Saudi Arabia Compliance

One ISMS. Multiple Saudi frameworks.

ISO 27001 is the international standard that underpins Saudi Arabia's cybersecurity regulatory landscape. The NCA Essential Cybersecurity Controls, SAMA CSF, and every sector-specific framework are built on it. We implement the controls once in your Microsoft 365 environment — then map the evidence to every framework you're measured against.

The Saudi cybersecurity framework hierarchy

Every Saudi cybersecurity framework traces back to international standards. ISO 27001 certification is the most efficient path to compliance across all of them.

ISO/IEC 27001:2022 (93 Annex A controls)
The international foundation. All Saudi frameworks reference or extend it.

Extends & localises:

NCA ECC-2:2024 (108 controls + 92 sub-controls)
Baseline for all government entities and critical national infrastructure operators.

SAMA CSF (103 objectives)
Financial sector: banks, insurance, payment providers regulated by SAMA.

Sector extensions:
NCA CSCC: Critical systems
NCA CCC: Cloud security
NCA DCC: Data security

Our ISO 27001 controls cover KSA requirements

93 of 93 ISO controls map to NCA ECC
65 of 93 ISO controls map to SAMA CSF
108 NCA ECC controls covered via ISO 27001 mapping

Framework details

NCA Essential Cybersecurity Controls (ECC-2:2024)

National Cybersecurity Authority

The baseline cybersecurity framework for Saudi Arabia. ECC-2:2024 replaced ECC-1:2018 in October 2024 with explicit alignment to ISO/IEC 27001:2022 and NIST Cybersecurity Framework.

Domain 1: Cybersecurity Governance

Strategy, roles, risk management, compliance, awareness, third-party management, programme management

Domain 2: Cybersecurity Defence

Asset management, identity & access, data security, network, endpoint, application, vulnerability, monitoring, incident, cryptography, configuration

Domain 3: Cybersecurity Resilience

Business continuity, backup & recovery, physical security, secure development, change management

Domain 4: Cybersecurity Innovation

Emerging technologies, security architecture, threat intelligence, security testing, continuous improvement

Applies to: All government entities and critical national infrastructure operators

SAMA Cyber Security Framework

Saudi Arabian Monetary Authority

Mandatory for all SAMA-regulated financial institutions. Built on ISO 27001, NIST CSF, PCI DSS, and Basel standards. Uses a 6-level maturity model (0-5) in which Level 3 ("Structured and Formalised") is the minimum compliance target.

Domain 1: Cyber Security Leadership and Governance

Governance framework, strategy, policies, organisational structure

Domain 2: Cyber Security Risk Management

Risk framework, assessments, treatment, monitoring

Domain 3: Cyber Security Operations

Asset management, identity, data protection, network, endpoint, application security, incident management

Domain 4: Cyber Security Architecture and Engineering

Architecture standards, cryptography, secure development, cloud security

Domain 5: Cyber Security Measurement and Improvement

Performance measurement, audit, compliance monitoring, continuous improvement

Applies to: Banks, insurance companies, payment service providers, and other SAMA-regulated entities

Assess your compliance across all Saudi frameworks

Our free assessment evaluates your Microsoft 365 configuration against ISO 27001 and maps findings to NCA ECC and SAMA CSF requirements — showing you exactly where you stand across all applicable frameworks.