SAMA CSF — Cyber Security Framework
Complete compliance guide to the Saudi Central Bank's mandatory cybersecurity framework — all 250 controls, the five-level maturity model explained, and an implementation checklist for every SAMA-supervised bank, insurer, payment provider, fintech, money exchanger and credit bureau.
What SAMA CSF covers
The SAMA Cyber Security Framework is issued by the Saudi Central Bank as the load-bearing cybersecurity standard for every Member Organization the regulator supervises. It is neither optional nor advisory: it is the yardstick SAMA inspectors measure compliance against, year after year, and the maturity rating it produces has direct supervisory consequences.
The framework draws structural DNA from NIST CSF and ISO/IEC 27001 but layers Saudi-specific expectations on top. It is organised around four domains — Leadership and Governance, Risk Management and Compliance, Operations and Technology, and Third-Party Security — and each control is assessed against a five-level maturity scale from Non-existent (0) through Adaptive (5). SAMA expects year-on-year improvement in maturity; standing still is itself a finding.
The complete control library below covers every CSF domain, subdomain and assessable control with the canonical SAMA reference IDs. Each control includes the requirement text exactly as published, so cybersecurity programmes can map evidence directly against the framework.
Complete SAMA CSF controls
The Saudi Central Bank Cyber Security Framework — mandatory cybersecurity controls for all SAMA-supervised entities (banks, insurers, payment providers, fintechs, money exchangers). Assessed against a five-level maturity model from Non-existent (0) to Adaptive (5).
- 4 Domains
- 36 Subdomains
- 250 Controls
- 250 Assessable
Frequently asked questions
- What is the SAMA Cyber Security Framework?
- The SAMA Cyber Security Framework (SAMA CSF) is the mandatory cybersecurity framework issued by the Saudi Central Bank. It applies to every SAMA-supervised entity — banks, insurance and reinsurance companies, finance companies, payment service providers, fintechs, money exchangers and credit information companies — and defines the cybersecurity controls each entity is expected to operate, assessed against a five-level maturity model.
- What are the four domains of SAMA CSF?
- The four main domains are: (1) Cyber Security Leadership and Governance — strategy, organisation, awareness, training and policies; (2) Cyber Security Risk Management and Compliance — risk methodology, regulatory compliance, internal audit and review; (3) Cyber Security Operations and Technology — identity and access, asset management, network security, cryptography, vulnerability management, logging and incident response; (4) Third-Party Cyber Security — supplier lifecycle, contracts, monitoring and the intersection with outsourcing.
- How does the SAMA CSF maturity model work?
- Every control is assessed on a five-level scale: 0 Non-existent (no documentation or attention), 1 Ad-hoc (controls performed inconsistently), 2 Repeatable but informal (standard but unwritten practice), 3 Structured and formalised (defined, approved and demonstrably implemented), 4 Managed and measurable (effectiveness periodically assessed and improved), and 5 Adaptive (continuous improvement embedded). Member organisations are expected to operate at a defined minimum maturity appropriate to their size and risk, and to show year-on-year improvement.
- Who is required to comply with SAMA CSF?
- All organisations licensed or supervised by the Saudi Central Bank, regardless of size: the full banking sector, the Saudi insurance and reinsurance market, finance companies, money exchangers, payment service providers, fintechs, credit information companies and the national payment infrastructure. Foreign bank branches operating in the Kingdom are in scope for their Saudi operations.
- How is SAMA CSF different from NCA ECC?
- SAMA CSF is principle-led, maturity-scored and applies only to SAMA-supervised financial entities. NCA ECC is more prescriptive, applies to government and critical national infrastructure, and assesses whether controls exist and operate (compliant / partially compliant / non-compliant) rather than a maturity level. The two frameworks share significant overlap and many controls map across both, but each has its own assessment cadence, evidence format and supervisor.
- What does a SAMA CSF inspection look like?
- SAMA inspectors typically assess governance and leadership first (board-level engagement, CISO independence, defined roles), then risk management and compliance (risk register, regulatory compliance evidence, internal audit), then operations and technology (control implementation and operational evidence), then third-party security (supplier lifecycle and outsourcing). The most common findings are in the Leadership and Governance domain: board-level engagement that shows no real challenge, a CISO reporting under the IT function, and undocumented roles.
Run your SAMA CSF assessment with GRC Vantage
The complete SAMA CSF control library is pre-loaded inside GRC Vantage with evidence templates, ownership workflow and submission-ready reporting. Hosted inside Saudi Arabia for data residency.