SAMA Frameworks: A Complete Guide for Saudi Banks
A practitioner's guide to every SAMA framework — CSF, BCM, IT Governance, Cyber Threat Intelligence, Counter-Fraud and Outsourcing — for Saudi banks today.
The Saudi Central Bank — known as SAMA — is one of the most active financial regulators in the GCC, and its framework family is the single biggest compliance obligation for any bank, insurer, payments provider or exchange operating in the Kingdom. Yet most teams reduce "SAMA compliance" to a single document — the Cyber Security Framework — and miss the other five frameworks that SAMA expects every member organisation to implement.
This guide walks through every SAMA framework, what it requires, how the frameworks relate to each other, and how to run a SAMA-aligned GRC programme without drowning in spreadsheets. It is intended for CISOs, compliance heads, internal auditors and risk officers in Saudi banks, finance companies, insurance providers and fintechs.
What is the SAMA framework family?
SAMA does not issue a single monolithic compliance standard. Instead, it issues a family of frameworks, each targeting a specific control domain. The six most important frameworks every regulated entity needs to know are:
- SAMA Cyber Security Framework (CSF) — the cornerstone cybersecurity standard
- SAMA Business Continuity Management Framework — operational resilience and recovery
- SAMA IT Governance Framework — IT management, change control, project governance
- SAMA Cyber Threat Intelligence Principles — threat intel collection, sharing and use
- SAMA Counter-Fraud Framework — anti-fraud controls, monitoring and reporting
- SAMA Outsourcing Regulations — third-party risk and supplier governance
On top of these, SAMA issues circulars and supervisory expectations on more specific topics — open banking, account opening, sanctions screening, AML and so on. Those circulars sit alongside the framework family rather than replacing it.
A common mistake is to write "SAMA CSF" in board reports as if it covers everything SAMA expects. It doesn't. SAMA inspectors will ask about the BCM Framework, the IT Governance Framework, your CTI capability, your fraud monitoring and your outsourcing register — and they expect each one to be evidenced separately.
1. SAMA Cyber Security Framework (CSF)
The Cyber Security Framework is SAMA's flagship cybersecurity standard. First issued in 2017 and updated since, it lays out the minimum cybersecurity controls every member organisation must implement, organised around four domains:
- Cyber Security Leadership and Governance — board oversight, policy, risk management, awareness
- Cyber Security Risk Management and Compliance — risk assessment, asset management, third-party risk
- Cyber Security Operations and Technology — identity, access, change management, incident response, vulnerability management
- Third-Party Cyber Security — supplier and outsourcing controls
CSF compliance is assessed against a maturity model (levels 0 to 5), with member organisations expected to reach at least the level SAMA sets as the minimum (level 3 in the published framework) and to demonstrate continuous improvement over time. Many Saudi banks now publish a CSF maturity roadmap as part of their annual GRC plan, and SAMA inspectors compare reported maturity to evidence on the ground.
CSF draws on NIST CSF, ISO 27001 and PCI DSS, but it is not a copy of any of them. The Saudi-specific elements include:
- A heavier emphasis on board-level governance and the role of the CISO
- Explicit requirements around insider threat
- Detailed third-party cyber security expectations that go beyond ISO 27001 Annex A
- Saudi-specific incident reporting timelines and channels
If your team already has an ISO 27001 ISMS, you have a strong head-start, but you will still need to layer CSF-specific requirements on top — particularly around board reporting, third-party assurance and incident management.
GRC Vantage's compliance module ships with a complete CSF control library and pre-built mappings to ISO 27001, NIST CSF and PCI DSS, so a single control update flows to every framework view.
2. SAMA Business Continuity Management Framework
The BCM Framework is the second pillar of SAMA's expectations — and the one most often under-resourced. It requires every member organisation to maintain a documented, tested and continuously improved business continuity programme, covering:
- Governance and policy — board-approved BCM policy, programme owner, scope definition
- Business Impact Analysis (BIA) — every critical business process documented with RTO and RPO
- Risk assessment — threats to continuity (cyber, physical, third-party, pandemic, geopolitical)
- Strategy and planning — recovery strategies, resourcing, alternate sites, third-party dependencies
- Testing and exercising — regular tabletop, walkthrough and full simulation exercises
- Awareness and training — every staff member knows their role
- Lessons learned and continuous improvement — every test and incident feeds back into the plan
SAMA's BCM Framework aligns closely with ISO 22301, but it adds Saudi-specific expectations around regulator notification, dependency on shared services (national payment systems, for example) and continuity reporting cadence. A typical SAMA inspection will cover the BIA, the most recent test report, board minutes approving the BCM policy, and evidence of remediation from the last exercise.
If you treat BCM as a once-a-year tabletop exercise run to satisfy the auditor, expect inspection findings. If you treat it as a continuously tested capability tied to your risk register and incident response, you will be in a far stronger position.
3. SAMA IT Governance Framework
The IT Governance Framework targets the IT management discipline — not just security controls, but how the IT function as a whole is governed, how change is managed, how projects are delivered and how IT services are measured.
Core requirements include:
- IT strategy aligned to business strategy and approved at board level
- Defined IT operating model and organisation structure
- Project portfolio management with stage gates and post-implementation reviews
- Change management with risk assessment, approval and back-out plans
- IT service management aligned to ITIL or equivalent
- Capacity, performance and availability management
- IT risk management feeding into the enterprise risk register
This framework matters because SAMA increasingly looks at the maturity of the IT function as a leading indicator of cyber risk. A bank with weak change control or undocumented IT processes will struggle to demonstrate CSF compliance, no matter how strong its perimeter security looks on paper.
4. SAMA Cyber Threat Intelligence Principles
The CTI Principles are a more specialised framework, focused on how regulated entities collect, analyse, share and act on cyber threat intelligence. SAMA expects member organisations to:
- Maintain a CTI capability proportionate to their size and risk profile
- Subscribe to or produce intelligence relevant to the Saudi financial sector
- Share threat indicators with SAMA and with peer organisations through approved channels
- Use threat intelligence to drive security operations, vulnerability prioritisation and incident response
- Document the CTI lifecycle and report on its effectiveness
For mid-sized banks, the CTI capability is often outsourced or shared, but the governance and reporting of that capability sits with the bank itself. SAMA expects to see the CTI function feeding into the SOC, the risk register and the board cyber report.
5. SAMA Counter-Fraud Framework
The Counter-Fraud Framework covers fraud prevention, detection, investigation and reporting across the customer lifecycle. It is closely related to AML and sanctions controls but focuses on fraud-specific risks: account takeover, payment fraud, internal fraud, identity fraud, social engineering and so on.
Key requirements:
- A board-approved fraud risk management policy
- A defined fraud risk taxonomy covering customer-facing and internal scenarios
- Real-time and batch fraud monitoring across payment channels
- Fraud incident response and customer notification procedures
- Regular fraud loss reporting to SAMA
- Staff training and customer awareness campaigns
The Counter-Fraud Framework is one area where SAMA has been increasingly vocal in recent years, particularly around real-time payment fraud and authorised push payment scams. Member organisations are expected to evolve their controls in line with the threat landscape rather than treat the framework as static.
6. SAMA Outsourcing Regulations
SAMA's Outsourcing Regulations govern how member organisations engage and manage third parties — particularly material outsourcing arrangements that touch customer data, critical systems or core business processes. The regulations require:
- A board-approved outsourcing policy
- Risk-based classification of every outsourcing relationship
- SAMA prior approval for material outsourcing arrangements
- Mandatory contract clauses (audit rights, data residency, exit assistance, sub-contracting controls)
- Ongoing monitoring of supplier performance and risk
- An outsourcing register submitted to SAMA on a defined cadence
Cloud is the area where the Outsourcing Regulations and CSF intersect most often: any move to a cloud service provider is treated as outsourcing, requires a risk assessment, and may need SAMA prior approval. The regulations also intersect with the Personal Data Protection Law (PDPL) wherever customer personal data is involved.
Our risk management module maintains a Saudi-context vendor risk library aligned to the Outsourcing Regulations and CSF third-party requirements.
How the SAMA frameworks fit together
The six frameworks are not independent silos. They interlock:
- CSF defines the cybersecurity controls, but BCM requires you to test how those controls hold up under stress
- IT Governance tells you how to run change management, which CSF expects to exist
- CTI feeds intelligence into both CSF (vulnerability management, incident response) and Counter-Fraud (typology updates)
- Outsourcing Regulations tell you how to govern third parties, which CSF, BCM and Counter-Fraud all assume you are doing
- All six feed the enterprise risk register that the board ultimately owns
The biggest single mistake we see Saudi banks make is treating each framework as a separate workstream with separate evidence, separate spreadsheets and separate teams. The cost is enormous — and so is the audit risk, because mismatches between the workstreams become inspection findings.
The opposite approach is what we call connected GRC: one control library, one risk register, one evidence store, one set of board reports. Every control is tagged to the frameworks it satisfies, every risk is linked to the controls that mitigate it, every test or audit finding flows back to the control owner. That is what GRC Vantage was built to deliver.
The 90-day SAMA readiness plan
If you are starting a SAMA programme from scratch — or trying to rescue one that has slipped — here is a 90-day plan that covers the essentials:
Days 0–30: Discovery
- Inventory every SAMA framework you are subject to and compare to current evidence
- Map your existing controls (ISO 27001, NIST, PCI) to SAMA CSF and identify gaps
- Run a Business Impact Analysis if you do not have one less than 12 months old
- Inventory your outsourcing register and check for missing material arrangements
Days 31–60: Build
- Stand up a single connected control library covering CSF, BCM, IT Governance and Outsourcing
- Define risk owners for every control
- Schedule the next BCM exercise and the next CSF self-assessment
- Build a board-level cyber and resilience dashboard
Days 61–90: Operate
- Run the first BCM tabletop and feed lessons learned back into the plan
- Submit your outsourcing register update to SAMA
- Present the first connected board report covering all SAMA frameworks
- Set the cadence for ongoing testing, evidence refresh and reporting
90 days is not enough to fully mature a SAMA programme — but it is enough to move from "fragmented and reactive" to "connected and predictable", which is what SAMA inspectors most want to see.
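The connected-GRC model described above (one control library tagged to every framework it satisfies) and the control-mapping gap analysis in the Days 0–30 step are easier to reason about with a concrete data model. The following is example code written for this guide, not GRC Vantage's own code or data model. It assumes four things that are placeholders: internal control IDs such as `CTL-001`, requirement labels such as `third-party-assurance` (these are illustrative, not SAMA clause numbers), owner names and evidence dates. It shows a control that satisfies requirements in two frameworks at once, three checks an inspector would effectively run (requirements with no control mapped, mapped requirements whose evidence is missing or stale, controls with no accountable owner), and that refreshing evidence on one control clears the gap in every framework the control is mapped to.

```python
"""Cross-framework control mapping with evidence-freshness and ownership checks.

Constructed example: control IDs, requirement labels, owners and evidence are
placeholders, not SAMA clause numbers or any bank's real data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Evidence:
    description: str
    collected_on: date


@dataclass
class Control:
    control_id: str
    name: str
    owner: Optional[str]                 # None = no accountable owner assigned yet
    satisfies: frozenset                 # {(framework, requirement_label), ...}
    evidence: list = field(default_factory=list)

    def latest_evidence(self):
        return max((e.collected_on for e in self.evidence), default=None)

    def is_fresh(self, cutoff: date) -> bool:
        latest = self.latest_evidence()
        return latest is not None and latest >= cutoff


# Placeholder requirement catalogue per framework (labels are illustrative only).
REQUIREMENTS = {
    "SAMA-CSF": {"access-management", "change-management",
                 "incident-response", "third-party-assurance"},
    "SAMA-BCM": {"business-impact-analysis", "bcm-exercise", "regulator-notification"},
    "SAMA-IT-GOV": {"change-management", "project-gates"},
    "SAMA-OUTSOURCING": {"outsourcing-register", "third-party-assurance", "exit-plan"},
}

# Constructed control library. One control may satisfy requirements in several frameworks.
CONTROLS = [
    Control("CTL-001", "Quarterly access recertification", "iam-lead",
            frozenset({("SAMA-CSF", "access-management")}),
            [Evidence("Q1 recertification report", date(2025, 3, 31))]),
    Control("CTL-002", "CAB approval with back-out plan", "it-change-mgr",
            frozenset({("SAMA-CSF", "change-management"),
                       ("SAMA-IT-GOV", "change-management")}),
            [Evidence("CAB minutes sample", date(2025, 5, 15))]),
    Control("CTL-003", "Supplier assurance review", None,
            frozenset({("SAMA-CSF", "third-party-assurance"),
                       ("SAMA-OUTSOURCING", "third-party-assurance")}),
            [Evidence("Vendor review pack", date(2023, 11, 2))]),
    Control("CTL-004", "Annual BCM tabletop", "bcm-owner",
            frozenset({("SAMA-BCM", "bcm-exercise")}), []),
]

AS_OF = date(2025, 6, 30)   # constructed assessment date


def requirement_gaps(controls, requirements):
    """Per framework: requirements that no control in the library claims to satisfy."""
    mapped = {pair for c in controls for pair in c.satisfies}
    return {fw: {r for r in reqs if (fw, r) not in mapped}
            for fw, reqs in requirements.items()}


def evidence_gaps(controls, requirements, as_of, max_age_days=365):
    """Per framework: mapped requirements with no evidence newer than max_age_days."""
    cutoff = as_of - timedelta(days=max_age_days)
    mapped = {pair for c in controls for pair in c.satisfies}
    fresh = {pair for c in controls if c.is_fresh(cutoff) for pair in c.satisfies}
    return {fw: {r for r in reqs if (fw, r) in mapped and (fw, r) not in fresh}
            for fw, reqs in requirements.items()}


def unowned_controls(controls):
    """Control IDs with no accountable owner; an inspector will ask who answers for these."""
    return sorted(c.control_id for c in controls if c.owner is None)


def record_evidence(controls, control_id, evidence):
    """Attach new evidence to one control; every framework it maps to sees the update."""
    control = next(c for c in controls if c.control_id == control_id)
    control.evidence.append(evidence)
    return control


if __name__ == "__main__":
    print("unmapped requirements:", requirement_gaps(CONTROLS, REQUIREMENTS))
    print("stale or missing evidence:", evidence_gaps(CONTROLS, REQUIREMENTS, AS_OF))
    print("controls without owner:", unowned_controls(CONTROLS))
    record_evidence(CONTROLS, "CTL-003", Evidence("Vendor review pack 2025", AS_OF))
    print("after refreshing CTL-003:", evidence_gaps(CONTROLS, REQUIREMENTS, AS_OF))
```

Two design points carry over to a real programme. Gaps are computed per requirement, not per control, because a control can be present and still leave a framework exposed if its evidence is older than the assessment window; and evidence attaches to the control rather than to the framework, which is what lets one refreshed vendor review close the third-party gap in CSF and in the Outsourcing Regulations at the same time.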
Where to go next
If you found this guide useful, the cluster posts in this series go deeper into each of the specific frameworks.
And if you want to see how a connected SAMA programme runs day-to-day, book a demo of GRC Vantage — we will walk you through how Saudi banks use the platform to manage CSF, BCM, IT Governance, Counter-Fraud and Outsourcing from one connected control library.
Frequently asked questions
- How many SAMA frameworks are there?
- The Saudi Central Bank (SAMA) issues at least six core frameworks that member organisations must comply with: the Cyber Security Framework (CSF), the Business Continuity Management Framework, the IT Governance Framework, the Cyber Threat Intelligence Principles, the Counter-Fraud Framework and the Outsourcing Regulations. There are also sector-specific circulars on top of these.
- Who has to comply with SAMA frameworks?
- Every organisation regulated by the Saudi Central Bank — banks, finance companies, insurance and reinsurance firms, money exchangers, payment service providers and credit information companies. Compliance is mandatory and SAMA conducts regular on-site and off-site supervision.
- Are SAMA frameworks the same as the NCA frameworks?
- No. SAMA frameworks apply to financial institutions regulated by the Saudi Central Bank. NCA frameworks (issued by the National Cybersecurity Authority) apply more broadly across critical national infrastructure, government and many private sectors. A typical Saudi bank has to comply with both — SAMA as its primary regulator and NCA where its systems are also classified as critical.
- Is SAMA CSF based on NIST?
- SAMA CSF draws on NIST CSF, ISO 27001 and PCI DSS, but it is its own framework with Saudi-specific requirements around governance, third-party risk and incident reporting. A NIST or ISO 27001 implementation gives you a strong head-start, but it does not equal SAMA CSF compliance.
- How often does SAMA update its frameworks?
- SAMA reviews and updates its frameworks periodically — sometimes through new versions, sometimes through circulars and clarifications. CSF and the BCM Framework have both seen multiple revisions since first issue. Member organisations should monitor the SAMA bulletin board and subscribe to regulator notifications.
- What happens if a bank fails a SAMA assessment?
- SAMA can issue findings, require remediation plans within fixed timeframes, impose financial penalties, or in serious cases restrict business activities. Repeat findings on the same control area are treated more seriously than first-time gaps. The reputational impact inside the Saudi market is significant.
- How does GRC Vantage help with SAMA compliance?
- GRC Vantage ships pre-built control libraries for every SAMA framework, automated assessment workflows, evidence collection, cross-framework mapping (so a single control update flows to CSF, BCM, IT Governance and ISO 27001 simultaneously) and regulator-ready reporting. The platform is built and supported by Saudi-based teams in Riyadh and Dammam, and can be hosted inside KSA to meet data residency requirements.