SAMA CSF & NCA Self-Assessment: A CISO's Guide

How Saudi CISOs run the periodic SAMA CSF and NCA ECC self-assessment in 2026 — the maturity model, evidence, control mapping and turning two assessments into one.

GRC Vantage Team · 2026-06-30 · 11 min read

The SAMA CSF and NCA self-assessment is the recurring tax on every Saudi CISO's year. The frameworks do not change much from one cycle to the next, but the work does not get easier — because each cycle means re-proving, control by control, that the cybersecurity programme is not just designed but operating, and doing it for two regulators whose questionnaires ask many of the same questions in different formats.

For a dual-regulated bank or critical-infrastructure operator, the self-assessment is rarely a security problem. The controls usually exist. It is an evidence-and-mapping problem: collecting the proof that each control works, scoring it honestly, and assembling it into the shape SAMA wants for the Cyber Security Framework and the shape the NCA wants for the Essential Cybersecurity Controls — without doing the same work twice. This is the CISO's guide to running that cycle efficiently.

The SAMA CSF self-assessment: what Section 2.3 requires

The requirement is explicit in the framework itself. SAMA Cyber Security Framework Section 2.3 (Self-Assessment, Review and Audit) states that implementation of the Framework "will be subject to a periodic self-assessment performed by the Member Organization based on a questionnaire," and that "the self-assessments will be reviewed and audited by SAMA to determine the level of compliance with the Framework and the cyber security maturity level."

Two things in that passage shape the CISO's whole year. First, the assessment is questionnaire-based and SAMA does not just file it: SAMA reviews and audits it, which means every answer has to be defensible with evidence. Second, the output is a maturity level, not a pass/fail. The framework specifies a six-level model (levels 0 through 5) and states that "the Member Organizations should at least operate at maturity level 3 or higher." Level 3 ("Structured and Formalised") requires that controls are defined, approved and implemented and that the organisation monitors compliance with its own documentation. The levels are cumulative: you cannot claim level 4 on a control without first satisfying every criterion of level 3.

The CSF self-assessment spans the framework's four domains — Cyber Security Leadership and Governance; Cyber Security Risk Management and Compliance; Cyber Security Operations and Technology; and Third Party Cyber Security — and every subdomain inside them carries a maturity score. The aggregate picture across all four domains is what SAMA's supervisors read. For the full control-by-control walkthrough, see our SAMA CSF compliance guide.

The NCA compliance assessment: ECC and the wider family

For the same organisation, the National Cybersecurity Authority runs a parallel regime. Entities demonstrate compliance by assessing themselves against every subcontrol of the Essential Cybersecurity Controls (ECC) using the NCA's assessment toolkit, and the NCA conducts its own periodic compliance assessments on top of that.

The ECC is structured differently from the CSF, and the scoring model is the first thing CISOs need to reconcile. Where SAMA produces a 0–5 maturity score, the NCA toolkit records a status for every subcontrol:

  • Implemented (fully in place)
  • Partially Implemented (banded by degree of implementation: broadly below 35%, 35–85% and 85–100%)
  • Not Implemented
  • Not Applicable

A subtle but important point for accuracy: the NCA tool reports the count and proportion of controls in each status, not a single headline compliance percentage. The picture an assessor reads is "how many controls are green, orange, red or grey," control by control.

The ECC baseline and the layered framework family

The ECC-1:2018 baseline comprises 5 main domains, 29 subdomains and 114 controls; the NCA updated it to ECC-2:2024, which restructured the domains (folding the industrial control systems content into a four-domain shape). Whichever version applies to your assessment cycle, the ECC is the mandatory floor, and the NCA layers additional control sets on top depending on what you operate:

  • CSCC — Critical Systems Cybersecurity Controls
  • CCC — Cloud Cybersecurity Controls
  • OTCC — Operational Technology Cybersecurity Controls
  • DCC — Data Cybersecurity Controls
  • TCC — Telework Cybersecurity Controls

Most regulated entities scope ECC plus at least one layered framework, and the self-assessment applies across every applicable subcontrol. The NCA ECC compliance guide breaks the domains and family down in full.

Where the two regimes overlap — and where CISOs lose time

Saudi banks, fintechs and critical-infrastructure operators are routinely dual-regulated: in scope for SAMA's CSF and the NCA's ECC at the same time. SAMA deliberately aligned its framework with the NCA controls to reduce duplicate reporting, and industry estimates put the control overlap between the two regimes at roughly 60–70% — the same underlying control (multi-factor authentication, privileged access review, logging, third-party assurance) answers a SAMA subdomain and an NCA subcontrol.

That overlap is where the time goes — and where most of it is wasted. The control is implemented once. But in a spreadsheet-driven programme, the evidence for that control gets collected twice, pasted into two different questionnaires in two different formats, scored on two different scales, and reconciled by hand every cycle. Multiply that across a hundred-plus controls and two frameworks, and the self-assessment becomes a multi-month project that consumes the security team precisely when it should be doing security.

The expensive part of the Saudi self-assessment is almost never implementing controls. It is collecting the evidence once and then re-formatting it, re-scoring it and re-reconciling it across two regulators every single cycle.

| Aspect | SAMA CSF | NCA ECC |
|---|---|---|
| Who it covers | SAMA-regulated financial institutions. | Government, CNI and regulated entities; the ECC is the national baseline. |
| Assessment basis | SAMA questionnaire (CSF §2.3). | NCA ECC assessment toolkit, per subcontrol. |
| Scoring | 0–5 maturity model; minimum level 3. | Per-control status: Implemented / Partially / Not / N/A. |
| Regulator role | Reviewed and audited by SAMA. | Periodic NCA compliance assessment. |
| Cadence | Periodic; in practice typically annual. | Periodic; critical entities commonly annual. |

What assessors actually ask for: evidence, not policy

The single most common reason a control scores lower than the CISO expected is that the answer was backed by a policy when the assessor wanted proof the policy operates. Reaching SAMA maturity level 3 — and a clean "Implemented" status under the NCA model — requires implementation evidence, consistently produced.

The artefacts assessors most commonly request are operational, not documentary:

  • Access reviews — the output of the last privileged-access recertification, with dates and approvers.
  • Configuration evidence — screenshots or exports showing the control is actually configured (MFA enforced, logging enabled, encryption applied).
  • Training records — completion data for security awareness, not just the policy that mandates it.
  • Logs and monitoring records — evidence that detection is running and alerts are triaged.
  • Risk register, asset inventory and incident records — current, versioned, and reconciled with each other.
  • Third-party risk reports — assessment status for material suppliers, satisfying the Third Party domain in both regimes.

SAMA validates through evidence review and technical interviews — typically the CISO, IT manager, compliance officer and executives — and may follow up with on-site inspection. The NCA maps the same kind of proof to its per-subcontrol status. The CISO who can produce dated, attributable evidence on demand scores higher than the one with a thicker policy binder.

The smart way: assess once, satisfy both

This is where the work either compounds or collapses. Run the two self-assessments as two projects and you pay for the overlap twice, every cycle, forever. Run them off one control library and the overlap becomes the saving instead of the cost. Here is how GRC Vantage is built to do exactly that.

One control library, mapped across both frameworks

Every control lives once and carries its mappings to both the SAMA CSF subdomain and the NCA ECC subcontrol (plus any layered NCA framework that applies). Answer the control once and it populates the SAMA maturity score and the NCA status simultaneously — the 60–70% overlap is computed for you, not re-keyed by hand. This is the control-mapping discipline applied at platform level.

Evidence collected once, reused everywhere

An access-review export or a configuration screenshot is attached to the control it proves, not to a questionnaire. Because the control maps to both regimes, the same evidence object satisfies the SAMA submission and the NCA assessment without being copied. When the evidence refreshes next cycle, it refreshes in one place. That is the difference evidence automation makes to the annual burden.

Maturity tracked year over year

The 0–5 maturity score for every CSF subdomain is stored, versioned and trended — so this year's assessment starts from last year's baseline plus the deltas, not from a blank questionnaire. The CISO can see, at a glance, which domains moved up, which slipped, and where the remediation effort needs to go before the regulator looks.

Submission packs generated from data

Because the assessment, the scores and the evidence live in one system, the SAMA maturity submission and the NCA assessment output are generated from the data rather than authored by hand at the end of the cycle. The reporting that used to consume the final month becomes an export.

The platform is deployed inside Saudi Arabia to meet PDPL and SAMA data-residency expectations, and the Riyadh and Dammam delivery teams pre-load the CSF and ECC content so the mapping is in place on day one.

Building the annual cycle: practical sequencing for a CISO

  1. Establish the unified control library once. Map every control to its SAMA CSF subdomain and NCA ECC subcontrol. This is the one-time investment that pays back every cycle.
  2. Run a baseline assessment and score honestly. A flattering first score produces a remediation plan that fixes nothing. The honest maturity score is the one worth having.
  3. Close the evidence gaps, not just the control gaps. Many "low" scores are controls that exist but lack the evidence to prove they operate. Fix the evidence pipeline early.
  4. Remediate by overlap. Prioritise the controls that move both a SAMA maturity score and an NCA status — you get two improvements for one piece of work.
  5. Operate continuously, assess at a point. Keep evidence current through the year so the annual assessment is a checkpoint, not a fire drill.
  6. Generate the submissions from the platform. Export the SAMA maturity pack and the NCA assessment output from the same data, reconciled by construction.
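As an added illustration (this is not GRC Vantage's code, nor the SAMA questionnaire or the NCA toolkit), here is a small Python model of the unified library the six steps describe. It also exercises two rules discussed earlier: the cumulative 0–5 SAMA maturity scale from Section 2.3, with level 3 unreachable without dated evidence, and the NCA practice of reporting a count and proportion per status rather than one headline percentage. The control identifiers, subdomain names, ECC/OTCC/TCC references, evidence dates, the 365-day evidence-freshness window, the per-level criteria and the minimum-of-controls subdomain roll-up are all assumptions made for the example, not framework text.

```python
"""Unified control library for a dual SAMA CSF / NCA ECC self-assessment.
Added illustration, not GRC Vantage's code or either regulator's toolkit. IDs,
subdomain names, control references, dates, the 365-day freshness window and
the per-level criteria are constructed assumptions, not framework text."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# Maturity is cumulative: level n needs every criterion of levels 1..n-1, so
# index i is the criterion that unlocks level i + 1 (level 0 = nothing in place).
LEVEL_CRITERIA = ("ad_hoc", "repeatable", "defined_and_implemented",
                  "measured", "adaptive")
REQUIRED_SAMA_LEVEL = 3                 # "at least maturity level 3 or higher"
EVIDENCE_MAX_AGE = timedelta(days=365)  # assumption: one assessment cycle

@dataclass
class Evidence:
    kind: str        # "access_review", "config_export", "training_records", ...
    collected: date  # assessors want dated, attributable artefacts
    approver: str

@dataclass
class Control:
    cid: str
    sama_subdomain: "str | None"      # None = outside SAMA CSF scope
    ecc_subcontrol: "str | None"      # None = outside NCA scope
    implementation_pct: "int | None"  # None = Not Applicable in the NCA toolkit
    criteria_met: frozenset           # maturity criteria the organisation claims
    evidence: list = field(default_factory=list)

def has_current_evidence(control, today):  # at least one artefact inside the window
    return any(today - e.collected <= EVIDENCE_MAX_AGE for e in control.evidence)

def sama_level(control, today):
    """0-5 maturity: cumulative criteria; level 3+ needs current evidence, else capped at 2."""
    level = 0
    for i, criterion in enumerate(LEVEL_CRITERIA):
        if criterion not in control.criteria_met:
            break
        level = i + 1
    if level >= REQUIRED_SAMA_LEVEL and not has_current_evidence(control, today):
        level = REQUIRED_SAMA_LEVEL - 1
    return level

def nca_status(control, today):
    """Toolkit status per subcontrol. Partial bands follow the page (up to 35%,
    35-85%, 85-100%); requiring current evidence for Implemented is an assumption."""
    pct = control.implementation_pct
    if pct is None:
        return "Not Applicable"
    if pct <= 0:
        return "Not Implemented"
    if pct >= 100 and has_current_evidence(control, today):
        return "Implemented"
    band = "<35%" if pct < 35 else "35-85%" if pct < 85 else "85-100%"
    return f"Partially Implemented ({band})"

def sama_subdomain_scores(controls, today):
    """Subdomain score = lowest control level in it (conservative roll-up; assumption)."""
    scores = {}
    for c in controls:
        if c.sama_subdomain is not None:
            scores[c.sama_subdomain] = min(scores.get(c.sama_subdomain, 5), sama_level(c, today))
    return scores

def nca_status_summary(controls, today):
    """Count and proportion per status, as the toolkit reports it, not one headline %."""
    in_scope = [c for c in controls if c.ecc_subcontrol is not None]
    counts = Counter(nca_status(c, today).split(" (")[0] for c in in_scope)
    return {s: (n, round(n / len(in_scope), 2)) for s, n in counts.items()}

def remediation_queue(controls, today):
    """Gaps against SAMA level 3 or NCA 'Implemented', dual-mapped and lowest first,
    so one fix moves both submissions (step 4 of the cycle)."""
    queue = []
    for c in controls:
        level = sama_level(c, today) if c.sama_subdomain else None
        status = nca_status(c, today) if c.ecc_subcontrol else None
        if (level is not None and level < REQUIRED_SAMA_LEVEL) or \
                status not in (None, "Implemented", "Not Applicable"):
            queue.append((c.cid, level, status))
    return sorted(queue, key=lambda q: (q[1] is None or q[2] is None,
                                        9 if q[1] is None else q[1]))

TODAY = date(2026, 6, 30)  # constructed sample library for the 2026 cycle
LIBRARY = [
    Control("IAM-MFA", "Identity and Access Management", "ECC 2-2-3", 100,
            frozenset(LEVEL_CRITERIA[:4]), [Evidence("config_export", date(2026, 5, 10), "iam-lead")]),
    Control("IAM-PRIV-REVIEW", "Identity and Access Management", "ECC 2-2-3", 100,
            frozenset(LEVEL_CRITERIA[:3]), [Evidence("access_review", date(2024, 11, 1), "ciso")]),  # stale
    Control("LOG-CENTRAL", "Security Event Management", "ECC 2-12-3", 60,
            frozenset({"ad_hoc", "defined_and_implemented"}),  # "repeatable" skipped
            [Evidence("siem_dashboard", date(2026, 6, 1), "soc-manager")]),
    Control("OT-SEGMENT", None, "OTCC 3-1-1", 20, frozenset({"ad_hoc"})),
    Control("TPRM-ASSESS", "Third Party Cyber Security", "ECC 4-1-1", 0, frozenset()),
    Control("TELEWORK-MDM", None, "TCC 2-1-1", None, frozenset()),
]

if __name__ == "__main__":
    for c in LIBRARY:
        print(f"{c.cid:16} SAMA={sama_level(c, TODAY)}  NCA={nca_status(c, TODAY)}")
    print(sama_subdomain_scores(LIBRARY, TODAY), nca_status_summary(LIBRARY, TODAY))
    print("remediate first:", [q[0] for q in remediation_queue(LIBRARY, TODAY)])
```

Run it and the stale access-review export on IAM-PRIV-REVIEW is what pulls Identity and Access Management down to level 2 and leaves the same control short of Implemented under the NCA model: the control exists, the evidence does not, which is exactly the gap step 3 says to close first. LOG-CENTRAL shows the cumulative rule: claiming "defined and implemented" while skipping "repeatable" scores level 1, not 3. The queue puts dual-mapped gaps ahead of the OT-only one because fixing them moves both submissions.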

How GRC Vantage supports the Saudi self-assessment

GRC Vantage's compliance module gives Saudi CISOs a single control library pre-mapped across the SAMA Cyber Security Framework and the NCA ECC (and the layered NCA frameworks where they apply), so one assessment answers both regulators. Maturity scores are tracked and trended year over year, evidence is collected against controls and reused across every framework it satisfies, and the SAMA maturity submission and NCA assessment output are generated from the data rather than rebuilt by hand each cycle.

For the full SAMA framework family, read our SAMA frameworks pillar guide; for how the two regimes compare control-by-control, see NCA ECC vs SAMA CSF. And when you want to see a single self-assessment cycle running across both frameworks on real evidence, book a session with our team.


Frequently asked questions

Is the SAMA CSF self-assessment annual?

The framework (Section 2.3) requires a periodic self-assessment based on a SAMA questionnaire, reviewed and audited by SAMA. It does not literally use the word "annual," but in practice most member organisations run the CSF self-assessment on an annual cycle, refreshing maturity scores and evidence each year.

What maturity level does SAMA CSF require?

The CSF uses a six-level maturity model (levels 0 to 5). SAMA states that member organisations "should at least operate at maturity level 3 or higher" — meaning controls that are defined, approved, implemented and monitored for compliance, with evidence to prove they operate.

How does the NCA ECC self-assessment scoring work?

The NCA assessment toolkit records a status for each subcontrol — Implemented, Partially Implemented, Not Implemented or Not Applicable — with partial implementation banded by percentage. It reports the proportion of controls in each status rather than a single overall compliance percentage.

Do banks have to do both the SAMA and NCA self-assessment?

Many Saudi financial and critical-infrastructure entities are dual-regulated and in scope for both. Because the two frameworks overlap substantially (industry estimates suggest roughly 60–70% of controls), the efficient approach is to map controls across both regimes and assess once, satisfying both submissions from a single control library and evidence set.

What evidence do SAMA and NCA assessors ask for?

Implementation evidence, not just policies — access-review outputs, configuration screenshots, training-completion records, logs, current risk registers and asset inventories, incident records, and third-party risk reports. SAMA also validates through technical interviews and possible on-site inspection.


GRC Vantage Team
Saudi GRC Practitioners

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.