SAMA IT Governance Framework
Complete compliance guide to the Saudi Central Bank's mandatory IT governance standard — all 4 domains, 25 subdomains and 514 controls, the six-level maturity model explained, and an implementation checklist for every SAMA-supervised bank, insurer, payment provider and finance company.
What the SAMA IT Governance Framework covers
The SAMA IT Governance Framework is issued by the Saudi Central Bank as the mandatory technology governance standard for every entity it licenses. It is not a checklist of cybersecurity controls — it is the framework that governs how those entities manage technology at a strategic, risk, and operational level. Board engagement with IT strategy, the independence of the IT audit function, how IT risks are escalated and treated, and whether service levels are actively managed are all assessed under this framework.
The framework is structured around four domains. Domain 1 — IT Governance & Leadership sets the governance foundation: Board and committee oversight, IT strategy aligned to Vision 2030, enterprise architecture, and policy lifecycle management. Domain 2 — IT Risk Management requires a formal IT risk methodology integrated with the enterprise risk register, with documented treatment plans and regular Board-level reporting. Domain 3 — IT Operations Management is the largest domain, with 11 subdomains and 197+ controls covering assets, SLAs, availability, data centre, network, incident, problem, backup, and virtualisation management. Domain 4 — System Change Management governs the change advisory board, change classification, impact assessment, and post-implementation review.
Every one of the 514 controls is assessed against a six-level maturity scale from 0 (Non-existent) through 5 (Adaptive). SAMA expects entities to operate at a minimum maturity commensurate with their size and risk, and to demonstrate continuous improvement year on year. The complete domain and subdomain structure appears below, with each subdomain's scope described so your team can map evidence directly against the framework and build an audit-ready control register.
SAMA IT Governance Framework — all domains & subdomains
IT Governance & Leadership
9 subdomains · 189+ controls
Board and executive oversight structures for technology decision-making, IT committee charters, and governance model alignment to SAMA requirements.
Documented IT strategy aligned to business strategy and Saudi Vision 2030, covering investment planning, IT budgeting, and strategic review cycles.
Documented enterprise architecture domains (business, application, data, technology), governance of architecture decisions, and roadmap management.
Complete lifecycle management of IT policies, standards, and procedures — ownership assignment, version control, Board approval, and periodic review.
Defined and communicated IT roles including CIO accountability, segregation of duties, and technology ownership across the organisation.
Monitoring and evidencing compliance with SAMA, NCA, and other applicable IT-related regulatory requirements across the licence lifecycle.
Independent IT audit function, risk-based audit programme for IT domains, findings management, and reporting to the Audit Committee.
Competency frameworks for IT roles, structured training programmes, and certification tracking for key technology personnel.
IT KPIs and KRIs, performance reporting cycles, balanced scorecard for IT, and escalation thresholds for Board and senior management.
IT Risk Management
4 subdomains · 102+ controls
IT risk management framework — methodology, risk appetite alignment, integration into enterprise risk management, and governance oversight.
Systematic identification of IT risks (cyber, operational, project, third-party, concentration), assessment of likelihood and impact, and risk register maintenance.
Risk response options (accept, mitigate, transfer, avoid), treatment plans, control effectiveness monitoring, and residual risk tracking.
Regular IT risk reporting to senior management, Board, and SAMA; monitoring of risk metrics, KRIs, and escalation of emerging risks.
IT Operations Management
11 subdomains · 197+ controls
Hardware and software asset lifecycle from procurement to disposal, software licence management, and asset inventory accuracy.
Mapping and monitoring of interdependencies between IT systems, services, and third parties — critical path analysis and resilience planning.
Service level agreements (SLAs) and operational level agreements (OLAs) for IT services, service catalogue management, and performance reporting.
Planning and monitoring of system availability, capacity forecasting, performance thresholds, and proactive capacity remediation.
Data centre physical security, environmental controls, power and cooling management, and certification against applicable standards.
Network architecture, configuration management, monitoring, change control, and network performance reporting.
Scheduling, monitoring, and incident management for batch processing operations critical to banking services.
Incident classification, escalation, resolution, and post-incident review processes — aligned to SAMA supervisory notification requirements.
Root-cause analysis, known-error management, and systematic elimination of recurring incidents driving operational risk.
Backup policies, testing schedules, offsite storage, and verified restoration procedures aligned to recovery time and point objectives.
Governance and security controls for virtualised infrastructure including hypervisor hardening, VM lifecycle, and resource segregation.
System Change Management
1 subdomain · 26+ controls
Change advisory board (CAB) structure, change classification (standard, normal, emergency), impact and risk assessment, release management, and post-implementation review.
Six-level maturity model
Every control in the SAMA IT Governance Framework is scored against a six-point maturity scale. SAMA examiners expect entities to operate at Level 3 (Structured & Formalised) as a minimum and to show a credible improvement trajectory toward Level 4 and above. Simply reaching Level 3 and standing still is itself an examination finding.
| Level | Label | Description |
|---|---|---|
| 0 | Non-existent | No awareness of the need for IT governance controls; no related processes or documentation. |
| 1 | Ad-hoc | Governance activities performed inconsistently; results depend on individual knowledge rather than documented processes. |
| 2 | Repeatable but Informal | Governance practices are in place and largely followed but not formally documented or approved; procedures exist informally. |
| 3 | Structured & Formalised | Defined, documented, approved, and demonstrably implemented controls; evidence of consistent operation available for examination. |
| 4 | Managed & Measurable | Governance effectiveness is periodically assessed, measured against targets, and subject to continuous improvement cycles. |
| 5 | Adaptive | Continuous improvement is embedded; the organisation proactively adapts governance practices to emerging risks and regulatory changes. |
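As an added example (not part of this page, of SAMA's framework or of GRC Vantage), the script below applies the scale to a small control register: it rejects scores outside 0–5, flags every control sitting below the Level 3 baseline and every control that has not moved since the previous assessment cycle, and rolls scores up per domain so the weakest control in each domain is visible alongside the average. The control IDs, domain codes and scores are constructed for illustration and are not SAMA's reference IDs.

```python
"""Maturity roll-up and finding detection for an ITGF control register.

Added example, not SAMA's or GRC Vantage's code. Control IDs, domain
codes and scores below are constructed; they are not the framework's
real reference IDs.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple

# The six-level scale as described on the page.
MATURITY_LABELS = {
    0: "Non-existent",
    1: "Ad-hoc",
    2: "Repeatable but Informal",
    3: "Structured & Formalised",
    4: "Managed & Measurable",
    5: "Adaptive",
}
MINIMUM_LEVEL = 3  # baseline examiners expect, per the page


@dataclass(frozen=True)
class ControlScore:
    control_id: str            # hypothetical ID such as "D1.3-02"
    domain: str                # "D1" .. "D4"
    current: int               # maturity level this cycle
    previous: Optional[int]    # level last cycle; None on a first assessment


def validate(score: ControlScore) -> None:
    """Reject any level that is not one of the six defined values."""
    for level in (score.current, score.previous):
        if level is not None and level not in MATURITY_LABELS:
            raise ValueError(f"{score.control_id}: level {level} is outside 0-5")


def findings(register: List[ControlScore]) -> List[Tuple[str, str]]:
    """Return (control_id, reason) for each control an examiner would flag.

    Two conditions are flagged: scoring below the Level 3 baseline, and
    standing still between cycles while there is still headroom (Level 5
    controls are not expected to climb further).
    """
    flagged = []
    for s in register:
        validate(s)
        if s.current < MINIMUM_LEVEL:
            flagged.append((s.control_id,
                            f"below Level {MINIMUM_LEVEL}: {MATURITY_LABELS[s.current]}"))
        elif s.previous is not None and s.current <= s.previous and s.current < 5:
            flagged.append((s.control_id,
                            f"no year-on-year improvement (Level {s.previous} -> {s.current})"))
    return flagged


def domain_rollup(register: List[ControlScore]) -> Dict[str, dict]:
    """Per-domain minimum, mean and control count.

    The minimum is reported deliberately: a domain whose average looks
    healthy can still hide a single control at Level 1.
    """
    by_domain: Dict[str, List[int]] = {}
    for s in register:
        validate(s)
        by_domain.setdefault(s.domain, []).append(s.current)
    return {
        d: {"min": min(v), "mean": round(mean(v), 2), "controls": len(v)}
        for d, v in sorted(by_domain.items())
    }


# Constructed sample register (IDs and scores are illustrative only).
SAMPLE_REGISTER = [
    ControlScore("D1.1-01", "D1", 4, 3),      # improved: no finding
    ControlScore("D1.3-02", "D1", 3, 3),      # reached 3 and stood still: finding
    ControlScore("D2.2-05", "D2", 2, 2),      # below baseline: finding
    ControlScore("D3.9-01", "D3", 3, 2),      # improved to baseline: no finding
    ControlScore("D4.1-03", "D4", 5, 5),      # already Adaptive: no finding
    ControlScore("D3.4-02", "D3", 4, None),   # first assessment: no trend check
]

if __name__ == "__main__":
    for control_id, reason in findings(SAMPLE_REGISTER):
        print(f"FINDING {control_id}: {reason}")
    for domain, stats in domain_rollup(SAMPLE_REGISTER).items():
        print(domain, stats)
```

Run as a script it prints two findings (D1.3-02 flat at Level 3, D2.2-05 below baseline) and the per-domain roll-up; swap `SAMPLE_REGISTER` for an export of your own register to reuse the checks.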
Who must comply
The SAMA IT Governance Framework applies to all financial institutions licensed or supervised by the Saudi Central Bank, regardless of size. Foreign bank branches operating in the Kingdom are in scope for their Saudi operations.
All SAMA-licensed banks including foreign branches operating in KSA
Locally-incorporated and foreign branch insurers/reinsurers
Consumer and real-estate finance companies licensed by SAMA
Licensed payment operators and fintechs supervised by SAMA
Exchange centres licensed to operate in the Kingdom
Entities holding and processing Saudi credit bureau data
SAMA IT Governance Framework vs SAMA CSF
Both frameworks are mandatory for SAMA-supervised entities and use the same maturity scale. They complement rather than duplicate each other — IT Governance covers the strategic and operational governance layer while CSF covers the cybersecurity execution layer. Most SAMA-licensed entities must comply with both.
| Dimension | SAMA IT Governance Framework | SAMA CSF |
|---|---|---|
| Primary focus | IT governance, strategy, risk and operations | Cybersecurity controls and defences |
| Issuer | Saudi Central Bank (SAMA) | Saudi Central Bank (SAMA) |
| Version | Version 1 — November 2021 | Version 1 — May 2017 |
| Domains | 4 domains | 4 domains |
| Controls | 514 | ~250 |
| Maturity scale | 0–5 (six levels, Non-existent to Adaptive) | 0–5 (the same six levels, Non-existent to Adaptive) |
| Board oversight | Central requirement — board committee charters, reporting | Required but operationally focused |
| IT Risk | Dedicated domain (D2) — 4 subdomains, 102+ controls | Covered within Risk Management domain |
| Key output | IT governance attestation, Board KPI pack, examination evidence | Maturity assessment score, control evidence |
| Use together? | ITGF provides the governance layer | CSF provides the cybersecurity execution layer |
How GRC Vantage supports SAMA IT Governance compliance
The complete SAMA IT Governance control library is pre-loaded inside GRC Vantage. Each subdomain ships with structured evidence templates, ownership workflow, maturity scoring, and Board-ready reporting — hosted inside Saudi Arabia for data residency compliance with SAMA, NCA, and PDPL requirements.
All 514 controls pre-loaded with reference IDs, maturity criteria, and evidence requirements.
Score each control from 0 to 5 with structured evidence questionnaires that produce examination-ready artefacts.
Draft, review, approve, and version IT policies with Board approval workflows and renewal alerts.
Push IT risk findings from the IT Risk Management domain directly into the enterprise risk register.
Auto-generate IT performance reports and committee packs from live control and risk data.
Map SAMA IT Governance controls to SAMA CSF, NCA ECC, COBIT 2019, and ITIL 4 simultaneously.
Frequently asked questions
- What is the SAMA IT Governance Framework?
- The SAMA IT Governance Framework is a mandatory standard issued by the Saudi Central Bank. It defines how SAMA-supervised entities must govern technology — covering IT strategy, IT risk management, IT operations, and system change management. The framework is assessed using a six-level maturity model (0 Non-existent through 5 Adaptive) and forms part of the SAMA framework family alongside the Cyber Security Framework and BCM Framework.
- Who must comply with the SAMA IT Governance Framework?
- All organisations licensed or supervised by the Saudi Central Bank must comply — banks (domestic and foreign branches), insurance and reinsurance companies, finance companies, payment service providers, money exchangers, and credit information companies. Compliance is assessed as part of SAMA's regular examination cycle.
- How many controls does the SAMA IT Governance Framework contain?
- The framework covers 4 main domains, 25 subdomains, and 514 controls. Domain 1 (IT Governance & Leadership) is the largest governance domain with 9 subdomains and 189 controls. Domain 3 (IT Operations Management) covers 11 subdomains and 197 controls. Domain 2 (IT Risk Management) covers 4 subdomains and 102 controls, and Domain 4 (System Change Management) covers 1 subdomain and 26 controls.
- How does the SAMA IT Governance maturity model work?
- Every control is assessed on a six-point scale: 0 Non-existent (no awareness), 1 Ad-hoc (inconsistent execution), 2 Repeatable but Informal (practiced but undocumented), 3 Structured & Formalised (defined, approved, and demonstrably operating), 4 Managed & Measurable (effectiveness assessed and tracked), and 5 Adaptive (continuous improvement embedded). Entities are expected to operate at a minimum maturity appropriate to their size and risk profile and to demonstrate year-on-year improvement.
- How is SAMA IT Governance different from SAMA CSF?
- The SAMA IT Governance Framework focuses on how technology is governed — strategy, IT risk, operations, service management, and Board oversight. The SAMA Cyber Security Framework (CSF) focuses on cybersecurity controls and defences — identity, access, network, vulnerability management, and incident response. The two frameworks complement rather than duplicate each other. Many SAMA-supervised entities must comply with both, and controls frequently cross-reference; IT risk findings from the Governance Framework feed directly into the cyber risk register managed under the CSF.
- What does a SAMA IT Governance examination look like?
- SAMA examiners typically review four areas: (1) IT governance structures — Board IT committee charter, CIO reporting lines, IT strategy document, and Board-approved IT policies; (2) IT risk management — IT risk register, risk appetite linkage, and treatment tracking; (3) IT operations — SLA performance, incident and problem management records, backup test results, and data centre certifications; (4) system change management — CAB minutes, change records, and post-implementation reviews. The most common findings are in the IT Governance domain — Board oversight that is nominal rather than substantive, absent or outdated IT strategy documents, and policies that have not been reviewed on schedule.
Run your SAMA IT Governance assessment with GRC Vantage
The complete SAMA IT Governance control library is pre-loaded inside GRC Vantage with evidence templates, ownership workflow and submission-ready reporting. Hosted inside Saudi Arabia for data residency.