NCA ECC core Updated 2026-06-19

Cybersecurity Defence (Domain 2)

Domain 2: fifteen defensive subdomains protecting assets, identities, data, networks and applications.

#defence#access-control#cryptography#monitoring
2 Cybersecurity Defence tap to learn what this means 15 subdomains · 61 controls

Defence is the set of hands-on technical safeguards that actually protect systems and data day to day.

In ECCIn , Domain 2 is the largest; 15 subdomains spanning the full protect, detect and respond cycle, from knowing your to handling . Each should map back to a identified in .

How do controls actually work?

A control is just a safeguard that lowers a risk. You reduce risk by putting the right set of controls in place, and almost every ECC control follows the same three steps:

  1. Policy Write the rule down and get leadership to approve it. This is the foundation, nearly everything starts here.
  2. Implement Put it into practice: the secure configuration, technical settings and standards that enforce the rule.
  3. Review Check on a schedule (an audit) that it is actually done and working, and fix what is not.

A policy with no implementation is just paper; implementation with no review quietly rots. Each control below is tagged with the step it belongs to.

  1. 2-1 Asset Management 6
    What it is

    Keeping an accurate of all your hardware, software, and data ; each with an owner and a sensitivity label.

    Why you need it

    You cannot protect what you do not know you have. Unknown are unguarded doors.

    How to establish it

    Build and maintain an , set an , and , label, and handle according to their sensitivity.

    The controls, what to implement 6
    1. Policy 2-1-1

      Put a in place; write the rules for management and get leadership to formally approve them.

    2. Implement 2-1-2

      Turn the into practice; apply the management rules across the organisation (configure systems, follow ).

    3. Control 2-1-3

      Define, approve, and communicate an for the organisation's IT .

    4. Implement 2-1-4

      Turn the into practice; apply the management rules across the organisation (configure systems, follow ).

    5. Control 2-1-5

      , label, and handle according to the laws and regulations that apply.

    6. Review 2-1-6

      On a regular schedule, check (an ) that management is still being done and is working.

    Show the official ECC wording

    Objective. To ensure that the entity has an accurate and updated inventory of assets, including details of all information and technology assets of the entity, in order to support the entity's operations and cybersecurity requirements to maintain the confidentiality, integrity, accuracy, and availability of information and technology assets of the entity.

    1. 2-1-1 Cybersecurity requirements for managing information and technology assets of the entity shall be identified, documented, and approved.
    2. 2-1-2 Cybersecurity requirements for managing information and technology assets of the entity shall be implemented.
    3. 2-1-3 The policy of acceptable use of information and technology assets of the entity shall be identified, documented, approved, and communicated.
    4. 2-1-4 The policy of acceptable use of information and technology assets of the entity shall be implemented.
    5. 2-1-5 Information and technology assets of the entity shall be classified, labeled, and handled as per the relevant legislative and regulatory requirements.
    6. 2-1-6 Cybersecurity requirements for managing information and technology assets of the entity shall be periodically reviewed.
  2. 2-2 Identity and Access Management 4
    What it is

    Making sure only the right people and systems get access ; verified ; and only to what they actually need.

    Why you need it

    Most breaches abuse legitimate access. Tight limits how far an attacker, or a simple mistake, can reach.

    How to establish it

    Require strong sign-in ( for remote and ), grant access on and , manage privileged accounts carefully, and review access rights regularly.

    The controls, what to implement 4
    1. Policy 2-2-1

      Put a in place; write the rules for and get leadership to formally approve them.

    2. Implement 2-2-2

      Turn the into practice; apply the rules across the organisation (configure systems, follow ).

    3. Requirements 2-2-3

      At a minimum cover: username/password sign-in; for remote and (sized to the ); access based on , , and ; privileged-; and periodic review of identities and access rights.

    4. Review 2-2-4

      On a regular schedule, check (an ) that is still being done and is working.

    Show the official ECC wording

    Objective. To ensure protecting cybersecurity of logical access to information and technology assets of the entity, in order to prevent unauthorized access and restrict access to the extent necessary for accomplishment of the assigned tasks of the entity.

    1. 2-2-1 Cybersecurity requirements for identity and access management of the entity shall be identified, documented, and approved.
    2. 2-2-2 Cybersecurity requirements for identity and access management of the entity shall be implemented.
    3. 2-2-3 Cybersecurity requirements for identity and access management of the entity shall include the following as a minimum: 2.2.3.1 Single-factor authentication based on username and password. Cybersecurity Defense 2 2.2.3.2 Multi-factor authentication, and defining the suitable authentication factors and their numbers as well as the suitable authentication techniques based on the result of impact assessment of authentication failure and bypass for remote access and for privileged accounts. 2.2.3.3 User authorization based on identity and access control principles (Need-to-Know and Need-to-Use principle, Least Privilege principle, and Segregation of Duties principle). 2.2.3.4 Privileged access management. 2.2.3.5 Periodic review of identities and access rights.
    4. 2-2-4 The implementation of cybersecurity requirements for identity and access management of the entity shall be periodically reviewed.
  3. 2-3 Information Systems and Information Processing Facilities Protection 4
    What it is

    the servers, workstations, and facilities that store and process your data.

    Why you need it

    These systems are where the valuable data lives; a weak server or an unmanaged USB port is an easy way in.

    How to establish it

    Use up-to-date , tightly restrict external storage media, systems and applications, and synchronise clocks to a trusted source.

    The controls, what to implement 4
    1. Policy 2-3-1

      Put a in place; write the rules for information systems and information processing facilities protection and get leadership to formally approve them.

    2. Implement 2-3-2

      Turn the into practice; apply the information systems and information processing facilities protection rules across the organisation (configure systems, follow ).

    3. Requirements 2-3-3

      At a minimum: protect workstations and servers from and malware with modern tools; tightly restrict external storage media; manage ; and keep clocks synchronised to a trusted source (e.g. ).

    4. Review 2-3-4

      On a regular schedule, check (an ) that information systems and information processing facilities protection is still being done and is working.

    Show the official ECC wording

    Objective. To ensure the protection of information systems and processing facilities, including workstations and infrastructures of the entity, against cyber risks.

    1. 2-3-1 Cybersecurity requirements for protection of information system and processing facilities of the entity shall be identified, documented, and approved.
    2. 2-3-2 Cybersecurity requirements for protection of information systems and processing facilities of the entity shall be implemented.
    3. 2-3-3 Cybersecurity requirements for protection of information systems and processing facilities of the entity shall include the following as a minimum: 2.3.3.1 Protection from viruses, suspicious programs and activities, and malware on workstations and servers, using modern and advanced protection technologies and mechanisms, and securely managing them. 2.3.3.2 Strict restriction on the use of external storage media and their security. 2.3.3.3 Patch management for systems, applications, and devices. 2.3.3.4 Centralized clock synchronization with an accurate and trusted source, such as sources provided by the Saudi Standards, Metrology and Quality Organization (SASO).
    4. 2-3-4 The implementation of cybersecurity requirements for protection of the information system and processing facilities of the entity shall be periodically reviewed.
  4. 2-4 Email Protection 4
    What it is

    Securing the email service against , , and data leaks.

    Why you need it

    Email is the number-one way attackers get in ; a single convincing message can start a breach.

    How to establish it

    Filter and , require for remote/webmail access, archive and back up email, defend against advanced , and validate your domains with , DKIM, and DMARC.

    The controls, what to implement 4
    1. Policy 2-4-1

      Put a in place; write the rules for email protection and get leadership to formally approve them.

    2. Implement 2-4-2

      Turn the into practice; apply the email protection rules across the organisation (configure systems, follow ).

    3. Requirements 2-4-3

      At a minimum: filter and ; require for remote/webmail access; archive and back up email; defend against advanced () ; and validate your email domains with , DKIM, and DMARC.

    4. Review 2-4-4

      On a regular schedule, check (an ) that email protection is still being done and is working.

    Show the official ECC wording

    Objective. To ensure the protection of the entity's email service against cyber risks.

    1. 2-4-1 Cybersecurity requirements for protection of the email service of the entity shall be identified, documented, and approved.
    2. 2-4-2 Cybersecurity requirements for protection of email service of the entity shall be implemented.
    3. 2-4-3 Cybersecurity requirements for protection of the email service of the entity shall include the following as a minimum: 2.4.3.1 Analyzing and filtering email messages (specifically phishing emails and spam emails) using modern and advanced email protection techniques and mechanisms. 2.4.3.2 Multi-factor authentication, and defining the suitable authentication factors and their numbers as well as the suitable authentication techniques based on the result of impact assessment of authentication failure and bypass for remote and webmail access. 2.4.3.3 Email archiving and backup. 2.4.3.4 Secure management and protection against Advanced Persistent Threats (APT), which normally utilize zero-day malware and viruses. 2.4.3.5 Validation of the entity's email service domains by using Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain Message Authentication Reporting and Conformance (DMARC).
    4. 2-4-4 The implementation of cybersecurity requirements for email service of the entity shall be periodically reviewed .
  5. 2-5 Network Security Management 4
    What it is

    Designing and defending the network so attackers cannot roam freely once they are inside.

    Why you need it

    A flat, open network lets one compromised device expose everything. Good network security contains the damage.

    How to establish it

    and isolate the network with firewalls, separate production from test/dev, secure browsing and wireless, restrict ports and services, and add protections like , security, and defence.

    The controls, what to implement 4
    1. Policy 2-5-1

      Put a in place; write the rules for network security management and get leadership to formally approve them.

    2. Implement 2-5-2

      Turn the into practice; apply the network security management rules across the organisation (configure systems, follow ).

    3. Requirements 2-5-3

      At a minimum: and isolate the network with firewalls and ; separate production from test/dev; secure browsing and internet access; secure wireless; restrict ports, protocols, and services; and add , security, protection, and defence.

    4. Review 2-5-4

      On a regular schedule, check (an ) that network security management is still being done and is working.

    Show the official ECC wording

    Objective. To ensure the protection of entity's networks against cyber risks.

    1. 2-5-1 Cybersecurity requirements for the entity's network security management shall be identified, documented, and approved.
    2. 2-5-2 Cybersecurity requirements for the entity's network security management shall be implemented.
    3. 2-5-3 Cybersecurity requirements for the entity's network security management shall include the following as a minimum: 2.5.3.1 Logical or physical isolation and segmentation of network segments in a secure manner which is required to control relevant cybersecurity risks, using firewall and defense-in-depth principle. 2.5.3.2 Isolation of production network from testing and development environment networks. 2.5.3.3 Secure browsing and internet connectivity, including strict restrictions on suspicious websites, file storage/sharing websites, and remote access websites. 2.5.3.4 Wireless network security and protection using secure authentication and encryption techniques and avoiding the connection of wireless networks to the entity's internal network, except after a comprehensive assessment of subsequent risks, with handling them in a way that protects the technology assets of the entity. 2.5.3.5 Restricting and managing network services, protocols, and ports. 2.5.3.6 Intrusion Prevention Systems (IPS). 2.5.3.7 Security of Domain Name Service (DNS). 2.5.3.8 Secure management and protection of Internet browsing channel against Advanced Persistent Threats (APT), which normally utilize zero-day malware and viruses. 2-5-3-9 Protecting against Distributed Denial of Service (DDoS) attacks to limit risks arising from these attacks.
    4. 2-5-4 The implementation of cybersecurity requirements for the entity's network security management shall be periodically reviewed.
  6. 2-6 Mobile Devices Security 4
    What it is

    Protecting laptops, phones, and personal () devices ; and the organisation's data on them.

    Why you need it

    Mobile devices leave the building and get lost or stolen, taking your data with them if it is not protected.

    How to establish it

    Separate and organisation data on devices, restrict use to business needs, be able to wipe data on loss or when someone leaves, and make users aware of the .

    The controls, what to implement 4
    1. Policy 2-6-1

      Put a in place; write the rules for mobile devices security and get leadership to formally approve them.

    2. Implement 2-6-2

      Turn the into practice; apply the mobile devices security rules across the organisation (configure systems, follow ).

    3. Requirements 2-6-3

      At a minimum: separate and organisation data on mobile and devices; restrict their use to business needs; be able to wipe organisation data if a device is lost or someone leaves; and raise user awareness.

    4. Review 2-6-4

      On a regular schedule, check (an ) that mobile devices security is still being done and is working.

    Show the official ECC wording

    Objective. To ensure the protection of the entity's mobile devices (including laptops, smartphones, and tablets) against cyber risks, and ensure secure handling of the entity's sensitive information and business information and protecting them during transfer and storage while using the devices of personnel of the entity (Bring Your Own Device "BYOD" policy).

    1. 2-6-1 Cybersecurity requirements for mobile devices and BYOD security when connected to the entity's network shall be identified, documented, and approved.
    2. 2-6-2 Cybersecurity requirements for mobile devices and BYOD security of the entity shall be implemented.
    3. 2-6-3 Cybersecurity requirements for mobile devices and BYOD security of the entity shall include the following as a minimum: 2.6.3.1 Separation and encryption of the entity's data and information stored on mobile devices and BYODs. 2.6.3.2 Controlled and restricted use based on the requirements of the interest of the entity's business. 2.6.3.3 Deletion of the entity's data and information stored on mobile devices and BYOD in cases of device loss or after the ending/termination of employment with the entity. 2.6.3.4 Security awareness for users.
    4. 2-6-4 The implementation of cybersecurity requirements for mobile devices and BYOD security of the entity shall be periodically reviewed.
  7. 2-7 Data and Information Protection 3
    What it is

    Protecting the data itself according to how sensitive it is, wherever it is stored or sent.

    Why you need it

    Data is usually the real target. Protecting it directly limits the harm even when other defences fail.

    How to establish it

    Set a data-protection keyed to your , put it into practice everywhere data lives, and keep it under review.

    The controls, what to implement 3
    1. Policy 2-7-1

      Put a in place; write the rules for data and information protection and get leadership to formally approve them.

    2. Implement 2-7-2

      Turn the into practice; apply the data and information protection rules across the organisation (configure systems, follow ).

    3. Review 2-7-3

      On a regular schedule, check (an ) that data and information protection is still being done and is working.

    Show the official ECC wording

    Objective. To ensure confidentiality, integrity, accuracy, and availability of the entity's data and information, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements

    1. 2-7-1 Cybersecurity requirements for protecting and handling data and information of the entity shall be identified, documented, and approved, as per the relevant legislative and regulatory requirements.
    2. 2-7-2 Cybersecurity requirements for protecting data and information of the entity shall be implemented, based on its classification level.
    3. 2-7-3 The implementation of cybersecurity requirements for protecting data and information of the entity shall be periodically reviewed.
  8. 2-8 Cryptography 4
    What it is

    Using approved to protect data ; both stored and in transit ; with proper management of the keys.

    Why you need it

    is the safety net: even if data is stolen, it is unreadable without the keys.

    How to establish it

    Adopt an approved (approved algorithms and ), implement it for data at rest and in transit, and review it periodically.

    The controls, what to implement 4
    1. Policy 2-8-1

      Put a in place; write the rules for and get leadership to formally approve them.

    2. Implement 2-8-2

      Turn the into practice; apply the rules across the organisation (configure systems, follow ).

    3. Requirements 2-8-3

      At a minimum, follow the 's National , and apply the right level of for how sensitive the data is.

    4. Review 2-8-4

      On a regular schedule, check (an ) that is still being done and is working.

    Show the official ECC wording

    Objective. To ensure the proper and efficient use of cryptography to protect electronic information assets of the entity, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

    1. 2-8-1 Cybersecurity requirements for cryptography within the entity shall be identified, documented, and approved.
    2. 2-8-2 Cybersecurity requirements for cryptography within the entity shall be implemented.
    3. 2-8-3 Cybersecurity requirements for cryptography shall include at least the requirements in the National Cryptographic Standards, published by NCA. The appropriate cryptographic standard level shall be implemented based on the nature and sensitivity of the data, systems, and networks to be protected as well as the entity's risk assessment, and as per the relevant legislative and regulatory requirements, as follows: 2.8.3.1 Approved cryptographic systems and solutions standards and their technical and regulatory restrictions. 2.8.3.2 Secure management of cryptographic keys during their lifecycles. 2.8.3.3 Encryption of data in-transit and at-rest, as per their classification and the relevant legislative and regulatory requirements.
    4. 2-8-4 The implementation of cybersecurity requirements for cryptography within the entity shall be periodically reviewed.
  9. 2-9 Backup and Recovery Management 4
    What it is

    Taking reliable, tested copies of data so you can restore it after loss, corruption, or .

    Why you need it

    When systems are wiped or by attackers, good are often the only way back ; if they actually work.

    How to establish it

    Back up critical systems and data, make sure you can recover quickly, and test recovery regularly so you know it works.

    The controls, what to implement 4
    1. Policy 2-9-1

      Put a in place; write the rules for management and get leadership to formally approve them.

    2. Implement 2-9-2

      Turn the into practice; apply the management rules across the organisation (configure systems, follow ).

    3. Requirements 2-9-3

      At a minimum: back up critical ; be able to recover data and systems quickly after an ; and test recovery periodically.

    4. Review 2-9-4

      On a regular schedule, check (an ) that management is still being done and is working.

    Show the official ECC wording

    Objective. To ensure the protection of the entity's data, information, and technical configurations of systems and applications against cyber risks, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

    1. 2-9-1 Cybersecurity requirements for backup and recovery management within the entity shall be identified, documented, and approved.
    2. 2-9-2 Cybersecurity requirements for backup and recovery management within the entity shall be implemented.
    3. 2-9-3 Cybersecurity requirements for backup and recovery management shall include the following as a minimum: 2.9.3.1 Scope of backups to cover critical technology and information assets. 2.9.3.2 Ability to perform quick recovery of data and systems after cybersecurity incidents. 2.9.3.3 Periodic testing for the effectiveness of backup recovery.
    4. 2-9-4 The implementation of cybersecurity requirements for backup and recovery management within the entity shall be periodically reviewed.
  10. 2-10 Vulnerability Management 4
    What it is

    Continuously finding technical weaknesses and fixing them before attackers can exploit them.

    Why you need it

    Most attacks use known, unpatched weaknesses. Closing them quickly removes the easy routes in.

    How to establish it

    Scan for regularly, rate them by severity, fix them in priority order, manage (testing first), and subscribe to trusted vulnerability feeds.

    The controls, what to implement 4
    1. Policy 2-10-1

      Put a in place; write the rules for management and get leadership to formally approve them.

    2. Implement 2-10-2

      Turn the into practice; apply the management rules across the organisation (configure systems, follow ).

    3. Requirements 2-10-3

      At a minimum: assess for regularly; rate them by severity; fix them based on severity and ; manage (testing them in a non-production environment first); and subscribe to trusted vulnerability sources.

    4. Review 2-10-4

      On a regular schedule, check (an ) that management is still being done and is working.

    Show the official ECC wording

    Objective. To ensure timely detection and effective remediation of technical vulnerabilities to prevent or minimize the probability of exploitation of these vulnerabilities by cyber-attacks and to reduce any impacts on the entity's business.

    1. 2-10-1 Cybersecurity requirements for technical vulnerabilities management within the entity shall be identified, documented, and approved.
    2. 2-10-2 Cybersecurity requirements for technical vulnerabilities management within the entity shall be implemented.
    3. 2-10-3 Cybersecurity requirements for technical vulnerabilities management shall include the following as a minimum: 2.10.3.1 Periodic vulnerabilities assessment and detection. 2.10.3.2 Vulnerabilities classification based on their severities. 2.10.3.3 Vulnerabilities remediation based on their classification and the associated cyber risks. 2.10.3.4 Patch management to remediate vulnerabilities, and ensuring the integrity and effectiveness of these updates and fixes are verified using a non-production environment before being applied. 2.10.3.5 Communication and subscription with trusted resources for new and up-to-date vulnerabilities.
    4. 2-10-4 The implementation of cybersecurity requirements for technical vulnerabilities management within the entity shall be periodically reviewed.
  11. 2-11 Penetration Testing 4
    What it is

    Periodically hiring experts to safely attack your systems like a real hacker, to find gaps the scanners miss.

    Why you need it

    Automated scans miss what a creative attacker would find. A shows what could really be broken into.

    How to establish it

    Define a testing covering all internet-facing services (sites, apps, email, ) and run penetration tests on a regular schedule.

    The controls, what to implement 4
    1. Policy 2-11-1

      Put a in place; write the rules for and get leadership to formally approve them.

    2. Implement 2-11-2

      Turn the into practice; apply the rules across the organisation (configure systems, follow ).

    3. Requirements 2-11-3

      At a minimum: penetration tests to cover all internet-facing services and their components (infrastructure, websites, web and mobile apps, email, ); and run the tests periodically.

    4. Review 2-11-4

      On a regular schedule, check (an ) that is still being done and is working.

    Show the official ECC wording

    Objective. To assess and test the efficiency of the entity's cybersecurity defense capabilities through simulation of actual cyber-attack methods and technologies to discover unknown weaknesses that may lead to cyber penetration of the entity, as per the relevant legislative and regulatory requirements.

    1. 2-11-1 Cybersecurity requirements for penetration testing within the entity shall be identified, documented, and approved.
    2. 2-11-2 Cybersecurity requirements for penetration testing within the entity shall be implemented.
    3. 2-11-3 Cybersecurity requirements for penetration testing shall include the following as a minimum: 2.11.3.1 Scope of penetration testing to include all externally provided services (via the Internet) and their technical components, including infrastructure, websites, web applications, smartphone and tablet applications, email, and remote access. 2.11.3.2 Conducting penetration tests periodically.
    4. 2-11-4 The implementation of cybersecurity requirements for penetration testing shall be periodically reviewed.
  12. 2-12 Cybersecurity Event Logs and Monitoring Management 4
    What it is

    Recording what systems do, and watching those , so suspicious activity is actually noticed.

    Why you need it

    If nobody is watching, an intruder can operate undetected for months. is how you catch them early.

    How to establish it

    Turn on for critical and /, collect logs centrally (a SIEM), monitor them continuously, and keep logs for at least 12 months.

    The controls, what to implement 4
    1. Policy 2-12-1

      Put a in place; write the rules for and monitoring management and get leadership to formally approve them.

    2. Implement 2-12-2

      Turn the into practice; apply the and monitoring management rules across the organisation (configure systems, follow ).

    3. Requirements 2-12-3

      At a minimum: enable for critical and for /; use a SIEM to collect logs; monitor logs continuously; and keep logs for at least 12 months.

    4. Review 2-12-4

      On a regular schedule, check (an ) that and monitoring management is still being done and is working.

    Show the official ECC wording

    Objective. To ensure timely collection, analysis, and monitoring of cybersecurity event logs for proactive detection and effective management of cyber-attacks to prevent or minimize negative impacts on the entity's business.

    1. 2-12-1 Cybersecurity requirements for cybersecurity event logs and monitoring management within the entity shall be identified, documented, and approved.
    2. 2-12-2 Cybersecurity requirements for cybersecurity event logs and monitoring management within the entity shall be implemented.
    3. 2-12-3 Cybersecurity requirements for cybersecurity event logs and monitoring management shall include the following as a minimum: 2.12.3.1 Activation of cybersecurity event logs for critical information assets within the entity. 2.12.3.2 Activation of cybersecurity event logs for critical and privileged accounts accessing information assets as well as for remote access events within the entity. 2.12.3.3 Identification of Security Information and Event Management (SIEM) techniques required for cybersecurity event logs collection. 2.12.3.4 Continuous monitoring of cybersecurity event logs. 2.12.3.5 Retention period of cybersecurity event logs (shall be at least 12 months).
    4. 2-12-4 The implementation of cybersecurity requirements for cybersecurity event logs and monitoring management within the entity shall be periodically reviewed.
  13. 2-13 Cybersecurity Incident and Threat Management 4
    What it is

    A defined way to detect, respond to, report, and learn from cyber and .

    Why you need it

    are inevitable. A practised plan turns a crisis into a managed event and limits the damage.

    How to establish it

    Prepare response and plans, , report them to the and share information, and use to stay ahead.

    The controls, what to implement 4
    1. Policy 2-13-1

      Put a in place; write the rules for and management and get leadership to formally approve them.

    2. Implement 2-13-2

      Turn the into practice; apply the and management rules across the organisation (configure systems, follow ).

    3. Requirements 2-13-3

      At a minimum: have response and plans; incidents; report incidents to the ; share incident notifications and with the NCA; and collect and use -intelligence feeds.

    4. Review 2-13-4

      On a regular schedule, check (an ) that and management is still being done and is working.

    Show the official ECC wording

    Objective. To ensure timely identification, detection, and effective management of cybersecurity incidents and proactive response to cybersecurity threats to prevent or minimize impacts on the entity's business, as per High Order No. 37140, dated 14/08/1438H.

    1. 2-13-1 Requirements for cybersecurity incident and threat management within the entity shall be identified, documented, and approved.
    2. 2-13-2 Requirements for cybersecurity incident and threat management within the entity shall be implemented.
    3. 2-13-3 Requirements for cybersecurity incident and threat management shall include the following as a minimum: 2.13.3.1 Cybersecurity incident response plans and escalation procedures. 2.13.3.2 Cybersecurity incident classification. 2.13.3.3 Reporting cybersecurity incidents to the NCA. 2.13.3.4 Sharing cybersecurity incident notifications, threat intelligence, penetration indicators, and incident reports with the NCA. 2.13.3.5 Collecting and handling threat intelligence feeds.
    4. 2-13-4 The implementation of cybersecurity requirements for incident and threat management within the entity shall be periodically reviewed.
  14. 2-14 Physical Security 4
    What it is

    Stopping unauthorised people from physically reaching sensitive systems and facilities.

    Why you need it

    Cyber defences do not matter if someone can walk up to a server, steal a disk, or read printed records.

    How to establish it

    Restrict access to critical areas (data centre, site, network rooms), use and access , protect those logs, and securely destroy or reuse media and equipment.

    The controls, what to implement 4
    1. Policy 2-14-1

      Put a in place; write the rules for physical security and get leadership to formally approve them.

    2. Implement 2-14-2

      Turn the into practice; apply the physical security rules across the organisation (configure systems, follow ).

    3. Requirements 2-14-3

      At a minimum: authorise access to critical areas (data centre, site, network rooms); keep and access ; protect those logs; securely destroy or reuse media holding data; and secure equipment inside and outside facilities.

    4. Review 2-14-4

      On a regular schedule, check (an ) that physical security is still being done and is working.

    Show the official ECC wording

    Objective. To ensure the protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage.

    1. 2-14-1 Cybersecurity requirements for protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage shall be identified, documented, and approved.
    2. 2-14-2 Cybersecurity requirements for protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage shall be implemented.
    3. 2-14-3 Cybersecurity requirements for protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage shall include the following as a minimum: 2.14.3.1 Authorized access to critical areas within the entity (e.g. the entity's data center, disaster recovery center, critical information processing facilities, security surveillance center, network connection rooms, technical device and equipment supply areas, etc.). 2.14.3.2 Access and monitoring logs (CCTV). 2.14.3.3 Protection of access and monitoring log information. 2.14.3.4 Security of the destruction and re-use of physical assets that hold classified information (including paper documents and storage media). 2.14.3.5 Security of devices and equipment inside and outside the entity's facilities.
    4. 2-14-4 Cybersecurity requirements for protection of information and technology assets of the entity against unauthorized physical access, loss, theft, and damage shall be periodically reviewed.
  15. 2-15 Web Application Security 4
    What it is

    Protecting your public-facing websites and web applications throughout their life.

    Why you need it

    Web apps are exposed to the whole internet, which makes them a favourite target ; a flaw here is directly reachable by attackers.

    How to establish it

    Use a , a design, secure protocols like , a clear usage , and strong user .

    The controls, what to implement 4
    1. Policy 2-15-1

      Put a in place; write the rules for web application security and get leadership to formally approve them.

    2. Implement 2-15-2

      Turn the into practice; apply the web application security rules across the organisation (configure systems, follow ).

    3. Requirements 2-15-3

      At a minimum: use a ; adopt a ; use secure protocols like ; publish a secure-usage for users; and require suitable user .

    4. Review 2-15-4

      On a regular schedule, check (an ) that web application security is still being done and is working.

    Show the official ECC wording

    Objective. To ensure the protection of external web applications of the entity against cyber risks.

    1. 2-15-1 Cybersecurity requirements for protection of external web applications of the entity shall be identified, documented, and approved.
    2. 2-15-2 Cybersecurity requirements for protection of external web applications of the entity shall be implemented.
    3. 2-15-3 Cybersecurity requirements for protection of external web applications of the entity shall include the following as a minimum: 2.15.3.1 Use of web application firewall. 2.15.3.2 Adoption of the multi-tier architecture principle. 2.15.3.3 Use of secure protocols (e.g. HTTPS). 2.15.3.4 Clarification of the secure usage policy for users. 2.15.3.5 User authentication, and the suitable authentication factors and their numbers as well as the authentication techniques shall be defined based on the result of impact assessment of authentication failure and bypass for users' access.
    4. 2-15-4 Cybersecurity requirements for protection of web applications of the entity shall be periodically reviewed. Cybersecurity Resilience

Defence is the engine room, 15 of the 28 subdomains live here, all of the hands-on technical controls. It runs the full protect-detect-respond arc: know your assets (2-1), control who reaches them (2-2), protect the data on them (2-7, 2-8), watch for trouble (2-10 to 2-12), and react when it happens (2-13). Every control here should trace back to a risk identified in Governance 1-5.

Trap: 2-11 (Penetration Testing) and 2-12 (Logs and Monitoring) are distinct, recurring obligations, not a one-off pen test. ECC expects continuous monitoring and periodic testing, with findings fed back into vulnerability management (2-10).