We have released a compliance package for implementing the Essential Cybersecurity Controls (ECC) mandated by the National Cybersecurity Authority (NCA) in Saudi Arabia.
- The document lays out 114 cybersecurity controls across 5 main domains: governance, defense, resilience, third-party/cloud, and industrial control systems. The controls cover strategy, people, processes and technology.
- The controls apply to government organizations, critical infrastructure organizations, and other private sector organizations owning/operating critical national infrastructure in Saudi Arabia.
- Compliance is mandated under NCA’s authority and related royal decrees in Saudi Arabia.
- The goal is to set minimum cybersecurity requirements for organizations in KSA to protect the confidentiality, integrity and availability of their information and technology assets.
- It applies to government entities and critical infrastructure organizations, and encourages adoption by all KSA organizations. Compliance is mandated for in-scope organizations.
- The controls address aspects such as governance, risk management, identity management, data protection, incident response, awareness training, third-party risk, and more.
- Implementation requirements consider related laws and regulations in KSA and internationally.