GCC — ISO 27001

Your principal contractor holds ISO 27001. Now they want you to hold it too.

ISO 27001 arrived in GCC construction and industrial contracts as a requirement for Tier 1 contractors. It is now moving to Tier 2. EPC firms and major operators with their own information security certification are passing the obligation into subcontract conditions, prequalification questionnaires and vendor approval requirements.

If your clients operate under DIFC or ADGM regulation, or if they supply to ADNOC, Saudi Aramco or their downstream operators, the requirement is already arriving or will arrive within the next contract renewal cycle. This is not a future concern. It is a current one for any business supplying into major project work in the UAE, Saudi Arabia or Qatar.

The regulatory pressure that started this.

To understand why ISO 27001 is moving through the GCC supply chain, you need to understand the regulatory environment that created the pressure in the first place.

The UAE Personal Data Protection Law came into force in 2022. It applies to any organisation that processes personal data of individuals in the UAE, regardless of where the organisation is headquartered. For a construction or industrial business operating in the UAE, this covers employees, subcontractors, clients, project stakeholders and visitors. Personnel records, payroll data, safety induction records, health assessments and access control logs all constitute personal data under the law.

The PDPL requires organisations to implement appropriate technical and organisational measures to protect personal data. It does not mandate a specific standard, but ISO 27001 has become the accepted framework for demonstrating that those measures are in place. Regulatory bodies and auditors recognise ISO 27001 as the practical standard for this purpose. Businesses that hold the certification can demonstrate compliance with PDPL obligations through the evidence base their certification produces. Businesses that do not hold it have no equivalent mechanism for demonstrating the same level of control.

For businesses operating under DIFC or ADGM regulation, the position is more specific. The DIFC Data Protection Law No. 5 of 2020 and the ADGM Data Protection Regulations both set detailed requirements for data handling, breach notification, data subject rights and security measures. Both frameworks effectively treat ISO 27001 as the baseline standard. DIFC and ADGM-regulated businesses are expected to hold ISO 27001 certification or to be actively working toward it, and their suppliers who access or handle regulated data are subject to the same expectation.

In Saudi Arabia, the Personal Data Protection Law of 2021 and its implementing regulations create equivalent obligations. The National Cybersecurity Authority has published a set of Essential Cybersecurity Controls that map closely to ISO 27001 Annex A. Government ministries, semi-government entities and major state-owned enterprises are referencing these controls in their procurement requirements. ISO 27001 certification is becoming the accepted method for demonstrating that the NCA controls are in place.

How EPC contractors are pushing the requirement down the supply chain.

An EPC contractor holding ISO 27001 certification has a scope that includes the management of information security across its supply chain. Annex A control 5.23 of ISO 27001:2022 specifically addresses information security for the use of cloud services. More broadly, Clause 6.1.2 requires the organisation to identify and assess information security risks, including those associated with external parties, and the Annex A controls under the supplier relationships category require the organisation to assess, monitor and manage information security obligations with suppliers who handle or can access organisational information.

When a certifying body conducts a surveillance audit of an EPC contractor's ISO 27001 system, they look at how the contractor manages information security across its supplier base. They look for supplier assessment processes, supplier security requirements in contracts, evidence that supplier compliance is monitored, and records of incidents involving supplier access. If the contractor cannot demonstrate that critical subcontractors meet comparable information security standards, that becomes a non-conformance in the contractor's own audit. The contractor's certification is at risk.

The practical resolution is to pass the requirement into subcontract conditions. An EPC contractor can demonstrate supply chain control most efficiently by requiring that subcontractors hold ISO 27001 certification themselves. It converts a monitoring and assessment obligation into a straightforward certification requirement. The certifying body auditing the EPC contractor can verify compliance by checking subcontractor certificates, rather than auditing each subcontractor's information security controls individually.

The businesses affected are not only IT or data-intensive suppliers. Any subcontractor who accesses the principal contractor's project management systems, handles personnel data, receives client-sensitive project documentation or uses the principal contractor's communication infrastructure is within the information security scope. In a major construction or industrial project in the UAE or Saudi Arabia, this covers most subcontractors of any significance.

What the requirement looks like when it arrives.

Most businesses in the GCC first encounter the ISO 27001 requirement in one of three ways, and understanding the difference between them matters for how you respond.

The most common first encounter is a prequalification questionnaire. Major clients, government entities and principal contractors use prequalification processes to assess suppliers before awarding work. The questionnaire typically includes a section on quality management systems, a section on health and safety management systems, and an increasingly common section on information security management. The information security section asks for your ISO 27001 scope statement, your certification body, your certificate number, your last audit date and your statement of applicability. Some questionnaires also ask for your information asset register summary and evidence of your most recent management review. If you cannot answer these questions, you do not proceed in the evaluation.

The second encounter is a vendor approval or approved supplier list requirement. Clients maintain approved supplier lists, and suppliers are periodically reviewed for continued qualification. Businesses that hold ISO 9001 and ISO 45001 but not ISO 27001 are increasingly being placed on conditional status with a requirement to achieve certification within a defined period, often twelve months. Failure to meet the condition results in removal from the approved list and loss of access to work opportunities with that client.

The third encounter is a direct contract clause. This is becoming more common in new subcontracts placed by major EPC contractors in the UAE and Saudi Arabia. The clause typically requires the subcontractor to hold current ISO 27001 certification throughout the contract period, to make the management system available for client review on request, and to notify the principal contractor within a defined timeframe of any information security incident affecting project data or personnel information.

What all three scenarios have in common is that by the time the requirement arrives, there is very little time to respond. A prequalification closes in weeks. A vendor approval review has a fixed deadline. A contract condition cannot be negotiated away. Businesses that have started their ISO 27001 programme are in a position to respond. Businesses that have not are not.

The sectors where it is arriving fastest.

In Abu Dhabi, the ADNOC supply chain is where the requirement is moving fastest. ADNOC holds ISO 27001 certification itself and has extended information security requirements through its In-Country Value programme. Suppliers working with ADNOC Group companies on operational technology, project management systems, personnel data or client information are subject to information security requirements that ISO 27001 satisfies. Suppliers who cannot demonstrate ISO 27001 certification are at a competitive disadvantage in ADNOC procurement processes regardless of their other qualifications.

In Dubai, the DIFC and ADGM regulatory environments mean that professional services, financial services and the businesses supplying them have been subject to ISO 27001 expectations for several years. The requirement is now moving into the construction and facilities management sectors that service these regulated entities. Facilities management companies contracted to operate buildings in DIFC are subject to the same information security expectations as their clients.

In Saudi Arabia, the pace is driven by Vision 2030 programme procurement. NEOM, the Red Sea Project, Diriyah Gate and the major infrastructure programmes are procured through mechanisms that include information security requirements in their supplier qualification processes. EPC contractors working on these programmes are passing the requirements into their subcontract conditions. The construction and industrial services businesses supplying into these programmes, directly or at one remove, are discovering the requirement in their contracts.

In Qatar, QatarEnergy's contractor management framework and the infrastructure investment associated with major industrial projects create comparable pressure. Contractors and subcontractors working in the Qatari energy sector are subject to information security requirements that align with ISO 27001.

For construction, facilities management and oil and gas businesses operating in the GCC, ISO 27001 now sits alongside ISO 9001 and ISO 45001 as a tender requirement rather than a differentiator.

What ISO 27001 certification actually requires your business to do.

Information asset register

Identify the information assets your business holds, classify them by sensitivity and assign ownership to a named person or role. For a construction or industrial business in the GCC, this typically covers project documentation, personnel records, client and subcontractor contracts, financial data and the IT systems that hold them. Most businesses produce a register of between 40 and 70 assets. It is bounded, specific work.

Annex A control assessment

ISO 27001:2022 includes 93 controls across four categories: organisational, people, physical and technological. You assess each control as applicable or not applicable to your scope, document the assessment and record justification for any exclusions. The output is the statement of applicability, which is the first document your Stage 1 auditor reviews.

Risk assessment

Formally identify your information security risks, assess their likelihood and consequence, and map them to the controls that address them. For businesses that already hold ISO 9001 or ISO 45001, this extends the risk register and methodology that already exists rather than creating a new one.

Supplier security assessment

For IT providers, cloud platforms and project management systems that access or hold your information assets, document your security requirements, assess whether they are met, and review on a defined cycle. For most construction and industrial businesses, this covers four to eight suppliers.

Ongoing programme

Internal audits against ISO 27001 clauses at defined intervals. Management reviews covering information security performance. Non-conformances logged and corrected. Evidence maintained continuously so that the surveillance audit is not a scramble.

What it costs and what the alternatives cost.

A traditional ISO 27001 implementation using a specialist consultant in the GCC typically costs between USD 20,000 and USD 60,000 for initial certification, depending on the size and complexity of the organisation. This covers gap analysis, policy development, Annex A control implementation support, internal audit preparation and Stage 1 and Stage 2 certification audit support. The certification audit itself, conducted by an accredited certification body, costs between USD 3,000 and USD 8,000 for most businesses of this size. Annual surveillance audits are typically USD 2,000 to USD 5,000.

Ongoing maintenance, if it relies on annual consultant visits to prepare for surveillance audits, costs a further USD 10,000 to USD 25,000 per year. The system often degrades between visits, and a significant portion of each engagement is spent reconstructing what has changed rather than moving the programme forward.

The cost of not having ISO 27001 when it becomes a contract requirement is harder to quantify but often much larger. A single failed prequalification that results in losing access to a major project opportunity can represent lost revenue that dwarfs the cost of certification. A principal contractor relationship that ends because you cannot demonstrate ISO 27001 certification has compounding commercial consequences.

For businesses that already hold ISO 9001, 14001 or 45001, adding ISO 27001 to an existing Vissibl workspace is priced as a combination. The programme runs continuously, evidence is maintained automatically and the surveillance audit is not a separate preparation exercise.

The practical steps for a business receiving the requirement now.

If you have received the ISO 27001 requirement in a prequalification or contract condition and your next deadline is three to six months away, the practical path is well-defined.

1. Start with a gap analysis

Assess your current information security practices against ISO 27001 requirements. This tells you what is already in place, what is documented but informal, and what is genuinely missing. For businesses with an existing ISO 9001 or 45001 management system, the gap is typically smaller than expected. The structural elements of the management system are already there. The gap is the Annex A controls and the information asset register.

2. Build the information asset register

This is the anchor document for everything that follows. Your control assessment, your risk assessment and your statement of applicability all reference it. Starting here gives you the scope clarity you need to work efficiently on everything else.

3. Complete the Annex A control assessment

Complete the Annex A control assessment and produce your statement of applicability in the second month. This document, together with your information asset register, is the evidence that you have engaged seriously with ISO 27001 even before certification is complete. In some prequalification processes, a credible gap analysis and a draft statement of applicability are sufficient to satisfy a conditional requirement while full certification is in progress.

4. Implement the control gaps

Close the control gaps in months two and three. For most GCC construction and industrial businesses, the access control policies, multi-factor authentication requirements and supplier security assessments are the primary implementation tasks.

5. Run your pre-certification internal audit and management review

Run your pre-certification internal audit and management review in month four. The Stage 1 and Stage 2 certification audits follow in months five and six.

Your ISO 27001 programme in Vissibl.

  • Clause-by-clause coverage from day one. Every ISO 27001 requirement mapped in your workspace, controls assessed, documentation linked, gaps surfaced as they appear.
  • Information asset register built and version-controlled from the first session. Review schedule maintained automatically.
  • Annex A controls assessed and documented against your scope. Statement of applicability generated and maintained as your scope changes.
  • Vissi Research runs supplier assessments continuously for your IT providers and cloud platforms. Certificate expiry and compliance status tracked automatically.
  • Internal audit programme covering ISO 27001 alongside your existing frameworks. One audit schedule, one evidence trail, one dashboard.
  • For businesses that already hold ISO 9001, 14001 or 45001, ISO 27001 sits in the same workspace. One programme, not two.
  • 49 findings in 11 minutes. Surfaced in a single Vissi Audit session for a construction customer.
  • 4 frameworks in one workspace. ISO 9001, 14001, 45001 and 27001 managed together.
  • 2 of 4 vendors flagged critical-risk. Identified in a single Vissi Research session.

Ready to see where your gaps are?

Flat annual pricing. Unlimited users. Unlimited sites. No setup fee. Talk to us about ISO 27001 and we will scope it for your programme.

Find out where your ISO 27001 gaps are before the next contract requires it.

Bring your existing documentation to a first session and we run Vissi Audit against your current position in 11 minutes.