← Frameworks / Financial Regulation

SAMA Cyber Security Framework

Saudi Central Bank mandatory cybersecurity framework for all financial institutions regulated by SAMA. 4 domains covering cyber security leadership and governance, risk management and compliance, operations and technology, and third-party cyber security. Built on NIST CSF with augmentations from ISO 27001, NIST 800-53, PCI DSS, and SWIFT CSCF.

Clauses: 23

Avg Coverage: 80.5%

Publisher: Saudi Central Bank (SAMA) Version: 2017

SAMA CSF → SP 800-53 SP 800-53 → SAMA CSF Coverage Analysis

Clause	Title	SP 800-53 Controls
1.1	Cyber Security Governance	PM-01 PM-02 PM-03 PM-09 PM-10 PM-29 PL-01 PL-08 PL-09 PS-09
1.2	Cyber Security Policy	PM-01 PL-01 PM-09 PM-10 PM-11 PM-24 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PT-01 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01
1.3	Compliance with Legal, Regulatory and Industry Standards	PM-01 PM-09 CA-02 CA-05 CA-07 PM-06 PM-14 PM-31 PL-09
1.4	Cyber Security in Project Management	SA-03 SA-04 SA-08 SA-15 SA-17 PM-07 SA-20
1.5	Cyber Security Roles and Responsibilities	PM-02 PS-01 PS-02 PS-07 PS-09 PL-01 AC-05
1.6	Cyber Security Awareness and Training	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PM-13 PM-15
1.7	Cyber Security in Human Resources	PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09
1.8	Cyber Security Risk Management	PM-01 PM-09 PM-28 PM-29 PM-30 PM-32 RA-01 RA-02 RA-03 RA-05 RA-07 RA-09 PL-09 CA-05
1.9	Cyber Security Review and Audit	CA-02 CA-05 CA-06 CA-07 CA-08 PM-06 PM-14 PM-31 AU-06 RA-05 RA-10
2.1	Asset Management	CM-08 CM-09 CM-12 CM-13 PM-05 RA-02 RA-09 SC-07
2.2	Regulatory Compliance and Reporting	PM-01 PM-06 PM-09 CA-02 CA-05 CA-07 PM-14 PM-31 IR-06
3.1	Identity and Access Management	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-14 AC-16 AC-17 AC-18 AC-19 AC-24 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 IA-08 IA-09 IA-10 IA-11 IA-12
3.2	Application Security	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-16 SA-17 SA-20 SA-21 SA-22 CM-04 CM-14 SI-10 SI-11
3.3	Infrastructure Security (Networks, Systems, Endpoints)	SC-07 SC-08 SC-05 SC-20 SC-21 SC-22 SC-32 SC-40 SC-41 CM-02 CM-03 CM-06 CM-07 SI-03 SI-04 SI-07 SI-16 AC-04 AC-17 AC-18 AC-19
3.4	Cryptography	SC-12 SC-13 SC-08 SC-17 SC-28 SC-40 IA-07
3.5	Secure Configuration and Patch Management	CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-09 CM-14 SI-02 RA-05 RA-07 SA-22
3.6	Cyber Security Event and Incident Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 SI-04 SI-05 AU-06 PM-16 RA-10 SC-26 SC-44
3.7	Physical Security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18 PE-19 PE-20 PE-21 PE-23
3.8	Bring Your Own Device (BYOD)	AC-19 AC-20 AC-17 CM-02 CM-06 SC-08 SC-10 SC-23 SC-43
3.9	Secure Disposal of Information Assets	MP-06 MP-01 MP-02 MP-03 MP-04 MP-05 MP-07 MP-08 PE-16 SR-12
4.1	Third Party Risk Management	PM-30 PS-07 SA-04 SA-09 SA-21 SR-01 SR-02 SR-03 SR-05 SR-06
4.2	Outsourcing Cyber Security Requirements	SA-04 SA-09 SR-01 SR-02 SR-03 SR-06 SA-21 PS-07 CA-02 PM-14
4.3	Cloud Computing Security	SA-09 AC-20 SC-07 SC-08 SC-12 SC-13 SC-28 CM-02 CM-06 CA-09 SR-01 SR-06