NCA ECC core Updated 2026-06-19

Cybersecurity Governance (Domain 1)

Domain 1: the ten governance subdomains that set strategy, risk, roles, compliance and people controls.

#governance#risk#compliance#strategy
1 Cybersecurity Governance tap to learn what this means 10 subdomains · 35 controls

is how an organisation decides who is in charge of security, what the rules are, and how it proves those rules are being followed.

In ECCIn , Domain 1 is the foundation: a cybersecurity strategy, an independent cybersecurity function, documented , , and . Every technical in the other domains should trace back to a decision made here.

How do controls actually work?

A control is just a safeguard that lowers a risk. You reduce risk by putting the right set of controls in place, and almost every ECC control follows the same three steps:

  1. Policy Write the rule down and get leadership to approve it. This is the foundation, nearly everything starts here.
  2. Implement Put it into practice: the secure configuration, technical settings and standards that enforce the rule.
  3. Review Check on a schedule (an audit) that it is actually done and working, and fix what is not.

A policy with no implementation is just paper; implementation with no review quietly rots. Each control below is tagged with the step it belongs to.

  1. 1-1 Cybersecurity Strategy 3
    What it is

    A cybersecurity strategy is a simple, leadership-approved plan that says where the organisation wants to get to on security, and how it will get there.

    Why you need it

    Without a plan, security spending is random and reactive. A strategy lines security up with the organisation's goals and the law, so effort goes where it matters most.

    How to establish it

    Write down clear security goals and an action plan to reach them, get the head of the organisation to approve it, then revisit it on a schedule or whenever the rules change.

    The controls, what to implement 3
    1. Policy 1-1-1

      Write the organisation's cybersecurity strategy, get the head of the organisation to approve and back it, and make sure its goals line up with the law.

    2. Control 1-1-2

      Do not just write the strategy ; carry out an action plan to actually deliver it.

    3. Review 1-1-3

      On a regular schedule, check (an ) that strategy is still being done and is working.

    Show the official ECC wording

    Objective. To ensure that the action plans, objectives, initiatives, and projects of the entity contribute to compliance with the relevant legislative and regulatory requirements.

    1. 1-1-1 The cybersecurity strategy of the entity shall be identified, documented, and approved, and it shall be supported by the head of the entity or his/her delegate (Hereinafter referred to as the "Authorized Official"). The strategy goals shall be in line with the relevant legislative and regulatory requirements.
    2. 1-1-2 The entity shall execute an action plan to apply the cybersecurity strategy.
    3. 1-1-3 The cybersecurity strategy shall be reviewed at planned intervals (or in case of changes to the relevant legislative and regulatory requirements).
  2. 1-2 Cybersecurity Management 3
    What it is

    A dedicated, properly staffed cybersecurity function ; a real team with a leader ; kept separate from the IT department.

    Why you need it

    If security reports into IT, it cannot honestly check IT's own work. An independent function with leadership backing can set direction and hold people accountable.

    How to establish it

    Create a cybersecurity department independent of IT, staff it with qualified full-time professionals, and set up a supervisory committee to oversee the security programme.

    The controls, what to implement 3
    1. Control 1-2-1

      Set up a cybersecurity department that is independent of the IT department; ideally it reports to the head of the organisation, with no conflict of interest.

    2. Control 1-2-2

      Fill cybersecurity with qualified, full-time Saudi cybersecurity professionals.

    3. Requirements 1-2-3

      Set up a cybersecurity supervisory committee ; with an approved membership, mandate, and , and including the head of the cybersecurity department ; to oversee and support the security programme.

    Show the official ECC wording

    Objective. To ensure that the Authorized Official of the entity complies with and supports the implementation and management of cybersecurity programs within the entity, as per the relevant legislative and regulatory requirements.

    1. 1-2-1 A department for cybersecurity shall be established within the entity. This department shall be independent from the Information Technology and Communications Department (As per High Order No. 37140, dated 14/08/1438H.). It is recommended that the Cybersecurity Department reports directly to the head of the entity or his/her delegate while ensuring that this does not result in a conflict of interests.
    2. 1-2-2 All cybersecurity positions shall be filled out with full-time and qualified Saudi cybersecurity professionals.
    3. 1-2-3 A cybersecurity supervisory committee shall be established pursuant to the instruction of the entity's Authorized Official to ensure compliance with, support for, and monitoring of the implementation of the cybersecurity programs and regulations. The committee's members, responsibilities, and governance framework shall be identified, documented, and approved. The committee shall include the head of the cybersecurity department as a member. It is recommended that the committee reports directly to the head of the entity or his/her delegate while ensuring that this does not result in a conflict of interests.
  3. 1-3 Cybersecurity Policies and Procedures 4
    What it is

    The written rules () and step-by-step instructions () that tell everyone how security is actually done.

    Why you need it

    People cannot follow rules that only live in someone's head. Documented, approved make expectations clear ; and auditable.

    How to establish it

    Write and approve security and , back them with technical (firewalls, databases, operating systems), communicate them to staff, and keep them current.

    The controls, what to implement 4
    1. Control 1-3-1

      The security team writes the security and , gets them approved by leadership, and shares them with everyone who needs them.

    2. Control 1-3-2

      Make sure those and are actually followed across the organisation.

    3. Control 1-3-3

      Back the with technical ; concrete secure settings for things like firewalls, databases, and operating systems.

    4. Review 1-3-4

      On a regular schedule, check (an ) that and is still being done and is working.

    Show the official ECC wording

    Objective. To ensure that the cybersecurity requirements and the entity's compliance therewith are documented and communicated, as per the entity's regulatory requirements and the relevant legislative and regulatory requirements.

    1. 1-3-1 The cybersecurity department of the entity shall identify and document cybersecurity policies and procedures, including the cybersecurity controls and requirements, and have them approved by the entity's Authorized Official, and communicate them to the relevant personnel and parties inside the entity.
    2. 1-3-2 The cybersecurity department shall ensure that the cybersecurity policies and procedures, including the relevant controls and requirements, are implemented at the entity.
    3. 1-3-3 The cybersecurity policies and procedures shall be supported by technical security standards (e.g. technical security standards for firewall, databases, operating systems, etc.).
    4. 1-3-4 The cybersecurity policies and procedures shall be reviewed and updated at planned intervals (or in case of changes to the relevant legislative and regulatory requirements and standards). Changes shall be documented and approved.
  4. 1-4 Cybersecurity Roles and Responsibilities 2
    What it is

    A clear map of who is responsible and accountable for each part of cybersecurity.

    Why you need it

    When are vague, security tasks get dropped or duplicated. Clear ownership means someone is always answerable.

    How to establish it

    Have leadership define, document, and approve the security org structure and , assign named people, and avoid conflicts of interest.

    The controls, what to implement 2
    1. Policy 1-4-1

      Leadership defines, documents, and approves the security org chart and who does what, assigns named people, and supports them ; avoiding conflicts of interest.

    2. Review 1-4-2

      On a regular schedule, check (an ) that is still being done and is working.

    Show the official ECC wording

    Objective. To ensure that roles and responsibilities are clearly defined for all parties participating in implementing the cybersecurity controls within the entity.

    1. 1-4-1 The Authorized Official shall identify, document, and approve the governance organizational structure, roles, and responsibilities of the entity's cybersecurity, and assign the persons concerned therewith. The necessary support shall be provided for the implementation thereof while ensuring that this does not result in a conflict of interests.
    2. 1-4-2 The cybersecurity roles and responsibilities within the entity shall be reviewed and updated at planned intervals (or in case of changes to the relevant legislative and regulatory requirements).
  5. 1-5 Cybersecurity Risk Management 4
    What it is

    A repeatable method for finding cyber , judging how serious they are, and deciding how to treat them.

    Why you need it

    You cannot protect everything equally. focuses time and money on the things that would hurt most ; it is the basis for every other .

    How to establish it

    Define and approve a method (covering , , and of your ), then actually run it: assess and act on them.

    The controls, what to implement 4
    1. Policy 1-5-1

      Define and approve how the organisation will manage cyber , covering the , , and of its .

    2. Implement 1-5-2

      Actually run that method across the organisation.

    3. Implement 1-5-3

      Run a at least at the key trigger points ; early in technology projects, before major infrastructure changes, and when planning to outsource or move to the .

    4. Review 1-5-4

      On a regular schedule, check (an ) that is still being done and is working.

    Show the official ECC wording

    Objective. To ensure managing cybersecurity risks in a methodological approach, in order to protect the entity's information and technology assets, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

    1. 1-5-1 The cybersecurity department of the entity shall identify, document, and approve the cybersecurity risk management methodology and procedures within the entity, in accordance with considerations of confidentiality, and the integrity and availability of information and technology assets.
    2. 1-5-2 The cybersecurity department shall implement the cybersecurity risk management methodology and procedures within the entity.
    3. 1-5-3 The cybersecurity risk assessment procedures shall be implemented at least in the following cases: 1.5.3.1 At early stage of technology projects. 1.5.3.2 Before making major changes to technology infrastructure. 1.5.3.3 During planning to obtain third party services. 1.5.3.4 During planning and before the release of new technology services and products.
    4. 1-5-4 The cybersecurity risk management methodology and procedures shall be reviewed and updated at planned intervals (or in case of changes to the relevant legislative and regulatory requirements and standards). Changes shall be documented and approved.
  6. 1-6 Cybersecurity in Information and Technology Project Management 5
    What it is

    Building security into new projects and system changes from the very start, instead of bolting it on afterwards.

    Why you need it

    Fixing security after launch is slow, expensive, and often never happens. Designing it in is cheaper and far safer.

    How to establish it

    Make security a required part of project and : assess and fix , review before launch, and for software use , trusted libraries, and testing.

    The controls, what to implement 5
    1. Control 1-6-1

      Make security a required, built-in part of project management and any change to IT , so are caught early in the project lifecycle.

    2. Requirements 1-6-2

      At a minimum, before launching projects or changes: check for and fix , and review , , and updates.

    3. Requirements 1-6-3

      For software development, at a minimum: use ; trusted, licensed tools and libraries; test software against your security requirements; integrate apps securely; and review and before release.

    4. Review 1-6-4

      On a regular schedule, check (an ) that in information and technology project management is still being done and is working.

    5. Control 1-7-1

      If nationally approved international agreements include cybersecurity requirements, identify and with those too.

    Show the official ECC wording

    Objective. To ensure that cybersecurity requirements are included in the methodology and procedures of the entity's project management, in order to protect the confidentiality, integrity, accuracy, and availability of the entity's information and technology assets, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

    1. 1-6-1 Cybersecurity requirements shall be included in the project management methodology and procedures and in the information and technology asset change management within the entity to ensure identifying and managing cybersecurity risks as part of the technology project lifecycle. The cybersecurity requirements shall be a key part of the requirements for technology projects.
    2. 1-6-2 The cybersecurity requirements for project management and information and technology asset changes within the entity shall include the following as a minimum: 1.6.2.1 Vulnerability assessment and remediation. 1.6.2.2 Reviewing secure configuration and hardening and updates packages before launching projects and changes.
    3. 1-6-3 The cybersecurity requirements for software and application development projects within the entity shall include the following as a minimum: 1.6.3.1 Using the secure coding standards. 1.6.3.2 Using trusted and licensed sources for software development tools and libraries. 1.6.3.3 Conducting compliance test for software against the cybersecurity requirements within the entity. 1.6.3.4 Secure integration between applications. 1.6.3.5 Reviewing secure configuration and hardening and updates packages before launching software products
    4. 1-6-4 The cybersecurity requirements for project management within the entity shall be periodically reviewed. 1.7 Compliance with Cybersecurity Standards, Laws and Regulations Objective To ensure that the entity's cybersecurity program complies with the relevant legislative and regulatory requirements. Controls
    5. 1-7-1 If there are nationally approved international agreements or commitments that include cybersecurity requirements, the entity shall identify and comply with these requirements.
  7. 1-7 Compliance with Cybersecurity Standards, Laws and Regulations 0
    What it is

    Making sure the organisation meets all the cybersecurity laws, regulations, and binding agreements that apply to it.

    Why you need it

    Falling short of the law brings penalties and . Knowing exactly what applies to you is the first step to meeting it.

    How to establish it

    Identify the cybersecurity obligations that apply to you (including nationally approved international commitments) and put in place to with them.

    The controls, what to implement 0
    Show the official ECC wording

    Objective.

  8. 1-8 Periodical Cybersecurity Review and Audit 3
    What it is

    Independently checking, on a schedule, that the security are actually in place and working.

    Why you need it

    drift and decay over time. Regular review and catch the gaps before attackers ; or regulators ; do.

    How to establish it

    Have the security team review implementation periodically, arrange independent , and report findings (, observations, fixes) to the oversight committee and leadership.

    The controls, what to implement 3
    1. Review 1-8-1

      The security team periodically reviews whether the are actually being implemented.

    2. Review 1-8-2

      Have the independently audited by someone other than the cybersecurity team, so the review stays objective.

    3. Requirements 1-8-3

      Document and review results ; , findings, recommendations, and fix plans ; and present them to the oversight committee and leadership.

    Show the official ECC wording

    Objective. To ensure that the cybersecurity controls adopted by the entity are implemented and applicable in accordance with the entity's regulatory policies and procedures, relevant national legislative and regulatory requirements, and international requirements imposed on the entity by law.

    1. 1-8-1 The cybersecurity department of the entity shall periodically review the implementation of cybersecurity controls by the entity.
    2. 1-8-2 The implementation of cybersecurity controls by the entity shall be reviewed and audited by parties other than the cybersecurity department at the entity, provided that the audit and review are to be conducted independently while considering the principle of conflict of interest, as per the Generally Accepted Auditing Standards (GAAS) and the relevant legislative and regulatory requirements.
    3. 1-8-3 The results of cybersecurity audits and reviews shall be documented and presented to the cybersecurity supervisory committee and the Authorized Official. Results shall include the audit and review scope, observations, recommendations, corrective actions, and remediation plans.
  9. 1-9 Cybersecurity in Human Resources 6
    What it is

    Handling security across the whole employee journey ; before hiring, during employment, and when people leave.

    Why you need it

    People are both your biggest and your first line of defence; most involve a person.

    How to establish it

    Put security duties and terms in contracts, screen people for sensitive , keep staff aware during employment, and revoke access promptly when they leave.

    The controls, what to implement 6
    1. Policy 1-9-1

      Put a in place; write the rules for in human resources and get leadership to formally approve them.

    2. Implement 1-9-2

      Turn the into practice; apply the in human resources rules across the organisation (configure systems, follow ).

    3. Requirements 1-9-3

      Before someone starts: put their security duties and terms in the employment contract (covering during and after employment), and screen people going into sensitive or .

    4. Requirements 1-9-4

      During employment: keep people security-aware (from onboarding onward) and make sure they follow the security and .

    5. Review 1-9-5

      On a regular schedule, check (an ) that in human resources is still being done and is working.

    6. Review 1-9-6

      On a regular schedule, check (an ) that in human resources is still being done and is working.

    Show the official ECC wording

    Objective. To ensure that cybersecurity risks and requirements for personnel (employees and contractors) of the entity are managed efficiently prior to, during, and upon the end or termination of their employment, as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.

    1. 1-9-1 Cybersecurity requirements for personnel of the entity shall be identified, documented, and approved prior to, during, and upon the end or termination of their employment.
    2. 1-9-2 Cybersecurity requirements for personnel of the entity shall be implemented.
    3. 1-9-3 Cybersecurity requirements prior to the commencement of the employment relationship between personnel and the entity shall include the following as a minimum: 1.9.3.1 Incorporating the personnel's cybersecurity responsibilities clauses and non-disclosure clauses in their employment contracts with the entity (including during and after employment end/termination with the entity). 1.9.3.2 Conducting screening or vetting for personnel in cybersecurity positions and technical positions with critical and privileged powers.
    4. 1-9-4 Cybersecurity requirements for personnel during their employment relationship with the entity shall include the following as a minimum: 1.9.4.1 Cybersecurity awareness (during on-boarding and during employment). 1.9.4.2 Implementation and compliance with cybersecurity requirements, as per the entity's cybersecurity policies, procedures, and operations.
    5. 1-9-5 The personnel's powers shall be reviewed and revoked immediately upon the end/termination of their employment with the entity.
    6. 1-9-6 Cybersecurity requirements for personnel of the entity shall be periodically reviewed.
  10. 1-10 Cybersecurity Awareness and Training Program 5
    What it is

    Teaching everyone safe behaviour, and giving security staff the deeper skills their specific need.

    Why you need it

    Technology cannot stop a user who clicks a link. Awareness turns staff from the weakest link into a line of defence.

    How to establish it

    Run an ongoing awareness programme covering email/, devices, safe browsing and social media, and provide specialised training to security and technical staff.

    The controls, what to implement 5
    1. Control 1-10-1

      Build and approve an ongoing awareness programme, delivered through several channels, to grow a positive security culture.

    2. Implement 1-10-2

      Turn the into practice; apply the awareness and training program rules across the organisation (configure systems, follow ).

    3. Requirements 1-10-3

      The awareness programme must cover the top today: email, safe use of mobile devices and storage media, safe browsing, and safe use of social media.

    4. Control 1-10-4

      Give specialised training to people in security-linked ; the security team, developers and IT staff, and executives/supervisors ; matched to their responsibilities.

    5. Review 1-10-5

      On a regular schedule, check (an ) that awareness and training program is still being done and is working.

    Show the official ECC wording

    Objective. To ensure that the entity's personnel have the required security awareness, are aware of their cybersecurity responsibilities, and are equipped with the required cybersecurity skills, qualifications, and training courses in order to protect the entity's information and technology assets and fulfill their cybersecurity duties.

    1. 1-10-1 A cybersecurity awareness program, delivered through multiple channels, shall be periodically developed and approved by the entity to strengthen the awareness about cybersecurity, cyber threats, and risks, and to build a positive cybersecurity awareness culture.
    2. 1-10-2 The approved cybersecurity awareness program shall be implemented within the entity.
    3. 1-10-3 The cybersecurity awareness program shall include how to protect the entity against the most important and latest cyber risks and threats, including: 1.10.3.1 Secure handling of email services, especially phishing emails. 1.10.3.2 Secure handling of mobile devices and storage media. 1.10.3.3 Secure Internet browsing. 1.10.3.4 Secure usage of social media.
    4. 1-10-4 Specialized skills and necessary training shall be provided to personnel in positions that are linked directly to cybersecurity within the entity. Such skills and training shall be classified in line with their cybersecurity responsibilities, including: 1.10.4.1 Cybersecurity department personnel. 1.10.4.2 Personnel working on software/application development and those working on information and technology assets of the entity. 1.10.4.3 Executive and supervisory positions.
    5. 1-10-5 The implementation of cybersecurity awareness program within the entity shall be periodically reviewed.

Governance is the largest domain (10 subdomains) and the one the other three depend on. It answers who owns cybersecurity, on what authority, against which risks, and how do we prove it. Strategy (1-1) flows down into management and policy; risk management (1-5) feeds every technical decision in Domain 2; review, audit and compliance (1-7, 1-8) close the loop.

Trap: ECC requires the cybersecurity function to be independent of IT and supported by the head of the entity. Governance is organisational, not technical, burying the CISO under the CIO fails 1-2 and 1-4.