The National Cybersecurity Authority (NCA) in Saudi Arabia has released the Cloud Cybersecurity Controls (CCC) to extend and complement its existing Essential Cybersecurity Controls (ECC) requirements.
Key highlights:
- The CCC contains controls across 4 main domains: governance, defense, resilience and third-party security. There are a total of 96 controls for Cloud Service Providers and 26 for Cloud Service Tenants.
- The goal is to establish minimum cybersecurity requirements for cloud computing services in Saudi Arabia, protecting confidentiality, integrity and availability of data.
- It applies to government organizations, critical infrastructure organizations, and private sector organizations owning/operating critical national infrastructure that use cloud services.
- Key areas covered include risk management, identity and access management, data protection, encryption, vulnerability management, incident response, and more.
- The CCC aligns with Saudi laws and regulations as well as international standards and common industry practices for cloud security.
- Compliance is mandated for cloud service providers and tenants within the scope of the CCC, under NCA’s authority and related royal decrees.
- Implementation timelines and compliance assessments will be determined by NCA. Organizations are encouraged to use the CCC to follow cybersecurity best practices.
- The controls complement the existing ECC requirements, providing an extension focused on the unique aspects of cloud computing security and risk management.