ECC-2:2024 · Saudi Arabia

Essential Cybersecurity Controls

The National Cybersecurity Authority's mandatory baseline for government, critical infrastructure, and the wider Saudi market. Pick a domain below, open any subdomain, and drill straight into the exact controls: what to implement, and why.

4 Main domains
28 Subdomains
108 Main controls
92 Subcontrols

Explore the framework

A live map: click a domain to open it, then a subdomain to drill into its controls.

Click the ECC core for an overview, a domain to open it, or a subdomain to drill into its controls.

Framework overview

What is the ECC?

4 Main domains
28 Subdomains
108 Main controls
92 Subcontrols
What it is

The (ECC) are Saudi Arabia's national minimum cybersecurity , issued and overseen by the (NCA). This is ECC-2:2024, the current edition. It sets out the an entity must have in place to protect its information and technology and the data they hold.

Why it matters

For government bodies, their companies, and operators of critical national infrastructure, is mandatory rather than optional. Meeting it keeps you compliant with the , lowers the of breaches that could disrupt services or leak sensitive data, and gives leadership a clear, auditable picture of where security stands. It also lines security up with national law and the organisation's own strategy.

Must-know facts
  • It is a : the minimum every entity in must meet, not the ceiling. Higher- environments need more, and the issues additional, stricter frameworks for critical systems and for .
  • It is -based: are applied according to the entity's own risks, and any scoping decisions must be justified and documented.
  • It is a hierarchy: 4 main domains, then 28 subdomains, then 108 main , with further subcontrols beneath them.
  • is assessed and reported: an entity self-assesses against every , and the monitors and can how well it complies.
  • Every is a requirement: the official wording uses 'shall', so each line is something the entity must do, not a suggestion.
  • The four domains build on each other: sets direction, Defence does the hands-on technical protection, keeps services running and recovering, and and manages the that outsiders and hosting bring.
How every control works
  1. Policy Write the rule down and get leadership to approve it.
  2. Implement Put it into practice with secure configuration and standards.
  3. Review Audit on a schedule that it is working, and fix what is not.
Domain 1

Governance

10 Subdomains
35 Controls
1/4 Domain
What it is

is how an organisation decides who is in charge of security, what the rules are, and how it proves those rules are being followed.

Its role in ECC

In , Domain 1 is the foundation: a cybersecurity strategy, an independent cybersecurity function, documented , , and . Every technical in the other domains should trace back to a decision made here.

What's inside 10
Governance 1-1

Strategy

What it is

A cybersecurity strategy is a simple, leadership-approved plan that says where the organisation wants to get to on security, and how it will get there.

Why you need it

Without a plan, security spending is random and reactive. A strategy lines security up with the organisation's goals and the law, so effort goes where it matters most.

How to establish it

Write down clear security goals and an action plan to reach them, get the head of the organisation to approve it, then revisit it on a schedule or whenever the rules change.

The controls: what to implement 3
  1. Policy 1-1-1

    Write the organisation's cybersecurity strategy, get the head of the organisation to approve and back it, and make sure its goals line up with the law.

  2. Control 1-1-2

    Do not just write the strategy ; carry out an action plan to actually deliver it.

  3. Review 1-1-3

    On a regular schedule, check (an ) that strategy is still being done and is working.

Show the official ECC wording

Objective. To ensure that the action plans, objectives, initiatives, and projects of the entity contribute to compliance with the relevant legislative and regulatory requirements.

  1. 1-1-1 The cybersecurity strategy of the entity shall be identified, documented, and approved, and it shall be supported by the head of the entity or his/her delegate (Hereinafter referred to as the "Authorized Official"). The strategy goals shall be in line with the relevant legislative and regulatory requirements.
  2. 1-1-2 The entity shall execute an action plan to apply the cybersecurity strategy.
  3. 1-1-3 The cybersecurity strategy shall be reviewed at planned intervals (or in case of changes to the relevant legislative and regulatory requirements).
Governance 1-2

Management

What it is

A dedicated, properly staffed cybersecurity function ; a real team with a leader ; kept separate from the IT department.

Why you need it

If security reports into IT, it cannot honestly check IT's own work. An independent function with leadership backing can set direction and hold people accountable.

How to establish it

Create a cybersecurity department independent of IT, staff it with qualified full-time professionals, and set up a supervisory committee to oversee the security programme.

The controls: what to implement 3
  1. Control 1-2-1

    Set up a cybersecurity department that is independent of the IT department; ideally it reports to the head of the organisation, with no conflict of interest.

  2. Control 1-2-2

    Fill cybersecurity with qualified, full-time Saudi cybersecurity professionals.

  3. Requirements 1-2-3

    Set up a cybersecurity supervisory committee ; with an approved membership, mandate, and , and including the head of the cybersecurity department ; to oversee and support the security programme.

Show the official ECC wording

Objective. To ensure that the Authorized Official of the entity complies with and supports the implementation and management of cybersecurity programs within the entity, as per the relevant legislative and regulatory requirements.

  1. 1-2-1 A department for cybersecurity shall be established within the entity. This department shall be independent from the Information Technology and Communications Department (As per High Order No. 37140, dated 14/08/1438H.). It is recommended that the Cybersecurity Department reports directly to the head of the entity or his/her delegate while ensuring that this does not result in a conflict of interests.
  2. 1-2-2 All cybersecurity positions shall be filled out with full-time and qualified Saudi cybersecurity professionals.
  3. 1-2-3 A cybersecurity supervisory committee shall be established pursuant to the instruction of the entity's Authorized Official to ensure compliance with, support for, and monitoring of the implementation of the cybersecurity programs and regulations. The committee's members, responsibilities, and governance framework shall be identified, documented, and approved. The committee shall include the head of the cybersecurity department as a member. It is recommended that the committee reports directly to the head of the entity or his/her delegate while ensuring that this does not result in a conflict of interests.
Governance 1-3

Policies and Procedures

What it is

The written rules () and step-by-step instructions () that tell everyone how security is actually done.

Why you need it

People cannot follow rules that only live in someone's head. Documented, approved make expectations clear ; and auditable.

How to establish it

Write and approve security and , back them with technical (firewalls, databases, operating systems), communicate them to staff, and keep them current.

The controls: what to implement 4
  1. Control 1-3-1

    The security team writes the security and , gets them approved by leadership, and shares them with everyone who needs them.

  2. Control 1-3-2

    Make sure those and are actually followed across the organisation.

  3. Control 1-3-3

    Back the with technical ; concrete secure settings for things like firewalls, databases, and operating systems.

  4. Review 1-3-4

    On a regular schedule, check (an ) that and is still being done and is working.

Show the official ECC wording

Objective. To ensure that the cybersecurity requirements and the entity's compliance therewith are documented and communicated, as per the entity's regulatory requirements and the relevant legislative and regulatory requirements.

  1. 1-3-1 The cybersecurity department of the entity shall identify and document cybersecurity policies and procedures, including the cybersecurity controls and requirements, and have them approved by the entity's Authorized Official, and communicate them to the relevant personnel and parties inside the entity.
  2. 1-3-2 The cybersecurity department shall ensure that the cybersecurity policies and procedures, including the relevant controls and requirements, are implemented at the entity.
  3. 1-3-3 The cybersecurity policies and procedures shall be supported by technical security standards (e.g. technical security standards for firewall, databases, operating systems, etc.).
  4. 1-3-4 The cybersecurity policies and procedures shall be reviewed and updated at planned intervals (or in case of changes to the relevant legislative and regulatory requirements and standards). Changes shall be documented and approved.
Governance 1-4

Roles and Responsibilities

What it is

A clear map of who is responsible and accountable for each part of cybersecurity.

Why you need it

When are vague, security tasks get dropped or duplicated. Clear ownership means someone is always answerable.

How to establish it

Have leadership define, document, and approve the security org structure and , assign named people, and avoid conflicts of interest.

The controls: what to implement 2
  1. Policy 1-4-1

    Leadership defines, documents, and approves the security org chart and who does what, assigns named people, and supports them ; avoiding conflicts of interest.

  2. Review 1-4-2

    On a regular schedule, check (an ) that is still being done and is working.

Show the official ECC wording

Objective. To ensure that roles and responsibilities are clearly defined for all parties participating in implementing the cybersecurity controls within the entity.

  1. 1-4-1 The Authorized Official shall identify, document, and approve the governance organizational structure, roles, and responsibilities of the entity's cybersecurity, and assign the persons concerned therewith. The necessary support shall be provided for the implementation thereof while ensuring that this does not result in a conflict of interests.
  2. 1-4-2 The cybersecurity roles and responsibilities within the entity shall be reviewed and updated at planned intervals (or in case of changes to the relevant legislative and regulatory requirements).
Governance 1-5

Risk Management

What it is

A repeatable method for finding cyber , judging how serious they are, and deciding how to treat them.

Why you need it

You cannot protect everything equally. focuses time and money on the things that would hurt most ; it is the basis for every other .

How to establish it

Define and approve a method (covering , , and of your ), then actually run it: assess and act on them.

The controls: what to implement 4
  1. Policy 1-5-1

    Define and approve how the organisation will manage cyber , covering the , , and of its .

  2. Implement 1-5-2

    Actually run that method across the organisation.

  3. Implement 1-5-3

    Run a at least at the key trigger points ; early in technology projects, before major infrastructure changes, and when planning to outsource or move to the .

  4. Review 1-5-4

    On a regular schedule, check (an ) that is still being done and is working.

Show the official ECC wording

Objective. To ensure managing cybersecurity risks in a methodological approach, in order to protect the entity's information and technology assets, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

  1. 1-5-1 The cybersecurity department of the entity shall identify, document, and approve the cybersecurity risk management methodology and procedures within the entity, in accordance with considerations of confidentiality, and the integrity and availability of information and technology assets.
  2. 1-5-2 The cybersecurity department shall implement the cybersecurity risk management methodology and procedures within the entity.
  3. 1-5-3 The cybersecurity risk assessment procedures shall be implemented at least in the following cases: 1.5.3.1 At early stage of technology projects. 1.5.3.2 Before making major changes to technology infrastructure. 1.5.3.3 During planning to obtain third party services. 1.5.3.4 During planning and before the release of new technology services and products.
  4. 1-5-4 The cybersecurity risk management methodology and procedures shall be reviewed and updated at planned intervals (or in case of changes to the relevant legislative and regulatory requirements and standards). Changes shall be documented and approved.
Governance 1-6

in Information and Technology Project Management

What it is

Building security into new projects and system changes from the very start, instead of bolting it on afterwards.

Why you need it

Fixing security after launch is slow, expensive, and often never happens. Designing it in is cheaper and far safer.

How to establish it

Make security a required part of project and : assess and fix , review before launch, and for software use , trusted libraries, and testing.

The controls: what to implement 5
  1. Control 1-6-1

    Make security a required, built-in part of project management and any change to IT , so are caught early in the project lifecycle.

  2. Requirements 1-6-2

    At a minimum, before launching projects or changes: check for and fix , and review , , and updates.

  3. Requirements 1-6-3

    For software development, at a minimum: use ; trusted, licensed tools and libraries; test software against your security requirements; integrate apps securely; and review and before release.

  4. Review 1-6-4

    On a regular schedule, check (an ) that in information and technology project management is still being done and is working.

  5. Control 1-7-1

    If nationally approved international agreements include cybersecurity requirements, identify and with those too.

Show the official ECC wording

Objective. To ensure that cybersecurity requirements are included in the methodology and procedures of the entity's project management, in order to protect the confidentiality, integrity, accuracy, and availability of the entity's information and technology assets, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

  1. 1-6-1 Cybersecurity requirements shall be included in the project management methodology and procedures and in the information and technology asset change management within the entity to ensure identifying and managing cybersecurity risks as part of the technology project lifecycle. The cybersecurity requirements shall be a key part of the requirements for technology projects.
  2. 1-6-2 The cybersecurity requirements for project management and information and technology asset changes within the entity shall include the following as a minimum: 1.6.2.1 Vulnerability assessment and remediation. 1.6.2.2 Reviewing secure configuration and hardening and updates packages before launching projects and changes.
  3. 1-6-3 The cybersecurity requirements for software and application development projects within the entity shall include the following as a minimum: 1.6.3.1 Using the secure coding standards. 1.6.3.2 Using trusted and licensed sources for software development tools and libraries. 1.6.3.3 Conducting compliance test for software against the cybersecurity requirements within the entity. 1.6.3.4 Secure integration between applications. 1.6.3.5 Reviewing secure configuration and hardening and updates packages before launching software products
  4. 1-6-4 The cybersecurity requirements for project management within the entity shall be periodically reviewed. 1.7 Compliance with Cybersecurity Standards, Laws and Regulations Objective To ensure that the entity's cybersecurity program complies with the relevant legislative and regulatory requirements. Controls
  5. 1-7-1 If there are nationally approved international agreements or commitments that include cybersecurity requirements, the entity shall identify and comply with these requirements.
Governance 1-7

Compliance with Cybersecurity Standards, Laws and Regulations

What it is

Making sure the organisation meets all the cybersecurity laws, regulations, and binding agreements that apply to it.

Why you need it

Falling short of the law brings penalties and . Knowing exactly what applies to you is the first step to meeting it.

How to establish it

Identify the cybersecurity obligations that apply to you (including nationally approved international commitments) and put in place to with them.

The controls: what to implement 0
Show the official ECC wording

Objective.

Governance 1-8

Periodical Cybersecurity Review and Audit

What it is

Independently checking, on a schedule, that the security are actually in place and working.

Why you need it

drift and decay over time. Regular review and catch the gaps before attackers ; or regulators ; do.

How to establish it

Have the security team review implementation periodically, arrange independent , and report findings (, observations, fixes) to the oversight committee and leadership.

The controls: what to implement 3
  1. Review 1-8-1

    The security team periodically reviews whether the are actually being implemented.

  2. Review 1-8-2

    Have the independently audited by someone other than the cybersecurity team, so the review stays objective.

  3. Requirements 1-8-3

    Document and review results ; , findings, recommendations, and fix plans ; and present them to the oversight committee and leadership.

Show the official ECC wording

Objective. To ensure that the cybersecurity controls adopted by the entity are implemented and applicable in accordance with the entity's regulatory policies and procedures, relevant national legislative and regulatory requirements, and international requirements imposed on the entity by law.

  1. 1-8-1 The cybersecurity department of the entity shall periodically review the implementation of cybersecurity controls by the entity.
  2. 1-8-2 The implementation of cybersecurity controls by the entity shall be reviewed and audited by parties other than the cybersecurity department at the entity, provided that the audit and review are to be conducted independently while considering the principle of conflict of interest, as per the Generally Accepted Auditing Standards (GAAS) and the relevant legislative and regulatory requirements.
  3. 1-8-3 The results of cybersecurity audits and reviews shall be documented and presented to the cybersecurity supervisory committee and the Authorized Official. Results shall include the audit and review scope, observations, recommendations, corrective actions, and remediation plans.
Governance 1-9

in Human Resources

What it is

Handling security across the whole employee journey ; before hiring, during employment, and when people leave.

Why you need it

People are both your biggest and your first line of defence; most involve a person.

How to establish it

Put security duties and terms in contracts, screen people for sensitive , keep staff aware during employment, and revoke access promptly when they leave.

The controls: what to implement 6
  1. Policy 1-9-1

    Put a in place; write the rules for in human resources and get leadership to formally approve them.

  2. Implement 1-9-2

    Turn the into practice; apply the in human resources rules across the organisation (configure systems, follow ).

  3. Requirements 1-9-3

    Before someone starts: put their security duties and terms in the employment contract (covering during and after employment), and screen people going into sensitive or .

  4. Requirements 1-9-4

    During employment: keep people security-aware (from onboarding onward) and make sure they follow the security and .

  5. Review 1-9-5

    On a regular schedule, check (an ) that in human resources is still being done and is working.

  6. Review 1-9-6

    On a regular schedule, check (an ) that in human resources is still being done and is working.

Show the official ECC wording

Objective. To ensure that cybersecurity risks and requirements for personnel (employees and contractors) of the entity are managed efficiently prior to, during, and upon the end or termination of their employment, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

  1. 1-9-1 Cybersecurity requirements for personnel of the entity shall be identified, documented, and approved prior to, during, and upon the end or termination of their employment.
  2. 1-9-2 Cybersecurity requirements for personnel of the entity shall be implemented.
  3. 1-9-3 Cybersecurity requirements prior to the commencement of the employment relationship between personnel and the entity shall include the following as a minimum: 1.9.3.1 Incorporating the personnel's cybersecurity responsibilities clauses and non-disclosure clauses in their employment contracts with the entity (including during and after employment end/termination with the entity). 1.9.3.2 Conducting screening or vetting for personnel in cybersecurity positions and technical positions with critical and privileged powers.
  4. 1-9-4 Cybersecurity requirements for personnel during their employment relationship with the entity shall include the following as a minimum: 1.9.4.1 Cybersecurity awareness (during on-boarding and during employment). 1.9.4.2 Implementation and compliance with cybersecurity requirements, as per the entity's cybersecurity policies, procedures, and operations.
  5. 1-9-5 The personnel's powers shall be reviewed and revoked immediately upon the end/termination of their employment with the entity.
  6. 1-9-6 Cybersecurity requirements for personnel of the entity shall be periodically reviewed.
Governance 1-10

Awareness and Training Program

What it is

Teaching everyone safe behaviour, and giving security staff the deeper skills their specific need.

Why you need it

Technology cannot stop a user who clicks a link. Awareness turns staff from the weakest link into a line of defence.

How to establish it

Run an ongoing awareness programme covering email/, devices, safe browsing and social media, and provide specialised training to security and technical staff.

The controls: what to implement 5
  1. Control 1-10-1

    Build and approve an ongoing awareness programme, delivered through several channels, to grow a positive security culture.

  2. Implement 1-10-2

    Turn the into practice; apply the awareness and training program rules across the organisation (configure systems, follow ).

  3. Requirements 1-10-3

    The awareness programme must cover the top today: email, safe use of mobile devices and storage media, safe browsing, and safe use of social media.

  4. Control 1-10-4

    Give specialised training to people in security-linked ; the security team, developers and IT staff, and executives/supervisors ; matched to their responsibilities.

  5. Review 1-10-5

    On a regular schedule, check (an ) that awareness and training program is still being done and is working.

Show the official ECC wording

Objective. To ensure that the entity's personnel have the required security awareness, are aware of their cybersecurity responsibilities, and are equipped with the required cybersecurity skills, qualifications, and training courses in order to protect the entity's information and technology assets and fulfill their cybersecurity duties.

  1. 1-10-1 A cybersecurity awareness program, delivered through multiple channels, shall be periodically developed and approved by the entity to strengthen the awareness about cybersecurity, cyber threats, and risks, and to build a positive cybersecurity awareness culture.
  2. 1-10-2 The approved cybersecurity awareness program shall be implemented within the entity.
  3. 1-10-3 The cybersecurity awareness program shall include how to protect the entity against the most important and latest cyber risks and threats, including: 1.10.3.1 Secure handling of email services, especially phishing emails. 1.10.3.2 Secure handling of mobile devices and storage media. 1.10.3.3 Secure Internet browsing. 1.10.3.4 Secure usage of social media.
  4. 1-10-4 Specialized skills and necessary training shall be provided to personnel in positions that are linked directly to cybersecurity within the entity. Such skills and training shall be classified in line with their cybersecurity responsibilities, including: 1.10.4.1 Cybersecurity department personnel. 1.10.4.2 Personnel working on software/application development and those working on information and technology assets of the entity. 1.10.4.3 Executive and supervisory positions.
  5. 1-10-5 The implementation of cybersecurity awareness program within the entity shall be periodically reviewed.
Domain 2

Defence

15 Subdomains
61 Controls
2/4 Domain
What it is

Defence is the set of hands-on technical safeguards that actually protect systems and data day to day.

Its role in ECC

In , Domain 2 is the largest; 15 subdomains spanning the full protect, detect and respond cycle, from knowing your to handling . Each should map back to a identified in .

What's inside 15
Defence 2-1

Asset Management

What it is

Keeping an accurate of all your hardware, software, and data ; each with an owner and a sensitivity label.

Why you need it

You cannot protect what you do not know you have. Unknown are unguarded doors.

How to establish it

Build and maintain an , set an , and , label, and handle according to their sensitivity.

The controls: what to implement 6
  1. Policy 2-1-1

    Put a in place; write the rules for management and get leadership to formally approve them.

  2. Implement 2-1-2

    Turn the into practice; apply the management rules across the organisation (configure systems, follow ).

  3. Control 2-1-3

    Define, approve, and communicate an for the organisation's IT .

  4. Implement 2-1-4

    Turn the into practice; apply the management rules across the organisation (configure systems, follow ).

  5. Control 2-1-5

    , label, and handle according to the laws and regulations that apply.

  6. Review 2-1-6

    On a regular schedule, check (an ) that management is still being done and is working.

Show the official ECC wording

Objective. To ensure that the entity has an accurate and updated inventory of assets, including details of all information and technology assets of the entity, in order to support the entity's operations and cybersecurity requirements to maintain the confidentiality, integrity, accuracy, and availability of information and technology assets of the entity.

  1. 2-1-1 Cybersecurity requirements for managing information and technology assets of the entity shall be identified, documented, and approved.
  2. 2-1-2 Cybersecurity requirements for managing information and technology assets of the entity shall be implemented.
  3. 2-1-3 The policy of acceptable use of information and technology assets of the entity shall be identified, documented, approved, and communicated.
  4. 2-1-4 The policy of acceptable use of information and technology assets of the entity shall be implemented.
  5. 2-1-5 Information and technology assets of the entity shall be classified, labeled, and handled as per the relevant legislative and regulatory requirements.
  6. 2-1-6 Cybersecurity requirements for managing information and technology assets of the entity shall be periodically reviewed.
Defence 2-2

Identity and Access Management

What it is

Making sure only the right people and systems get access ; verified ; and only to what they actually need.

Why you need it

Most breaches abuse legitimate access. Tight limits how far an attacker, or a simple mistake, can reach.

How to establish it

Require strong sign-in ( for remote and ), grant access on and , manage privileged accounts carefully, and review access rights regularly.

The controls: what to implement 4
  1. Policy 2-2-1

    Put a in place; write the rules for and get leadership to formally approve them.

  2. Implement 2-2-2

    Turn the into practice; apply the rules across the organisation (configure systems, follow ).

  3. Requirements 2-2-3

    At a minimum cover: username/password sign-in; for remote and (sized to the ); access based on , , and ; privileged-; and periodic review of identities and access rights.

  4. Review 2-2-4

    On a regular schedule, check (an ) that is still being done and is working.

Show the official ECC wording

Objective. To ensure protecting cybersecurity of logical access to information and technology assets of the entity, in order to prevent unauthorized access and restrict access to the extent necessary for accomplishment of the assigned tasks of the entity.

  1. 2-2-1 Cybersecurity requirements for identity and access management of the entity shall be identified, documented, and approved.
  2. 2-2-2 Cybersecurity requirements for identity and access management of the entity shall be implemented.
  3. 2-2-3 Cybersecurity requirements for identity and access management of the entity shall include the following as a minimum: 2.2.3.1 Single-factor authentication based on username and password. Cybersecurity Defense 2 2.2.3.2 Multi-factor authentication, and defining the suitable authentication factors and their numbers as well as the suitable authentication techniques based on the result of impact assessment of authentication failure and bypass for remote access and for privileged accounts. 2.2.3.3 User authorization based on identity and access control principles (Need-to-Know and Need-to-Use principle, Least Privilege principle, and Segregation of Duties principle). 2.2.3.4 Privileged access management. 2.2.3.5 Periodic review of identities and access rights.
  4. 2-2-4 The implementation of cybersecurity requirements for identity and access management of the entity shall be periodically reviewed.
Defence 2-3

Information Systems and Information Processing Facilities Protection

What it is

the servers, workstations, and facilities that store and process your data.

Why you need it

These systems are where the valuable data lives; a weak server or an unmanaged USB port is an easy way in.

How to establish it

Use up-to-date , tightly restrict external storage media, systems and applications, and synchronise clocks to a trusted source.

The controls: what to implement 4
  1. Policy 2-3-1

    Put a in place; write the rules for information systems and information processing facilities protection and get leadership to formally approve them.

  2. Implement 2-3-2

    Turn the into practice; apply the information systems and information processing facilities protection rules across the organisation (configure systems, follow ).

  3. Requirements 2-3-3

    At a minimum: protect workstations and servers from and malware with modern tools; tightly restrict external storage media; manage ; and keep clocks synchronised to a trusted source (e.g. ).

  4. Review 2-3-4

    On a regular schedule, check (an ) that information systems and information processing facilities protection is still being done and is working.

Show the official ECC wording

Objective. To ensure the protection of information systems and processing facilities, including workstations and infrastructures of the entity, against cyber risks.

  1. 2-3-1 Cybersecurity requirements for protection of information system and processing facilities of the entity shall be identified, documented, and approved.
  2. 2-3-2 Cybersecurity requirements for protection of information systems and processing facilities of the entity shall be implemented.
  3. 2-3-3 Cybersecurity requirements for protection of information systems and processing facilities of the entity shall include the following as a minimum: 2.3.3.1 Protection from viruses, suspicious programs and activities, and malware on workstations and servers, using modern and advanced protection technologies and mechanisms, and securely managing them. 2.3.3.2 Strict restriction on the use of external storage media and their security. 2.3.3.3 Patch management for systems, applications, and devices. 2.3.3.4 Centralized clock synchronization with an accurate and trusted source, such as sources provided by the Saudi Standards, Metrology and Quality Organization (SASO).
  4. 2-3-4 The implementation of cybersecurity requirements for protection of the information system and processing facilities of the entity shall be periodically reviewed.
Defence 2-4

Email Protection

What it is

Securing the email service against , , and data leaks.

Why you need it

Email is the number-one way attackers get in ; a single convincing message can start a breach.

How to establish it

Filter and , require for remote/webmail access, archive and back up email, defend against advanced , and validate your domains with , DKIM, and DMARC.

The controls: what to implement 4
  1. Policy 2-4-1

    Put a in place; write the rules for email protection and get leadership to formally approve them.

  2. Implement 2-4-2

    Turn the into practice; apply the email protection rules across the organisation (configure systems, follow ).

  3. Requirements 2-4-3

    At a minimum: filter and ; require for remote/webmail access; archive and back up email; defend against advanced () ; and validate your email domains with , DKIM, and DMARC.

  4. Review 2-4-4

    On a regular schedule, check (an ) that email protection is still being done and is working.

Show the official ECC wording

Objective. To ensure the protection of the entity's email service against cyber risks.

  1. 2-4-1 Cybersecurity requirements for protection of the email service of the entity shall be identified, documented, and approved.
  2. 2-4-2 Cybersecurity requirements for protection of email service of the entity shall be implemented.
  3. 2-4-3 Cybersecurity requirements for protection of the email service of the entity shall include the following as a minimum: 2.4.3.1 Analyzing and filtering email messages (specifically phishing emails and spam emails) using modern and advanced email protection techniques and mechanisms. 2.4.3.2 Multi-factor authentication, and defining the suitable authentication factors and their numbers as well as the suitable authentication techniques based on the result of impact assessment of authentication failure and bypass for remote and webmail access. 2.4.3.3 Email archiving and backup. 2.4.3.4 Secure management and protection against Advanced Persistent Threats (APT), which normally utilize zero-day malware and viruses. 2.4.3.5 Validation of the entity's email service domains by using Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain Message Authentication Reporting and Conformance (DMARC).
  4. 2-4-4 The implementation of cybersecurity requirements for email service of the entity shall be periodically reviewed .
Defence 2-5

Network Security Management

What it is

Designing and defending the network so attackers cannot roam freely once they are inside.

Why you need it

A flat, open network lets one compromised device expose everything. Good network security contains the damage.

How to establish it

and isolate the network with firewalls, separate production from test/dev, secure browsing and wireless, restrict ports and services, and add protections like , security, and defence.

The controls: what to implement 4
  1. Policy 2-5-1

    Put a in place; write the rules for network security management and get leadership to formally approve them.

  2. Implement 2-5-2

    Turn the into practice; apply the network security management rules across the organisation (configure systems, follow ).

  3. Requirements 2-5-3

    At a minimum: and isolate the network with firewalls and ; separate production from test/dev; secure browsing and internet access; secure wireless; restrict ports, protocols, and services; and add , security, protection, and defence.

  4. Review 2-5-4

    On a regular schedule, check (an ) that network security management is still being done and is working.

Show the official ECC wording

Objective. To ensure the protection of entity's networks against cyber risks.

  1. 2-5-1 Cybersecurity requirements for the entity's network security management shall be identified, documented, and approved.
  2. 2-5-2 Cybersecurity requirements for the entity's network security management shall be implemented.
  3. 2-5-3 Cybersecurity requirements for the entity's network security management shall include the following as a minimum: 2.5.3.1 Logical or physical isolation and segmentation of network segments in a secure manner which is required to control relevant cybersecurity risks, using firewall and defense-in-depth principle. 2.5.3.2 Isolation of production network from testing and development environment networks. 2.5.3.3 Secure browsing and internet connectivity, including strict restrictions on suspicious websites, file storage/sharing websites, and remote access websites. 2.5.3.4 Wireless network security and protection using secure authentication and encryption techniques and avoiding the connection of wireless networks to the entity's internal network, except after a comprehensive assessment of subsequent risks, with handling them in a way that protects the technology assets of the entity. 2.5.3.5 Restricting and managing network services, protocols, and ports. 2.5.3.6 Intrusion Prevention Systems (IPS). 2.5.3.7 Security of Domain Name Service (DNS). 2.5.3.8 Secure management and protection of Internet browsing channel against Advanced Persistent Threats (APT), which normally utilize zero-day malware and viruses. 2-5-3-9 Protecting against Distributed Denial of Service (DDoS) attacks to limit risks arising from these attacks.
  4. 2-5-4 The implementation of cybersecurity requirements for the entity's network security management shall be periodically reviewed.
Defence 2-6

Mobile Devices Security

What it is

Protecting laptops, phones, and personal () devices ; and the organisation's data on them.

Why you need it

Mobile devices leave the building and get lost or stolen, taking your data with them if it is not protected.

How to establish it

Separate and organisation data on devices, restrict use to business needs, be able to wipe data on loss or when someone leaves, and make users aware of the .

The controls: what to implement 4
  1. Policy 2-6-1

    Put a in place; write the rules for mobile devices security and get leadership to formally approve them.

  2. Implement 2-6-2

    Turn the into practice; apply the mobile devices security rules across the organisation (configure systems, follow ).

  3. Requirements 2-6-3

    At a minimum: separate and organisation data on mobile and devices; restrict their use to business needs; be able to wipe organisation data if a device is lost or someone leaves; and raise user awareness.

  4. Review 2-6-4

    On a regular schedule, check (an ) that mobile devices security is still being done and is working.

Show the official ECC wording

Objective. To ensure the protection of the entity's mobile devices (including laptops, smartphones, and tablets) against cyber risks, and ensure secure handling of the entity's sensitive information and business information and protecting them during transfer and storage while using the devices of personnel of the entity (Bring Your Own Device "BYOD" policy).

  1. 2-6-1 Cybersecurity requirements for mobile devices and BYOD security when connected to the entity's network shall be identified, documented, and approved.
  2. 2-6-2 Cybersecurity requirements for mobile devices and BYOD security of the entity shall be implemented.
  3. 2-6-3 Cybersecurity requirements for mobile devices and BYOD security of the entity shall include the following as a minimum: 2.6.3.1 Separation and encryption of the entity's data and information stored on mobile devices and BYODs. 2.6.3.2 Controlled and restricted use based on the requirements of the interest of the entity's business. 2.6.3.3 Deletion of the entity's data and information stored on mobile devices and BYOD in cases of device loss or after the ending/termination of employment with the entity. 2.6.3.4 Security awareness for users.
  4. 2-6-4 The implementation of cybersecurity requirements for mobile devices and BYOD security of the entity shall be periodically reviewed.
Defence 2-7

Data and Information Protection

What it is

Protecting the data itself according to how sensitive it is, wherever it is stored or sent.

Why you need it

Data is usually the real target. Protecting it directly limits the harm even when other defences fail.

How to establish it

Set a data-protection keyed to your , put it into practice everywhere data lives, and keep it under review.

The controls: what to implement 3
  1. Policy 2-7-1

    Put a in place; write the rules for data and information protection and get leadership to formally approve them.

  2. Implement 2-7-2

    Turn the into practice; apply the data and information protection rules across the organisation (configure systems, follow ).

  3. Review 2-7-3

    On a regular schedule, check (an ) that data and information protection is still being done and is working.

Show the official ECC wording

Objective. To ensure confidentiality, integrity, accuracy, and availability of the entity's data and information, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements

  1. 2-7-1 Cybersecurity requirements for protecting and handling data and information of the entity shall be identified, documented, and approved, as per the relevant legislative and regulatory requirements.
  2. 2-7-2 Cybersecurity requirements for protecting data and information of the entity shall be implemented, based on its classification level.
  3. 2-7-3 The implementation of cybersecurity requirements for protecting data and information of the entity shall be periodically reviewed.
Defence 2-8

Cryptography

What it is

Using approved to protect data ; both stored and in transit ; with proper management of the keys.

Why you need it

is the safety net: even if data is stolen, it is unreadable without the keys.

How to establish it

Adopt an approved (approved algorithms and ), implement it for data at rest and in transit, and review it periodically.

The controls: what to implement 4
  1. Policy 2-8-1

    Put a in place; write the rules for and get leadership to formally approve them.

  2. Implement 2-8-2

    Turn the into practice; apply the rules across the organisation (configure systems, follow ).

  3. Requirements 2-8-3

    At a minimum, follow the 's National , and apply the right level of for how sensitive the data is.

  4. Review 2-8-4

    On a regular schedule, check (an ) that is still being done and is working.

Show the official ECC wording

Objective. To ensure the proper and efficient use of cryptography to protect electronic information assets of the entity, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

  1. 2-8-1 Cybersecurity requirements for cryptography within the entity shall be identified, documented, and approved.
  2. 2-8-2 Cybersecurity requirements for cryptography within the entity shall be implemented.
  3. 2-8-3 Cybersecurity requirements for cryptography shall include at least the requirements in the National Cryptographic Standards, published by NCA. The appropriate cryptographic standard level shall be implemented based on the nature and sensitivity of the data, systems, and networks to be protected as well as the entity's risk assessment, and as per the relevant legislative and regulatory requirements, as follows: 2.8.3.1 Approved cryptographic systems and solutions standards and their technical and regulatory restrictions. 2.8.3.2 Secure management of cryptographic keys during their lifecycles. 2.8.3.3 Encryption of data in-transit and at-rest, as per their classification and the relevant legislative and regulatory requirements.
  4. 2-8-4 The implementation of cybersecurity requirements for cryptography within the entity shall be periodically reviewed.
Defence 2-9

Backup and Recovery Management

What it is

Taking reliable, tested copies of data so you can restore it after loss, corruption, or .

Why you need it

When systems are wiped or by attackers, good are often the only way back ; if they actually work.

How to establish it

Back up critical systems and data, make sure you can recover quickly, and test recovery regularly so you know it works.

The controls: what to implement 4
  1. Policy 2-9-1

    Put a in place; write the rules for management and get leadership to formally approve them.

  2. Implement 2-9-2

    Turn the into practice; apply the management rules across the organisation (configure systems, follow ).

  3. Requirements 2-9-3

    At a minimum: back up critical ; be able to recover data and systems quickly after an ; and test recovery periodically.

  4. Review 2-9-4

    On a regular schedule, check (an ) that management is still being done and is working.

Show the official ECC wording

Objective. To ensure the protection of the entity's data, information, and technical configurations of systems and applications against cyber risks, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

  1. 2-9-1 Cybersecurity requirements for backup and recovery management within the entity shall be identified, documented, and approved.
  2. 2-9-2 Cybersecurity requirements for backup and recovery management within the entity shall be implemented.
  3. 2-9-3 Cybersecurity requirements for backup and recovery management shall include the following as a minimum: 2.9.3.1 Scope of backups to cover critical technology and information assets. 2.9.3.2 Ability to perform quick recovery of data and systems after cybersecurity incidents. 2.9.3.3 Periodic testing for the effectiveness of backup recovery.
  4. 2-9-4 The implementation of cybersecurity requirements for backup and recovery management within the entity shall be periodically reviewed.
Defence 2-10

Vulnerability Management

What it is

Continuously finding technical weaknesses and fixing them before attackers can exploit them.

Why you need it

Most attacks use known, unpatched weaknesses. Closing them quickly removes the easy routes in.

How to establish it

Scan for regularly, rate them by severity, fix them in priority order, manage (testing first), and subscribe to trusted vulnerability feeds.

The controls: what to implement 4
  1. Policy 2-10-1

    Put a in place; write the rules for management and get leadership to formally approve them.

  2. Implement 2-10-2

    Turn the into practice; apply the management rules across the organisation (configure systems, follow ).

  3. Requirements 2-10-3

    At a minimum: assess for regularly; rate them by severity; fix them based on severity and ; manage (testing them in a non-production environment first); and subscribe to trusted vulnerability sources.

  4. Review 2-10-4

    On a regular schedule, check (an ) that management is still being done and is working.

Show the official ECC wording

Objective. To ensure timely detection and effective remediation of technical vulnerabilities to prevent or minimize the probability of exploitation of these vulnerabilities by cyber-attacks and to reduce any impacts on the entity's business.

  1. 2-10-1 Cybersecurity requirements for technical vulnerabilities management within the entity shall be identified, documented, and approved.
  2. 2-10-2 Cybersecurity requirements for technical vulnerabilities management within the entity shall be implemented.
  3. 2-10-3 Cybersecurity requirements for technical vulnerabilities management shall include the following as a minimum: 2.10.3.1 Periodic vulnerabilities assessment and detection. 2.10.3.2 Vulnerabilities classification based on their severities. 2.10.3.3 Vulnerabilities remediation based on their classification and the associated cyber risks. 2.10.3.4 Patch management to remediate vulnerabilities, and ensuring the integrity and effectiveness of these updates and fixes are verified using a non-production environment before being applied. 2.10.3.5 Communication and subscription with trusted resources for new and up-to-date vulnerabilities.
  4. 2-10-4 The implementation of cybersecurity requirements for technical vulnerabilities management within the entity shall be periodically reviewed.
Defence 2-11

Penetration Testing

What it is

Periodically hiring experts to safely attack your systems like a real hacker, to find gaps the scanners miss.

Why you need it

Automated scans miss what a creative attacker would find. A shows what could really be broken into.

How to establish it

Define a testing covering all internet-facing services (sites, apps, email, ) and run penetration tests on a regular schedule.

The controls: what to implement 4
  1. Policy 2-11-1

    Put a in place; write the rules for and get leadership to formally approve them.

  2. Implement 2-11-2

    Turn the into practice; apply the rules across the organisation (configure systems, follow ).

  3. Requirements 2-11-3

    At a minimum: penetration tests to cover all internet-facing services and their components (infrastructure, websites, web and mobile apps, email, ); and run the tests periodically.

  4. Review 2-11-4

    On a regular schedule, check (an ) that is still being done and is working.

Show the official ECC wording

Objective. To assess and test the efficiency of the entity's cybersecurity defense capabilities through simulation of actual cyber-attack methods and technologies to discover unknown weaknesses that may lead to cyber penetration of the entity, as per the relevant legislative and regulatory requirements.

  1. 2-11-1 Cybersecurity requirements for penetration testing within the entity shall be identified, documented, and approved.
  2. 2-11-2 Cybersecurity requirements for penetration testing within the entity shall be implemented.
  3. 2-11-3 Cybersecurity requirements for penetration testing shall include the following as a minimum: 2.11.3.1 Scope of penetration testing to include all externally provided services (via the Internet) and their technical components, including infrastructure, websites, web applications, smartphone and tablet applications, email, and remote access. 2.11.3.2 Conducting penetration tests periodically.
  4. 2-11-4 The implementation of cybersecurity requirements for penetration testing shall be periodically reviewed.
Defence 2-12

Event Logs and Monitoring Management

What it is

Recording what systems do, and watching those , so suspicious activity is actually noticed.

Why you need it

If nobody is watching, an intruder can operate undetected for months. is how you catch them early.

How to establish it

Turn on for critical and /, collect logs centrally (a SIEM), monitor them continuously, and keep logs for at least 12 months.

The controls: what to implement 4
  1. Policy 2-12-1

    Put a in place; write the rules for and monitoring management and get leadership to formally approve them.

  2. Implement 2-12-2

    Turn the into practice; apply the and monitoring management rules across the organisation (configure systems, follow ).

  3. Requirements 2-12-3

    At a minimum: enable for critical and for /; use a SIEM to collect logs; monitor logs continuously; and keep logs for at least 12 months.

  4. Review 2-12-4

    On a regular schedule, check (an ) that and monitoring management is still being done and is working.

Show the official ECC wording

Objective. To ensure timely collection, analysis, and monitoring of cybersecurity event logs for proactive detection and effective management of cyber-attacks to prevent or minimize negative impacts on the entity's business.

  1. 2-12-1 Cybersecurity requirements for cybersecurity event logs and monitoring management within the entity shall be identified, documented, and approved.
  2. 2-12-2 Cybersecurity requirements for cybersecurity event logs and monitoring management within the entity shall be implemented.
  3. 2-12-3 Cybersecurity requirements for cybersecurity event logs and monitoring management shall include the following as a minimum: 2.12.3.1 Activation of cybersecurity event logs for critical information assets within the entity. 2.12.3.2 Activation of cybersecurity event logs for critical and privileged accounts accessing information assets as well as for remote access events within the entity. 2.12.3.3 Identification of Security Information and Event Management (SIEM) techniques required for cybersecurity event logs collection. 2.12.3.4 Continuous monitoring of cybersecurity event logs. 2.12.3.5 Retention period of cybersecurity event logs (shall be at least 12 months).
  4. 2-12-4 The implementation of cybersecurity requirements for cybersecurity event logs and monitoring management within the entity shall be periodically reviewed.
Defence 2-13

Incident and Threat Management

What it is

A defined way to detect, respond to, report, and learn from cyber and .

Why you need it

are inevitable. A practised plan turns a crisis into a managed event and limits the damage.

How to establish it

Prepare response and plans, , report them to the and share information, and use to stay ahead.

The controls: what to implement 4
  1. Policy 2-13-1

    Put a in place; write the rules for and management and get leadership to formally approve them.

  2. Implement 2-13-2

    Turn the into practice; apply the and management rules across the organisation (configure systems, follow ).

  3. Requirements 2-13-3

    At a minimum: have response and plans; incidents; report incidents to the ; share incident notifications and with the NCA; and collect and use -intelligence feeds.

  4. Review 2-13-4

    On a regular schedule, check (an ) that and management is still being done and is working.

Show the official ECC wording

Objective. To ensure timely identification, detection, and effective management of cybersecurity incidents and proactive response to cybersecurity threats to prevent or minimize impacts on the entity's business, as per High Order No. 37140, dated 14/08/1438H.

  1. 2-13-1 Requirements for cybersecurity incident and threat management within the entity shall be identified, documented, and approved.
  2. 2-13-2 Requirements for cybersecurity incident and threat management within the entity shall be implemented.
  3. 2-13-3 Requirements for cybersecurity incident and threat management shall include the following as a minimum: 2.13.3.1 Cybersecurity incident response plans and escalation procedures. 2.13.3.2 Cybersecurity incident classification. 2.13.3.3 Reporting cybersecurity incidents to the NCA. 2.13.3.4 Sharing cybersecurity incident notifications, threat intelligence, penetration indicators, and incident reports with the NCA. 2.13.3.5 Collecting and handling threat intelligence feeds.
  4. 2-13-4 The implementation of cybersecurity requirements for incident and threat management within the entity shall be periodically reviewed.
Defence 2-14

Physical Security

What it is

Stopping unauthorised people from physically reaching sensitive systems and facilities.

Why you need it

Cyber defences do not matter if someone can walk up to a server, steal a disk, or read printed records.

How to establish it

Restrict access to critical areas (data centre, site, network rooms), use and access , protect those logs, and securely destroy or reuse media and equipment.

The controls: what to implement 4
  1. Policy 2-14-1

    Put a in place; write the rules for physical security and get leadership to formally approve them.

  2. Implement 2-14-2

    Turn the into practice; apply the physical security rules across the organisation (configure systems, follow ).

  3. Requirements 2-14-3

    At a minimum: authorise access to critical areas (data centre, site, network rooms); keep and access ; protect those logs; securely destroy or reuse media holding data; and secure equipment inside and outside facilities.

  4. Review 2-14-4

    On a regular schedule, check (an ) that physical security is still being done and is working.

Show the official ECC wording

Objective. To ensure the protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage.

  1. 2-14-1 Cybersecurity requirements for protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage shall be identified, documented, and approved.
  2. 2-14-2 Cybersecurity requirements for protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage shall be implemented.
  3. 2-14-3 Cybersecurity requirements for protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage shall include the following as a minimum: 2.14.3.1 Authorized access to critical areas within the entity (e.g. the entity's data center, disaster recovery center, critical information processing facilities, security surveillance center, network connection rooms, technical device and equipment supply areas, etc.). 2.14.3.2 Access and monitoring logs (CCTV). 2.14.3.3 Protection of access and monitoring log information. 2.14.3.4 Security of the destruction and re-use of physical assets that hold classified information (including paper documents and storage media). 2.14.3.5 Security of devices and equipment inside and outside the entity's facilities.
  4. 2-14-4 Cybersecurity requirements for protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage shall be periodically reviewed.
Defence 2-15

Web Application Security

What it is

Protecting your public-facing websites and web applications throughout their life.

Why you need it

Web apps are exposed to the whole internet, which makes them a favourite target ; a flaw here is directly reachable by attackers.

How to establish it

Use a , a design, secure protocols like , a clear usage , and strong user .

The controls: what to implement 4
  1. Policy 2-15-1

    Put a in place; write the rules for web application security and get leadership to formally approve them.

  2. Implement 2-15-2

    Turn the into practice; apply the web application security rules across the organisation (configure systems, follow ).

  3. Requirements 2-15-3

    At a minimum: use a ; adopt a ; use secure protocols like ; publish a secure-usage for users; and require suitable user .

  4. Review 2-15-4

    On a regular schedule, check (an ) that web application security is still being done and is working.

Show the official ECC wording

Objective. To ensure the protection of external web applications of the entity against cyber risks.

  1. 2-15-1 Cybersecurity requirements for protection of external web applications of the entity shall be identified, documented, and approved.
  2. 2-15-2 Cybersecurity requirements for protection of external web applications of the entity shall be implemented.
  3. 2-15-3 Cybersecurity requirements for protection of external web applications of the entity shall include the following as a minimum: 2.15.3.1 Use of web application firewall. 2.15.3.2 Adoption of the multi-tier architecture principle. 2.15.3.3 Use of secure protocols (e.g. HTTPS). 2.15.3.4 Clarification of the secure usage policy for users. 2.15.3.5 User authentication, and the suitable authentication factors and their numbers as well as the authentication techniques shall be defined based on the result of impact assessment of authentication failure and bypass for users' access.
  4. 2-15-4 Cybersecurity requirements for protection of web applications of the entity shall be periodically reviewed. Cybersecurity Resilience
Domain 3

Resilience

1 Subdomains
4 Controls
3/4 Domain
What it is

is the ability to keep services running, and recover quickly, when something goes wrong.

Its role in ECC

In , Domain 3 embeds cybersecurity into ; a cyber is treated as a continuity event, so plans, and the security themselves, survive disruption.

What's inside 1
Resilience 3-1

Resilience Aspects of Business Continuity Management (BCM)

What it is

Making cybersecurity a built-in part of , so services ; and the security themselves ; survive a disruption.

Why you need it

A cyber attack can take the business down. If continuity planning ignores cyber, recovery plans fail exactly when you need them.

How to establish it

Ensure cybersecurity systems keep running during disruption, build cyber- response into continuity plans, and develop and test plans.

The controls: what to implement 4
  1. Policy 3-1-1

    Put a in place; write the rules for aspects of and get leadership to formally approve them.

  2. Implement 3-1-2

    Turn the into practice; apply the aspects of rules across the organisation (configure systems, follow ).

  3. Requirements 3-1-3

    At a minimum: keep cybersecurity systems and running during disruption; build response plans for cyber that could hit ; and develop plans.

  4. Review 3-1-4

    On a regular schedule, check (an ) that aspects of is still being done and is working.

Show the official ECC wording

Objective. To ensure the inclusion of cybersecurity resilience requirements in the entity's business continuity management and remediate and minimize the impacts of disruptions on the entity's critical e-services and information processing systems and facilities caused by cyber risks.

  1. 3-1-1 Cybersecurity requirements for business continuity management within the entity shall be identified, documented, and approved.
  2. 3-1-2 Cybersecurity requirements for business continuity management within the entity shall be implemented.
  3. 3-1-3 Cybersecurity requirements for business continuity management within the entity shall include the following as a minimum: 3.1.3.1 Ensuring the continuity of cybersecurity systems and procedures. 3.1.3.2 Developing plans for response to cybersecurity incidents that may affect the entity's business continuity. 3.1.3.3 Developing disaster recovery plans.
  4. 3-1-4 Cybersecurity requirements for business continuity management within the entity shall be periodically reviewed. Third-Party and Cloud Computing Cybersecurity
Domain 4

Third-party & cloud

2 Subdomains
8 Controls
4/4 Domain
What it is

and security is about managing the you take on when other people run, host, or touch your systems and data.

Its role in ECC

In , Domain 4 requires vetting and setting cybersecurity requirements before contracts are signed, and adds -specific rules; most notably keeping regulated data hosted inside the Kingdom.

What's inside 2
Third-party & cloud 4-1

Third-Party Cybersecurity

What it is

Setting and enforcing security requirements on the outside companies you rely on ; before and during the relationship.

Why you need it

Attackers often get in through a weaker . The you outsource is still your risk.

How to establish it

Put security and clauses in contracts, require -notification , assess before signing, and keep /managed-service centres with inside Saudi Arabia.

The controls: what to implement 4
  1. Policy 4-1-1

    Put a in place; write the rules for cybersecurity and get leadership to formally approve them.

  2. Requirements 4-1-2

    In contracts (e.g. SLAs), at a minimum: include and secure data-removal clauses for end of service; set -communication ; and require the third party to follow your security requirements and the law.

  3. Requirements 4-1-3

    For IT/cybersecurity or managed-service contracts, at a minimum: do a cyber and have mitigations in place before signing; and keep managed /operations centres that use fully inside Saudi Arabia.

  4. Review 4-1-4

    On a regular schedule, check (an ) that cybersecurity is still being done and is working.

Show the official ECC wording

Objective. To ensure the protection of the entity's assets against third-party cybersecurity risks (including Information Technology (IT) outsourcing, cybersecurity outsourcing, and managed services), as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

  1. 4-1-1 Cybersecurity requirements for the entity's contracts and agreements with third parties shall be identified, documented, and approved.
  2. 4-1-2 Cybersecurity requirements for contracts and agreements with third parties, e.g. Service Level Agreement (SLA), which, if impaired, may affect the entity's data or services shall include the following as a minimum: 4.1.2.1 Clauses of non-disclosure and the secure removal of the entity's data by the third party upon the end of service. 4.1.2.2 Communication procedures in case of the occurrence of a cybersecurity incident. 4.1.2.3 Obligating the third party to apply the entity's cybersecurity requirements and policies and the relevant legislative and regulatory requirements.
  3. 4-1-3 Cybersecurity requirements for contracts and agreements with third parties providing IT or cybersecurity outsourcing or managed services shall include the following as a minimum: 4.1.3.1 Conducting a cybersecurity risk assessment and ensuring the availability of risk mitigation controls before signing contracts and agreements or upon making changes to the relevant legislative and regulatory requirements. 4.1.3.2 Cybersecurity managed service centers for monitoring and operations which use remote access shall be fully located in the Kingdom of Saudi Arabia.
  4. 4-1-4 Cybersecurity requirements for third parties shall be periodically reviewed.
Third-party & cloud 4-2

Cloud Computing and Hosting Cybersecurity

What it is

Extra cybersecurity rules for when you use or hosting services ; including where your data is allowed to live.

Why you need it

In the you share infrastructure and hand data to a provider, yet you stay responsible for protecting it and keeping it in the right place.

How to establish it

Apply the other domains' to use too, make providers protect and return your data per its , keep regulated/government data hosted inside the Kingdom, and ensure your environment is separated from other .

The controls: what to implement 4
  1. Policy 4-2-1

    Put a in place; write the rules for and hosting cybersecurity and get leadership to formally approve them.

  2. Implement 4-2-2

    Turn the into practice; apply the and hosting cybersecurity rules across the organisation (configure systems, follow ).

  3. Requirements 4-2-3

    On top of the from Domains 1-3 and 4-1, at a minimum: providers must protect your data per its and return it in a usable format when service ends; and your environment (especially ) must be separated from other customers.

  4. Review 4-2-4

    On a regular schedule, check (an ) that and hosting cybersecurity is still being done and is working.

Show the official ECC wording

Objective. To ensure proper and efficient remediation of cyber risks and implementation of cybersecurity requirements for cloud computing and hosting, as per the entity's regulatory policies and procedures, relevant legislative and regulatory requirements, orders, and decisions, and to ensure the protection of the entity's information and technology assets on cloud computing services hosted, processed, or managed by third parties.

  1. 4-2-1 Cybersecurity requirements for use of cloud computing and hosting services shall be identified, documented, and approved.
  2. 4-2-2 Cybersecurity requirements for the cloud computing and hosting services within the entity shall be implemented.
  3. 4-2-3 In accordance with the relevant legislative and regulatory requirements, and in addition to the applicable controls in the Main Domains (1), (2), and (3) and Subdomain (4.1) that are necessary to protect the entity's data or services provided thereto, cybersecurity requirements for use of cloud computing and hosting services shall include the following as a minimum: 4.2.3.1 Protection of entity's data by cloud and hosting service providers in accordance with its classification level and returning data (in a usable format) upon service completion. 4.2.3.2 Separation of the entity's environment (especially virtual servers) from environments of other entities within the cloud computing service provider.
  4. 4-2-4 Cybersecurity requirements for cloud computing and hosting services shall be periodically reviewed.

Read it as concepts

Prefer prose? Start with the overview, then work domain by domain.