NCA CCC

Cloud security on Saudi terms

Assess every cloud provider, prove data residency, and capture shared-responsibility evidence — all aligned to the NCA Cloud Cybersecurity Controls.

Everything you need for NCA CCC compliance

Cloud assurance from CSP intake to exit-plan testing — pre-mapped to NCA examiner expectations.

CSP Assessment Library

Pre-built questionnaires for hyperscalers and regional providers, mapped to every NCA CCC control with evidence linking.

Data Residency Tracking

Verify and document data residency for PDPL-classified, bank, and government data across all cloud providers and regions.

Shared Responsibility Mapping

Make the customer-vs-provider boundary explicit per workload, with control accountability captured at the contract level.

Continuous Cloud Posture

Schedule annual CSP re-assessments, track contractual security obligations, and trigger alerts on expiry or material change.

NCA CCC control coverage

Pre-mapped controls across cloud governance, tenant protection, and operations.

Cloud Governance & Strategy

  • Cloud strategy aligned to NCA CCC and PDPL
  • Approved CSP register and exception management
  • Workload classification and cloud-suitability assessment
  • Concentration and exit risk analysis

Tenant & Data Protection

  • Encryption in transit, at rest, and key custody
  • Identity, access, and privileged user controls
  • Tenant isolation, network, and segmentation controls
  • Data residency, sub-processor, and cross-border safeguards

Operations & Assurance

  • Cloud logging, monitoring, and SOC integration
  • Incident response, breach notification, and CSP coordination
  • CSP attestations, audit reports, and continuous evidence
  • Exit, portability, and data return testing

Implementation Roadmap

Your path to NCA CCC examination readiness

Phase 1

Cloud Inventory

Catalogue all cloud workloads, services, and CSPs in use, classifying each by data sensitivity and NCA CCC scope.

2 weeks

Phase 2

CSP Assessment

Issue NCA CCC questionnaires to providers, capture attestations and SOC reports, and document residency.

Per CSP

Phase 3

Control Implementation

Tune tenant configuration, encryption, IAM, and logging — capturing evidence against shared responsibility lines.

6–12 weeks

Phase 4

Contractual Anchoring

Embed NCA-aligned clauses, SLAs, exit terms, and audit rights into CSP contracts with version-controlled approvals.

Per contract

Phase 5

Continuous Posture

Run continuous monitoring, annual CSP re-assessments, and exit-readiness checks with examiner-ready packs.

Ongoing

NCA CCC — common questions

Quick answers from Saudi cloud security and compliance leads running GRC Vantage.

Ready to put your cloud estate on NCA-ready rails?

Talk to our Riyadh and Dammam teams about a CSP scan, residency baseline, and continuous monitoring plan.