
Lesson 12: SAMA Cyber Security Framework (CSCC) — Structure, Domains, and Requirements

Path 2: Saudi Regulatory Compliance — Lesson 2 of 10. A practical breakdown of the SAMA CSCC framework every compliance officer in Saudi finance needs to master.

FyntraLink Team
Saudi Regulatory Compliance · Lesson 2 of 10 · Level: Intermediate · Reading time: 12 minutes

What You Will Learn in This Lesson

  • The origin and purpose of the SAMA Cyber Security Common Controls (CSCC) framework
  • How the framework is structured across its 4 main domains and 29 subdomains
  • What each domain requires from your organization in practical terms
  • How to map your existing security controls to CSCC and identify gaps

Why SAMA Built the CSCC — And Why You Cannot Ignore It

If your organization holds a license from the Saudi Central Bank (SAMA), whether you are a bank, insurance company, fintech, or payment service provider, the Cyber Security Common Controls framework is not optional. SAMA issued the CSCC to establish a mandatory baseline of cybersecurity controls across every entity it regulates. A standard such as ISO 27001 is voluntary; the CSCC is not, and non-compliance can trigger regulatory action: fines, license conditions, or restrictions on new product launches.

The framework was designed with Saudi financial sector realities in mind. It draws from international standards (NIST CSF, ISO 27001, PCI-DSS, COBIT) but packages them into a single, unified structure that SAMA uses during its periodic assessments. Think of it as SAMA telling regulated entities: "We have taken the best of global standards and defined exactly what we expect from you — no guesswork."

The 4 Domains of the CSCC Framework

The CSCC is organized into four top-level domains. Each domain contains multiple subdomains, and each subdomain specifies individual controls. Understanding this hierarchy is critical because SAMA assessments are structured around it — assessors walk through domain by domain, subdomain by subdomain.

Domain 1: Cyber Security Leadership and Governance

This domain establishes the foundation. It requires your organization to have a formal cybersecurity strategy approved by the board, a dedicated cybersecurity function with clear reporting lines, and documented policies covering every aspect of information security. Governance is where most institutions stumble — not because they lack firewalls, but because they lack documented accountability.

Key subdomains include: Cyber Security Strategy, Cyber Security Governance, Regulatory Compliance, Cyber Security Roles and Responsibilities, and Cyber Security Awareness. Each one demands documented evidence — approved policies, signed role descriptions, training completion records, and board-level reporting minutes.

Practical Example: A mid-sized Saudi insurance company passed its technical controls assessment easily but received a non-compliance finding because its cybersecurity strategy had not been formally reviewed and re-approved by the board within the last 12 months. The document existed — but the governance cycle around it did not. SAMA does not only check that documents exist; it checks that they are alive.

Domain 2: Cyber Security Risk Management and Compliance

Domain 2 requires you to identify, assess, and treat cyber risks using a formal methodology. This is not about running a vulnerability scan — it is about maintaining a cyber risk register that links threats to business impact, assigning risk owners, defining risk appetite, and reviewing residual risk on a scheduled basis. SAMA expects your risk management to align with its published risk management guidelines and to feed into your organization's enterprise risk management (ERM) framework.

Subdomains here cover: Risk Assessment, Risk Treatment, Compliance Management, and Cyber Insurance (where applicable). The compliance management subdomain is particularly important — it requires you to track all applicable regulations (SAMA circulars, NCA directives, PDPL) and maintain evidence of compliance against each one.

Domain 3: Cyber Security Operations and Technology

This is the largest domain and the one most security teams are naturally drawn to. It covers the technical controls: identity and access management, network security, endpoint protection, application security, data protection, cryptography, infrastructure security, and security monitoring. Each subdomain maps to specific technical implementations.

For example, the Identity and Access Management subdomain requires: role-based access control, privileged access management (PAM), multi-factor authentication for critical systems, periodic access reviews, and automated deprovisioning of terminated employees. The Security Monitoring subdomain requires a 24/7 security operations capability — either an internal SOC or a contracted Managed Security Service Provider (MSSP) — with defined use cases, alert triage procedures, and documented incident escalation paths.

# Example: Checking PAM compliance indicators
# These are the types of evidence SAMA assessors request:

1. PAM tool deployment evidence (CyberArk, BeyondTrust, etc.)
2. List of all privileged accounts with assigned owners
3. Session recording configuration for privileged sessions
4. Password rotation policy — max 90 days for privileged accounts
5. Quarterly access review reports with sign-off
6. Emergency (break-glass) account procedure and audit trail
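The evidence list above can be checked automatically from a PAM or directory export instead of being assembled by hand before each assessment. The script below is an added example, not Fyntralink's or SAMA's code: it assumes a privileged account inventory exported as a list of records with hypothetical field names (`account`, `owner`, `enabled`, `password_set`, `last_review`, `session_recording`), plus an HR leavers feed, and flags the conditions an assessor asks about: accounts without an owner, passwords past the 90-day rotation limit, enabled accounts belonging to terminated staff, overdue quarterly reviews, and privileged sessions not recorded. The sample data is constructed.

```python
"""Automated evidence check for the PAM / IAM indicators listed above.

Added example (not Fyntralink's or SAMA's code). Field names in the
inventory records are assumptions, not a real PAM export format.
"""
from datetime import date

ROTATION_MAX_DAYS = 90   # page: max 90 days for privileged account passwords
REVIEW_MAX_DAYS = 92     # "quarterly" access reviews, with a few days of slack

# Constructed sample inventory (hypothetical field names).
SAMPLE_INVENTORY = [
    {"account": "svc_backup", "owner": "ops-lead", "enabled": True,
     "password_set": "2024-01-05", "last_review": "2024-03-01",
     "session_recording": True},
    {"account": "adm_hr_db", "owner": "", "enabled": True,
     "password_set": "2024-02-20", "last_review": "2024-03-01",
     "session_recording": True},
    {"account": "adm_old_dev", "owner": "dev-lead", "enabled": True,
     "password_set": "2024-03-01", "last_review": "2023-11-15",
     "session_recording": False},
    {"account": "breakglass_01", "owner": "ciso", "enabled": True,
     "password_set": "2024-03-10", "last_review": "2024-03-01",
     "session_recording": True},
]

# Constructed HR leavers feed: user id -> termination date.
SAMPLE_TERMINATED = {"dev-lead": "2024-02-28"}


def _days_since(iso_date: str, today: date) -> int:
    """Whole days elapsed between an ISO-8601 date string and `today`."""
    return (today - date.fromisoformat(iso_date)).days


def check_privileged_inventory(inventory, terminated, today):
    """Return a list of (account, finding) tuples. An empty list means no findings.

    One account can produce several findings; each maps to one of the
    evidence items SAMA assessors request (owner, rotation, review,
    session recording, deprovisioning of leavers).
    """
    findings = []
    for acct in inventory:
        name = acct["account"]
        owner = acct.get("owner", "")
        if not owner:
            findings.append((name, "no assigned owner"))
        if _days_since(acct["password_set"], today) > ROTATION_MAX_DAYS:
            findings.append((name, f"password older than {ROTATION_MAX_DAYS} days"))
        if _days_since(acct["last_review"], today) > REVIEW_MAX_DAYS:
            findings.append((name, "quarterly access review overdue"))
        if not acct.get("session_recording", False):
            findings.append((name, "session recording disabled"))
        if acct["enabled"] and owner in terminated:
            findings.append((name, f"enabled but owner terminated on {terminated[owner]}"))
    return findings


def accounts_with_findings(findings):
    """Distinct account names that appear in the findings list, in order."""
    seen = []
    for name, _ in findings:
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    # Freeze the assessment date so the sample data gives repeatable results.
    for account, finding in check_privileged_inventory(
            SAMPLE_INVENTORY, SAMPLE_TERMINATED, date(2024, 4, 15)):
        print(f"{account:15} {finding}")
```

Run against the constructed data with an assessment date of 2024-04-15, the script flags `svc_backup` (password 101 days old), `adm_hr_db` (no owner) and `adm_old_dev` (terminated owner still enabled, review overdue, session recording off), while the break-glass account passes. In production, feed it the PAM tool's export and the HR leavers list, and keep the run output with the quarterly review sign-off as evidence.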

Domain 4: Third-Party Cyber Security

Domain 4 addresses the risk introduced by vendors, outsourcing partners, and cloud service providers. SAMA requires a formal third-party risk assessment process that evaluates vendors before onboarding and monitors them throughout the relationship. This includes: security requirements in contracts, right-to-audit clauses, incident notification obligations, and periodic vendor security assessments.

This domain has become increasingly important as Saudi financial institutions migrate to cloud platforms and depend on fintech partners. SAMA now expects documented evidence that you assess the cybersecurity posture of every third party with access to your data or systems — and that you maintain a centralized register of all such relationships.

How Maturity Levels Work in the CSCC

SAMA does not simply check whether a control exists or not. Each control is assessed on a maturity scale. SAMA's framework defines six levels, from Level 0 (Non-existent) through Level 1 (Ad-hoc), Level 2 (Repeatable but informal), Level 3 (Structured and formalized) and Level 4 (Managed and measurable) to Level 5 (Adaptive), and sets Level 3 as the general expectation for regulated entities. During assessments, SAMA assigns a maturity score per subdomain and communicates institution-specific target levels based on your institution's size, complexity, and risk profile.

Practical Example: A Saudi bank may be told its target maturity for Security Monitoring is Level 4 (Managed and measurable), meaning it must not only have a SOC with defined use cases (Level 3) but also demonstrate metrics-driven optimization: measuring mean time to detect (MTTD) and mean time to respond (MTTR), and continuously tuning detection rules based on threat intelligence. A smaller payment service provider may have a target of Level 3 for the same subdomain.

Mapping Your Existing Controls to the CSCC

If your organization already holds ISO 27001 certification or is PCI-DSS compliant, you have a head start, but not a free pass. The CSCC overlaps significantly with these standards, but it also introduces Saudi-specific requirements that neither ISO nor PCI covers. The most practical approach is to build a control mapping matrix.

Create a spreadsheet with the following columns: CSCC Subdomain, CSCC Control ID, Control Description, Your Existing Control (if any), Evidence Available, Gap Identified, and Remediation Owner. Populate it subdomain by subdomain. This exercise typically reveals that governance and third-party controls are the weakest areas, while technical controls have the highest existing coverage.

# Simplified control mapping structure (CSV format):

CSCC_Subdomain,CSCC_Control_ID,Description,Existing_Control,Evidence,Gap,Owner
"Identity & Access Mgmt","OT-3.1","MFA for critical systems","Azure AD MFA","Config screenshot","None","IT Security"
"Security Monitoring","OT-5.2","24/7 SOC capability","MSSP contract","SLA document","MTTD not measured","SOC Manager"
"Third-Party Risk","TP-1.3","Vendor security assessment","Manual checklist","Spreadsheet","No continuous monitoring","Vendor Mgmt"
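Once the matrix exists, the useful part is turning it into a prioritized remediation list that also reflects the maturity targets discussed above, since a subdomain assessed below its target is a finding even when every control has an owner. The script below is an added example, not Fyntralink's code: it parses the CSV layout shown above (the three sample rows are the page's own; the `Assessed_Maturity` and `Target_Maturity` columns and the fourth row, with its hypothetical control ID `LG-1.1`, are constructed additions), reports open gaps and missing evidence per subdomain, and orders subdomains by maturity shortfall and gap count.

```python
"""Gap report over a CSCC control mapping matrix.

Added example (not Fyntralink's code). The CSV layout is the page's own;
the two maturity columns and the LG-1.1 row are constructed additions.
"""
import csv
import io
from collections import defaultdict

# Constructed input: the page's three rows plus assumed maturity columns
# and one governance row built from the insurance example earlier in the
# lesson (hypothetical control ID).
MAPPING_CSV = """\
CSCC_Subdomain,CSCC_Control_ID,Description,Existing_Control,Evidence,Gap,Owner,Assessed_Maturity,Target_Maturity
"Identity & Access Mgmt","OT-3.1","MFA for critical systems","Azure AD MFA","Config screenshot","None","IT Security",3,3
"Security Monitoring","OT-5.2","24/7 SOC capability","MSSP contract","SLA document","MTTD not measured","SOC Manager",3,4
"Third-Party Risk","TP-1.3","Vendor security assessment","Manual checklist","Spreadsheet","No continuous monitoring","Vendor Mgmt",2,3
"Cyber Security Strategy","LG-1.1","Board-approved strategy reviewed annually","","","Not re-approved in 12 months","CISO",1,3
"""

# Values in the Gap column that mean "no gap recorded".
NO_GAP = {"", "none", "n/a"}


def load_mapping(text):
    """Parse the mapping matrix CSV into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def gap_report(rows):
    """Aggregate the matrix per subdomain.

    Returns {subdomain: {"controls", "open_gaps", "no_evidence",
    "maturity_finding"}} where maturity_finding is (assessed, target)
    for the lowest-scoring control below target, or None.
    """
    report = defaultdict(lambda: {"controls": 0, "open_gaps": [],
                                  "no_evidence": [], "maturity_finding": None})
    for r in rows:
        sub = report[r["CSCC_Subdomain"]]
        sub["controls"] += 1
        if r["Gap"].strip().lower() not in NO_GAP:
            sub["open_gaps"].append((r["CSCC_Control_ID"], r["Gap"], r["Owner"]))
        if not r["Evidence"].strip():
            # A control with no evidence cannot be shown to an assessor at all.
            sub["no_evidence"].append(r["CSCC_Control_ID"])
        assessed, target = int(r["Assessed_Maturity"]), int(r["Target_Maturity"])
        if assessed < target:
            prev = sub["maturity_finding"]
            if prev is None or assessed < prev[0]:
                sub["maturity_finding"] = (assessed, target)
    return dict(report)


def remediation_queue(report):
    """Subdomain names ordered by maturity shortfall, then open gap count."""
    def key(item):
        name, s = item
        shortfall = 0
        if s["maturity_finding"]:
            shortfall = s["maturity_finding"][1] - s["maturity_finding"][0]
        return (-shortfall, -len(s["open_gaps"]), name)
    return [name for name, _ in sorted(report.items(), key=key)]


if __name__ == "__main__":
    rep = gap_report(load_mapping(MAPPING_CSV))
    for name in remediation_queue(rep):
        s = rep[name]
        print(f"{name}: {len(s['open_gaps'])} open gap(s), "
              f"no evidence for {s['no_evidence'] or 'none'}, "
              f"maturity finding {s['maturity_finding']}")
```

On the constructed input the queue puts Cyber Security Strategy first (assessed 1 against a target of 3, with no evidence on file), then Security Monitoring and Third-Party Risk (one level short each, one open gap each), and Identity & Access Management last with nothing to fix, which matches the pattern the text describes: governance and third-party controls weakest, technical controls best covered.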

Connection to the Saudi Regulatory Landscape

The CSCC does not exist in isolation. It is one layer in a multi-regulator environment. The National Cybersecurity Authority (NCA) issues its own Essential Cybersecurity Controls (ECC), which apply to all government and critical infrastructure entities — including SAMA-regulated organizations. This means Saudi banks must comply with both SAMA CSCC and NCA ECC simultaneously. Additionally, the Personal Data Protection Law (PDPL) enforced by SDAIA imposes data privacy requirements that intersect with CSCC's data protection controls. Understanding how these frameworks overlap — and where they diverge — is essential for building an efficient compliance program rather than duplicating efforts across three separate audit tracks.

Common Mistakes to Avoid

  • Treating CSCC as a checkbox exercise: Organizations that focus on producing documents to pass the assessment rather than implementing effective controls will fail eventually. SAMA assessors are experienced — they probe beyond documentation into actual implementation and operational evidence.
  • Ignoring maturity targets: Achieving Level 2 across all subdomains may feel like progress, but if SAMA has communicated a target of Level 3 or 4 for your institution, Level 2 is a finding. Always align your remediation plan to your specific target maturity, not to a generic baseline.
  • Underestimating Domain 1 (Governance): Technical teams often invest heavily in tools and monitoring while neglecting strategy documents, board reporting, and policy lifecycle management. Domain 1 findings are among the most common in SAMA assessments — and among the easiest to prevent with proper document management.

Lesson Summary

  • The SAMA CSCC framework is structured into 4 domains: Governance, Risk Management, Operations & Technology, and Third-Party Security — with 29 subdomains containing individual controls.
  • Each control is assessed on a maturity scale, and SAMA assigns institution-specific target maturity levels that you must meet.
  • Building a control mapping matrix against your existing ISO 27001, PCI-DSS, or NCA ECC controls is the most efficient way to identify gaps and prioritize remediation.

Next Lesson

In the next lesson we will cover: NCA Essential Cybersecurity Controls (ECC) 2-2024 — What Changed and How to Comply — a detailed walkthrough of the updated NCA controls, how they differ from the previous version, and a practical compliance checklist for organizations that must satisfy both NCA and SAMA requirements.


Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and find out exactly where your institution stands across all four CSCC domains.