SAMA CSF Compliance — Saudi Arabia
Saudi Central Bank Cyber Security Framework for banks, insurers, fintechs.
SAMA Cyber Security Framework Compliance — Saudi Arabian Banks, Insurers & Payment Providers
InfoSec4TC is the trusted partner for SAMA (Saudi Central Bank) Cyber Security Framework compliance across Saudi Arabia. From gap assessment to remediation to SAMA-mandated annual review, our team led by Dr. Mohamed Atef guides KSA banks, insurance companies, payment institutions, fintechs, and exchanges through the full SAMA CSF lifecycle.
Aligned with: SAMA CSF v1.0, NCA ECC-1 v1.0, Saudi PDPL (Personal Data Protection Law), and ISO/IEC 27001:2022.
Why SAMA CSF is Mandatory
- Required for all SAMA-licensed entities: banks, insurance, finance, payment, exchange
- SAMA conducts on-site audits and remote inspections
- Non-compliance leads to fines, licence restrictions, board-level accountability
- Aligns with NCA ECC-1 for SAMA-licensed entities also under NCA oversight
SAMA CSF — 4 Maturity Levels
- Level 1 — Non-Existent: No or minimal control implementation
- Level 2 — Initial: Ad-hoc, basic controls in place
- Level 3 — Defined: Standardised controls, documented processes (SAMA’s minimum requirement)
- Level 4 — Managed: Measured, continuously improved
Our 16-Week SAMA CSF Roadmap
Weeks 1-3: Maturity Assessment
Map current state against all 4 CSF domains (Cyber Security Leadership & Governance, Cyber Security Risk Management & Compliance, Cyber Security Operations & Technology, Third-Party Cyber Security). Score each control 1-4.
Weeks 4-6: Remediation Roadmap
Prioritise gaps that block Level 3 compliance. Map effort, cost, and risk.
Weeks 7-13: Control Implementation
Policy implementation, technical controls (IAM, network security, vulnerability management, SOC), third-party risk programme.
Weeks 14-15: Internal Audit
Full internal audit by InfoSec4TC Lead Auditor. Management Review.
Week 16: SAMA Submission Support
Prepare SAMA submission package, support SAMA inspection.
What’s Included
- Full SAMA CSF documentation set
- 30+ policies aligned with all 4 domains
- Risk register with treatment plans
- Internal audit report
- SAMA submission support
- 12 months post-submission support
Geographic Coverage
- Saudi Arabia — Riyadh, Jeddah, Dammam, Mecca, Medina
- SAMA-licensed entities only
Pricing
SAMA CSF programmes from SAR 245,000 (AED 240,000). Mid-size and large bank scopes custom-priced.
FAQ
What’s the difference between SAMA CSF and NCA ECC-1?
SAMA CSF applies to SAMA-licensed financial institutions only. NCA ECC-1 applies broadly to Saudi government and critical sectors. Many entities are subject to both.
What is the minimum maturity SAMA requires?
Level 3 (Defined) across all applicable controls.
How often does SAMA audit?
Annual self-assessment submission + periodic on-site SAMA inspections.
Do you cover SAMA Open Banking Framework too?
Yes — SAMA Open Banking Framework and SAMA Cyber Security Framework are addressed in parallel for licensed open banking participants.
Book a SAMA CSF Discovery Call
📞 +971 52 511 5498 — 📧 hello@infosec4tc.com
Ready to get started?
Speak with our team — UAE, KSA, Qatar, Kuwait, Oman, EU, UK, USA.