Who SAMA CSF applies to
The Saudi Central Bank (SAMA) Cyber Security Framework applies to banks, insurers, financing companies, fintechs and payment firms regulated by SAMA. It defines cyber-security governance, defence, resilience and third-party requirements, each assessed against a required maturity level.
The implementation path
1. Understand the domains and maturity model
SAMA CSF is structured around cyber-security leadership and governance, risk management, operations and technology, and third-party/cloud. Each control is scored on a maturity scale; SAMA expects regulated entities to reach and evidence a defined maturity level.
2. Maturity assessment
Assess current maturity across every domain against the required level — this produces the baseline and the gap.
3. Gap analysis and roadmap
Prioritise gaps by risk and regulatory expectation, and build a remediation roadmap ahead of a SAMA review or inspection.
4. Remediate and evidence
Implement the controls and, critically, produce the evidence — SAMA reviews turn on evidence quality and traceability, not the existence of a policy.
5. SAMA review readiness
Prepare board-level and regulator-ready reporting aligned to SAMA expectations, with third-party and cloud controls addressed.
Common pitfalls
- Assuming a global framework maps 1:1 — SAMA CSF has its own maturity expectations and domains.
- Weak evidence — maturity claims must be backed by traceable evidence.
- Neglecting third-party and cloud — a distinct, scrutinised domain.
- Treating it as one-off — maturity must be maintained, not achieved once.
How CyberSigma helps
We run a SAMA CSF maturity assessment, gap analysis and remediation roadmap, and prepare board- and regulator-ready reporting — delivered by senior consultants with GCC financial-sector depth.
