Cybersecurity Risk Management Guide

Uploaded by ciwip92190

Governance domain: control index (spreadsheet columns Main Domain / Sub-Domain / Control / Sub-Control, reconstructed from the column export)

Essential Cybersecurity Controls (ECC)
1-5 Cybersecurity Risk Management: 1-5-1; 1-5-2; 1-5-3 (1-5-3-1, 1-5-3-2, 1-5-3-3, 1-5-3-4); 1-5-4
1-6 Cybersecurity in Information and Technology Project Management: 1-6-1; 1-6-2 (1-6-2-1, 1-6-2-2); 1-6-3 (1-6-3-1 to 1-6-3-5); 1-6-4
1-7 Compliance with Cybersecurity Standards, Laws and Regulations: 1-7-1; 1-7-2
1-8 Periodical Cybersecurity Review and Audit: 1-8-1; 1-8-2; 1-8-3
1-9 Cybersecurity in Human Resources: 1-9-1; 1-9-2; 1-9-3 (1-9-3-1, 1-9-3-2); 1-9-4 (1-9-4-1, 1-9-4-2); 1-9-5; 1-9-6
1-10 Cybersecurity Awareness and Training Program: 1-10-1; 1-10-2; 1-10-3 (1-10-3-1 to 1-10-3-4); 1-10-4 (1-10-4-1 to 1-10-4-3); 1-10-5

Critical Systems Cybersecurity Controls (CSCC)
1-1 Cybersecurity Strategy: 1-1-1
1-2 Cybersecurity Risk Management: 1-2-1 (1-2-1-1, 1-2-1-2)
1-3 Cybersecurity in Information Technology Project Management: 1-3-1 (1-3-1-1, 1-3-1-2); 1-3-2 (1-3-2-1 to 1-3-2-4)
1-4 Periodical Cybersecurity Review and Audit: 1-4-1; 1-4-2
1-5 Cybersecurity in Human Resources: 1-5-1 (1-5-1-1, 1-5-1-2)

Data Cybersecurity Controls (DCC)
1-1 Periodical Cybersecurity Review and Audit: 1-1-1; 1-1-2
1-2 Cybersecurity in Human Resources: 1-2-1 (1-2-1-1, 1-2-1-2)
1-3 Cybersecurity Awareness and Training Program: 1-3-1 (1-3-1-1 to 1-3-1-7)

Organizations' Social Media Accounts Cybersecurity Controls (OSMACC)
1-1 Cybersecurity Policies and Procedures: 1-1-1 (1-1-1-1)
1-2 Cybersecurity Risk Management: 1-2-1 (1-2-1-1 to 1-2-1-3)
1-3 Cybersecurity in Human Resources: 1-3-1 (1-3-1-1, 1-3-1-2)
1-4 Cybersecurity Awareness and Training Program: 1-4-1 (1-4-1-1 to 1-4-1-7); 1-4-2

Telework Cybersecurity Controls (TCC)
1-1 Cybersecurity Policies and Procedures: 1-1-1 (1-1-1-1)
1-2 Cybersecurity Risk Management: 1-2-1 (1-2-1-1 to 1-2-1-3)
1-3 Cybersecurity in Human Resources: 1-3-1 (1-3-1-1 to 1-3-1-8); 1-3-2

Cloud Cybersecurity Controls (CCC-T)
1-1 Cybersecurity Roles and Responsibilities: 1-1-T-1 (1-1-T-1-1)
1-2 Cybersecurity Risk Management: 1-2-T-1 (1-2-T-1-1 to 1-2-T-1-3)
1-3 Compliance with Cybersecurity Standards, Laws and Regulations: 1-3-T-1 (1-3-T-1-1)
1-4 Cybersecurity in Human Resources: 1-4-T-1 (1-4-T-1-1)
Governance: control clauses

Essential Cybersecurity Controls (ECC)

1-5-1 Cybersecurity risk management methodology and procedures must be defined, documented and approved as per confidentiality, integrity and availability considerations of information and technology assets.

1-5-2 The cybersecurity risk management methodology and procedures must be implemented by the cybersecurity function.

1-5-3 The cybersecurity risk assessment procedures must be implemented at least in the following cases:
1-5-3-1 Early stages of technology projects.
1-5-3-2 Before making major changes to technology infrastructure.
1-5-3-3 During the planning phase of obtaining third party services.
1-5-3-4 During the planning phase and before going live for new technology services and products.

1-5-4 The cybersecurity risk management methodology and procedures must be reviewed periodically according to planned intervals or upon changes to related laws and regulations. Changes and reviews must be approved and documented.

1-6-1 Cybersecurity requirements must be included in project and asset (information/technology) change management methodology and procedures to identify and manage cybersecurity risks as part of the project management lifecycle. The cybersecurity requirements must be a key part of the overall requirements of technology projects.

1-6-2 The cybersecurity requirements in project and asset (information/technology) change management must include at least the following:
1-6-2-1 Vulnerability assessment and remediation.
1-6-2-2 Conducting a configurations' review, secure configuration and hardening and patching before changes or going live for technology projects.

1-6-3 The cybersecurity requirements related to software and application development projects must include at least the following:
1-6-3-1 Using secure coding standards.
1-6-3-2 Using trusted and licensed sources for software development tools and libraries.
1-6-3-3 Conducting compliance tests for software against the defined organizational cybersecurity requirements.
1-6-3-4 Secure integration between software components.
1-6-3-5 Conducting a configurations' review, secure configuration and hardening and patching before going live for software products.

1-6-4 The cybersecurity requirements in project management must be reviewed periodically.

1-7-1 The organization must comply with related national cybersecurity laws and regulations.

1-7-2 The organization must comply with any nationally-approved international agreements and commitments related to cybersecurity.

1-8-1 Cybersecurity reviews must be conducted periodically by the cybersecurity function in the organization to assess compliance with the cybersecurity controls in the organization.

1-8-2 Cybersecurity audits and reviews must be conducted by independent parties outside the cybersecurity function (e.g., the Internal Audit function) to assess compliance with the cybersecurity controls in the organization. Audits and reviews must be conducted independently, while ensuring that this does not result in a conflict of interest, as per the Generally Accepted Auditing Standards (GAAS) and related laws and regulations.

1-8-3 Results from the cybersecurity audits and reviews must be documented and presented to the cybersecurity steering committee and Authorizing Official. Results must include the audit/review scope, observations, recommendations and remediation plans.

1-9-1 Personnel cybersecurity requirements (prior to employment, during employment and after termination/separation) must be defined, documented and approved.

1-9-2 The personnel cybersecurity requirements must be implemented.

1-9-3 The personnel cybersecurity requirements prior to employment must include at least the following:
1-9-3-1 Inclusion of personnel cybersecurity responsibilities and non-disclosure clauses (covering the cybersecurity requirements during employment and after termination/separation) in employment contracts.
1-9-3-2 Screening or vetting candidates for cybersecurity and critical/privileged positions.

1-9-4 The personnel cybersecurity requirements during employment must include at least the following:
1-9-4-1 Cybersecurity awareness (during on-boarding and during employment).
1-9-4-2 Implementation of and compliance with the cybersecurity requirements as per the organizational cybersecurity policies and procedures.

1-9-5 Personnel access to information and technology assets must be reviewed and removed immediately upon termination/separation.

1-9-6 Personnel cybersecurity requirements must be reviewed periodically.

1-10-1 A cybersecurity awareness program must be developed and approved. The program must be conducted periodically through multiple channels to strengthen awareness about cybersecurity, cyber threats and risks, and to build a positive cybersecurity awareness culture.

1-10-2 The cybersecurity awareness program must be implemented.

1-10-3 The cybersecurity awareness program must cover the latest cyber threats and how to protect against them, and must include at least the following subjects:
1-10-3-1 Secure handling of email services, especially phishing emails.
1-10-3-2 Secure handling of mobile devices and storage media.
1-10-3-3 Secure Internet browsing.
1-10-3-4 Secure use of social media.

1-10-4 Essential and customized (i.e., tailored to job functions as they relate to cybersecurity) training and access to professional skillsets must be made available to personnel working directly on tasks related to cybersecurity, including:
1-10-4-1 Cybersecurity function's personnel.
1-10-4-2 Personnel working on software/application development and on information and technology assets operations.
1-10-4-3 Executive and supervisory positions.

1-10-5 The implementation of the cybersecurity awareness program must be reviewed periodically.
Critical Systems Cybersecurity Controls (CSCC)

1-1-1 In addition to the controls within sub-component 1-1 of the ECC, the cybersecurity strategy of the entity must set a priority to support the protection of the critical systems of the entity.

1-2-1 In addition to the controls under sub-component 1-5 of the basic controls for cybersecurity, the methodology for managing cybersecurity risks should include, at a minimum, the following:
1-2-1-1 Implementing a cybersecurity risk assessment on critical systems at least once a year.
1-2-1-2 Creating a cybersecurity risk register for critical systems and following it up at least once a month.

1-3-1 In addition to the sub-controls within control 1-6-2 in the ECC, the cybersecurity requirements for project management and changes to the information and technical assets of critical systems in the entity must cover, at a minimum, the following:
1-3-1-1 Carrying out stress testing of the technical components of critical systems to ensure the capacity of the various components.
1-3-1-2 Ensuring the application of business continuity requirements.

1-3-2 In addition to the sub-controls in ECC 3-6-1:
1-3-2-1 Security source code review prior to release.
1-3-2-2 Securing the access, storage, documentation and releases of source code.
1-3-2-3 Securing the authenticated Application Programming Interface (API).
1-3-2-4 Safe and reliable transfer of applications from the testing environment to the production environment, with any data, identities or passwords associated with the test environments deleted prior to transfer.

1-4-1 Referring to control 1-8-1 in the basic controls of cybersecurity, the department concerned with cybersecurity must review the implementation of cybersecurity controls for critical systems at least once a year.

1-4-2 With reference to ECC control 1-8-2, the implementation of the CSCC must be reviewed by independent parties within the organization, outside the cybersecurity function, at least once every three years.

1-5-1 In addition to the sub-controls in ECC control 1-9-3, personnel cybersecurity requirements prior to employment must include at least the following:
1-5-1-1 Screening or vetting candidates for working on critical systems.
1-5-1-2 The technical support and development positions for critical systems must be filled with experienced Saudi professionals.

Data Cybersecurity Controls (DCC)

1-1-1 With reference to ECC control 1-8-1, the cybersecurity function in the organization must review the implementation of the Data Cybersecurity Controls periodically, as specified for each data classification level.

1-1-2 With reference to ECC control 1-8-2, cybersecurity review and audit must be conducted periodically by independent parties outside the organization's cybersecurity function, as specified for each data classification level.

1-2-1 In addition to the sub-controls in ECC control 1-9-3, personnel cybersecurity requirements prior to employment, during employment and after termination/separation must include at least the following:
1-2-1-1 Screening and vetting candidates in jobs related to data handling.
1-2-1-2 A signed agreement by personnel pledging not to use social media, communication applications or personal cloud storage to create, store or share the organization's data, with the exception of secure communication applications approved by relevant authorities.

1-3-1 In addition to the sub-controls in ECC control 1-10-3, the cybersecurity awareness program must cover topics related to data protection, including the following:
1-3-1-1 Risk of data leakage and unauthorized access to data during its lifecycle.
1-3-1-2 Secure handling of classified data while traveling and outside the workplace.
1-3-1-3 Secure handling of data during meetings (virtual and in-person).
1-3-1-4 Secure handling when using printers, scanners and copiers.
1-3-1-5 Procedures for secure data disposal.
1-3-1-6 Risks of sharing documents and information through non-secure channels.
1-3-1-7 Cybersecurity risks related to the use of external storage media.

Organizations' Social Media Accounts Cybersecurity Controls (OSMACC)

1-1-1-1 Defining and documenting the cybersecurity requirements for organizations' social media accounts as part of the organization's cybersecurity policies.

1-2-1 In addition to the controls within sub-domain 1-5 in the ECC, requirements for cybersecurity risk management should include at least the following:
1-2-1-1 Assessing cybersecurity risks for the organization's social media accounts at least once per year.
1-2-1-2 Assessing cybersecurity risks during planning and before permitting use of the organization's social media accounts.
1-2-1-3 Including cybersecurity risks related to the organization's social media accounts in the organization's cybersecurity risk register, and monitoring it at least once a year.

1-3-1 In addition to the sub-controls within control 1-9-4 in the ECC, the cybersecurity requirements for personnel responsible for managing the organization's social media accounts should include at least the following:
1-3-1-1 Cybersecurity awareness about social media accounts.
1-3-1-2 Implementation of and compliance with the cybersecurity requirements as per the organizational cybersecurity policies and procedures for the organization's social media accounts.

1-4-1 In addition to the sub-controls within control 1-10-3 in the ECC, the cybersecurity awareness program must cover awareness about the potential cyber risks and threats related to the organization's social media accounts and their secure use to minimize these risks and threats, including the following:
1-4-1-1 Secure use and protection of devices dedicated to the organization's social media accounts, ensuring that they do not contain classified data and are not used for personal purposes.
1-4-1-2 Secure handling of identities, passwords and security questions.
1-4-1-3 The organization's social media accounts restoration plan and dealing with cybersecurity incidents.
1-4-1-4 Secure handling of applications and solutions used for the organization's social media accounts.
1-4-1-5 Not using the organization's social media accounts for personal purposes such as browsing.
1-4-1-6 Avoiding accessing the organization's social media accounts using untrusted public devices or networks.
1-4-1-7 Communicating directly with the cybersecurity department if a cybersecurity threat is suspected.

1-4-2 In addition to the sub-controls within control 1-10-4 in the ECC, personnel responsible for managing the organization's social media accounts must be trained on the required technical skills, plans and procedures necessary to ensure the implementation of the cybersecurity requirements and practices when using the organization's social media accounts.
Telework Cybersecurity Controls (TCC)

1-1-1 Referring to control 1-3-1 in the ECC, cybersecurity policies and procedures must cover, at a minimum, the following:
1-1-1-1 Defining and documenting the telework cybersecurity requirements and controls as part of the organization's cybersecurity policies.

1-2-1 In addition to the controls within sub-domain 1-5 in the ECC, requirements for cybersecurity risk management should include at least the following:
1-2-1-1 Assessment of the cybersecurity risks for telework systems at least once per year.
1-2-1-2 Assessment of cybersecurity risks during planning and before permitting telework for any service or system.
1-2-1-3 Including the cybersecurity risks related to telework systems and their related services and systems in the entity's cybersecurity risk register, and monitoring it at least once a year.

1-3-1 In addition to the sub-controls within control 1-10-3 in the ECC, the cybersecurity awareness program must cover awareness about the potential cyber risks and threats related to telework, including the following:
1-3-1-1 Secure use of telework devices and how to protect them.
1-3-1-2 Secure handling of identities and passwords.
1-3-1-3 Protection of the data stored on telework devices, handled according to its classification.
1-3-1-4 Secure handling of applications and solutions used for telework, such as virtual conferencing and collaboration, and file sharing solutions.
1-3-1-5 Secure handling of home networks, making sure they are configured in a secure way.
1-3-1-6 Avoidance of teleworking using unreliable public devices or networks, or while in public places.
1-3-1-7 Unauthorized physical access, loss, theft and sabotage of technical assets and telework systems.
1-3-1-8 Communicating directly with the cybersecurity department if a cybersecurity threat is suspected.

1-3-2 In addition to the sub-controls within control 1-10-4 in the ECC, employees must be trained with the required technical skills to ensure the implementation of the cybersecurity requirements when handling telework systems.

Cloud Cybersecurity Controls (CCC-T)

1-1-T-1 In addition to ECC control 1-4-1, the Authorizing Official shall also identify, document and approve:
1-1-T-1-1 Cybersecurity roles and RACI assignment for all stakeholders of the cloud services, including the Authorizing Official's roles and responsibilities.

1-2-T-1 The cybersecurity risk management methodology mentioned in ECC sub-domain 1-5 shall also include for the CST, as a minimum:
1-2-T-1-1 Defining acceptable risk levels for the cloud services.
1-2-T-1-2 Considering data and information classification accredited by the CST in the cybersecurity risk management methodology.
1-2-T-1-3 Developing a cybersecurity risk register for cloud services, and monitoring it periodically according to the risks.

1-3-T-1 In addition to ECC control 1-7-1, the CST legislative and regulatory compliance should include, as a minimum, the following requirements:
1-3-T-1-1 Continuous or real-time compliance monitoring of the CSP with relevant cybersecurity legislation and contract clauses.

1-4-T-1 In addition to the sub-controls in ECC control 1-9-3, the following requirements should be covered prior to the professional relationship of staff with the CST, at a minimum:
1-4-T-1-1 Screening or vetting candidates for personnel with access to Cloud Service sensitive functions (Key Management, Service Administration, Access Control).
Governance checklist columns, one set per framework (ECC, CSCC, DCC, OSMACC, TCC, CCC-T): Is it covered by the policy? (Yes/No); Policy Name; Clause Reference.
Defense domain: control index (spreadsheet columns Main Domain / Sub-Domain / Control / Sub-Control, reconstructed from the column export; where the export separates a sub-domain heading from its numbers, this is noted)

Essential Cybersecurity Controls (ECC)
2-1 Asset Management: 2-1-1; 2-1-2; 2-1-3; 2-1-4; 2-1-5; 2-1-6
2-2 Identity and Access Management: 2-2-1; 2-2-2; 2-2-3 (2-2-3-1 to 2-2-3-5); 2-2-4
2-3 Information System and Information Processing Facilities Protection: 2-3-1; 2-3-2; 2-3-3 (2-3-3-1 to 2-3-3-4); 2-3-4
2-4 Email Protection: 2-4-1; 2-4-2; 2-4-3 (2-4-3-1 to 2-4-3-5); 2-4-4
2-5 Networks Security Management: 2-5-1; 2-5-2; 2-5-3 (2-5-3-1 to 2-5-3-9); 2-5-4
2-6 Mobile Devices Security: 2-6-1; 2-6-2; 2-6-3 (2-6-3-1 to 2-6-3-4); 2-6-4
2-7 Data and Information Protection: 2-7-1; 2-7-2; 2-7-3; 2-7-4
2-8 Cryptography: 2-8-1; 2-8-2; 2-8-3 (2-8-3-1 to 2-8-3-3); 2-8-4
2-9 Backup and Recovery Management: 2-9-1; 2-9-2; 2-9-3 (2-9-3-1 to 2-9-3-3); 2-9-4
2-10 Vulnerabilities Management: 2-10-1; 2-10-2; 2-10-3 (2-10-3-1 to 2-10-3-5); 2-10-4
2-11 Penetration Testing: 2-11-1; 2-11-2; 2-11-3 (2-11-3-1, 2-11-3-2); 2-11-4
2-12 Cybersecurity Event Logs and Monitoring Management: 2-12-1; 2-12-2; 2-12-3 (2-12-3-1 to 2-12-3-5); 2-12-4
2-13 Cybersecurity Incident and Threat Management: 2-13-1; 2-13-2; 2-13-3 (2-13-3-1 to 2-13-3-5); 2-13-4
2-14 Physical Security: 2-14-1; 2-14-2; 2-14-3 (2-14-3-1 to 2-14-3-5); 2-14-4
2-15 Web Application Security: 2-15-1; 2-15-2; 2-15-3 (2-15-3-1 to 2-15-3-5); 2-15-4

Critical Systems Cybersecurity Controls (CSCC)
2-1 Asset Management: 2-1-1 (2-1-1-1, 2-1-1-2)
2-2 Identity and Access Management: 2-2-1 (2-2-1-1 to 2-2-1-8); 2-2-2
2-3 Information System and Processing Facilities Protection: 2-3-1 (2-3-1-1 to 2-3-1-8)
2-4 Networks Security Management: 2-4-1 (2-4-1-1 to 2-4-1-9)
2-5 Mobile Devices Security: 2-5-1 (2-5-1-1, 2-5-1-2)
2-6 Data and Information Protection: 2-6-1 (2-6-1-1 to 2-6-1-5)
2-7 Cryptography: 2-7-1 (2-7-1-1 to 2-7-1-3)
2-8 Backup and Recovery Management: 2-8-1 (2-8-1-1 to 2-8-1-3); 2-8-2
2-9 Vulnerabilities Management: 2-9-1 (2-9-1-1 to 2-9-1-3); 2-9-2
2-10 Penetration Testing: 2-10-1 (2-10-1-1, 2-10-1-2); 2-10-2
2-11 Cybersecurity Event Logs and Monitoring Management: 2-11-1 (2-11-1-1 to 2-11-1-5); 2-11-2
2-12 Web Application Security: 2-12-1 (2-12-1-1, 2-12-1-2); 2-12-2
2-13 Application Security: 2-13-1; 2-13-2; 2-13-3 (2-13-3-1 to 2-13-3-4); 2-13-4

Data Cybersecurity Controls (DCC)
2-1 (sub-domain heading not legible in the export): 2-1-1 (2-1-1-1, 2-1-1-2); 2-1-2; 2-1-3
2-2 Identity and Access Management: 2-2-1 (2-2-1-1 to 2-2-1-4)
2-3 Information System and Information Processing Facilities Protection: 2-3-1 (2-3-1-1, 2-3-1-2)
2-4 Data and Information Protection: 2-4-1 (2-4-1-1 to 2-4-1-4)
2-5 Cryptography: 2-5-1 (2-5-1-1, 2-5-1-2)
2-6 Secure Data Disposal: 2-6-1 (2-6-1-1 to 2-6-1-5); 2-6-2
2-7 Cybersecurity for Printers, Scanners and Copy Machines: 2-7-1; 2-7-2; 2-7-3 (2-7-3-1 to 2-7-3-5); 2-7-4
A Mobile Devices Security heading also appears in this block of the export; the number it carries is not legible.

Organizations' Social Media Accounts Cybersecurity Controls (OSMACC)
2-1 Asset Management: 2-1-1 (2-1-1-1)
2-2 Identity and Access Management: 2-2-1 (2-2-1-1 to 2-2-1-9); 2-2-2
2-3 Information System and Information Processing Facilities Protection: 2-3-1 (2-3-1-1 to 2-3-1-4)
2-4 and 2-5 (Mobile Device Security and Data and Information Protection; the export does not show which number each carries): 2-4-1 (2-4-1-1, 2-4-1-2); 2-5-1 (2-5-1-1)
2-6 Cybersecurity Event Logs and Monitoring Management: 2-6-1 (2-6-1-1 to 2-6-1-4)
2-7 Cybersecurity Incident and Threat Management: 2-7-1 (2-7-1-1)

Telework Cybersecurity Controls (TCC)
2-1 Asset Management: 2-1-1 (2-1-1-1)
2-2 Identity and Access Management: 2-2-1 (2-2-1-1 to 2-2-1-3); 2-2-2
2-3 Information System and Information Processing Facilities Protection: 2-3-1 (2-3-1-1 to 2-3-1-5)
2-4 Network Security Management: 2-4-1 (2-4-1-1 to 2-4-1-4)
2-5 Mobile Device Security: 2-5-1 (2-5-1-1, 2-5-1-2)
2-6 Data and Information Protection: 2-6-1 (2-6-1-1, 2-6-1-2)
2-7 Cryptography: 2-7-1 (2-7-1-1)
2-8 Backup and Recovery Management: 2-8-1 (2-8-1-1); 2-8-2
2-9 Vulnerabilities Management: 2-9-1 (2-9-1-1, 2-9-1-2)
2-10 Penetration Testing: 2-10-1 (2-10-1-1); 2-10-2
2-11 Cybersecurity Event Logs and Monitoring Management: 2-11-1 (2-11-1-1 to 2-11-1-4); 2-11-2
2-12 Cybersecurity Incident and Threat Management: 2-12-1 (2-12-1-1 to 2-12-1-3)

Cloud Cybersecurity Controls (CCC-T)
2-1 Asset Management: 2-1-T-1 (2-1-T-1-1)
2-2 Identity and Access Management: 2-2-T-1 (2-2-T-1-1 to 2-2-T-1-5)
2-3 Information System and Information Processing Facilities Protection: 2-3-T-1 (2-3-T-1-1)
2-4 Networks Security Management: 2-4-T-1 (2-4-T-1-1)
2-5 Mobile Devices Security: 2-5-T-1 (2-5-T-1-1)
2-6 Data and Information Protection: 2-6-T-1 (2-6-T-1-1, 2-6-T-1-2)
2-7 Cryptography: 2-7-T-1 (2-7-T-1-1, 2-7-T-1-2)
2-9 Vulnerabilities Management: 2-9-T-1 (2-9-T-1-1, 2-9-T-1-2)
2-11 Cybersecurity Event Logs and Monitoring Management: 2-11-T-1 (2-11-T-1-1, 2-11-T-1-2)
2-15 Key Management: 2-15-T-1; 2-15-T-2; 2-15-T-3 (2-15-T-3-1, 2-15-T-3-2); 2-15-T-4

Defense: control clauses

Essential Cybersecurity Controls (ECC)
2-1-1 Cybersecurity requirements for managing information and technology assets must be defined, documented and approved.

2-1-2 The cybersecurity requirements for managing information and technology assets must be implemented.

2-1-3 An acceptable use policy of information and technology assets must be defined, documented and approved.

2-1-4 The acceptable use policy of information and technology assets must be implemented.

2-1-5 Information and technology assets must be classified, labeled and handled as per related law and regulatory requirements.

2-1-6 The cybersecurity requirements for managing information and technology assets must be reviewed periodically.

2-2-1 Cybersecurity requirements for identity and access management must be defined, documented and approved.

2-2-2 The cybersecurity requirements for identity and access management must be implemented.

2-2-3 The cybersecurity requirements for identity and access management must include at least the following:
2-2-3-1 Single-factor authentication based on username and password.
2-2-3-2 Multi-factor authentication for remote access, defining suitable authentication factors, number of factors and suitable technique based on the result of the impact assessment of authentication failure and bypass for remote access.
2-2-3-3 User authorization based on identity and access control principles: Need-to-Know and Need-to-Use, Least Privilege and Segregation of Duties.
2-2-3-4 Privileged access management.
2-2-3-5 Periodic review of users' identities and access rights.

2-2-4 The implementation of the cybersecurity requirements for identity and access management must be reviewed periodically.

2-3-1 Cybersecurity requirements for protecting information systems and information processing facilities must be defined, documented and approved.

2-3-2 The cybersecurity requirements for protecting information systems and information processing facilities must be implemented.

2-3-3 The cybersecurity requirements for protecting information systems and information processing facilities must include at least the following:
2-3-3-1 Advanced, up-to-date and secure management of malware and virus protection on servers and workstations.
2-3-3-2 Restricted use and secure handling of external storage media.
2-3-3-3 Patch management for information systems, software and devices.
2-3-3-4 Centralized clock synchronization with an accurate and trusted source (e.g., the Saudi Standards, Metrology and Quality Organization (SASO)).

2-3-4 The cybersecurity requirements for protecting information systems and information processing facilities must be reviewed periodically.

2-4-1 Cybersecurity requirements for the email service must be defined, documented and approved.

2-4-2 The cybersecurity requirements for the email service must be implemented.

2-4-3 The cybersecurity requirements for protecting the email service must include at least the following:
2-4-3-1 Analyzing and filtering email messages (specifically phishing emails and spam) using advanced and up-to-date email protection techniques.
2-4-3-2 Multi-factor authentication for remote and webmail access to the email service, defining authentication factors, number of factors and suitable technique based on the result of the impact assessment of authentication failure and bypass.
2-4-3-3 Email archiving and backup.
2-4-3-4 Secure management and protection against Advanced Persistent Threats (APT), which normally utilize zero-day viruses and malware.
2-4-3-5 Validation of the organization's email service domains through the Haseen platform by using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

2-4-4 The cybersecurity requirements for the email service must be reviewed periodically.
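Control 2-4-3-5 names SPF, DKIM and DMARC as the mechanisms for validating the organization's email domains. As an added example, not taken from the control text or from the Haseen platform, the Python script below shows what a defender checks when validating a domain's published records: that exactly one SPF record exists and ends in a restrictive `all` qualifier, that a DKIM public key is published for the selectors in use, and that the DMARC policy is enforcing (quarantine or reject) rather than monitor-only. DNS is abstracted as a lookup function; the zone data, the domain names and the DKIM key are constructed placeholders so the script runs offline, and a real check would replace `sample_lookup` with an actual DNS TXT query.

```python
"""SPF / DKIM / DMARC publication check for an email domain (added example).

Evaluates the DNS TXT records a domain publishes and reports which of the
three mechanisms are missing or configured too loosely to stop spoofing.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TxtLookup = Callable[[str], List[str]]  # DNS name -> TXT strings at that name

# Constructed sample zone; none of these names are real and the DKIM key is a placeholder.
SAMPLE_ZONE: Dict[str, List[str]] = {
    # Fully configured: SPF ending in hard fail, a DKIM key, DMARC enforcing.
    "good.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s"],
    # Weak: neutral SPF, DMARC in monitor mode, no DKIM key for the known selector.
    "weak.example": ["v=spf1 include:_spf.mail.example ?all", "site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    # Bare: nothing published at all.
    "bare.example": [],
}


def sample_lookup(name: str) -> List[str]:
    """Offline stand-in for a DNS TXT query against the constructed zone."""
    return SAMPLE_ZONE.get(name.lower(), [])


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'k=v; k=v' tag list (DKIM and DMARC records share this syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Qualifier of the terminal 'all' mechanism: '+', '-', '~' or '?'.

    None means the record has no 'all' term: the result then defaults to
    neutral unless a redirect= modifier (not followed here) supplies one.
    """
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


@dataclass
class EmailAuthReport:
    domain: str
    spf_record: Optional[str] = None
    spf_all_qualifier: Optional[str] = None
    dkim_selectors_found: List[str] = field(default_factory=list)
    dmarc_policy: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def assess(domain: str, lookup: TxtLookup, selectors: List[str]) -> EmailAuthReport:
    """Check SPF, DKIM (for the given selectors) and DMARC for one domain."""
    report = EmailAuthReport(domain)

    # SPF is a TXT record at the domain itself; RFC 7208 allows exactly one v=spf1 record.
    spf = [r for r in lookup(domain) if r.strip().lower().startswith("v=spf1")]
    if not spf:
        report.findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        report.findings.append(f"SPF: {len(spf)} v=spf1 records published; exactly one is allowed")
    else:
        report.spf_record = spf[0]
        report.spf_all_qualifier = spf_all_qualifier(spf[0])
        if report.spf_all_qualifier not in ("-", "~"):
            report.findings.append("SPF: terminal 'all' is missing or permissive; end the record with -all or ~all")

    # DKIM selectors cannot be enumerated from DNS, so the caller supplies the ones in use.
    for selector in selectors:
        for r in lookup(f"{selector}._domainkey.{domain}"):
            if parse_tags(r).get("p"):  # an empty p= means the key was revoked
                report.dkim_selectors_found.append(selector)
                break
    if not report.dkim_selectors_found:
        report.findings.append("DKIM: no public key published for any known selector")

    # DMARC lives at _dmarc.<domain>; only quarantine/reject tell receivers to act on failures.
    dmarc = [parse_tags(r) for r in lookup(f"_dmarc.{domain}") if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        report.findings.append(f"DMARC: no v=DMARC1 record at _dmarc.{domain}")
    else:
        tags = dmarc[0]
        report.dmarc_policy = tags.get("p", "").lower() or None
        if report.dmarc_policy not in ("quarantine", "reject"):
            report.findings.append(f"DMARC: p={report.dmarc_policy or 'missing'} does not enforce; use quarantine or reject")
        if "rua" not in tags:
            report.findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return report


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "bare.example"):
        rep = assess(name, sample_lookup, ["s1"])
        print(f"{name}: {'OK' if rep.compliant else 'FINDINGS'}")
        for finding in rep.findings:
            print("  -", finding)
```

Running the script reports `good.example` as clean and lists three findings each for `weak.example` (neutral `?all`, no DKIM key for selector `s1`, DMARC `p=none`) and `bare.example` (nothing published). The DKIM check takes the selector list as input because selectors are chosen by the sending platform and are not discoverable by querying DNS; the operator validating a domain has to know which ones are in use.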
2-5-1 Cybersecurity requirements for network security management must be defined, documented and approved.

2-5-2 The cybersecurity requirements for network security management must be implemented.

2-5-3 The cybersecurity requirements for network security management must include at least the following:
2-5-3-1 Logical or physical segregation and segmentation of network segments using firewalls and defense-in-depth principles.
2-5-3-2 Network segregation between production, test and development environments.
2-5-3-3 Secure browsing and Internet connectivity, including restrictions on the use of file storage/sharing and remote access websites, and protection against suspicious websites.
2-5-3-4 Wireless network protection using strong authentication and encryption techniques. A comprehensive risk assessment and management exercise must be conducted to assess and manage the cyber risks prior to connecting any wireless networks to the organization's internal network.
2-5-3-5 Management and restrictions on network services, protocols and ports.
2-5-3-6 Intrusion Prevention Systems (IPS).
2-5-3-7 Security of Domain Name Service (DNS).
2-5-3-8 Secure management and protection of the Internet browsing channel against Advanced Persistent Threats (APT), which normally utilize zero-day viruses and malware.
2-5-3-9 Protecting against Distributed Denial of Service (DDoS) attacks to limit risks arising from these attacks.

2-5-4 The cybersecurity requirements for network security management must be reviewed periodically.

2-6-1 Cybersecurity requirements for mobile devices security and BYOD must be defined, documented and approved.

2-6-2 The cybersecurity requirements for mobile devices security and BYOD must be implemented.

2-6-3 The cybersecurity requirements for mobile devices security and BYOD must include at least the following:
2-6-3-1 Separation and encryption of the organization's data and information stored on mobile devices and BYODs.
2-6-3-2 Controlled and restricted use based on job requirements.
2-6-3-3 Secure wiping of the organization's data and information stored on mobile devices and BYOD in cases of device loss, theft or after termination/separation from the organization.
2-6-3-4 Security awareness for mobile devices users.

2-6-4 The cybersecurity requirements for mobile devices security and BYOD must be reviewed periodically.

2-7-1 Cybersecurity requirements for protecting and handling data and information must be defined, documented and approved as per the related laws and regulations.

2-7-2 The cybersecurity requirements for protecting and handling data and information must be implemented.

2-7-3 The cybersecurity requirements for protecting and handling data and information must include at least the applicable requirements in the Data Cybersecurity Controls published by NCA.

2-7-4 The cybersecurity requirements for protecting and handling data and information must be reviewed periodically.

2-8-1 Cybersecurity requirements for cryptography must be defined, documented and approved.

2-8-2 The cybersecurity requirements for cryptography must be implemented.

2-8-3 The cybersecurity requirements for cryptography must include at least the requirements in the National Cryptographic Standards published by NCA. Each organization is required to choose and implement the appropriate cryptographic standard level based on the nature and sensitivity of the data, systems and networks to be protected, based on the organization's risk assessment, and as per related laws and regulations, according to the following:
2-8-3-1 Approved cryptographic system and solution standards and their technical and regulatory limitations.
2-8-3-2 Secure management of cryptographic keys during their lifecycles.
2-8-3-3 Encryption of data in transit, at rest and while processing, as per classification and related laws and regulations.

2-8-4 The cybersecurity requirements for cryptography must be reviewed periodically.

2-9-1 Cybersecurity requirements for backup and recovery management must be defined, documented and approved.

2-9-2 The cybersecurity requirements for backup and recovery management must be implemented.

2-9-3 The cybersecurity requirements for backup and recovery management must include at least the following:
2-9-3-1 Scope and coverage of backups to cover critical technology and information assets.
2-9-3-2 Ability to perform quick recovery of data and systems after cybersecurity incidents.
2-9-3-3 Periodic tests of backup recovery effectiveness.

2-9-4 The cybersecurity requirements for backup and recovery management must be reviewed periodically.

2-10-1 Cybersecurity requirements for technical vulnerabilities management must be defined, documented and approved.

2-10-2 The cybersecurity requirements for technical vulnerabilities management must be implemented.

2-10-3 The cybersecurity requirements for technical vulnerabilities management must include at least the following:
2-10-3-1 Periodic vulnerabilities assessments.
2-10-3-2 Vulnerabilities classification based on criticality level.
2-10-3-3 Vulnerabilities remediation based on classification and associated risk levels.
2-10-3-4 Security patch management.
2-10-3-5 Subscription with authorized and trusted cybersecurity resources for up-to-date information and notifications on technical vulnerabilities.

2-10-4 The cybersecurity requirements for technical vulnerabilities management must be reviewed periodically.

2-11-1 Cybersecurity requirements for penetration testing exercises must be defined, documented and approved.

2-11-2 The cybersecurity requirements for penetration testing processes must be implemented.

2-11-3 The cybersecurity requirements for penetration testing processes must include at least the following:
2-11-3-1 Scope of penetration tests, which must cover Internet-facing services and their technical components, including infrastructure, websites, web applications, mobile apps, email and remote access.
2-11-3-2 Conducting penetration tests periodically.

2-11-4 Cybersecurity requirements for penetration testing processes must be reviewed periodically.

2-12-1 Cybersecurity requirements for event logs and monitoring management must be defined, documented and approved.

2-12-2 The cybersecurity requirements for event logs and monitoring management must be implemented.

2-12-3 The cybersecurity requirements for event logs and monitoring management must include at least the following:
2-12-3-1 Activation of cybersecurity event logs on critical information assets.
2-12-3-2 Activation of cybersecurity event logs on remote access and privileged user accounts.
2-12-3-3 Identification of required technologies (e.g., SIEM) for cybersecurity event logs collection.
2-12-3-4 Continuous monitoring of cybersecurity events.
2-12-3-5 Retention period for cybersecurity event logs (must be 12 months minimum).
The cybersecurity requirements for event logs and
monitoring management must be reviewed
periodically.
Requirements for cybersecurity incidents and threat
management must be defined, documented and
approved.
The requirements for cybersecurity incidents and
threat management must be implemented.
The requirements for cybersecurity incidents and
threat management must include at least the
following:
Cybersecurity incident response plans and
escalation procedures.
Cybersecurity incidents classification.
Cybersecurity incidents reporting to NCA.

Sharing incidents notifications, threat intelligence,


breach indicators and reports with NCA.

Collecting and handling threat intelligence feeds.

The requirements for cybersecurity incidents and


threat management must be reviewed periodically.

Cybersecurity requirements for physical protection


of information and technology assets must be
defined, documented and approved.
The cybersecurity requirements for physical
protection of information and technology assets
must be implemented.
The cybersecurity requirements for physical
protection of information and technology assets
must include at least the following:

Authorized access to sensitive areas within the


organization (e.g., data center, disaster recovery
center, sensitive information processing facilities,
security surveillance center, network cabinets).

Facility entry/exit records and CCTV monitoring.


Protection of facility entry/exit and surveillance
records.
Secure destruction and re-use of physical assets
that hold classified information (including
documents and storage media).
Security of devices and equipment inside and
outside the organization’s facilities
The cybersecurity requirements for physical
protection of information and technology assets
must be reviewed periodically.
Cybersecurity requirements for external web
applications must be defined, documented and
approved.
The cybersecurity requirements for external web
applications must be implemented.
The cybersecurity requirements for external web
applications must include at least the following:
Use of web application firewall.
Adoption of the multi-tier architecture principle.
Use of secure protocols (e.g., HTTPS).
Clarification of the secure usage policy for users.
User authentication based on defined number and
factors of authentication, as a result of impact
assessment of authentication failure and bypass for
users' access
The cybersecurity requirements for external web
applications must be reviewed periodically.

Critical Systems Cybersecurity Controls
In addition to the controls under subdomain 2-1 of the basic controls for cybersecurity, the cybersecurity requirements for the management of information and technology assets should include, at a minimum, the following:
Maintaining an annually updated list of all assets of critical systems.
Identifying asset owners and involving them in the asset management life cycle of critical systems.
In addition to the sub-controls under Control 2-2-3 in the basic controls for cybersecurity, the cybersecurity requirements related to managing access identities and permissions for critical systems in the entity must cover, at a minimum, the following:
Prohibiting remote access from outside the Kingdom of Saudi Arabia.
Restricting remote access from inside the Kingdom, provided that it is verified by the entity's security operations center at every login, and continuously monitoring remote access-related activities.
Multi-factor authentication (MFA) for all users.
Multi-factor authentication (MFA) for critical users and for the systems used to manage and monitor the critical systems mentioned in Control 4-1-3-2.
Preparing password standard controls taking into consideration best practices and implementation.
Using safe methods and algorithms to store and process passwords, e.g., using a hashing function.
Secure management of service accounts between applications and systems, and disabling interactive human login through them.
With the exception of database administrators, direct access or interaction of any user with databases is prohibited; access is through applications only, based on the powers conferred on them, taking into account the implementation of security solutions that limit or prevent database administrators from accessing classified data.
Going back to Control 2-2-3-5 in Basic Controls for Cybersecurity, access identities on critical systems should be reviewed at least once every three months.
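The password items above (a password standard, hashed storage, and the three-monthly identity review) are stated as requirements only. As an added illustration that is not part of the NCA control text, the following Python shows the storage pattern the "hashing function" item calls for: a salted, memory-hard hash (scrypt from the standard library) with constant-time verification, placed next to the unsalted fast hash it replaces. The cost parameters and record format are assumed values chosen for the example.

```python
"""Added example, not part of the NCA control text: storing and verifying
passwords with a salted, slow hash instead of a plain or fast hash.
Standard library only (hashlib.scrypt, hmac, secrets)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed cost parameters for the example; tune them to your hardware and to
# the cryptographic standard level the organization has chosen.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def weak_hash_password(password: str) -> str:
    """The pattern the control steers away from: one unsalted, fast hash.
    Equal passwords give equal digests, so precomputed tables and GPU
    guessing work against the whole user table at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$key_hex'.
    A fresh random salt per user means equal passwords give different
    records, and the parameters travel with the record so they can be
    raised later without breaking existing users."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored parameters and compare in constant
    time, so the comparison itself leaks nothing about how many bytes match."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    actual = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)
```

The record stores the salt and parameters alongside the derived key, which is what lets the verification side stay stateless; the same approach applies to any of the other slow hashes the organization's standard permits.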

In addition to the sub-controls under Control 2-3-3 in the Basic Controls of Cybersecurity, the cybersecurity requirements to protect critical systems and their information processing devices must cover, at a minimum, the following:
Allowing only a specific whitelist of applications and programs to run on critical systems.
Protecting servers of critical systems with end-point protection technologies approved by the organization.
Applying security fixes and update patches at least once a month to critical external systems connected to the Internet, and at least every three months to internal critical systems, following the change mechanisms approved by the entity.
Allocating workstations for technical staff with privileged accounts, provided that they are isolated in a private management network and not linked to any other network or service (e.g., e-mail service, the Internet).
Encrypting any non-console administrative access to any of the technical components of critical systems, using secure encryption algorithms and protocols.
Reviewing the configuration and hardening of critical systems (Secure Configuration and Hardening) at least every six months.
Reviewing and modifying the factory configuration (Default Configuration) and ensuring that there are no hard-coded, backdoor or default passwords, as applicable.
Protecting systems' critical records and files from unauthorized access, tampering, alteration or deletion.
In addition to the sub-controls within Control 3-5-2 in the Basic Controls of Cybersecurity, the cybersecurity requirements for managing the security of the networks of the entity's critical systems must cover, at a minimum, the following:
Isolation and physical or logical partitioning of networks of critical systems.
Reviewing firewall configuration and lists at least every six months.
Preventing direct connection of any device to the local network of critical systems, except after examining it and ensuring the availability of the verified protection elements for the acceptable levels of critical systems.
Preventing critical systems from connecting to the wireless network.
Network-level Advanced Persistent Threat (APT) protection.
Preventing critical systems from connecting to the Internet if they provide an internal service to the entity and there is no strictly necessary need to access the service from outside the entity.
Provision of critical systems services through networks independent of the Internet, in the event that the services of those systems are directed to limited parties and not to individuals.
Distributed Denial of Service (DDoS) attack protection.
Allowing whitelisting only for firewall lists of critical systems.
In addition to the sub-controls within Control 2-6-3 in the Basic Controls of Cybersecurity, the cybersecurity requirements related to the security of mobile devices and BYOD devices of the entity must cover, at a minimum, the following:
Restricting access from mobile devices to critical systems, except for a temporary period only, after conducting a risk assessment and obtaining the necessary approvals from the department concerned with cybersecurity in the entity.
Full disk encryption for mobile devices with access to critical systems.
In addition to the sub-controls within Control 2-7-3 in the Basic Controls of Cybersecurity, the cybersecurity requirements for data and information protection must cover, at a minimum, the following:
Not using critical system data in any environment other than the production environment, except after applying strict controls to protect that data, such as data masking or data scrambling techniques.
Categorizing all critical systems data.
Protecting classified data of critical systems through Data Leakage Prevention techniques.
Determining the required retention period for business data related to critical systems according to the relevant legislation, and keeping only required data in production environments of critical systems.
Preventing the transfer of any production environment data of critical systems to any other environment.
In addition to the sub-controls under Control 2-8-3 of the Basic Cybersecurity Controls, the cryptographic cybersecurity requirements should cover, at a minimum, the following:
Encrypting all critical systems data during transfer (Data-In-Transit).
Encrypting all critical systems data while stored (Data-At-Rest), at the level of files, the database, or specific columns within the database.
Using updated and secure methods, algorithms, keys and encryption devices in accordance with what is issued by the NCA in this regard.
In addition to the sub-controls under Control 3-9-2 in the Basic Cybersecurity Controls, the cybersecurity requirements for managing backups should cover, at a minimum, the following:
The scope of online and offline backups to include all critical systems.
Making backups at planned intervals based on the entity's risk assessment; the Commission recommends that backup copies of critical systems be made on a daily basis.
Secure access, storage and transmission of backup content and media for critical systems, and protecting them from unauthorized destruction, modification or viewing.
Referring to Control 2-9-3-3 in Basic Cybersecurity Controls, a periodic check is required at least every three months to determine the effectiveness of restoring backups of critical systems.
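The backup items above (and the ECC item "periodic tests of backup recovery effectiveness") require a quarterly restore test but do not say what the test consists of. The following is an added example, not from the NCA text, of the minimal drill a practitioner can script: snapshot a directory into an archive together with a SHA-256 manifest, restore it into a scratch location, and compare every restored file against the manifest, including a deliberately corrupted restore to confirm the check fails when it should. The sample files, paths and contents are constructed inside a temporary directory.

```python
"""Added example, not NCA tooling: a scripted backup-and-restore drill that
verifies every restored file against a SHA-256 manifest. Standard library only."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tar of src and return the manifest taken at backup time.
    The manifest is what makes the later restore test meaningful."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # 'data' filter refuses absolute paths and '..' members
            tar.extractall(dest, filter="data")
        except TypeError:  # interpreter without the filter argument
            tar.extractall(dest)


def verify_restore(dest: Path, manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the restore matches."""
    problems = []
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def run_drill() -> Tuple[int, List[str], List[str]]:
    """Back up a constructed tree, restore it, verify, then corrupt one
    restored file and verify again. Returns (files backed up, problems on
    the clean restore, problems on the corrupted restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "critical_system"          # constructed sample tree
        (src / "db").mkdir(parents=True)
        (src / "config.yaml").write_text("listen: 127.0.0.1\n")
        (src / "db" / "records.csv").write_text("id,value\n1,alpha\n2,beta\n")

        archive = root / "backup.tar.gz"
        manifest = create_backup(src, archive)

        dest = root / "restore_test"
        restore(archive, dest)
        clean = verify_restore(dest, manifest)

        # Simulate a damaged restore to show the drill catches it.
        (dest / "db" / "records.csv").write_text("id,value\n1,alpha\n")
        damaged = verify_restore(dest, manifest)
        return len(manifest), clean, damaged
```

In a real drill the restore target is a separate host and the archive comes from the offline copy, but the verification step is the same: a manifest captured at backup time, compared file by file after restore, with the result recorded as evidence for the quarterly review.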

In addition to the sub-controls under Control 2-10-3 in the Cybersecurity Core Controls, the cybersecurity requirements for vulnerability management for critical systems should cover, at a minimum, the following:
Using reliable means and tools to find vulnerabilities.
Vulnerability assessment and remediation (by installing updates and fix packages) on technical components of critical systems, at least once a month for critical external systems connected to the Internet, and at least every three months for critical internal systems.
Immediate remediation of newly discovered critical vulnerabilities, following the change management mechanisms approved by the entity.
Referring to Control 2-10-3-1 in Basic Cybersecurity Controls, vulnerabilities on technical components of critical systems should be scanned for and discovered at least once a month.
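The cadence above (monthly remediation for Internet-connected critical systems, quarterly for internal ones, immediate remediation of newly discovered critical vulnerabilities, monthly scanning) is easy to state and easy to lose track of across hundreds of findings. The following added Python, which is not part of the NCA text, turns that cadence into due dates for a constructed set of findings and lists the overdue ones. The concrete day counts for "monthly", "quarterly" and "immediate", the severity scale and the finding identifiers are assumptions made for the example.

```python
"""Added example, not NCA tooling: remediation due dates derived from the
CSCC vulnerability-management cadence, applied to constructed findings."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Assumed concrete values for the cadence words used in the control text.
IMMEDIATE_DAYS = 0       # "immediate" for critical-severity findings
MONTHLY_DAYS = 30        # Internet-connected critical systems
QUARTERLY_DAYS = 90      # internal critical systems
SCAN_INTERVAL_DAYS = 30  # CSCC 2-10-3-1: scan at least once a month


@dataclass(frozen=True)
class Finding:
    vuln_id: str                     # scanner reference; placeholders below
    asset: str
    internet_facing: bool
    severity: str                    # assumed scale: critical/high/medium/low
    discovered: date
    remediated: Optional[date] = None


def remediation_deadline(f: Finding) -> date:
    """Due date according to the cadence stated in the control text."""
    if f.severity == "critical":
        return f.discovered + timedelta(days=IMMEDIATE_DAYS)
    if f.internet_facing:
        return f.discovered + timedelta(days=MONTHLY_DAYS)
    return f.discovered + timedelta(days=QUARTERLY_DAYS)


def overdue(findings: Iterable[Finding], today: date) -> List[str]:
    """IDs of still-open findings whose due date has passed, earliest first."""
    late = [f for f in findings
            if f.remediated is None and remediation_deadline(f) < today]
    late.sort(key=remediation_deadline)
    return [f.vuln_id for f in late]


def scan_cadence_ok(last_scan: date, today: date) -> bool:
    """True while the last scan is within the monthly scanning interval."""
    return (today - last_scan).days <= SCAN_INTERVAL_DAYS


# Constructed sample data; the IDs are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("FINDING-0001", "web-portal", True, "high", date(2024, 1, 1)),
    Finding("FINDING-0002", "hr-db", False, "high", date(2024, 1, 1)),
    Finding("FINDING-0003", "vpn-gw", True, "critical", date(2024, 2, 10)),
    Finding("FINDING-0004", "web-portal", True, "medium", date(2024, 1, 20),
            remediated=date(2024, 2, 1)),
]
```

Run against the sample with `overdue(SAMPLE_FINDINGS, date(2024, 2, 15))`: the Internet-facing finding from 1 January is past its 30-day window, the critical one from 10 February was due the day it was found, the internal finding still has until the end of March, and the remediated one is ignored. The same report, produced from the real scanner export, is the evidence the quarterly review asks for.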

In addition to the sub-controls under Control 2-11-3 in the Basic Cybersecurity Controls, the cybersecurity requirements for penetration testing of critical systems should cover, at a minimum, the following:
The scope of penetration testing work to include all technical components of critical systems and all services provided internally and externally.
Penetration testing done by a qualified team.
Referring to Control 2-11-3-2 in Basic Controls for Cybersecurity, penetration testing must be done on critical systems at least every six months.
In addition to the sub-controls in ECC control 2-12-3, cybersecurity requirements for event logs and monitoring management for critical systems must include at least the following:
Activating cybersecurity event logs on all technical components of critical systems.
Enabling and monitoring alerts and event logs related to File Integrity Management.
User Behavior Analytics (UBA).
Monitoring event logs of critical systems around the clock.
Maintaining and protecting logs of cybersecurity incidents related to critical systems, provided that they are comprehensive and include full details (e.g., time, date, identity, affected system).
Referring to Control 2-12-3-5 in Basic Controls for Cybersecurity, the retention period of cybersecurity event logs on critical systems must not be less than 18 months, according to the relevant legislative and regulatory requirements.
In addition to the sub-controls under Control 2-15-3 in Basic Controls for Cybersecurity, the cybersecurity requirements to protect external web applications of the entity's critical systems must cover, at a minimum, the following:
Secure session management, including authenticity, lockout and timeout.
Implementing application security and protection standards (OWASP Top Ten) at a minimum.
Referring to Control 2-15-3-2 in Basic Controls for Cybersecurity, the principle of multi-tier architecture must be used, provided that the number of tiers is not less than 3 (3-Tier Architecture).
Cybersecurity requirements must be identified, documented and approved to protect the internal applications of the entity's critical systems from cyber risks.
Cybersecurity requirements must be applied to protect the internal applications of the entity's critical systems.
Cybersecurity requirements to protect the internal applications of the entity's critical systems must cover, at a minimum, the following:
Using the principle of multi-tier architecture, provided that the number of tiers is not less than 3 (3-Tier Architecture).
Using secure protocols (such as HTTPS).
Clarifying the acceptable use policy for users.
Secure session management, including authenticity, lockout and timeout.
Periodically reviewing the cybersecurity requirements to protect the internal applications of the entity's critical systems.
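"Secure session management, including authenticity, lockout and timeout" appears in both the external and the internal application lists above without saying what each property looks like in code. The following added example, which is not from the NCA text, shows the session side of that item: a server-side session store whose tokens carry an HMAC so a tampered or forged identifier is rejected (authenticity), with an idle limit and an absolute limit after which the session is terminated on the server (timeout), plus explicit termination on logout. Lockout is an account-level control applied at login rather than on the token and is left out here. The timeout values and the injectable clock are assumptions made for the example.

```python
"""Added example, not NCA or vendor code: server-side sessions with signed
identifiers, idle and absolute timeouts, and explicit termination."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # assumed: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: 8 hours from login regardless of use


class SessionStore:
    """Keeps session state on the server; the client only holds a token."""

    def __init__(self, secret_key: bytes, clock: Callable[[], float] = time.time):
        self._key = secret_key            # rotate with the application's key material
        self._clock = clock               # injectable for testing
        self._sessions: Dict[str, dict] = {}

    def _sign(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode("ascii"), hashlib.sha256).hexdigest()

    def create(self, user: str) -> str:
        """Start a session after successful authentication; returns the token."""
        sid = secrets.token_urlsafe(32)   # unguessable, never derived from user data
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return f"{sid}.{self._sign(sid)}"

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live, authentic token; otherwise None.
        Expired sessions are removed so they cannot be revived."""
        sid, _, sig = token.rpartition(".")
        if not sid or not hmac.compare_digest(sig, self._sign(sid)):
            return None                   # forged or altered token
        sess = self._sessions.get(sid)
        if sess is None:
            return None                   # unknown, logged out, or already expired
        now = self._clock()
        if (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[sid]
            return None
        sess["last_seen"] = now           # activity extends the idle window only
        return sess["user"]

    def terminate(self, token: str) -> None:
        """Logout: drop the server-side record; the token is then useless."""
        sid = token.rpartition(".")[0]
        self._sessions.pop(sid, None)
```

Because the authoritative state lives on the server, a stolen token stops working the moment the session is terminated or expires, which a purely client-side expiry claim could not guarantee.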

Data Cybersecurity Controls
In addition to the subcontrols in ECC control 2-2-3, the cybersecurity requirements for identity and access management must cover at least the following:
Strict restriction to allow only the minimum number of personnel accessing, viewing and sharing data, based on lists of privileges limited to Saudi-national employees unless exempted by the Authorizing Official (the head of the organization or his/her delegate), and those lists are approved by the Authorizing Official.
Prohibiting the sharing of approved lists of privileges with unauthorized persons.
Managing identities and access rights to view data using Privileged Access Management systems.
In addition to ECC subcontrol 2-2-3-5, the approved lists of privileges and the privileges used to handle data must be reviewed as specified for each data classification level.
In addition to the subcontrols in ECC control 2-3-3, cybersecurity requirements for Information System and Processing Facilities Protection must include at least the following:
Applying security patches and updates from the time of announcement on systems used to handle data, as specified for each data classification level.
Reviewing the secure configuration and hardening of systems used to handle data, as specified for each data classification level.
Reviewing and hardening the default configuration (e.g., default passwords and backgrounds) of the technology assets used to handle the data.
Disabling the Print Screen or Screen Capture features on the devices that create or process documents.
In addition to the subcontrols in ECC control 2-6-3, cybersecurity requirements for mobile devices must cover at least the following:
Centrally managing the organization's owned mobile devices using a Mobile Device Management (MDM) system and activating the remote wipe feature.
Centrally managing BYOD devices using a Mobile Device Management (MDM) system and activating the remote wipe feature.
In addition to the subcontrols in ECC control 2-7-3, cybersecurity requirements for data and information protection must cover at least the following:
Using the Watermark feature to label the whole document when creating, storing and printing, on the screen and on each copy, so that the mark can be traced to the user or device level.
Using Data Leakage Prevention technologies and Rights Management technologies.
Prohibiting the use of data in any environment other than the production environment, except after conducting a risk assessment and applying controls to protect that data, such as data masking or data scrambling techniques.
Using a brand protection service to protect the organization's identity from impersonation.
In addition to the subcontrols in ECC control 2-8-3, cybersecurity requirements for cryptography must cover at least the following:
Using secure and up-to-date cryptographic methods and algorithms when creating, storing and transmitting data, and for the overall network communication medium, as per the requirements of the "advanced level" in the National Cryptographic Standards (NCS-1:2020).
Using secure and up-to-date cryptographic methods and algorithms when creating, storing and transmitting data, and for the overall network communication medium, as per the requirements of the "moderate level" in the National Cryptographic Standards (NCS-1:2020).
Cybersecurity requirements for secure data disposal must cover at least the following:
Identification of technologies, tools and procedures for the implementation of secure data disposal according to the data classification level.
When storage media is no longer needed, it must be securely disposed of by using the technologies, tools and procedures identified in subcontrol 2-6-1-1.
When storage media needs to be re-used, data must be securely erased (secure erasure) in a manner in which it cannot be recovered.
Implementation of the secure data disposal or erasure operations referred to in subcontrols 2-6-1-2 and 2-6-1-3 must be verified.
Keeping a record of all secure data disposal and erasure operations that have been conducted.
The implementation of the secure data disposal requirements must be reviewed as specified for each data classification level.
Cybersecurity requirements for printers, scanners and copy machines must be defined, documented and approved.
Cybersecurity requirements for printers, scanners and copy machines must be implemented.
Cybersecurity requirements for printers, scanners and copy machines must cover at least the following:
Disabling the temporary storage feature.
Enabling authentication on centralized printers, scanners and copy machines and requiring it before usage.
Securely retaining (for a period not less than 12 months) logs of printers, scanners and copy machines usage.
Enabling and protecting CCTV logs which are used to monitor centralized printers, scanners and copy machines areas.
Using cross-shredding devices to securely dispose of documents when no longer needed.
Implementation of cybersecurity requirements for printers, scanners and copy machines must be reviewed as specified for each data classification level.

Organizations' Social Media Accounts Cybersecurity Controls
In addition to the controls within subdomain 2-1 in the ECC, cybersecurity requirements for managing information and technology assets must include at least the following:
Identifying and inventorying the organization's social media accounts, and the information and technology assets related to them, and updating them at least once every year.
In addition to the subcontrols within control 2-2-3 in the ECC, cybersecurity requirements for identity and access management related to the organization's social media accounts must include at least the following:
Using social media accounts designated for organizations, not individuals.
Registering using official information (an official social-media-specific email and an official mobile number), and not using personal information.
Verifying the organization's social media accounts whenever possible and maintaining a consistent identity across all of the organization's social media accounts used, to facilitate recognition of official accounts and to discover fraudulent or unofficial accounts.
Using a secure and distinct password for each of the organization's social media accounts, changing the password regularly, and not reusing passwords.
Using multi-factor authentication for logins to the organization's social media accounts.
Activating and updating security questions and documenting them in a safe place.
Managing access rights to the organization's social media accounts based on business need, considering the sensitivity of the accounts, the level of access rights and the type of devices and systems used.
Restricting access rights of service providers of social media management, social media monitoring or brand protection.
Restricting access to the organization's social media accounts to specific devices.
With reference to ECC subcontrol 2-2-3-5, user identities and access rights used for the organization's social media accounts must be reviewed at least once every year.
In addition to the subcontrols in ECC control 2-3-3, cybersecurity requirements for protecting the organization's social media accounts and the technology assets related to them must include at least the following:
Applying updates and security patches for social media applications at least once a month.
Reviewing configurations and hardening of the organization's social media accounts and the technology assets related to them at least once a year.
Reviewing and hardening default configurations, such as default passwords, pre-login and lockout, for the organization's social media accounts and the technology assets related to them.
Restricting activation of features and services in social media accounts on a need basis, and carrying out a risk assessment if there is a need to activate them.
In addition to the subcontrols within control 2-6-3 in the ECC, cybersecurity requirements for mobile device security related to the organization's social media accounts must include at least the following:
Centrally managing mobile devices for the organization's social media accounts using a Mobile Device Management (MDM) system.
Applying updates and security patches on mobile devices at least once every month.
In addition to the subcontrols in ECC control 2-7-3, cybersecurity requirements for protecting and handling data and information for the organization's social media accounts must include at least the following:
Technology assets for management of the organization's social media accounts must not contain classified data, per relevant regulations.
In addition to the subcontrols in ECC control 2-12-3, cybersecurity requirements for event logs and monitoring management for the organization's social media accounts and the technology assets related to them must include at least the following:
Activating all notifications and cybersecurity alerts for the organization's social media accounts, and cybersecurity event logs on related technology assets.
Following the organization's social media accounts and monitoring them to ensure that they do not post any unauthorized content and that no unauthorized login or access occurs.
Monitoring social media networks to ensure the organization is not being impersonated.
Automated monitoring for any change in the accounts' pattern, indicators of compromise, or the publication of any unauthorized content or impersonation of the organization.
In addition to the subcontrols within control 2-13-3 in the ECC, cybersecurity requirements for incident and threat management in the organization must include at least the following:
Developing a plan to recover the organization's social media accounts and to deal with cyber incidents.

Telework Cybersecurity Controls
In addition to the controls within subdomain 2-1 in the ECC, cybersecurity requirements for asset management related to telework systems should include at least the following:
Identifying and maintaining an annually updated inventory of information and technology assets of the telework systems.
In addition to the sub-controls within control 2-2-3 in the ECC, cybersecurity requirements for identity and access management related to telework systems shall include at least the following:
Managing telework access rights based on need, considering the sensitivity of the systems, the level of access rights and the type of devices used by employees for telework.
Restricting remote access for the same user from multiple computers at the same time (concurrent logins).
Using secure standards to manage identities and passwords used in the telework systems.
With reference to ECC sub-control 2-2-3-5, user identities and access rights used for teleworking must be reviewed at least once every year.
In addition to the sub-controls in ECC control 2-3-3, cybersecurity requirements for protecting telework systems and information processing facilities must include at least the following:
Applying updates and security patches for telework systems at least once every month.
Reviewing telework systems' configurations and hardening at least once every year.
Reviewing and changing default configurations, and ensuring the removal of hard-coded, backdoor and/or default passwords.
Secure session management, which includes session authenticity, lockout and timeout.
Restricting the activation of the features and services of the telework systems based on need, provided that potential cyber risks are analyzed in case there is a need to activate them.
In addition to the sub-controls in ECC control 2-5-3, cybersecurity requirements for telework systems' network security management must include at least the following:
Restrictions on network services, protocols and ports used for remote access, specifically to internal systems, which are to be opened only based on need.
Reviewing firewall rules and configurations at least once every year.
Protecting against Distributed Denial of Service (DDoS) attacks to limit risks arising from these attacks.
Protecting against Advanced Persistent Threats (APT) at the network layer.
In addition to the sub-controls within control 2-6-3 in the ECC, cybersecurity requirements for mobile device security related to telework systems shall include at least the following:
Central management of mobile devices and BYODs using a Mobile Device Management (MDM) system.
Applying updates and security patches on mobile devices at least once every month.
In addition to the sub-controls in ECC control 2-7-3, cybersecurity requirements for protecting and handling data and information must include at least the following:
Identifying classified data, according to the relevant regulations, that can be used, accessed or dealt with through telework systems.
Protecting the classified data identified in control 2-6-1-1, using controls such as not allowing the use of a specific type of classified data, or the use of technology (e.g., Data Leakage Prevention); such controls and technologies can be determined by analyzing the cyber risks of the organization.
In addition to the sub-controls within control 2-8-3 in the ECC, cybersecurity requirements for cryptography related to telework systems shall include at least the following:
The use of updated and secure methods and algorithms for encryption over the entire network connection used for telework, according to the Advanced level within the National Cryptography Standards (NCS 1:2020).
In addition to the subcontrols in ECC control 2-9-3, cybersecurity requirements for backup and recovery management must include at least the following:
Performing backups within planned intervals, according to the organization's risk assessment.
With reference to ECC subcontrol 2-9-3-3, a periodical test must be conducted at least once every six months in order to determine the efficiency of recovering telework systems backups.
In addition to the subcontrols in ECC control 2-10-3, cybersecurity requirements for technical vulnerabilities management of telework systems must include at least the following:
Assessing vulnerabilities on technical components of telework systems, and classifying them based on criticality, at least once every three months.
Remediating vulnerabilities for telework systems at least once every three months.
In addition to the sub-controls within control 2-11-3 in the ECC, cybersecurity requirements for penetration testing related to telework systems shall include at least the following:
Scope of penetration tests must cover all of the telework systems' technical components.
With reference to ECC subcontrol 2-11-3-2, penetration tests must be conducted on telework systems at least once every year.
In addition to the subcontrols in ECC control 2-12-3, cybersecurity requirements for event logs and monitoring management for telework systems must include at least the following:
Activating cybersecurity event logs on all technical components of telework systems.
Monitoring and analyzing user behavior (UBA).
Monitoring telework systems events around the clock.
Updating and implementing cybersecurity monitoring procedures around the clock, to include monitoring remote access operations, especially remote access from outside the Kingdom of Saudi Arabia, after checking their authenticity.
With reference to ECC sub-control 2-12-3-5, the retention period of telework systems' cybersecurity event logs must be 12 months minimum, in accordance with relevant legislative and regulatory requirements.
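The logging and monitoring items in the ECC, the critical-systems section and the telework section above all ask for the same things: event logs on remote access and privileged accounts, round-the-clock monitoring, and particular attention to remote access from outside the Kingdom. The following added example, not from the NCA text and not a SIEM product's rule syntax, shows what a minimal rule set over such logs looks like when run against a handful of constructed JSON events: it flags remote access from outside the home country, successful remote logins on privileged accounts, and a burst of failed logins on one account. The field names, country code, thresholds and time window are assumptions made for the example.

```python
"""Added example, not NCA or vendor code: a small detection rule set run over
constructed authentication events, one JSON object per line."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

HOME_COUNTRY = "SA"                      # assumed: inside the Kingdom
FAILURE_THRESHOLD = 3                    # assumed burst size
FAILURE_WINDOW = timedelta(minutes=10)   # assumed burst window
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log; field names and values are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00Z", "user": "svc-backup", "privileged": true, "remote": false, "country": "SA", "result": "success"}
{"ts": "2024-03-01T08:05:00Z", "user": "admin-j", "privileged": true, "remote": true, "country": "SA", "result": "success"}
{"ts": "2024-03-01T09:10:00Z", "user": "user-k", "privileged": false, "remote": true, "country": "DE", "result": "success"}
{"ts": "2024-03-01T09:12:00Z", "user": "user-m", "privileged": false, "remote": true, "country": "SA", "result": "failure"}
{"ts": "2024-03-01T09:13:00Z", "user": "admin-j", "privileged": true, "remote": true, "country": "FR", "result": "failure"}
{"ts": "2024-03-01T09:14:00Z", "user": "user-m", "privileged": false, "remote": true, "country": "SA", "result": "failure"}
{"ts": "2024-03-01T09:16:00Z", "user": "user-m", "privileged": false, "remote": true, "country": "SA", "result": "failure"}
"""

Alert = Tuple[str, str, str]   # (rule name, user, timestamp)


def parse_events(text: str) -> List[Dict]:
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], TS_FORMAT)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def evaluate(events: List[Dict]) -> List[Alert]:
    """Apply the three rules in event order and collect alerts."""
    alerts: List[Alert] = []
    failures: Dict[str, deque] = defaultdict(deque)  # user -> recent failure times
    for e in events:
        stamp = e["ts"].strftime(TS_FORMAT)
        # Rule 1: any remote access attempt from outside the home country.
        if e["remote"] and e["country"] != HOME_COUNTRY:
            alerts.append(("remote_access_outside_ksa", e["user"], stamp))
        # Rule 2: a privileged account logged in remotely; worth a human look.
        if e["privileged"] and e["remote"] and e["result"] == "success":
            alerts.append(("privileged_remote_login", e["user"], stamp))
        # Rule 3: repeated failures for one account inside a sliding window.
        if e["result"] == "failure":
            recent = failures[e["user"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > FAILURE_WINDOW:
                recent.popleft()
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append(("repeated_failures", e["user"], stamp))
                recent.clear()  # one alert per burst
    return alerts


def run_sample() -> List[Alert]:
    return evaluate(parse_events(SAMPLE_LOG))
```

The rules deliberately fire on attempts as well as successes for the out-of-country case, because the control prohibits the access itself; a failed attempt from abroad is still something the monitoring team must see.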

In addition to the sub-controls within control 2-13-3 in the ECC, cybersecurity requirements for incident and threat management related to telework systems shall include at least the following:
Updating cybersecurity incident response plans and contact information within the organization in a way that is compatible with the telework situation, to ensure the ability to communicate and the preparedness of the incident response teams.
Periodically obtaining and dealing with threat intelligence information related to telework systems.
Addressing and implementing the recommendations and alerts for cybersecurity incidents and threats issued by the sector regulator or by the National Cybersecurity Authority (NCA).

Cloud Cybersecurity Controls (CCC-T)

In addition to controls in the ECC control 2-1, the CST shall cover the following additional controls for cybersecurity requirements for cybersecurity event logs and monitoring management, as a minimum:
Inventory of all cloud services and information and technology assets related to the cloud services.

In addition to sub-controls in the ECC control 2-2-3, the CST shall cover the following additional sub-controls for cybersecurity requirements for identity and access management, as a minimum:
Identity and access management for all cloud credentials along their full lifecycle.
Confidentiality of cloud user identification, cloud credential and cloud access rights information, including the requirement on users to keep them private (for employees, third-party and CST personnel).
Secure session management, including session authenticity, session lockout, and session timeout termination.
Multi-factor authentication for privileged cloud users.
Formal process to detect and prevent unauthorized access to the cloud (such as a threshold of unsuccessful login attempts).

In addition to sub-controls in the ECC control 2-3-3, the CST shall cover the following additional sub-controls for cybersecurity requirements for information system and processing facilities protection, as a minimum:
Verifying that the CSP isolates the community cloud services provided to CSTs (government organizations and CNI organizations) from any other cloud computing provided to organizations outside the scope of work.

In addition to sub-controls in the ECC control 2-5-3, the CST shall cover the following additional sub-controls for cybersecurity requirements for network security management, as a minimum:
Protecting the connection channel with the CSP.

In addition to sub-controls in the ECC control 2-6-3, the CST shall cover the following additional sub-controls for cybersecurity requirements for mobile device security, as a minimum:
Data sanitization and secure disposal for end-user devices with access to the cloud services.

In addition to sub-controls in the ECC control 2-7-3, the CST shall cover the following additional sub-controls for cybersecurity requirements for protecting the CST's data and information in cloud computing, as a minimum:
Exit strategy to ensure means for secure disposal of data on termination or expiry of the contract with the CSP.
Using secure means to export and transfer data and virtual infrastructure.

In addition to sub-controls in the ECC control 2-8-3, the CST shall cover the following additional sub-controls for cryptography, as a minimum:
Technical mechanisms and cryptographic primitives for strong encryption, in accordance with the advanced level in the National Cryptographic Standards (NCS-1:2020).
Encryption of data and information transferred into or out of the cloud, according to the relevant laws and regulatory requirements.

In addition to sub-controls in the ECC control 2-10-3, the CST shall cover the following additional sub-controls for cybersecurity requirements for vulnerability management, as a minimum:
Assessing and remediating vulnerabilities in cloud services at least once every three months.
Ensuring safeguards are in place for the management of CSP-notified vulnerabilities.

In addition to sub-controls in the ECC control 2-12-3, the CST shall cover the following additional sub-controls for cybersecurity requirements for cybersecurity event logs and monitoring management, as a minimum:
Activating and collecting login event logs and cybersecurity event logs on assets related to cloud services.
Monitoring shall include all activated cybersecurity logs on the cloud services of the CST.

Cybersecurity requirements for key management within the CST shall be identified, documented and approved.
Cybersecurity requirements for key management within the CST shall be applied.
In addition to the ECC sub-control 2-8-3-2, cybersecurity requirements for key management within the CST shall cover, at a minimum, the following:
Ensuring well-defined ownership for cryptographic keys.
A secure data retrieval mechanism in case of cryptographic encryption key loss (such as backup of keys and enforcement of trusted key storage, strictly external to the cloud).
Cybersecurity requirements for key management within the CST shall be applied and reviewed periodically.
Defense domain checklist
Columns: Is it covered by the policy? (Yes/No) | Policy Name | Clause Reference
Rows: Essential Cybersecurity Controls (ECC); Critical Systems Cybersecurity Controls (CSCC); Data Cybersecurity Controls (DCC); Organizations' Social Media Accounts Cybersecurity Controls (OSMACC); Telework Cybersecurity Controls (TCC); Cloud Cybersecurity Controls (CCC-T)
Domain: Cybersecurity Resilience Aspects of Business Continuity Management (BCM)
Main Controls and Sub-Controls by framework:
Essential Cybersecurity Controls (ECC): 3-1-1; 3-1-2; 3-1-3 (3-1-3-1, 3-1-3-2, 3-1-3-3); 3-1-4
Critical Systems Cybersecurity Controls (CSCC): 3-1-1 (3-1-1-1, 3-1-1-2, 3-1-1-3, 3-1-1-4)
Cloud Cybersecurity Controls (CCC-T): 3-1-T-1 (3-1-T-1-1)

Resilience Control clauses

Essential Cybersecurity Controls (ECC)
Cybersecurity requirements for business continuity management must be defined, documented and approved.
The cybersecurity requirements for business continuity management must be implemented.
The cybersecurity requirements for business continuity management must include at least the following:
Ensuring the continuity of cybersecurity systems and procedures.
Developing response plans for cybersecurity incidents that may affect the business continuity.
Developing disaster recovery plans.
The cybersecurity requirements for business continuity management must be reviewed periodically.

Critical Systems Cybersecurity Controls (CSCC)

In addition to the sub-controls within control 3-1-3 in the Essential Cybersecurity Controls (ECC), cybersecurity requirements for business continuity management in the entity must cover, at a minimum, the following:
Developing a disaster recovery center for critical systems.
Inclusion of critical systems within disaster recovery plans.
Conducting periodic testing, at least once a year, to ensure the effectiveness of disaster recovery plans for critical systems.
The NCA recommends periodic live disaster recovery testing (Live DR Test) for critical systems.

Cloud Cybersecurity Controls (CCC-T)

In addition to sub-controls in the ECC control 3-1-3, the CST shall cover the following additional sub-controls for cybersecurity requirements for cybersecurity resilience aspects of business continuity management, as a minimum:
Developing and implementing disaster recovery and business continuity procedures related to cloud computing, in a secure manner.
Resilience domain checklist
Columns: Is it covered by the policy? (Yes/No) | Policy Name | Clause Reference
Rows: Essential Cybersecurity Controls (ECC); Critical Systems Cybersecurity Controls (CSCC); Cloud Cybersecurity Controls (CCC-T)
Domain: Third-Party and Cloud Computing and Hosting Cybersecurity
Subdomains: Third-Party Cybersecurity; Cloud Computing and Hosting Cybersecurity
Main Controls and Sub-Controls by framework:
Essential Cybersecurity Controls (ECC): 4-1-1; 4-1-2 (4-1-2-1, 4-1-2-2, 4-1-2-3); 4-1-3 (4-1-3-1, 4-1-3-2); 4-1-4; 4-2-1; 4-2-2; 4-2-3 (4-2-3-1, 4-2-3-2); 4-2-4
Critical Systems Cybersecurity Controls (CSCC): 4-1-1 (4-1-1-1, 4-1-1-2); 4-2-1 (4-2-1-1)
Data Cybersecurity Controls (DCC): 3-1-1 (3-1-1-1, 3-1-1-2, 3-1-1-3, 3-1-1-4, 3-1-1-5, 3-1-1-6); 3-1-2 (3-1-2-1, 3-1-2-2, 3-1-2-3, 3-1-2-4, 3-1-2-5, 3-1-2-6, 3-1-2-7, 3-1-2-8)
Organizations' Social Media Accounts Cybersecurity Controls (OSMACC): 3-1-1; 3-1-2 (3-1-2-1, 3-1-2-2, 3-1-2-3)
Telework Cybersecurity Controls (TCC): 3-1-1 (3-1-1-1)

Third-Party Control clauses

Essential Cybersecurity Controls (ECC)
Cybersecurity requirements for contracts and agreements with third parties must be identified, documented and approved.
The cybersecurity requirements for contracts and agreements with third parties (e.g., Service Level Agreements (SLAs)) that, if impacted, may affect the organization's data or services must include at least the following:
Non-disclosure clauses and secure removal of the organization's data by third parties upon end of service.
Communication procedures in case of cybersecurity incidents.
Requirements for third parties to comply with related organizational policies and procedures, laws and regulations.
The cybersecurity requirements for contracts and agreements with IT outsourcing and managed services third parties must include at least the following:
Conducting a cybersecurity risk assessment to ensure the availability of risk mitigation controls before signing contracts and agreements or upon changes in related regulatory requirements.
Cybersecurity managed services centers for monitoring and operations must be completely present inside the Kingdom of Saudi Arabia.
The cybersecurity requirements for contracts and agreements with third parties must be reviewed periodically.
Cybersecurity requirements related to the use of hosting and cloud computing services must be defined, documented and approved.
The cybersecurity requirements related to the use of hosting and cloud computing services must be implemented.
In line with related and applicable laws and regulations, and in addition to the applicable ECC controls from main domains (1), (2), (3) and subdomain (4-1), the cybersecurity requirements related to the use of hosting and cloud computing services must include at least the following:
Classification of data prior to hosting on cloud or hosting services, and returning data (in a usable format) upon service completion.
Separation of the organization's environments (specifically virtual servers) from other environments hosted at the cloud service provider.
The cybersecurity requirements related to the use of hosting and cloud computing services must be reviewed periodically.

Critical Systems Cybersecurity Controls (CSCC)

In addition to the controls under subdomain 4-1 of the Essential Cybersecurity Controls (ECC), the cybersecurity requirements related to third parties must cover, at a minimum, the following:
Screening or vetting of outsourcing companies, outsourcing personnel, and managed services personnel working on critical systems.
Outsourcing and managed services for critical systems must be provided through national companies and entities, in accordance with the relevant legislative and regulatory requirements.

In addition to the sub-controls under control 4-2-3 in the Essential Cybersecurity Controls (ECC), the cybersecurity requirements for the use of cloud computing and hosting services must cover, at a minimum, the following:
The site for hosting critical systems, or any part of their technical components, must be inside the entity, or in cloud computing services provided by government agencies or national companies that fulfil the cloud computing controls issued by the NCA, taking into account the classification of the hosted data.

Data Cybersecurity Controls (DCC)

In addition to the controls in ECC subdomain 4-1, cybersecurity requirements for third-party cybersecurity must include at least the following:
Screening or vetting third-party employees who have access to the data.
Requiring contractual commitment by third parties to securely dispose of the organization's data at the end of the contract or in case of contract termination, including providing evidence of such disposal to the organization.
Documenting all data sharing operations with third parties, including the data sharing justification.
When transferring data outside the Kingdom, the capability of the hosting organization abroad to safeguard the data must be verified, the approval of the Authorizing Official must be obtained, and related laws and regulations must be complied with.
Requiring third parties to notify the organization immediately in case of a cybersecurity incident that may affect data that has been shared or created.
Reclassifying data to the least level needed to achieve the objective before sharing it with third parties, using data masking or data scrambling techniques.

In alignment with related laws and regulations, and in addition to the applicable controls in the ECC and the controls within DCC domains (1), (2) and (3), cybersecurity requirements when dealing with consultancy services that work on high-sensitivity strategic projects at the national level must cover at least the following:
Screening or vetting consultancy services employees who have access to the data.
Requiring contractual commitment by consultancy services, including employee non-disclosure agreements and secure disposal of the organization's data at the end of the contract or in case of contract termination, including providing evidence of such disposal to the organization.
Documenting all data sharing operations with consultancy services, including the data sharing justification.
Requiring consultancy services to notify the organization immediately in case of a cybersecurity incident that may affect data that has been shared or created.
Reclassifying data to the least level needed to achieve the objective before sharing it with consultancy services, using data masking or data scrambling techniques.
Dedicating a closed room for the consultancy services employees to perform their work, in addition to providing dedicated organization-owned devices to share and process data.
Activating an access control system to allow only authorized access to the closed room.
Preventing devices, storage media and documents from being carried outside the closed room, as well as the entry of any other electronic devices.
Organizations' Social Media Accounts Cybersecurity Controls (OSMACC)

A needs assessment for the use of social media management, automated monitoring or brand protection services, along with the associated cybersecurity risks, must be conducted.
In addition to the sub-controls within control 4-1-2 in the ECC, cybersecurity requirements for the use of social media management, automated monitoring or brand protection services in the organization must include at least the following:
Non-disclosure clauses and secure removal of the organization's data by the third party upon service termination.
Communication procedures to report vulnerabilities and cyber incidents.
Requirements for the third party to comply with cybersecurity requirements and policies to protect the organization's social media accounts, and with related laws and regulations.

Telework Cybersecurity Controls (TCC)

In addition to the sub-controls in the ECC control 4-2-3, cybersecurity requirements related to the use of hosting and cloud computing services must include at least the following:
The location of the hosted telework systems must be inside the Kingdom of Saudi Arabia.
Third-Party domain checklist
Columns: Is it covered by the policy? (Yes/No) | Policy Name | Clause Reference
Rows: Essential Cybersecurity Controls (ECC); Critical Systems Cybersecurity Controls (CSCC); Data Cybersecurity Controls (DCC); Organizations' Social Media Accounts Cybersecurity Controls (OSMACC); Telework Cybersecurity Controls (TCC)
