scenario — “Ransomware on shared municipal infrastructure”

Scenario library →
Scenario assessment: High. Linked register risks R-2026-031 · R-2026-027 · R-2026-019, assessed on a consolidated basis across 3 entities. Mitigations tracked via linked CAPs; results feed CII impact modeling.

Assessment methodology

Configure →
🧮
Qualitative 5×5 matrix (default) or quantitative (ALE)auto score = L×I · manual override with justification
💬
🔒 sisa.desc.gov.ae/cii/energy/dewa
🔔
▦  CII Management  ›  Energy sector  ›  DEWA

Critical Information Infrastructure

Sector & entity registry, critical services with recovery objectives, asset catalog and cross-sector interdependency & impact modeling.
▶ Impact simulation+ Register entity
6
CII SECTORS
21
CII ENTITIES
54
CRITICAL SERVICES
9
CROSS-SECTOR DEPENDENCIES
2
SYSTEMIC RISKS FLAGGED
Energy sector Dependent sectors
DEWA
Power SCADA · RTO 15m
📡
du / e&
Telecom backbone
🏥
DHA
Hospital systems
🚇
RTA
Metro control
💧
DM
Water services
Cascade simulation: a 4-hour DEWA SCADA outage impacts 3 sectors and 7 critical services (2 breach RTO). Scenario planning per threat vector; results feed CII-specific risk scoring in the Risk Register.

Critical services — DEWA

Asset & dependency catalog →
ServiceCriticalityRTO
Power distribution SCADANational15 min
Water network telemetryNational30 min
Billing & customer portalHigh4 h
Smart meter data platformHigh8 h
Asset catalog: hardware, software, data, personnel and third parties per service — with dependency mapping and sector-specific threat libraries for specialized CII risk assessment.
💬
🔒 sisa.desc.gov.ae/reports/dm-2026
🔔
▦  Reports & Analytics  ›  Dubai Municipality — Compliance 2026

Audit report — dual-dimension results

Compliance calculated from NCs · maturity from the implementation scale (FI-4 / LI-3 / PI-2 / NI-1), maintained at domain / main / sub-control level. Report access is role-based.
⤓ XLSX · DOCX · PDFGenerate report (regulator template)
DomainCompliance %Maturity (1–4)NCs Maj/MinRiskTrend
D1 · IS Governance
88%
3.2 · Largely impl.
0 / 1L▲ +4
D2 · IS Risk Management
54%
1.8 · Partially impl.
1 / 1H▼ −6
D5 · Communications Security
81%
3.0 · Largely impl.
0 / 1M▲ +2
D8 · Operations Security
76%
2.8 · Largely impl.
0 / 1M— stable

Graphical summaries

Custom dashboards →
Audits planned vs completed9 / 14
NC closure rate12 / 30
Follow-up coverage4 due · 2 done

Auto-generated report rules

Templates →
Regulator format: domain-wise & main-control-wise compliance + maturity · controls without findings excluded · every finding carries its evidence reference · domain-wise risk summary at entity / domain / consolidated level for any selected period or sector.
💬
🔒 sisa.desc.gov.ae/portal/dm/my-audits
🔔
▦  Entity Portal  ›  My Audits — Dubai Municipality

My Audits — Dubai Municipality

Access limited to this entity's data and selective fields. Original audit findings are read-only; saved evidence cannot be removed or modified.
CAP due in 9 days⇪ Upload evidence
AuditTypeScheduleDocumentsStatus
Compliance Audit 2026Compliance12–23 Jan 2026 · dept schedule sharedreport issued
Follow-up AuditFollow-upQ3 2026 · dates TBCCAP window open
Stage-1 AssessmentStage-1Oct 2025completed
DGEP AssessmentDGEPQ1 2027upcoming
Develop and approve a risk assessment methodology aligned to ISR D2.04; run the first assessment cycle on IT & OT assets.
RA-methodology-draft-v0.9.pdf ⇪
30 Jun 2026
Submit CAP Save draft 💬 Review with AI first
AI pre-submission guidance: the conversation is stored and visible to DESC during review. Submitted CAPs feed the follow-up audit.
Exemption requestsScopeStatus
EX-26-007 · D9.02 cloud DRISRapproved · exp 01/2028
EX-26-011 · D5.03 wirelessISRpending DESC review
+ New request (control refs, justification, attachments)ISR / DESC standards

Audit history — by year & type

Dashboard →
2024Compliance 76% · Maturity 2.7
2025Compliance 79% · Maturity 2.9
2026Compliance 74% · Maturity 3.0
NC closure: 12 closed · 4 open · 2 overdue · summaries by period / sector / entity / domain(s)
💬
🔒 sisa.desc.gov.ae/admin/security
🔔
▦  Admin & Security

Admin & Security

Multi-tenant with logical isolation per entity and DESC cross-tenant oversight. Granular RBAC/ABAC, SSO/SAML/MFA, PAM, and full user-activity logging.
Branding: DESC theme ▾+ New user
UserRoleTenantMFALast active
A. Al Marri
a.almarri@desc.gov.ae
Audit ManagerDESC (cross-tenant read)SSO + MFA2 min ago
A. Rahman
a.rahman@desc.gov.ae
Team LeaderDESCSSO + MFA18 min ago
DM Security Officer
iso@dm.gov.ae
Entity userDubai Municipality (isolated)SAML1 hr ago
svc-integration
service account
API · scopedDESCPAM vaulted · auto-rotate5 min ago

Security posture

Logs & monitoring →
🔐
SSO / SAML / MFA enforced for all tenantsidentity-centric Zero Trust · continuous verification
🗝
PAM: just-in-time access · session recording · credential rotationall privileged activity monitored & recorded
🛡
Encryption at rest & in transit · TDE + row-level securityDLP on email, uploads & API · Dubai Data Law classification
📜
Immutable audit & user-activity logsweekly vuln scans · SLAs: Crit 24h / High 7d / Med 30d

Integrations & extensibility

API docs (REST) →
🛰 SIEMSplunk connector · audit & auth events streamed
🧭 Identity ProviderAzure AD / SAML 2.0 · SCIM user lifecycle
🎫 TicketingServiceNow sync for findings & CAP tasks
🩻 Vulnerability scannerNessus import → evidence & risk register
👥 HR systemstaff directory & awareness training feed
⤓ Import / ExportCSV · Excel · XML — frameworks, controls, findings, users, entities

Helpdesk & SLA tickets

All tickets →
TicketPrioritySLAStatus
#4211 · evidence upload error — RTAHighresolve < 8hin progress
#4207 · workflow clarification — CAP windowLowresolve < 3dresolved
#4198 · report template change requestMediumresolve < 24hresolved
Auditable support: full trail of interactions, escalations and resolutions — exportable for compliance reviews. Automated assignment & SLA-adherence reporting.
💬
🔒 sisa.desc.gov.ae/assistant
🔔
▦  AI Assistant  &  Automation

AI Assistant & Automation

Self-hosted AI: no evidence, control context or assessment output leaves DESC's infrastructure. Intent-routed to the right specialist on every page.
Sovereign · self-hosted LLM
Why did D2.04 get a minor NC in the RTA Stage-1 audit?
Adequacy engine: the submitted Risk Framework v2 does not meet the defined adequacy criteria for D2.04 — sections on risk treatment and acceptance criteria are missing. Per configuration, unmet adequacy auto-populates as a minor non-compliance in the audit. The missing-items report lists both gaps with page references.
Draft the finding text for the report.
Suggested (from findings library #RA-02, editable): “The entity's risk framework documentation lacks a defined risk treatment process and risk acceptance criteria, as required by ISR v3 control D2.04.”
What is missing in each policy?Predict high-risk domains for RTASuggest control mappings ISR ↔ ISO 27001
Type a message…

AI capabilities for audit enhancement

Configure criteria →
📑
Policy adequacy auto-verificationmissing-items report per document · auto minor-NC on failure
📈
Risk prediction & anomaly detectionflags unusual patterns in audit data across entities
🔗
Control mapping suggestionsISR ↔ ISO 27001 / NIST overlap detection
🧾
Evidence analysis suggestionsrelevancy scoring per control on every upload

Workflow automation engine

Designer →
Beyond reminders: multi-stage approval workflows (finding → review → approval), conditional task routing by severity or entity category, and automated evidence collection from integrated source systems for control testing.
💬