SAMA CSF and ISO 27001: A Control-by-Control Mapping
How SAMA CSF maps to ISO 27001 Annex A — what overlaps, what's Saudi-specific, and how to run one connected ISMS that satisfies both frameworks at once.

Most Saudi banks already run an ISO 27001 Information Security Management System (ISMS) — and most assume that ISO 27001 certification gets them most of the way to SAMA Cyber Security Framework (CSF) compliance. The truth is more nuanced. The two frameworks share a great deal of structural DNA, but SAMA CSF carries Saudi-specific expectations that ISO 27001 simply does not address. Understanding where the overlap is — and where it ends — is the difference between a smooth SAMA inspection and a costly remediation programme.
This post walks through how the two frameworks line up, where the genuine gaps are, and how to run a single connected control library that satisfies both at once.
The two frameworks at a glance
ISO/IEC 27001:2022 is the international standard for information security management systems. It is structured around the management system clauses (4–10) plus Annex A, which lists 93 controls grouped into four themes: Organizational, People, Physical and Technological. ISO 27001 is certifiable by accredited third-party bodies, and the certificate is recognised globally.
SAMA Cyber Security Framework (CSF) is the Saudi Central Bank's flagship cybersecurity standard for member organisations — banks, insurers, finance companies, payment service providers, exchanges and credit bureaus. It is organised around four governance domains: Cyber Security Leadership and Governance, Cyber Security Risk Management and Compliance, Cyber Security Operations and Technology, and Third-Party Cyber Security. Member organisations are assessed against a multi-level maturity model and are expected to operate at a defined minimum maturity, demonstrating continuous improvement over time.
The two frameworks share a common ancestor in NIST CSF and ISO 27001 itself — SAMA explicitly drew on both during the original drafting of CSF — so the structural overlap is high. But SAMA layered Saudi-specific governance, third-party and incident requirements on top, which is where the gaps appear.
Where the frameworks overlap
The good news first: roughly 70–80% of the control intent in SAMA CSF is already covered by a well-implemented ISO 27001 ISMS. The clearest overlaps include:
Information security policy and governance. Both frameworks require a board-approved information security policy, defined roles and responsibilities, and a documented risk management approach. ISO 27001 clauses 5 and 6 map almost directly to CSF's Cyber Security Leadership and Governance domain.
Risk management. CSF's risk management requirements are conceptually identical to ISO 27001 clause 6.1 plus ISO 27005 — risk identification, analysis, evaluation, treatment and ongoing monitoring. A bank with a mature ISO 27005 risk register can usually present the same artefacts to a SAMA inspector with minimal rework.
Asset management. ISO 27001 Annex A 5.9–5.14 covers inventory of information and assets, ownership, acceptable use, return of assets and information classification. CSF's asset management requirements sit comfortably on top of these.
Access control. ISO 27001 controls 5.15–5.18 and 8.2–8.5 cover identity, authentication, privileged access and access reviews — all of which are mirrored in CSF's Operations and Technology domain.
Operations and communications security. Vulnerability management, malware protection, logging, monitoring, change management, backup and cryptography are covered in both frameworks. The intent is the same; the depth of expected evidence differs (more on that below).
Supplier relationships. ISO 27001 Annex A 5.19–5.23 introduces supplier security requirements. SAMA CSF expects more — but a bank running ISO 27001 supplier controls already has the foundation in place.
Incident management. Both frameworks require a documented incident response process, defined roles, post-incident review and lessons learned. The ISO 27001 approach is fully compatible with SAMA's expectations at the process level.
Continuity and resilience. ISO 27001 Annex A 5.29–5.30 cover information security during disruption and ICT readiness for business continuity. These are necessary but not sufficient for SAMA — the BCM Framework adds significant expectations.
If you have a mature ISO 27001 ISMS with current internal audit reports and management reviews, you should be able to satisfy somewhere between two-thirds and three-quarters of the CSF control population without writing a single new policy.
Where SAMA CSF goes beyond ISO 27001
This is the part most teams underestimate. SAMA layered specific Saudi requirements on top of the ISO 27001 / NIST CSF foundation, and these are exactly the areas SAMA inspectors focus on.
Board-level cyber governance. ISO 27001 requires top management commitment but does not prescribe how often the board sees cyber metrics or what those metrics should be. SAMA CSF expects a defined board cyber report cadence, named board sponsorship, and evidence that the board actively engages with cyber risk — not just receives a quarterly slide.
The role of the CISO. SAMA CSF is explicit that the CISO must report independently of the IT function and have direct access to the board or a board committee. ISO 27001 leaves the organisational structure open. Many Saudi banks were caught out by this requirement on first inspection, because their CISO sat under the CIO.
Insider threat. CSF carries explicit insider-threat requirements — background screening, behavioural monitoring, segregation of duties, joiners-movers-leavers controls — that ISO 27001 only touches on indirectly. Banks that pass ISO 27001 but never built a dedicated insider-threat capability tend to find this gap on their first SAMA assessment.
Third-party cyber security depth. ISO 27001 supplier controls are principle-based. SAMA CSF is much more prescriptive: a documented third-party cyber risk methodology, risk-based tiering, mandatory contractual clauses, ongoing monitoring, and the ability to demonstrate that your third parties operate at an appropriate maturity level. The expectations also intersect with the SAMA Outsourcing Regulations, which add prior-approval requirements for material arrangements.
Saudi-specific incident reporting. SAMA expects member organisations to notify the regulator of significant cyber incidents within defined timeframes and through defined channels. ISO 27001 says nothing about regulator notification — that is a national requirement layered on top.
Maturity model. ISO 27001 is binary at the certification level: you are either certified or you are not. SAMA CSF measures maturity on a multi-level scale and expects member organisations to show year-on-year improvement. Your second SAMA inspection should look better than your first. There is no equivalent expectation in ISO 27001.
Cloud and outsourcing controls. ISO 27001:2022 added cloud-specific controls (5.23) but at a high level. SAMA's expectations on cloud are more detailed and intersect with the Outsourcing Regulations — any move to a cloud provider is treated as outsourcing and may require SAMA prior approval for material arrangements.
Awareness and training depth. ISO 27001 requires awareness; CSF expects role-based training, measurable outcomes, board cyber education and ongoing campaigns tracked at a programme level.
Data residency and sovereignty. Although primarily a PDPL concern, SAMA inspectors increasingly ask about where regulated data is stored and processed. ISO 27001 is silent on residency.
A practical mapping approach
The wrong way to map the two frameworks is to start with a spreadsheet listing every CSF control on the left and every ISO 27001 Annex A control on the right, then manually cross-reference them. Teams that do this end up with a static document that ages out within months and never gets re-used.
The right way is to build one connected control library in your GRC platform, where each control is tagged with every framework it satisfies. When you update a control — say, you tighten your privileged access procedure — the change flows automatically into both your ISO 27001 Statement of Applicability and your CSF self-assessment. Evidence is collected once and presented in the format each audience needs.
A connected control library typically has three layers:
Layer 1 — the control statement. A single, plain-English description of what the control does and who owns it. This is the source of truth.
Layer 2 — framework tags. Each control is tagged with the framework references it satisfies: ISO 27001 Annex A 5.15, SAMA CSF 3.3.5, NIST CSF PR.AC-1, PCI DSS 7.1, and so on. One control, many tags.
Layer 3 — evidence and testing. The evidence supporting the control (a policy excerpt, a system screenshot, a log query, a test result) is attached once and inherited by every framework view.
When a SAMA inspector asks for evidence of CSF 3.3.5, the platform produces it from the same store that the ISO 27001 internal auditor used last quarter. The two audiences see the framing they expect, but the underlying control and evidence are unified.
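The three-layer model above is easy to prototype. The following Python is an added illustration of that structure, not GRC Vantage's code or data model: a control holds one statement (Layer 1), a dictionary of framework tags (Layer 2) and a single evidence list (Layer 3), and the per-framework views, depth-gap flags and staleness checks are all derived from that one store. The dataclass schema, the control ids, the file references and the placeholder SAMA reference on the regulator-notification control are constructed assumptions; the framework references on the privileged-access control are the ones quoted in the text.

```python
"""Connected control library: one statement, many framework tags, evidence attached once.

Constructed example. The schema, control ids, owners and evidence paths are assumptions
made for illustration; they are not the GRC Vantage data model.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Evidence:
    kind: str        # "policy excerpt", "system screenshot", "log query", "test result"
    ref: str         # where the artefact lives (constructed paths)
    tested_on: str   # ISO-8601 date of the last test, compared as a string


@dataclass
class Control:
    control_id: str
    statement: str                                   # Layer 1: plain-English source of truth
    owner: str
    tags: dict = field(default_factory=dict)         # Layer 2: framework -> [references]
    evidence: list = field(default_factory=list)     # Layer 3: attached once, inherited by every view
    extra_depth: dict = field(default_factory=dict)  # framework -> what it expects beyond the shared evidence


def framework_view(library, framework):
    """Present the library the way one audience expects: {framework reference: [control ids]}."""
    view = defaultdict(list)
    for ctrl in library:
        for ref in ctrl.tags.get(framework, []):
            view[ref].append(ctrl.control_id)
    return dict(view)


def evidence_for(library, framework, ref):
    """Evidence a reviewer of `framework` sees for `ref`: the control's single evidence set, not a copy."""
    return [ev for ctrl in library if ref in ctrl.tags.get(framework, []) for ev in ctrl.evidence]


def depth_gaps(library, framework):
    """Controls in `framework`'s view that carry a note saying it expects more than the shared evidence."""
    return {c.control_id: c.extra_depth[framework]
            for c in library if framework in c.tags and framework in c.extra_depth}


def unmapped_controls(library, framework):
    """Controls the library holds that `framework` never references (a one-sided requirement)."""
    return [c.control_id for c in library if framework not in c.tags]


def stale_controls(library, framework, cutoff):
    """Controls in `framework`'s view with no evidence tested on or after `cutoff` (ISO-8601 date)."""
    return [c.control_id for c in library
            if framework in c.tags and not any(ev.tested_on >= cutoff for ev in c.evidence)]


# Constructed sample library: three controls covering the three cases the mapping produces.
LIBRARY = [
    Control(  # shared control: one statement, four framework tags, evidence attached once
        control_id="PAM-01",
        statement="Privileged access is granted per role, approved by the asset owner and reviewed quarterly.",
        owner="Head of IAM",
        tags={"ISO 27001": ["A.5.15", "A.8.2"], "SAMA CSF": ["3.3.5"],
              "NIST CSF": ["PR.AC-1"], "PCI DSS": ["7.1"]},
        evidence=[Evidence("policy excerpt", "pam-policy.pdf#section-4", "2024-03-01"),
                  Evidence("test result", "q1-privileged-access-review.xlsx", "2024-03-15")],
        extra_depth={"SAMA CSF": "maturity evidence of year-on-year improvement expected, not only the review"},
    ),
    Control(  # ISO-only control whose last test predates the current cycle
        control_id="BCP-03",
        statement="ICT services supporting critical processes are restored within agreed targets.",
        owner="Head of Resilience",
        tags={"ISO 27001": ["A.5.30"]},
        evidence=[Evidence("test result", "dr-exercise-2023-11.pdf", "2023-11-20")],
    ),
    Control(  # SAMA-only control: regulator notification has no ISO 27001 counterpart
        control_id="IR-02",
        statement="Significant cyber incidents are reported to SAMA within the defined timeframe and channel.",
        owner="CISO",
        tags={"SAMA CSF": ["SAMA-CSF-REF-PLACEHOLDER"]},  # placeholder: the clause number is not quoted in the text
        evidence=[Evidence("policy excerpt", "incident-runbook.pdf#regulator-notification", "2024-02-10")],
    ),
]


if __name__ == "__main__":
    print("SAMA CSF view:", framework_view(LIBRARY, "SAMA CSF"))
    print("ISO 27001 view:", framework_view(LIBRARY, "ISO 27001"))
    print("Depth gaps for SAMA CSF:", depth_gaps(LIBRARY, "SAMA CSF"))
    print("Not covered by ISO 27001:", unmapped_controls(LIBRARY, "ISO 27001"))
    print("Stale for ISO 27001 since 2024-01-01:", stale_controls(LIBRARY, "ISO 27001", "2024-01-01"))
```

Because `evidence_for` returns the control's own evidence list for whichever reference is asked about, the ISO 27001 auditor's view of A.5.15 and the SAMA inspector's view of CSF 3.3.5 are guaranteed to show identical artefacts; `unmapped_controls` surfaces the one-sided requirements that a spreadsheet cross-reference tends to hide, and `stale_controls` is the check to run before either audience arrives.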
Where the real effort goes
If you start from a mature ISO 27001 ISMS and build toward SAMA CSF, our experience is that the genuine effort splits roughly like this:
About a quarter of the work is policy and governance uplift — re-positioning the CISO, formalising the board cyber report, writing a Saudi-specific incident response runbook, and aligning to SAMA's reporting channels.
About a third is third-party and outsourcing depth — building a proper vendor risk methodology, classifying every outsourcing arrangement, identifying material arrangements that need SAMA prior approval, and instrumenting ongoing monitoring.
Roughly a fifth is insider threat and personnel security — joiners-movers-leavers, behavioural monitoring, segregation of duties uplift.
The remainder is maturity demonstration — collecting the evidence, running the self-assessment, and producing a credible improvement roadmap to show year-on-year progress.
The single biggest predictor of how long this takes is whether you have a connected control library or a folder of disconnected spreadsheets. Banks that start the SAMA journey on spreadsheets typically take 12–18 months to reach a defensible position. Banks that start on a unified GRC platform routinely cut that to 6–9 months.
How GRC Vantage handles the mapping
GRC Vantage's compliance module ships with a pre-built control library covering SAMA CSF, ISO 27001:2022, NIST CSF, PCI DSS and SOC 2, with cross-framework mappings already in place. When you run a CSF self-assessment, the platform automatically pulls evidence from controls that you have already tested for ISO 27001 — and flags the controls where SAMA expects more depth than ISO 27001 requires. The Statement of Applicability and the SAMA self-assessment report are produced from the same underlying data, so there is no risk of the two telling different stories.
The platform is built and supported in Riyadh and Dammam, can be deployed inside KSA to satisfy data residency expectations, and is used by Saudi banks and finance companies to run connected SAMA, NCA and ISO programmes from a single workspace.
Where to go next
For the complete picture of every SAMA framework — not just CSF — read our pillar guide on the SAMA framework family. It walks through CSF, BCM, IT Governance, CTI, Counter-Fraud and Outsourcing at the same level of practitioner detail.
If you want to see a connected SAMA + ISO 27001 control library running on real data, book a demo and we will walk through how Saudi banks use GRC Vantage to retire spreadsheets and pass inspections faster.

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.