Compliance
SAMA

Enforce access controls, manage risk, and maintain audit readiness to meet SAMA Cyber Security Framework requirements.
SAMA Compliance requires financial institutions in Saudi Arabia to follow the SAMA Cyber Security Framework (CSF), which defines 20 control objectives and over 100 sub-controls. It focuses on governance, risk management, and security to protect financial systems and data. Organizations must implement controls, assess maturity, and maintain continuous monitoring.
SAMA compliance ensures financial systems and customer data are protected through strong governance and risk controls. Without it, organizations face regulatory penalties, weak oversight, and operational risk. Compliance strengthens resilience, audit readiness, and trust.
Limited oversight increases exposure to financial and cyber risks.
Uncontrolled access impacts sensitive financial systems.
Inability to demonstrate compliance to regulators.
Vendors introduce security and compliance vulnerabilities.
Failure to meet SAMA control objectives impacts certification.
Get a structured approach to meet SAMA CSF requirements and improve maturity.

Organizations must establish a formal governance structure with defined policies, accountability, and oversight aligned to SAMA requirements.
Ensure all access and control decisions are tied to defined roles and responsibilities. Maintain records of ownership, approvals, and governance decisions to demonstrate accountability during regulatory assessments.
Organizations must identify, assess, and continuously manage risks across systems, data, and operations.
Maintain visibility into access across systems to identify risk exposure. Ensure access to critical systems is aligned with risk classification and continuously monitored for anomalies or misuse.
Access to systems and data must be controlled, role-based, and continuously validated.
Ensure all access is approved, documented, and traceable. Maintain complete audit trails of access requests, approvals, and changes. Continuously review access to ensure it remains appropriate and aligned with job roles.
Organizations must continuously monitor systems and detect, respond to, and report cybersecurity incidents.
Maintain continuous visibility into system access and activity. Ensure all access and system events are logged and monitored, and anomalies are detected early with proper response mechanisms.
Organizations must assess, control, and monitor risks introduced by vendors and external parties.
Ensure third-party access is governed with the same rigor as internal access. Maintain visibility into vendor access, enforce role-based permissions, and monitor all third-party activity.
Sensitive financial and customer data must be protected against unauthorized access and misuse.
Ensure access to sensitive data is limited based on role and necessity. Maintain logs of data access and ensure traceability of all actions to support audits and investigations.
Organizations must maintain maturity levels (minimum Level 3) and continuously improve cybersecurity controls.
Continuously review access controls, risks, and system activity. Maintain historical evidence of control effectiveness and ensure controls evolve with emerging threats and regulatory expectations.
SAMA Compliance Playbook
Build a structured approach to meet SAMA requirements and improve maturity.
Identify risks and control gaps
Implement governance and access controls
Maintain audit-ready monitoring and evidence
Disclaimer: This content is for informational purposes only and does not constitute legal or regulatory advice. Organizations should consult SAMA compliance experts for implementation.