ISO 27001 & NCA ECC Controls
93 ISO 27001:2022 controls mapped to the NCA Essential Cybersecurity Controls (ECC-2:2024). Each control page shows what it requires, how to implement it in Microsoft 365, and which ECC and SAMA CSF requirements it satisfies.
NCA ECC-2:2024 ISO/IEC 27001:2022 SAMA CSF
The NCA Essential Cybersecurity Controls are the baseline cybersecurity framework for all organisations in Saudi Arabia. ECC-2:2024 was designed with explicit alignment to ISO/IEC 27001:2022 — meaning an organisation with a mature ISO 27001 ISMS is already well-positioned for ECC compliance.
One ISMS. Multiple Saudi frameworks.
NCA ECC-2:2024
108 controls across Governance, Defence, Resilience, and Innovation. Mandatory for all government entities and critical national infrastructure operators. Built on ISO 27001 alignment.
ISO/IEC 27001:2022
93 Annex A controls across Organisational, People, Physical, and Technological categories. The international standard that underpins ECC. Certification demonstrates baseline compliance.
SAMA Cyber Security Framework
103 objectives for SAMA-regulated financial institutions. Built on ISO 27001 and NIST CSF. Banks, insurance, and payment providers must demonstrate compliance.
24 Cybersecurity Governance ECC Domain 1
A.5.1 Policies for Information Security 1-1-1, 1-1-2, 1-1-3 +5 → A.5.2 Information Security Roles and Responsibilities 1-1-1, 1-1-2, 1-1-3 +8 → A.5.3 Segregation of Duties 1-3-1, 1-3-2, 1-3-3 +2 → A.5.4 Management Responsibilities 1-2-2, 1-2-3 → A.5.5 Contact with Authorities 1-4-1, 1-4-5 → A.5.6 Contact with Special Interest Groups 1-5-1 → A.5.8 Information Security in Project Management 1-7-1 → A.5.19 Information Security in Supplier Relationships 1-6-1, 1-6-2, 1-6-3 +1 → A.5.20 Addressing Information Security within Supplier Agreements 1-6-1, 1-6-2 → A.5.21 Managing Information Security in the ICT Supply Chain 1-6-1, 1-6-2, 1-6-3 → A.5.22 Monitoring Review and Change Management of Supplier Services 1-6-1, 1-6-3 → A.5.23 Information Security for Use of Cloud Services 1-6-1, 1-6-4 → A.5.31 Legal Statutory Regulatory and Contractual Requirements 1-4-1, 1-4-2, 1-4-3 → A.5.32 Intellectual Property Rights 1-4-3, 1-4-4, 1-4-5 → A.5.33 Protection of Records 1-4-1 → A.5.34 Privacy and Protection of PII 1-4-1 → A.5.36 Compliance with Policies Rules and Standards for Information Security 1-4-2, 1-4-4 → A.5.37 Documented Operating Procedures 1-7-1 → A.6.1 Screening 1-2-1, 1-2-2, 1-2-4 → A.6.2 Terms and Conditions of Employment 1-4-1, 1-2-2 → A.6.3 Information Security Awareness, Education and Training 1-5-1, 1-5-2, 1-5-3 → A.6.4 Disciplinary Process 1-4-2 → A.6.5 Responsibilities After Termination or Change of Employment 1-2-2 → A.6.6 Confidentiality or Non-Disclosure Agreements 1-4-1, 1-6-2 →
64 Cybersecurity Defence ECC Domain 2
A.5.5 Contact with Authorities 2-9-4 → A.5.9 Inventory of Information and Other Associated Assets 2-1-1, 2-1-3, 2-1-4 → A.5.10 Acceptable Use of Information and Other Associated Assets 2-1-2, 2-3-1 → A.5.11 Return of Assets 2-1-4 → A.5.12 Classification of Information 2-1-4 → A.5.13 Labelling of Information 2-3-1 → A.5.14 Information Transfer 2-3-5, 2-4-1, 2-10-1 → A.5.15 Access Control 2-2-1, 2-2-3 → A.5.16 Identity Management 2-2-2, 2-2-3 → A.5.17 Authentication Information 2-2-3 → A.5.18 Access Rights 2-2-3, 2-2-5 → A.5.24 Information Security Incident Management Planning and Preparation 2-5-4 → A.5.25 Assessment and Decision on Information Security Events 2-9-2, 2-8-2 → A.5.26 Response to Information Security Incidents 2-8-3, 2-8-4, 2-9-1 +1 → A.5.27 Learning from Information Security Incidents 2-8-3, 2-8-4, 2-9-3 → A.5.28 Collection of Evidence 2-9-4 → A.5.29 Information Security During Disruption 2-9-5 → A.5.33 Protection of Records 2-3-3, 2-3-2 → A.5.34 Privacy and Protection of PII 2-3-2 → A.5.37 Documented Operating Procedures 2-11-1 → A.6.4 Disciplinary Process 2-9-3 → A.6.5 Responsibilities After Termination or Change of Employment 2-2-3, 2-2-5 → A.6.6 Confidentiality or Non-Disclosure Agreements 2-3-2 → A.6.7 Remote Working 2-5-2, 2-4-2, 2-2-3 → A.6.8 Information Security Event Reporting 2-9-1, 2-9-4, 2-8-2 → A.7.4 Physical Security Monitoring 2-1-4 → A.7.7 Clear Desk and Clear Screen 2-5-4 → A.7.9 Security of Assets Off-Premises 2-1-4, 2-5-2 → A.7.10 Storage Media 2-3-4, 2-1-4 → A.7.12 Cabling Security 2-4-1 → A.7.13 Equipment Maintenance 2-1-4 → A.7.14 Secure Disposal or Re-use of Equipment 2-3-4, 2-1-4 → A.8.1 User Endpoint Devices 2-5-1 → A.8.2 Privileged Access Rights 2-5-1 → A.8.3 Information Access Restriction 2-5-1 → A.8.4 Access to Source Code 2-5-1 → A.8.5 Secure Authentication 2-2-4 → A.8.6 Capacity Management 2-8-2 → A.8.7 Protection Against Malware 2-5-2 → A.8.8 Management of Technical Vulnerabilities 2-7-1, 2-7-2, 2-7-3 +1 → A.8.9 Configuration Management 2-11-1, 2-11-2, 2-11-3 +1 → A.8.10 Information Deletion 2-5-1, 2-11-1, 2-11-2 +1 → A.8.11 Data Masking 2-5-1, 2-5-3 → A.8.12 Data Leakage Prevention 2-3-2, 2-3-3, 2-3-4 +3 → A.8.15 Logging 2-5-1, 2-8-1, 2-8-2 +1 → A.8.16 Monitoring Activities 2-4-1, 2-4-2, 2-4-3 +1 → A.8.17 Clock Synchronisation 2-5-1 → A.8.18 Use of Privileged Utility Programs 2-2-4, 2-5-4 → A.8.19 Installation of Software on Operational Systems 2-5-4, 2-11-2 → A.8.20 Networks Security 2-3-5, 2-6-3, 2-7-1 +3 → A.8.21 Security of Network Services 2-6-4 → A.8.22 Segregation of Networks 2-6-4 → A.8.23 Web Filtering 2-6-2, 2-6-3 → A.8.24 Use of Cryptography 2-6-1 → A.8.25 Secure Development Life Cycle 2-6-1 → A.8.26 Application Security Requirements 2-6-1 → A.8.27 Secure System Architecture and Engineering Principles 2-6-1 → A.8.28 Secure Coding 2-6-1 → A.8.29 Security Testing in Development and Acceptance 2-6-1 → A.8.30 Outsourced Development 2-6-1 → A.8.31 Separation of Development Test and Production Environments 2-6-1 → A.8.32 Change Management 2-6-1, 2-11-4 → A.8.33 Test Information 2-6-1 → A.8.34 Protection of Information Systems During Audit Testing 2-6-1 →
32 Cybersecurity Resilience ECC Domain 3
A.5.8 Information Security in Project Management 3-4-1 → A.5.29 Information Security During Disruption 3-1-1, 3-1-2 → A.5.30 ICT Readiness for Business Continuity 3-1-1, 3-1-3, 3-1-4 → A.7.1 Physical Security Perimeters 3-3-1 → A.7.2 Physical Entry 3-3-2, 3-3-3 → A.7.3 Securing Offices, Rooms and Facilities 3-3-3 → A.7.5 Protecting Against Physical and Environmental Threats 3-3-4 → A.7.6 Working in Secure Areas 3-3-1, 3-3-2 → A.7.7 Clear Desk and Clear Screen 3-3-2 → A.7.8 Equipment Siting and Protection 3-3-3, 3-3-4 → A.7.9 Security of Assets Off-Premises 3-3-4 → A.7.10 Storage Media 3-3-4 → A.7.11 Supporting Utilities 3-3-3, 3-1-4 → A.7.12 Cabling Security 3-3-3 → A.7.13 Equipment Maintenance 3-3-4, 3-1-1 → A.8.6 Capacity Management 3-1-1, 3-5-2 → A.8.13 Information Backup 3-2-1, 3-2-2, 3-2-3 → A.8.14 Redundancy of Information Processing Facilities 3-1-1, 3-1-4, 3-2-1 → A.8.19 Installation of Software on Operational Systems 3-5-1 → A.8.22 Segregation of Networks 3-4-3 → A.8.23 Web Filtering 3-4-4 → A.8.24 Use of Cryptography 3-4-1, 3-4-2 → A.8.25 Secure Development Life Cycle 3-4-1 → A.8.26 Application Security Requirements 3-4-1 → A.8.27 Secure System Architecture and Engineering Principles 3-4-1 → A.8.28 Secure Coding 3-4-1 → A.8.29 Security Testing in Development and Acceptance 3-4-1 → A.8.30 Outsourced Development 3-4-1 → A.8.31 Separation of Development Test and Production Environments 3-4-1 → A.8.32 Change Management 3-4-1, 3-5-1, 3-5-2 +2 → A.8.33 Test Information 3-4-1 → A.8.34 Protection of Information Systems During Audit Testing 3-4-1 →
15 Cybersecurity Innovation ECC Domain 4
A.5.1 Policies for Information Security 4-5-1, 4-5-2, 4-5-3 → A.5.2 Information Security Roles and Responsibilities 4-5-1, 4-5-2, 4-5-3 → A.5.3 Segregation of Duties 4-1-1 → A.5.6 Contact with Special Interest Groups 4-3-1, 4-3-2 → A.5.7 Threat Intelligence 4-1-1, 4-1-2, 4-1-3 +3 → A.5.8 Information Security in Project Management 4-2-1 → A.5.35 Independent Review of Information Security 4-5-1, 4-5-3 → A.5.36 Compliance with Policies Rules and Standards for Information Security 4-4-3 → A.8.1 User Endpoint Devices 4-1-2 → A.8.2 Privileged Access Rights 4-1-2 → A.8.3 Information Access Restriction 4-1-2 → A.8.4 Access to Source Code 4-1-2 → A.8.20 Networks Security 4-4-1, 4-4-2, 4-4-3 → A.8.23 Web Filtering 4-4-1, 4-4-2, 4-4-3 → A.8.28 Secure Coding 4-2-1, 4-2-2, 4-2-3 →
Assess your ECC and ISO 27001 compliance gaps
Our free assessment evaluates your M365 configuration against all 93 controls and maps findings to both NCA ECC and ISO 27001 requirements.