Compliance · Saudi Arabia + International

Every framework.
Every control.
Mapped, assessable, current.

The complete library of Saudi regulatory frameworks and international standards GRC Vantage supports — with the full control hierarchy of each framework published on its own page.

15
Frameworks supported
15
Live now
1200+
Controls mapped
100%
Saudi-first
National Cybersecurity Authority

NCA frameworks

The Saudi cybersecurity authority issues a family of cross-sector frameworks. NCA ECC is the baseline; sector-specific frameworks layer additional requirements on top.

NCA ECC
Live

Essential Cybersecurity Controls (ECC – 2 : 2024)

The national cybersecurity baseline for Saudi government and CNI. Mandatory.

Scope
Government · CNI · Sensitive data holders
Library
108 controls · 232 nodes
View framework
NCA CSCC
Live

Critical Systems Cybersecurity Controls (1:2019)

Hardened controls layered on top of the ECC for systems whose disruption would impact national security.

Scope
Critical-system operators
Library
32 controls · 130 nodes
View framework
NCA CCC
Live

Cloud Cybersecurity Controls (CCC – 1 : 2020)

Mandatory cybersecurity controls for cloud service providers and cloud customers operating in Saudi Arabia.

Scope
Cloud providers · Cloud customers
Library
80+ controls · 4 domains
View framework
NCA OTCC
Live

Operational Technology Cybersecurity Controls (OTCC – 1 : 2022)

OT-specific cybersecurity controls for ICS, SCADA, and industrial environments in Saudi Arabia.

Scope
Energy · Oil & Gas · Utilities · ICS/SCADA
Library
85+ controls · 5 domains
View framework
NCA DCC
Live

Data Cybersecurity Controls (DCC)

Cybersecurity controls for entities handling classified or national-level sensitive data assets.

Scope
National data handlers · CNI · Government
Library
70+ controls · 4 domains
View framework
NCA TCC
Live

Telework Cybersecurity Controls (TCC)

Controls for securing remote-work environments — devices, networks, identity, and governance.

Scope
All organisations with remote workforces
Library
50+ controls · 4 domains
View framework
Saudi Central Bank

SAMA frameworks

The financial-sector regulator's cybersecurity, IT and continuity frameworks. Mandatory for all SAMA-supervised entities.

SAMA CSF
Live

Cyber Security Framework (1.0)

Mandatory cybersecurity framework for all SAMA-supervised financial entities. Five-level maturity model.

Scope
Banks · Insurers · Fintech · PSPs
Library
250 controls · 5-level maturity
View framework
SAMA BCM
Live

Business Continuity Management Framework

Continuity, BIA, DRP, cyber-resilience and crisis-management controls for the financial sector.

Scope
SAMA-supervised entities
Library
75 controls · 15 disciplines
View framework
SAMA IT Gov
Live

IT Governance Framework (Version 1, 2021)

IT governance, strategy, risk, and operations framework for Saudi-licensed financial entities. Six-level maturity model.

Scope
Banks · Insurers · Fintech · PSPs
Library
514 controls · 4 domains · 25 subdomains
View framework
SAMA TPRM
Live

Third-Party Risk Management Framework

Outsourcing due diligence, contract requirements, ongoing monitoring and exit planning for SAMA-supervised entities.

Scope
All material outsourcing arrangements
Library
55+ controls · 5 domains
View framework
SAMA CRFR
Live

Cyber Resilience Fundamental Requirements (Ver 1, 2022)

Minimum cyber security baseline for fintechs, sandbox participants and new SAMA licence applicants.

Scope
Fintech · Sandbox · New licences
Library
24 controls · 3 domains
View framework
International standards

International frameworks

Globally-recognised standards that Saudi-regulated entities are routinely expected to certify against alongside the national frameworks.

ISO/IEC 27001
Live

Information Security Management Systems (ISO 27001:2022)

International ISMS standard — 93 Annex A controls across 4 themes plus Plan-Do-Check-Act management clauses.

Scope
All sectors · International
Library
93 Annex A controls · 4 themes
View framework
SOC 2
Live

Service Organization Control 2 (Trust Services Criteria 2017 rev. 2022)

AICPA attestation standard — 5 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy.

Scope
Technology & cloud service organisations
Library
5 TSC · 33 Common Criteria
View framework
PCI DSS
Live

Payment Card Industry Data Security Standard (v4.0)

Mandatory controls for any entity storing, processing or transmitting cardholder data. 12 requirements, 250+ sub-requirements.

Scope
Payment ecosystem · Banks · PSPs · Merchants
Library
12 requirements · 250+ sub-requirements
View framework
Data protection

Privacy & data protection

Data protection legislation applicable in Saudi Arabia and the implementing regulations enforced by SDAIA.

PDPL Saudi Arabia
Live

Personal Data Protection Law (with Implementing Regulations)

Saudi PDPL obligations — lawful basis, DPO, RoPA, breach notification (72h to SDAIA), fines up to SAR 5M.

Scope
All data controllers processing Saudi resident data
Library
PDPL + Implementing Regulations · SDAIA
View framework
GDPR
Live

EU General Data Protection Regulation (2016/679)

EU GDPR — extraterritorial scope, 6 lawful bases, data subject rights, 72-hour breach notification, fines up to 4% global turnover.

Scope
EU residents · Saudi companies with EU customers
Library
99 Articles · 11 Chapters
View framework
Get started

Map your evidence to every framework — once.

GRC Vantage's Unified Control Framework links every piece of evidence you collect to all the frameworks it satisfies. Deployed inside Saudi Arabia for data residency.

Book a demoSee NCA ECC controls