What is SAMA CSF?
The Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework is a mandatory cybersecurity framework for all financial institutions regulated by SAMA — including banks, insurance companies, financing companies and payment service providers operating in Saudi Arabia. Published in May 2017, it was the first dedicated cybersecurity framework issued by a Gulf Cooperation Council (GCC) financial regulator and has influenced cybersecurity regulation across the Gulf region.
| Standard Body | Saudi Arabian Monetary Authority (SAMA) |
| Current Version | Version 1.0 (May 2017) |
| Mandatory or Voluntary | Mandatory for all SAMA-regulated financial institutions |
| Geography | Saudi Arabia |
| Official Resource | sama.gov.sa |
SAMA CSF Structure
The SAMA CSF is built on four domains, each containing sub-domains and controls. It draws significantly from ISO 27001, NIST CSF and PCI DSS.
| Domain | Key sub-domains |
|---|---|
| Cyber Security Leadership and Governance | Cyber security strategy, policy framework, risk management, compliance, awareness and training |
| Cyber Security Risk Management and Compliance | Risk assessment methodology, third-party risk, regulatory compliance, audit and assurance |
| Cyber Security Operations and Technology | Asset management, identity and access management, infrastructure security, application security, cryptography, physical security, logging and monitoring, vulnerability management |
| Cyber Resilience | Business continuity, disaster recovery, cyber incident management, crisis management |
Maturity Levels
SAMA CSF uses a five-level maturity model for each control — organisations must self-assess and report their maturity level annually.
| Level | Description |
|---|---|
| 1 — Initial | Ad hoc processes, no formal documentation |
| 2 — Repeatable | Basic processes defined and partially documented |
| 3 — Defined | Processes fully documented and consistently applied |
| 4 — Managed | Processes measured and controlled using metrics |
| 5 — Optimising | Continuous improvement embedded — proactive threat response |
Securitora Assessment
SAMA CSF is the most important cybersecurity framework for financial institutions operating in Saudi Arabia and is increasingly referenced by regulators across the GCC. Its structure is familiar to organisations experienced with ISO 27001 and NIST CSF — the maturity model approach provides a clear improvement roadmap. Annual self-assessment and reporting to SAMA creates a governance rhythm that drives continuous security improvement.
| Recommended for | Banks, insurers and all SAMA-regulated financial institutions in Saudi Arabia |
| Difficulty to implement | Medium — familiar structure for ISO 27001 practitioners with additional SAMA-specific requirements |
| Best used with | ISO 27001 · NIST CSF 2.0 · UAE IA |
| Official resource | sama.gov.sa → |