Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework - Full guide

Having a robust cybersecurity infrastructure is a must for businesses of the current era, as cyber threats are growing and becoming lethal with each passing day. Industries like banking can’t afford to have a weak security infrastructure as they deal with sensitive data.

Players in this industry have to make sure that advanced technologies are in place to prevent threats and data loss. 

SAMA Cybersecurity Framework is a crisp foundation that one can refer to gain deeper insights into cyber threats and try to control them in infancy. 

Let’s learn more about it.

Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework - Full guide

What is SAMA: Everything You Must Know

SAMA stands for Saudi Arabian Monetary Authority.

Saudi’s Central Bank came into existence in 1952 and focuses on regulating commercial development in the country. It surveyed the functioning of the finance-specific entities, overseeing the banking-related affairs of the government, issuing/regulating the currency in the nation, and monitoring the forex reserves.

The authority figured out that cyber threats to banking/financial operations are growing at a rapid pace. Hence, SAMA constructed a digital security methodology for all its concerned members.

SAMA was formed in 2017 for all the SAMA-regulated bodies. It aims to supply adequate guidance to all the SAMA members so that they can early and accurately identify cyber threats and control their spread. 

SAMA is a risk-centric methodology that has an extended list of key security mandates and controls that SAMA’s adopters should follow. 

When an institute fails to stick to what SAMA proposes, it’s mandatory to furnish a legal risk acceptance to SAMA. It helps SAMA determine the security-maturity level concerning member business ventures. 

The founding bodies of this framework are ISO, PCI, NIST, BASEL, and ISF. All the reviews, maintenance, and update rights for this framework are reserved with SAMA. 

Goals Of SAMA

This framework's foundation lies in verifying that a SAMA-regulated financial institute is capable of doing early cybersecurity risk identification and is ready to deal with them. 

SAMA has carefully covered every aspect of the process for managing the cyber-risks that all its member organizations must keep in consideration to protect mission-critical data/information. 

Its implementation is mandatory for SAMA members so that:

  • They can have viable cybersecurity risk management approach to adopt
  • They can have a well-defined maturity level 
  • Digital risks are managed at an early stage so that the damage is under control

SAMA’s objectives are defined in a manner that they are capable of safeguarding a wide range of assets, such as electronic/digital data, any sort of physical details, every single application, electronic devices, databases, and software a financial institute is using, the electronic/computer machines, data storage devices, and everything included in the technical infrastructure. 


SAMA Cybersecurity Maturity Levels

SAMA mandates its members (i.e., organizations) to adopt a certain degree of security controls according to the existing security-maturity level. For the level’s measurement, the SAMA CSF refers to a predefined model.

According to that model, there are six maturity levels that we will cover next in the table.

Maturity Levels

Maturity Level Definition and CriteriaExplanation
0 or Non-existent
  • No documentation to support the adoption of viable security controls
  • The team and concerned entities are not aware of the cyber security controls (CSCs).
  • There are no well-defined security controls in place, and no awareness efforts are made towards the deployment and importance of key security controls.
1 or Ad-hoc
  • There are null or partial pre-defined security controls in place.
  • Even CSCs are performed, they don not follow a standard pattern
  • CSCs are poorly defined
  • There is a variation of implemented security controls across the organization as designed and the format varies and is in the control of the owner.
  • The implemented CSCs are only partially capable of mitigating the risk.
2 or Repeatable but informal
  • CSCs are carried out in a highly unorganized manner and without any formal standard adherence
  • CSCs are frequently repeated, and the objectives are overlapping.
  • Only a limited scope for the review or testing of CSCs.
3 or Structured and formalized
  • The organization is using well-defined and fully structured CSCs
  • The control are approved formally
  • Organization is capable of demonstrating the adoption of CSCs
  • Well-defined cyber security standard and procedures are in use and adopted at a large scale
  • Use of governance, risk, and compliance tool is at place
  • Performance indicators are well-defined
  • Security controls are regularly evaluated
4 or Managed and measurable
  • Adopted/implemented CSCs are regularly assessed for their effectiveness
  • Refinement opportunities are figured out
  • Appropriate measures are adopted for the review and updated of the controls
  • There are well-documented updates of security controls
  • Security controls remain under review and tested at regular interval
  • Latest trends and indicators are used to assess the viability of used controls
  • The review or testing results are used for enhancing the security controls
5 or Adaptive
  • CSCs are the part of scalability and enhancement plans.
  • There is a large-scale adoption of enterprise-wide cyber security program
  • Continue focusses on compliance and efficacy of the CSCs.
  • CSCs are part of the risk management framework.
  • Peer and sector data are used for analyzing the effectiveness of CSCs.

SAMA, with this security maturity level, aims to address the key risks for financial institutes in their infancy stage and control the damage. For those who are willing to attain a level >3, successfully attaining all the prior levels is mandatory.

The first 3 maturity levels show the absence of robust controls in a given ecosystem. To be called dependable, an organization must operate at natural level 3 or above.

At maturity level 3, which is the minimum acceptable maturity level, it’s mandatory that the members and its board have a fully-endorsed and mandatory cyber security policy, and its purpose is clearly stated to everyone.

The staff, customers, and 3rd party vendors should be fully aware of acceptable policies.

At maturity level 4, the focus remains on testing the usefulness of working security-specific controls and policies to ensure that contemporary controls are in place. As cyber threats are evolving at a rapid pace, implementation of outdated cybersecurity controls will fail to deliver desired cybersecurity. Hence, this security maturity level assesses the efforts an organization is taking to evaluate the security-controls.  

At last, we have maturity level 5 which is more about the continual improvement of implemented and assessed controls. At this level, members need to be double-sure that risk management and security-controls are not poles apart and are not two different aspects. Rather, they should be integrated and monitored regularly.

Control Domains

The foundation of SAMA is based on four domains that are further divided into multiple subdomains. The focus of a subdomain remains on a specific topic or concern. Mainly, three subdomains are:

  • The principal that main reason behind the existence of that security control
  • The objective that explains the aims of the principle and what that specific security control is trying to achieve
  • Control consideration refers to the mandatory security control to be considered for each domain. Generally, there are four levels of control considerations.

Up next, we have explained the control domains of the SAMA Framework in detail.

  1. Cybersecurity Leadership and Governance

The governing bodies of the members are mainly responsible for maintaining a strong cybersecurity infrastructure. The board of these bodies can pass on this responsibility to the well-constructed security committee.

The role of this security committee is to outline which all governance standards are acceptable to review cybersecurity and provide well-defined cybersecurity standards for members.

In addition, the committee bears the responsibility for setting up the cybersecurity policy and finding out the viable operational practices that will improve the effectiveness of the CSCs.  

It’s mandatory to have an independent cyber-security function to design, maintain and govern the applied cyber-security policies.

As far as governance is concerned, SAMA ensures that the cyber security governance structure should be under the authority of the board. During the governance, the consider-worthy controls include representation from all the leading cybersecurity committees, regular internal audits, the establishment of a cybersecurity charter, and clear defining of committee objectives.

  1. Cybersecurity Risk Management and Compliance

Members must understand that taking care of the cyber-risks has to be a continual procedure and should revolve around the early identification, monitoring, and analysis of the concerned risk. SAMA instructs concerning authorities to shift their focus on the following:

  • Doing early identification of threat/risk or its prediction
  • Figuring out the probability of a cyber-security risk
  • Doing regular risk analysis
  • Framing a viable and result-driven response
  • Periodic monitoring of risk treatment and analyze the efficacy of the CSCss
  • Adherence with the defined CSCs (cyber security controls)

According to SAMA, the risk management procedure needs to be precisely defined, designed, approved and implemented. Its motive is to safeguard the integrity and confidentially of the mission-critical details of the concerned member businesses.

For compliance, any of the processes, aimed at managing the risk, must be designed by the SAMA member companies and communicate the implications to others. The risk-compliance process needs to be conducted periodically and should play a crucial role in updating the cyber security policy.

Non-negotiable adherence to globally accepted standards is mandatory. 

The consider-worthy compliances here are  PCI-DSS, SWIFT Customer Security Control framework, and EMV technical standard.

  1. Cybersecurity Operations and Technology

SAMA instructs its member businesses to protect the key operations and technology of self, staff, 3rd-party vendors, and members.

It’s important to have well-defined and improved CSCs to ensure that at-work technologies are not bringing any threats to the system. The penetration of cyber security requirements should begin from the human resource processes.

The staff of member businesses should be screened from the early processing stage and make sure that proper measures are adopted throughout the lifecycle of the employees.

As per SAMA, there should be robust physical security measures taken so that physical assets are away from the reach of all sorts of security threats.

Enough security controls should be in place to ensure that there is no unauthorized access to the physical assets of the members. The most viable security controls that SAMA suggests in this direction are to use advanced monitoring & surveillance tools, protect the data center tools, use inventive environmental protection measures, data access overseeing, and analysis of all access control measures in place to avoid unauthorized access.

Application security is also covered in SAMA. All the applications/software that financial institutes are using must adopt a viable SDLC approach and use secure code standards. Enough attention is given to identity and access management as well. Access control, user access management, and user request management must be monitored and regulated periodically.

This is not everything that is covered in this domain. It’s extensive, and the below-mentioned image can provide you with more clarity. 

  1. Third-Party Cybersecurity

This control domain of SAMA has a full focus on the 3rd party services and their security control. Member businesses should put extra effort to make sure that all the 3rd party resources are secure and free from cybersecurity threats. Some of the recommended security controls here are:

  • Including risk assessment in the procurement process
  • Having clear security requirements
  • Testing the security controls that 3rd party vendors are using
  • Termination of the contract if a vendor fails to adhere to best security controls
  • Adherence with SAMA outsourcing controls while outsourcing technology or talent
  • Seeking SAMA approval before using any cloud service or facility
  • Making sure that the selected cloud service provider is not using the data for personal usage
  • Granting the termination rights to the member companies
  • Performing cyber security audits for the cloud provider at regular intervals

All in all, SAMA has covered extensive security controls related to 3rd party vendors, contractors, and other outside resources.


For every financial institute, maintaining sound cybersecurity infrastructure is imperative. Ignoring early signs of a vulnerability can be proved highly fatal in the future. The SAMA Cybersecurity framework acts like fully standardized CSCs and processes for every SAMA member.

By explaining security maturity level, cybersecurity risks, and remedial responses in detail, SAMA allows financial institutes to be more responsive toward hidden threats. As the framework supports the adoption of the most recent cyber security technology, its implementation will certainly improve the security posture of financial institutes of Saudi Arabia.


What are some best practices for maintaining compliance with the SAMA Cybersecurity Framework?
How can an organization become compliant with the SAMA Cybersecurity Framework?
What are the consequences of non-compliance with the SAMA Cybersecurity Framework?
What are some of the key requirements of the SAMA Cybersecurity Framework?
What is the Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework?
How often should my organization undergo assessments to ensure compliance with the SAMA Cybersecurity Framework?
What is the first step in complying with the SAMA Cybersecurity Framework?
How often are SAMA Cybersecurity Framework assessments required?
What are the requirements for SAMA Cybersecurity Framework compliance?
What are the key components of the SAMA Cybersecurity Framework?
What is the SAMA Cybersecurity Framework?

Subscribe for the latest news

February 26, 2024
Learning Objectives
Subscribe for
the latest news
Related Topics