SAMA CSF Compliance
The mandatory cybersecurity framework for financial institutions regulated by the Saudi Central Bank, covering governance, risk, operations and third parties.
Banks, insurers, financing companies and other SAMA-regulated financial institutions in Saudi Arabia.
- Maturity-model based (levels 0–5, from "non-existent" to "adaptive") across 4 main domains: leadership and governance, risk management and compliance, operations and technology, and third-party cybersecurity
- Mandatory for all SAMA-regulated entities
- Strong focus on third-party and operational resilience
Free SAMA CSF gap checker
Answer 8 quick questions for an instant readiness score and your priority gaps. ~2 minutes, no sign-up.
1. Do you have approved security policies and clear ownership of cyber risk?
2. How do you identify and treat information-security risks?
3. How are identity and access managed?
4. Do you maintain an inventory of assets and data?
5. How is sensitive/personal data protected?
6. What monitoring and detection do you have?
7. How prepared are you for a security incident?
8. How do you manage supplier/third-party risk?
SAMA CSF — frequently asked
Who must comply with the SAMA CSF?
All financial institutions regulated by the Saudi Central Bank (SAMA).
What maturity level is required?
SAMA expects in-scope entities to reach and sustain at least maturity level 3 ("structured and formalised": documented, approved and consistently implemented controls) in every domain, evidenced through periodic self-assessment against the framework's control set and subject to SAMA review.
How does SAMA CSF relate to ISO 27001?
They overlap heavily; an ISO 27001 ISMS provides a strong foundation that maps to most SAMA requirements. An ISO 27001 certificate does not on its own satisfy SAMA, however: maturity must still be assessed and evidenced against SAMA's own controls, and a few SAMA-specific requirements have no direct Annex A counterpart and need separate treatment.
Ready to strengthen your security posture?
Book a confidential consultation with our advisors. We'll assess where you are and map a clear path to where you need to be.