SAMA · Saudi Financial Sector Compliance
SAMA Compliance Consulting
The Saudi Central Bank (SAMA) requires the financial entities it regulates — banks, insurers, financing companies, credit bureaus, and licensed payment providers — to implement its Cyber Security Framework at maturity level 3 or higher, alongside its Business Continuity Management Framework. TCSA builds the ISMS and BCMS that satisfy both, mapped to ISO 27001 and ISO 22301, in 10–16 weeks.
TCSA has delivered 500+ audits and assessments across India, USA, UK, Australia and UAE. Our consultants have prepared ADIB, Mashreq Bank, and AMEX for ISO 22301 in the Middle East. Engagements are fixed-fee — quoted after a short scoping call, in SAR or USD for Gulf engagements.
SAMA CSF & BCM Frameworks · rulebook.sama.gov.sa · Last reviewed June 2026
The SAMA CSF · Four Domains
What the SAMA Cyber Security Framework Requires
Issued in May 2017 (version 1.0) and published on the official SAMA Rulebook, the CSF organises its control objectives and considerations into four domains. It covers every information asset a member organisation holds — electronic, physical, applications, ATMs, storage, premises, and networks — and was built on industry standards including ISO 27001/27002, NIST, ISF, BASEL, and PCI DSS.
| CSF Domain | What it covers | What level 3 looks like |
|---|---|---|
| Cyber Security Leadership & Governance | Cyber security strategy, policy, roles and responsibilities, a cyber security function independent of IT operations, and staff awareness and training. | A board-endorsed strategy and policy suite, an appointed cyber security function (CISO), defined committee structures, and a running awareness programme — all documented, approved, and monitored. |
| Cyber Security Risk Management & Compliance | The cyber security risk-management process, regulatory compliance, periodic reviews and audits, and embedding risk decisions into projects and change. | A formal risk methodology with a maintained risk register, risk treatment plans with owners, compliance monitoring against SAMA requirements, and periodic internal and external reviews. |
| Cyber Security Operations & Technology | Identity and access management, application and infrastructure security, cryptography, change management, vulnerability and patch management, security monitoring, and incident management. | Implemented technical controls with evidence they operate — access reviews, hardening baselines, monitored logs (SOC), tested incident-response procedures, and managed vulnerabilities. |
| Third Party Cyber Security | Contract and vendor management, outsourcing, and cloud computing — the obligations that follow your data into supplier and cloud environments. | Cyber security requirements embedded in contracts, due-diligence and periodic review of suppliers, and explicit risk assessment before outsourcing or cloud adoption. |
Maturity Levels 0–5
The Maturity Model — and Why Level 3 Is the Bar
SAMA does not issue a pass/fail certificate. It rates each member organisation on a six-level maturity scale, and the framework sets level 3 as the operating baseline. To reach a level you must first meet every criterion of the levels below it — so the path to 3 runs through real, evidenced implementation.
| Level | Name | What it means |
|---|---|---|
| 0 | Non-existent | No cyber security controls — no awareness, no documentation. |
| 1 | Ad-hoc | Controls are partial or inconsistent and performed reactively, without definition. |
| 2 | Repeatable but informal | Practices repeat across the organisation but are not formally approved or standardised. |
| 3 | Structured and formalised (SAMA baseline) | Controls are defined, approved, and implemented, and compliance with them is monitored. This is the baseline SAMA expects member organisations to operate at. |
| 4 | Managed and measurable | Control effectiveness is periodically measured and evaluated against defined metrics. |
| 5 | Adaptive | Controls improve continuously and are integrated with enterprise risk management. |
Level names and the level-3 baseline are from the framework text. How often SAMA re-assesses, and the depth of each supervisory review, varies by institution — treat review-cadence specifics as indicative.
The Second Framework · BCM
The SAMA Business Continuity Management Framework
Cyber security is only half of SAMA’s resilience agenda. The BCM Framework (February 2017) requires member organisations to keep critical operations running through disruption. It is explicitly based on ISO 22301 and ISO 27001, plus BCI and DRII good practice — and it applies to your full scope, including subsidiaries, subcontractors, and third parties.
BCM governance, strategy & policy
A board-owned BCM programme: governance structure, BCM strategy, and an approved business continuity policy covering the full organisation — subsidiaries and third parties included.
Business Impact Analysis & risk assessment
BIA to identify critical processes, recovery time and recovery point objectives, and a risk assessment that drives continuity priorities — the analytical core of the framework.
Business Continuity Plan (BCP)
Documented, approved continuity plans for critical operations and services, with clear activation criteria, roles, and recovery procedures.
IT Disaster Recovery Plan (DRP)
Technology recovery for critical systems and data — alternate sites, replication, and restoration procedures aligned to the RTOs and RPOs the BIA set.
Crisis management & communication
A crisis management plan and communication procedures so leadership, staff, regulators, and customers hear the right thing at the right time during disruption.
Testing, awareness & assurance
Periodic exercising of BCP and DRP, staff awareness and training, document review cycles, and independent assurance that the programme actually works.
Member Organisations
Who Must Comply
The CSF names its mandatory population directly. If SAMA licenses or supervises you, the framework — and the level-3 expectation — applies.
Banks
All banks operating in Saudi Arabia are member organisations under the CSF — the population SAMA supervises most closely, with cyber security and BCM expectations woven into ongoing supervision.
Insurance & reinsurance companies
All insurance and reinsurance companies operating in the Kingdom fall in scope. Policyholder data, claims platforms, and bancassurance integrations all sit inside the CSF boundary.
Financing companies & credit bureaus
Licensed financing companies and credit bureaus are named member organisations — entities whose lending books and credit data make them high-value targets.
Payment providers & financial market infrastructure
The financial market infrastructure is named in the CSF scope text. Payment service providers licensed under SAMA’s payments regime are not listed in the 2017 scope wording, but are supervised against the same cyber security expectations in practice.
Banks, insurance and reinsurance companies, financing companies, credit bureaus and the financial market infrastructure are the categories quoted from the framework’s scope on the SAMA Rulebook; the payment-provider point is how supervision works in practice rather than a quotation. TCSA is an independent consultancy: we prepare and implement, SAMA supervises. We are not affiliated with, or endorsed by, the Saudi Central Bank.
The TCSA Approach · Build Once
How ISO 27001 + ISO 22301 Accelerate SAMA Compliance
The CSF cites ISO among its sources, and the BCM Framework is built on ISO 22301. That is the opportunity: instead of running a SAMA project and an ISO project, we build one ISMS and one BCMS that satisfy SAMA supervision and pass ISO certification — every document and control doing double duty.
| SAMA requirement | ISO mechanism | What you reuse |
|---|---|---|
| CSF Domain 1 — Leadership & Governance | ISO 27001 Clauses 4–7 and 9–10 (context, leadership, planning, support, management review, improvement) | The ISMS governance you build for ISO 27001 — scope, policy, roles, committees, management review — is the same governance evidence SAMA assesses at level 3. |
| CSF Domain 2 — Risk Management & Compliance | ISO 27001 Clauses 6 & 8 (risk assessment and treatment), supported by ISO 27005 | One risk methodology, one register, one treatment plan — written once and presented to both your certification auditor and SAMA supervision. |
| CSF Domain 3 — Operations & Technology | ISO 27001 Annex A controls (per ISO 27002): access control, cryptography, operations security, monitoring, incident management | The CSF’s technical subdomains track Annex A closely — the framework itself cites ISO as a source — so control implementation is shared work, not parallel work. |
| CSF Domain 4 — Third Party Cyber Security | ISO 27001 Annex A supplier-relationship and cloud controls | Supplier due-diligence, contractual clauses, and cloud risk assessments satisfy both the CSF third-party domain and your ISO 27001 audit. |
| SAMA BCM Framework (all components) | ISO 22301 BCMS — BIA, risk assessment, BC strategy, plans, exercising, performance evaluation | SAMA’s BCM Framework is explicitly built on ISO 22301; a certified BCMS delivers the BIA, BCP, DRP, and testing evidence the framework requires, almost clause for clause. |
| Maturity level 3 evidence — “defined, approved, implemented, monitored” | ISO certification audit trail: documented ISMS/BCMS, internal audits, management reviews, corrective actions | The discipline ISO certification enforces is precisely what level 3 demands — controls that exist on paper and demonstrably operate. |
Mapping is indicative — the CSF and BCM Framework contain SAMA-specific requirements (e.g. supervisory notification expectations) that an ISO certificate alone does not discharge. We close those deltas explicitly in the gap register.
The Wider KSA Picture · NCA ECC
SAMA CSF vs the NCA Essential Cybersecurity Controls
Saudi Arabia runs two major cyber regimes. The National Cybersecurity Authority (NCA) issues the Essential Cybersecurity Controls (ECC-1:2018, updated as ECC-2:2024) as the kingdom-wide baseline — originally for government entities and critical national infrastructure, with the 2024 update broadening its reach. Its domains span governance, defence, resilience, third-party and cloud security, and industrial control systems.
SAMA’s CSF is the financial-sector regime, and it is more prescriptive where it counts for a bank or insurer — cyber security strategy, risk management, and third-party security. If SAMA regulates you, the CSF is your primary obligation; where NCA applicability also reaches you, we map the same control set to both frameworks so a single implementation answers two regulators.
Engagement Path
From Gap Assessment to Level 3 in 10–16 Weeks
One engagement, two outcomes: a SAMA-defensible maturity posture and — if you want the certificates — ISO 27001 and ISO 22301 audit readiness from the same work.
| Phase | Timeline | What we deliver |
|---|---|---|
| Scoping & maturity gap assessment | Weeks 1–3 | Current-state maturity rating across all four CSF domains and every BCM component; a gap register against level 3 with owners and effort estimates. |
| Design & documentation | Weeks 3–8 | ISMS and BCMS built together — policy suite mapped to CSF subdomains, risk assessment and treatment plan, BIA, BC strategy, BCP and IT DRP drafting. |
| Implementation & evidence | Weeks 8–14 | Control rollout with your teams: access reviews, monitoring, incident and change procedures, third-party reviews, BCP/DRP exercising — building the monitored-compliance trail level 3 requires. |
| Assurance & audit support | Weeks 14–16 | Internal audit, management review, SAMA self-assessment preparation, and — if you choose to certify — coordination of the ISO 27001 / ISO 22301 certification audits. |
TCSA prepares and implements; SAMA supervises and assesses. TCSA is not affiliated with, appointed by, or endorsed by the Saudi Central Bank or the NCA.
SAMA Compliance — Frequently Asked Questions
Straight answers on the CSF, the BCM Framework, maturity levels, and how ISO 27001/22301 fit — from a team with a banking-grade BCM record in the Gulf.
What is the SAMA Cyber Security Framework (CSF)?
The SAMA Cyber Security Framework is the mandatory cyber security regulation issued by the Saudi Central Bank (SAMA) in May 2017 (version 1.0) for the financial entities it regulates. It defines controls across four domains — Cyber Security Leadership and Governance, Cyber Security Risk Management and Compliance, Cyber Security Operations and Technology, and Third Party Cyber Security — and measures compliance on a 0–5 maturity model. The framework is published on SAMA’s official rulebook (rulebook.sama.gov.sa) and is explicitly built on international standards including ISO 27001/27002, NIST, ISF, BASEL, and PCI DSS.
Who must comply with the SAMA CSF and BCM Framework?
Per the framework’s own scope, member organisations are all banks, all insurance and reinsurance companies, all financing companies, and all credit bureaus operating in Saudi Arabia, plus the financial market infrastructure. Payment service providers licensed under SAMA’s payments regime are supervised against the same expectations in practice. The BCM Framework applies to the full scope of each member organisation, explicitly including subsidiaries, employees, subcontractors, and third parties — so your vendors and cloud providers are pulled into scope through the third-party domain.
What maturity level does SAMA require?
The framework sets the baseline expectation that member organisations operate at maturity level 3 or higher on its 0–5 scale. Level 3 (“structured and formalised”) means controls are defined, approved, and implemented, and compliance with them is monitored; a documented and approved policy that is not implemented and monitored does not reach level 3. Levels 4 and 5 add measured effectiveness and continuous improvement; many larger banks target them for critical domains. SAMA evaluates maturity through periodic self-assessments and supervisory reviews, and the cadence and depth of those reviews can vary by institution, so treat specifics beyond the framework text as indicative.
How is the SAMA CSF different from ISO 27001?
The SAMA CSF is a supervisory regulation: sector-specific, mandatory for SAMA-regulated entities, assessed on a maturity scale, with no certificate at the end — SAMA supervises you continuously. ISO 27001 is a voluntary international standard you certify against once an accredited body audits your ISMS. Because the CSF was built on ISO 27001/27002 (among other standards), the two overlap heavily: one well-built ISMS produces the governance, risk, and control evidence both require. An ISO 27001 certificate is strong supporting evidence for SAMA supervision, but it does not replace your CSF obligations.
How does the SAMA CSF relate to the NCA Essential Cybersecurity Controls (ECC)?
They are different regulators with different scopes. The National Cybersecurity Authority (NCA) issues the Essential Cybersecurity Controls (ECC-1:2018, updated as ECC-2:2024) as the kingdom-wide baseline for government entities, critical national infrastructure, and — under the 2024 update — a broader set of organisations. SAMA’s CSF is the financial-sector regime and is more prescriptive in areas like governance, risk management, and third-party security. A SAMA-regulated institution treats the CSF as its primary cyber regulation and maps to the ECC where NCA applicability also extends to it; we build one control set mapped to both so nothing is implemented twice.
How long does SAMA compliance take, and how is it priced?
For a typical financing company, insurer, or payment provider starting from partial maturity, plan on 10–16 weeks of consulting work to reach a defensible level-3 posture: scoping and gap assessment, ISMS/BCMS documentation, control implementation, and assurance. Engagements are custom-scoped to your size, regulator deadlines, and existing maturity — we provide a fixed, all-inclusive quote after a short scoping call (in SAR or USD for Gulf engagements), with no hourly billing and no scope creep. Large banks with complex estates take longer. ISO 27001/22301 certification-body fees, if you choose to certify, are billed separately. TCSA is an independent consultancy — we prepare and implement; SAMA supervises. We are not affiliated with, or endorsed by, the Saudi Central Bank.
Keep Exploring
Related Reading
ISO 22301 Overview
What a BCMS is, who demands it, and how certification works.
Regulator Mapping
One BCMS mapped to CBUAE, SAMA, APRA CPS 230 and DORA.
PDPL Compliance (KSA & UAE)
Saudi Arabia's SDAIA-enforced privacy law and the UAE's federal PDPL.
Middle East — UAE & Saudi Arabia
How we serve Gulf banks, vendors and enterprises, remote + on-site.
ISO 27001 Overview
The ISMS standard — the baseline certificate global buyers ask for.
Operational Resilience Consulting
One ISO 22301-grade BCMS that answers CBUAE, SAMA, CPS 230 and DORA.
Get Started
Walk Into Your Next SAMA Review at Level 3
One build: a CSF maturity posture you can defend to the regulator, a BCM programme that survives a real disruption, and ISO 27001/22301 certificates from the same evidence. Start with a readiness assessment.
SAMA CSF & BCM Frameworks · Serving the GCC, India, USA & UK
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.