Is SAMA CSF the same as NCA ECC?

No — SAMA CSF applies to entities under the Saudi central bank (banks, insurers, finance companies, PSPs). NCA ECC-2 is the broader National Cybersecurity Authority baseline for any organisation in KSA. Most SAMA-regulated entities sit under both.

What about Open Banking participants?

SAMA's Open Banking framework adds further control expectations on top of CSF — API security, consent and dispute handling. We scope all three in a single engagement.

Do you support cross-border banking groups?

Yes — including alignment with home-regulator requirements (RBI / CBUAE / others) so a single ISMS can satisfy multiple regulators.

Where does PCI DSS fit?

Card-handling banks and PSPs continue to need PCI DSS v4.0 in parallel. We deliver both with a shared evidence pack.

Saudi Central Bank · Banks · Insurers · Finance Companies

SAMA Cyber Security Framework Audit

End-to-end SAMA CSF audit — control assessment, maturity scoring, submission pack.

Full SAMA Cyber Security Framework audit for Saudi banks, insurers, finance companies and payment service providers under the Saudi central bank. Covers SAMA CSF 1.0 (May 2017) and subsequent CSF updates, IT-governance and outsourcing circulars, with maturity scoring against the four-tier SAMA scale.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

SAMA Cyber Security Framework 1.0 (May 2017)
SAMA IT Governance + Outsourcing circulars (latest published version)
SAMA Business Continuity Management Framework
SAMA Counter-Fraud Framework
SAMA Open Banking framework (where applicable)
NCA Essential Cyber Controls (ECC-2:2024) overlay
PCI DSS v4.0 (mapped for card-handling banks)
ISO 27001:2022 (mapped)

Why this matters

Compliance is leverage, not paperwork.

The SAMA Cyber Security Framework (1.0, May 2017) and its later updates set the cybersecurity expectations for all entities under SABB / SAMA — banks, insurers, finance companies and payment service providers — graded on a four-tier maturity scale. SAMA inspections evaluate evidence against each control, and the central bank uses the maturity score as input to supervisory ratings. Macksofy's SAMA CSF audit is sequenced the way SAMA inspectors read it — control statements, sampled evidence, maturity score and a clean closure plan.

Applicability

Saudi licensed banks (local and foreign branches)
Insurance and reinsurance companies under SAMA
Finance companies and consumer-credit entities
Payment service providers and Saudi Payments participants
Major third-party suppliers to SAMA-regulated entities
Fintechs licensed under SAMA's Regulatory Sandbox graduating to full licence

Standards & frameworks

Aligned to the regulations that matter.

SAMA Cyber Security Framework 1.0 (May 2017)

SAMA IT Governance + Outsourcing circulars (latest published version)

SAMA Business Continuity Management Framework

SAMA Counter-Fraud Framework

SAMA Open Banking framework (where applicable)

NCA Essential Cyber Controls (ECC-2:2024) overlay

PCI DSS v4.0 (mapped for card-handling banks)

ISO 27001:2022 (mapped)

Methodology

How we run a SAMA CSF engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

REV.01 · METHODOLOGY SCHEMATIC

NODES 05

INSPECTOR · NODE-01

1 · Scoping + tiering

Entity-type + size classification
Critical-service inventory
Target-maturity tier confirmation

Deliverables

Everything you need to satisfy auditors.

SAMA CSF scoping + tier memo
Control-by-control compliance register
Maturity heatmap on SAMA four-tier scale
Technical validation report (VAPT + config audit)
Third-party + outsourcing risk pack
SAMA submission pack + inspector Q&A deck
Closure tracker + annual recertification plan

Recent engagements

Saudi bank (Tier-1 retail)

SAMA CSF audit + maturity uplift

Outcome: Maturity score lifted from Tier-2 to Tier-3 across all four domains in one audit cycle; SAMA inspection closed with no major findings

Saudi insurer + payment service provider

SAMA CSF + NCA ECC-2 unified program

Outcome: Single control set covered both regimes; audit effort reduced by an estimated 30% in year two

At a glance

The shape of a SAMA CSF engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Leadership & governance3 pts
Risk & compliance3 pts
Operations & technology3 pts
Third-party cyber security3 pts
Maturity scoring3 pts
SAMA submission pack3 pts

Pillar 01

Leadership & governance

Board, cyber-committee and CISO accountability validated against SAMA expectations.

Board-approved cyber-security policy
CISO charter + reporting independence
Cyber-risk metrics at board level

Pillar 02

Risk & compliance

Risk register, regulatory mapping and compliance evidence walked end-to-end.

Cyber-risk-management framework
Regulatory compliance register
Internal audit + assurance cadence

Pillar 03

Operations & technology

The largest control family in SAMA CSF — operational and technical controls.

Identity, MFA + privileged-access
Network + endpoint + cloud baselines
SOC + 24x7 monitoring evidence

Pillar 04

Third-party cyber security

Outsourcing, supplier and cloud-provider cyber controls SAMA samples aggressively.

Supplier risk + contract clauses
Cloud + outsourcing due diligence
Concentration-risk register

Pillar 05

Maturity scoring

Four-tier maturity score per control — the metric SAMA inspectors anchor on.

Per-control maturity rating
Target-tier gap analysis
Investment plan by tier delta

Pillar 06

SAMA submission pack

Artefacts assembled exactly the way SAMA inspections consume them.

Control-statement to evidence map
Maturity-heatmap deck
Inspector Q&A walk-through

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a SAMA CSF engagement. Click any station for detail in the methodology section above.

Week 1

Scoping + tiering

Week 2

Control assessment

Week 3

Technical validation

Week 4

Maturity scoring

Week 5

Submission + inspector support

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

Annual at minimum. SAMA-regulated entities also run continuous internal assurance and may face tighter on-site inspection cycles based on risk profile.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.