SAMA CSF Compliance Checklist 2026 (Free Template)

A free SAMA CSF compliance checklist for 2026 — every domain, sub-control and maturity expectation Saudi banks need to evidence, with downloadable template.

GRC Vantage Team · 2026-04-08 · 6 min read

The most-requested artefact in any first-time SAMA CSF readiness engagement is the same: a complete, structured checklist of every CSF expectation, organised so a Saudi bank can work through it methodically and know whether the programme is complete. The framework itself is a substantial document and the maturity model adds a layer of nuance that is easy to lose track of. A clean checklist — used consistently across the team — closes that gap.

This post is the structured SAMA CSF compliance checklist for 2026. It covers every domain, the key sub-controls, the evidence types SAMA inspectors typically request, and the maturity expectations the framework lays out. A downloadable copy is available at the end.

How to use this checklist

Run through the checklist as a team. For each line item:

  1. Mark the current state — non-existent, ad-hoc, repeatable, defined and managed, or adaptive.
  2. Identify the owner.
  3. Note the evidence reference.
  4. Record the date the assessment was made.
  5. Identify the gap to the target maturity and the action required to close it.

The checklist is a working document. It is most useful when it is updated quarterly with the current state and used as the input to a recurring management review. It is least useful when it is filled in once and put in a folder.

Domain 1 — Cyber Security Leadership and Governance

The Leadership and Governance domain is where first-time inspections produce the most findings. Work through it carefully.

1.1 Cyber security policy. Documented policy approved at the highest level (typically the board), reviewed on a defined cadence (annually at minimum), communicated to all relevant staff, and supported by sub-policies for each material area (acceptable use, access control, data handling, incident response, business continuity, third-party).

1.2 Cyber security strategy. Documented strategy aligned to the organisation's overall strategy, approved by the board, with measurable objectives and a defined review cadence.

1.3 Cyber security organisation. Defined cyber security function with named leadership, clear reporting line independent of the IT function, documented roles and responsibilities, defined escalation paths, and resourcing appropriate to the organisation's risk profile.

1.4 CISO independence. The CISO reports to the CEO, the CRO or directly to a board committee — not to the CIO. This is one of the clearest prescriptive requirements in CSF and a recurring first-inspection finding.

1.5 Board cyber engagement. Board receives cyber security reporting on a defined cadence with metrics meaningful to a board audience. Board minutes evidence engagement (questions asked, decisions made, budget approved, actions tracked) — not just noting.

1.6 Risk management framework. Documented cyber risk management methodology with identification, analysis, evaluation and treatment, aligned to ISO 27005 or NIST SP 800-30, with risk acceptance criteria approved at board level.

1.7 Compliance management. Defined compliance function (or function with cyber compliance responsibility), documented approach to identifying and tracking applicable laws and regulations, evidence of regular compliance reporting.

1.8 Internal audit of cyber security. Documented internal audit of the cyber security function on a defined cadence, with findings tracked to closure and reported to the audit committee.

Domain 2 — Cyber Security Risk Management and Compliance

2.1 Cyber risk register. Documented cyber risk register with structured entries — owner, inherent score, controls, residual score, treatment plan, KRIs, framework linkage. Updated quarterly at minimum.

2.2 Risk treatment. Treatment plans for every risk above appetite, with named owners, deadlines and current status. Aging analysis on overdue actions.

2.3 Risk acceptance. Documented rationale for accepted risks, approval at appropriate governance level (risk committee or board for material risks).

2.4 Compliance with legal and regulatory requirements. Inventory of applicable laws and regulations, mapped to controls that demonstrate compliance, reviewed on defined cadence.

2.5 Third-party assurance. Right-to-audit clauses in material contracts, evidence of audits performed, follow-up on findings.

Domain 3 — Cyber Security Operations and Technology

This is the largest domain by control count. The checklist below is structured by control family.

Asset management

3.1 Asset inventory. Complete inventory of information assets — hardware, software, data, services. Owners assigned. Classification applied. Updated as assets change.

3.2 Asset disposal. Documented secure disposal process for hardware and storage media, with evidence of execution.

Identity and access management

3.3 Identity lifecycle. Documented joiners-movers-leavers process with evidence of execution. Time-bounded SLAs for provisioning and de-provisioning.

3.4 Authentication. Multi-factor authentication enforced for all administrative access and all remote access. Password policy aligned to current good practice (NIST SP 800-63B or equivalent).

3.5 Privileged access. Privileged access management solution in place. Privileged accounts inventoried. Time-bounded privileged sessions where appropriate. Logging and monitoring of privileged actions.

3.6 Access reviews. Recertification of access on a defined cadence (typically quarterly for privileged, annually for general). Evidence of action on review outcomes.

Network and infrastructure security

3.7 Network segmentation. Documented network architecture with segmentation between corporate, production and management environments. Firewall rule reviews on defined cadence.

3.8 System hardening. Documented hardening standards for each platform, evidence of compliance, exception handling.

3.9 Vulnerability management. Vulnerability scanning on a defined cadence (weekly internal and monthly external scans are common). Documented patch SLAs by criticality. Evidence of compliance with those SLAs.

3.10 Penetration testing. External penetration testing on defined cadence (typically annually for the perimeter, more often for critical applications). Findings tracked to closure.

Application and data security

3.11 Secure software development. Documented secure development lifecycle. Evidence of security review at design, code review, security testing, secure deployment.

3.12 Cryptography. Documented cryptographic standards. Inventory of keys. Key management process. Evidence of approved algorithms in use.

3.13 Data classification and protection. Data classification scheme. Controls applied per classification (encryption, access control, retention, disposal).

3.14 Backup. Documented backup approach for critical data. Evidence of regular backups. Periodic restoration tests.

Logging, monitoring and incident response

3.15 Centralised logging. Centralised log collection from in-scope systems. Defined retention period. Integrity protection on logs.

3.16 Security monitoring. Defined use cases for security monitoring. SIEM in place. Alerting and triage process. Defined SLAs for alert response.

3.17 Incident response plan. Documented incident response plan with severity classification, escalation paths, runbooks for common scenarios, defined SAMA notification decision point and channel.

3.18 Incident response exercises. Documented exercise programme. Evidence of recent exercises. Lessons learned tracked to closure.

Security awareness

3.19 Awareness programme. Documented awareness programme with role-based training, completion tracking, refresher cadence, measurable outcomes (phishing simulation results, completion rates).

Domain 4 — Third-Party Cyber Security

4.1 Third-party inventory. Complete inventory of third parties with cyber dependencies. Tiering by criticality and material outsourcing classification.

4.2 Onboarding due diligence. Documented onboarding process with cyber due diligence. Risk-based depth.

4.3 Contractual cyber requirements. Standard cyber clauses in vendor contracts — confidentiality, security, audit, incident notification, termination. Evidence of inclusion in current contracts.

4.4 Material outsourcing. Identification of material outsourcing arrangements per the SAMA Outsourcing Regulations. Evidence of SAMA notification and prior approval where required.

4.5 Ongoing monitoring. Ongoing monitoring of third-party cyber posture. Periodic reassessment. Evidence of action on findings.

4.6 Termination controls. Documented termination process including data return and destruction. Evidence of execution on completed terminations.

Maturity expectations

For each item above, SAMA expects member organisations to operate at a defined minimum maturity appropriate to their size, complexity and risk profile, and to demonstrate year-on-year improvement. The five maturity levels are:

  • Non-existent — no evidence the control exists.
  • Ad-hoc — control exists informally; not documented; not consistently applied.
  • Repeatable — control documented; applied consistently; evidence available.
  • Defined and managed — control documented; applied consistently; measured; reviewed; improved.
  • Adaptive — control adapts to changing threats; metrics drive continuous improvement.

A practical first target for most Saudi banks running their second or third CSF cycle is to have every domain operating at "defined and managed" with selected high-priority areas reaching "adaptive". An honest assessment that scores some controls at "repeatable" with a credible improvement plan is much stronger than a self-assessment that claims "adaptive" everywhere with no supporting evidence.
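As an added illustration of the five working steps under "How to use this checklist" and the maturity ladder above (example code written for this post, not part of the downloadable template), the following Python models one checklist row, computes its gap to the target level, and raises the actions a quarterly management review would expect. The 90-day staleness window, the sample rows and their evidence references are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
# The five CSF maturity levels from the post, lowest to highest.
MATURITY = ["non-existent", "ad-hoc", "repeatable", "defined and managed", "adaptive"]

@dataclass
class ChecklistItem:                 # one row of the working checklist
    ref: str                         # checklist reference, e.g. "1.4"
    current: str                     # assessed maturity level
    target: str                      # target maturity level for this cycle
    owner: Optional[str] = None
    evidence_ref: Optional[str] = None
    assessed_on: Optional[date] = None

def maturity_gap(item: ChecklistItem) -> int:
    """Levels still to climb from current to target; 0 or negative means at or above target."""
    if item.current not in MATURITY or item.target not in MATURITY:
        raise ValueError(f"{item.ref}: maturity levels must be one of {MATURITY}")
    return MATURITY.index(item.target) - MATURITY.index(item.current)

def review_item(item: ChecklistItem, today: date, stale_after_days: int = 90) -> List[str]:
    """Actions a quarterly management review would raise for this row."""
    actions = []
    if not item.owner:
        actions.append("assign owner")
    # From 'repeatable' upwards evidence must be available, so a rating there with none is unsupported.
    if MATURITY.index(item.current) >= MATURITY.index("repeatable") and not item.evidence_ref:
        actions.append("record evidence reference or lower the rating")
    if item.assessed_on is None or (today - item.assessed_on).days > stale_after_days:
        actions.append("reassess (last assessment older than a quarter)")
    gap = maturity_gap(item)
    if gap > 0:
        actions.append(f"close {gap} level(s) to reach '{item.target}'")
    return actions

def domain_summary(items: List[ChecklistItem], today: date) -> dict:
    """Per domain (leading digit of ref): rows below target and rows needing any action."""
    out = {}
    for it in items:
        d = out.setdefault(it.ref.split(".")[0], {"below_target": 0, "needs_action": 0})
        d["below_target"] += int(maturity_gap(it) > 0)
        d["needs_action"] += int(bool(review_item(it, today)))
    return out
# Constructed sample rows, not real assessment data.
SAMPLE = [
    ChecklistItem("1.4", "repeatable", "defined and managed", "CISO", "EV-014", date(2026, 2, 1)),
    ChecklistItem("1.5", "adaptive", "defined and managed", "CoSec", None, date(2026, 2, 1)),
    ChecklistItem("3.9", "ad-hoc", "defined and managed", None, None, date(2025, 9, 30)),
]
```

Run `domain_summary(SAMPLE, date.today())` to get the per-domain counts that feed the management review; a row rated "adaptive" with no evidence reference is flagged rather than accepted.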

Get the downloadable checklist

The full checklist — formatted as a working spreadsheet with maturity rating, owner, evidence reference and target date columns — is available on request. Contact us to receive a copy.

For the wider regulatory context that the checklist sits within, read our SAMA frameworks guide and our deep-dive SAMA CSF compliance guide. To see the same checklist running as a live, audit-trailed control library inside a unified GRC platform — with evidence collected once and inherited by every framework view — read about GRC Vantage's compliance module, supported from our offices in Riyadh and Dammam.

GRC Vantage Team
Saudi GRC Practitioners

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.