What is the SAMA Cyber Security Framework?
The SAMA Cyber Security Framework (CSF) is the cornerstone cybersecurity regulation of the Saudi financial sector. Issued by SAMA in 2017 (then the Saudi Arabian Monetary Authority, today the Saudi Central Bank), it defines how banks and other SAMA-regulated financial institutions must identify, protect against, detect, and respond to cyber threats — and how they must prove it.
The framework draws on international standards such as NIST, ISO/IEC 27001, and PCI DSS, but tailors them to the Kingdom’s financial sector. Compliance is not optional: SAMA-regulated entities must periodically self-assess their maturity, submit results to SAMA, and stand ready for review and on-site examination.
SAMA CSF compliance is therefore both a regulatory obligation and a practical blueprint: institutions that implement it well don’t just satisfy the regulator — they build genuine resilience against the attacks that target the Kingdom’s financial system every day.
To Whom Does SAMA CSF Apply?
The framework applies to all SAMA member organizations, including:
- Banks — domestic and foreign banks licensed to operate in Saudi Arabia.
- Financing companies — consumer, real-estate, and SME lenders.
- Credit bureaus — custodians of the Kingdom’s most sensitive financial data.
- Financial market infrastructure — payment, clearing, and settlement services.
Subsidiaries, staff, third parties, and information assets of these organizations all fall within the framework’s scope.
Insurance companies are no longer SAMA-regulated — supervision of the insurance sector transferred to the independent Insurance Authority (operational since 23 November 2023). GRC360 supports insurers in meeting the equivalent cybersecurity expectations under the Insurance Authority’s regime.
The Four Domains of SAMA CSF
The framework organizes its requirements into four domains, each broken into subdomains with a defined principle, objective, and control considerations:
Cyber Security Leadership and Governance
Board accountability, a mandated cybersecurity function independent of IT, an approved cybersecurity strategy and policy, defined roles and responsibilities, and cybersecurity embedded in project and change management.
Cyber Security Risk Management and Compliance
A structured cyber risk management process — identification, analysis, response, and monitoring — plus regulatory compliance mapping, periodic compliance reviews, and internal and external audit of the cybersecurity control environment.
Cyber Security Operations and Technology
The technical heart of the framework: asset management, identity and access management, application and infrastructure security, cryptography, secure disposal, physical security, BYOD, vulnerability and patch management, penetration testing, security monitoring and incident management, and business continuity considerations.
Third Party Cyber Security
Contract and vendor security requirements, outsourcing governance, and assurance over cloud services and any party handling the institution’s information assets.
The SAMA CSF Maturity Model
Compliance is measured on a six-level maturity scale (0–5):
- 0 — Non-existent — no capability.
- 1 — Ad-hoc — activities happen, but informally.
- 2 — Repeatable but informal — consistent practice without formal approval.
- 3 — Structured and formalized — documented, approved, and implemented controls. This is the level SAMA expects.
- 4 — Managed and measurable — effectiveness is measured with KPIs and periodic evaluation.
- 5 — Adaptive — continuous improvement driven by enterprise-wide analysis.
The practical challenge for most institutions is not writing policies — it is producing the evidence that controls operate consistently, which is exactly what a maturity-3 rating demands.
Our Methodology for SAMA CSF Compliance
- Scoping & gap assessment — we assess your current maturity against every applicable subdomain and produce a defensible baseline score.
- Roadmap — a prioritized remediation plan with owners, dependencies, and dates, sized to your risk profile and SAMA’s expectations.
- Control design & implementation — policies, standards, procedures, and technical controls built alongside your teams, not thrown over the wall.
- Evidence engineering — for every control, we define what proof exists, where it lives, and who owns it — the difference between claiming level 3 and demonstrating it.
- Self-assessment support — we prepare and quality-review your SAMA self-assessment submission and maturity scoring.
- Audit readiness & response — mock reviews before SAMA arrives, and structured support during regulator examinations.
- Continuous compliance — periodic health checks so maturity does not decay between assessment cycles.
Why You Need SAMA CSF Compliance
- It is mandatory — SAMA supervises compliance and can direct remediation programs at institutions that fall short.
- Board-level accountability — the framework explicitly places cybersecurity ownership with senior leadership.
- Resilience, not paperwork — implemented honestly, the framework measurably reduces the likelihood and impact of cyber incidents.
- Market trust — demonstrable maturity reassures correspondent banks, partners, and customers.
- Foundation for everything else — CSF maturity accelerates related obligations, from SAMA’s BCM and CTIP requirements to PCI DSS and PDPL.
Why Choose GRC360
- Financial-sector specialists — deep, current experience with SAMA CSF, ITGF, BCM, CTIP, CRFR, and MVC engagements across the Kingdom.
- Assessor’s perspective — as a PCI SSC Qualified Security Assessor, we know exactly what evidence must look like to survive independent scrutiny.
- End-to-end delivery — from the first gap assessment to standing beside you in the SAMA review meeting.
- Fixed-fee clarity — scoped engagements with no surprises, delivered on time.
Frequently asked
Questions we hear about Cyber Security Framework (CSF)
What is the SAMA Cyber Security Framework (CSF)?+
The SAMA Cyber Security Framework is the mandatory cybersecurity standard issued by SAMA in 2017 (then the Saudi Arabian Monetary Authority, today the Saudi Central Bank) for the financial sector in Saudi Arabia. It defines cybersecurity controls across four domains — leadership and governance, risk management and compliance, operations and technology, and third-party cyber security — and measures institutions against a maturity model.
Who must comply with SAMA CSF?+
All SAMA-regulated entities, including banks, financing companies, credit bureaus, and financial market infrastructure operating in Saudi Arabia. Insurance companies are no longer SAMA-supervised — the independent Insurance Authority (operational since 23 November 2023) now regulates the insurance sector, and GRC360 supports insurers under that regime.
What maturity level does SAMA expect?+
SAMA expects member organizations to reach at least maturity level 3 (structured and formalized) out of the framework's 0–5 scale, meaning controls are defined, approved, and implemented — with evidence to prove it.
How long does SAMA CSF compliance take?+
It depends on your current maturity and scope. A gap assessment typically takes two to four weeks; reaching and evidencing level 3 across all applicable domains commonly takes several months of structured remediation. We provide a fixed roadmap after the initial assessment.
Can GRC360 help with the periodic SAMA CSF self-assessment?+
Yes. We prepare, evidence, and quality-review the self-assessment questionnaire, align maturity scoring with SAMA's expectations, and support you through any subsequent SAMA review or on-site audit.
