New personal data protection guidelines mandated for auditors
Published: 03:06 PM,Jun 17,2025 | EDITED : 07:06 PM,Jun 17,2025
The document aims to “establish clear standards for the accreditation of external auditors to ensure high-quality, ethical, and lawful data audit services in Oman.”
MUSCAT, JUNE 17
The Ministry of Transport, Communications and Information Technology (MoTCIT) has unveiled new standards and requirements for the accreditation of external personal data auditors in the Sultanate of Oman.
The document, issued in April of 2025, aims to “establish clear standards for the accreditation of external auditors to ensure high-quality, ethical, and lawful data audit services in Oman.” “In light of the increasing challenges of personal data protection in the digital age, the importance of ensuring private sector institutions' compliance with relevant laws and regulations grows,” the Ministry said in the document.
“This document provides the necessary technical and administrative standards for accrediting external auditors to ensure they possess the qualifications, methodology, and resources required to deliver high-quality and reliable audit services. This ensures their ability to conduct compliance audits for institutions (controllers and processors) to verify that personal data processing procedures are in accordance with the provisions of the Personal Data Protection Law and its executive regulations,” the Ministry added.
In order to qualify as external auditors, companies must adhere to several administrative, security and compliance, and quality assurance requirements.
With regard to administrative and technical standards, auditors are required to have an active commercial registration for no less than 12 months and to possess the necessary licenses to operate in the Sultanate of Oman, in addition to holding essential certifications including ISO/IEC 27001 for Information Security Management and ISO/IEC 27701 for Privacy Information Management.
Furthermore, external auditing companies must have a qualified technical team with practical experience and recognized certifications such as ISO 27000 Lead Auditor, CISA, or CIPP, in addition to previous auditing experience with a demonstrated and credible track record in providing auditing services.
Moreover, companies must maintain comprehensive documentation of procedures covering all audit phases (planning, execution, and reporting) in addition to a record retention policy of audit records, activities, results, and correspondence for no less than five years.
Finally, the regulations require a minimum Omanisation rate of 30% within the technical teams of companies.
With regard to security and compliance, the standard requires auditors to adhere to all laws and regulations related to personal data protection. Companies must also have a comprehensive Data Protection and Confidentiality Policy, which outlines how data is managed and safeguarded against unauthorized access, modification, or disclosure. Furthermore, companies must have the ability to conduct risk assessment audits and security gap assessments. They are also required to maintain an incident reporting policy, which clearly outlines the procedures for reporting any security incidents that occur during the audit process.
Finally, auditors are required to implement defined standards to regularly assess performance and ensure adherence to the required quality levels.