SAMA Cybersecurity Framework · Saudi Central Bank · Financial Sector

SAMA Level 4 Compliance. Guaranteed.

Pristine InfoSolutions is Saudi Arabia's most experienced SAMA Cybersecurity Framework compliance partner — delivering Level 3 baseline and Level 4 maturity for banks, fintechs, insurance companies, and all SAMA-supervised financial institutions. 100% supervisory examination pass rate across 50+ financial institution clients.

100% Exam Pass Rate · 50+ FI Clients Served · Level 4 Banks Target Achieved · 4 CSF Domains
SAMA CSF Maturity Console · Pristine Client · Exam-Ready
// SAMA CSF — Domain Maturity Levels
  • Leadership & Governance: Level 4
  • Risk Management & Compliance: Level 4
  • Operations & Technology: Level 4
  • Third Party Cybersecurity: Level 4
Supervisory Exam Status: PASSED — Zero Findings
SAMA CSF v1.0 · 4 Domains · 6 Maturity Levels · Level 3 All Members · Level 4 Banks Mandated · Annual Self-Assessment · Banks · Fintechs · Insurance · Exchange Companies · SAMA Supervisory Exam · NIST · ISO 27001 · BASEL Aligned · 100% Pass Rate · Bilingual Arabic/English

Saudi Arabia's Mandatory Financial Sector Cybersecurity Standard

The SAMA Cybersecurity Framework (CSF) — issued by the Saudi Central Bank in May 2017 — is the mandatory cybersecurity standard for every financial institution licensed by SAMA. It establishes a unified, risk-based approach to cybersecurity management across Saudi Arabia's financial sector, with six maturity levels and annual self-assessment obligations.

  • Who must comply — all SAMA-licensed banks, fintechs, insurance, exchange companies, and payment service providers
  • Minimum Level 3 required for all SAMA member organisations — non-compliance triggers regulatory action
  • Level 4 mandated for banks — all Saudi commercial banks must achieve Level 4 across all applicable subdomains
  • Annual self-assessment submitted to SAMA's Financial Sector IT Risk Department with supporting evidence
  • Aligned to NIST, ISO 27001, ISF, BASEL, and PCI DSS — SAMA CSF alignment supports international certification against these standards
// SAMA CSF Key Facts
  • Version: v1.0 · May 2017
  • Issued By: Saudi Central Bank (SAMA)
  • Approach: Risk-Based / Principle-Based
  • Maturity Levels: 0 to 5 (6 levels)
  • All Members Minimum: Maturity Level 3
  • Banks Target: Maturity Level 4 (Mandated)
  • Assessment Cycle: Annual Self-Assessment
  • Pristine Pass Rate: 100% — 50+ FI Clients
  • Aligned To: NIST · ISO 27001 · BASEL · PCI DSS

All 4 SAMA CSF Domains — Complete Level 4 Implementation

Every domain, subdomain, and key control consideration — delivered to Level 4 maturity with bilingual Arabic/English evidence packages formatted for SAMA supervisory examination review.

Domain 1: Cybersecurity Leadership & Governance

The foundation of SAMA CSF compliance — establishing board-level cybersecurity accountability, formal strategy aligned to the institution's business objectives, a comprehensive policy framework, and a security-aware culture across all staff. SAMA expects clear governance structures with dedicated cybersecurity committees and independent security functions.

  • 1-1 Cybersecurity Governance: Cybersecurity committee with board-delegated authority. Independent cybersecurity function. Regular internal and external audits
  • 1-2 Cybersecurity Strategy: Formal strategy aligned to business objectives and SAMA obligations — reviewed annually with KPIs and board reporting
  • 1-3 Cybersecurity Policy: Comprehensive policy library in Arabic — covering all CSF subdomains with change management process
  • 1-4 Awareness & Training: Staff, third-party, and customer awareness programme. Specialist training for cybersecurity function aligned to Saudi financial regulatory context
Domain 1 — Level 4 Coverage (✓ LEVEL 4)
  • 1-1 Governance Structure: 100%
  • 1-2 Strategy & KPIs: 100%
  • 1-3 Policy Framework: 100%
  • 1-4 Awareness Programme: 100%
  • Board Evidence Package: 100%
✓ 40+ Arabic/English policies — purpose-built for SAMA examiner expectations

Domain 2: Cybersecurity Risk Management & Compliance

A continuous, systematic programme for identifying, assessing, treating, and monitoring cybersecurity risks — ensuring the institution maintains accurate risk exposure visibility at all times. Also covers compliance verification against the CSF itself and integration with enterprise risk management.

  • 2-1 Risk Management: Risk management procedure protecting CIA of information assets. Risk assessments at project initiation, major changes, and third-party engagement
  • 2-2 Compliance: Annual self-assessment against all applicable CSF controls. Alignment to NIST, ISO 27001, ISF, BASEL, and PCI DSS
  • 2-3 Projects: Cybersecurity embedded in all IT project governance — security sign-off at each milestone before production deployment
Domain 2 — Level 4 Coverage (✓ LEVEL 4)
  • 2-1 Risk Management: 100%
  • 2-2 Annual Self-Assessment: 100%
  • 2-2 Global Std Alignment: 100%
  • 2-3 Project Security Gates: 100%
  • SAMA Submission Format: 100%
✓ Pristine prepares the SAMA annual self-assessment — formatted to SAMA's exact requirements with indexed evidence

Domain 3: Cybersecurity Operations & Technology

The largest and most technically detailed SAMA domain — covering asset management, IAM, network security, endpoint protection, data security, email security, SIEM/SOC, vulnerability management, change management, BCP/DR, and secure development. This is where most institutions have the greatest implementation gaps.

  • 3-1 Asset Management: Comprehensive asset register with owners, classification, and lifecycle management
  • 3-2 IAM: Least-privilege, PAM with JIT, MFA for all remote/privileged access, quarterly access reviews
  • 3-3 Network Security: Segmentation, email security (SPF/DKIM/DMARC), EDR, DLP, encryption, cryptography
  • 3-4 Event Management (SIEM/SOC): Centralised SIEM with 24/7 SOC — mandatory for Level 4. Defined detection playbooks and MTTR SLAs
  • 3-5 Incident Management: Formal IR with SAMA notification procedures. Annual tabletop exercises for ransomware and APT scenarios
Domain 3 — Level 4 Coverage (MOST COMPLEX DOMAIN)
  • Asset Management: 100%
  • IAM & PAM Controls: 100%
  • Network & Email Sec.: 100%
  • SIEM / SOC (24/7): 100%
  • BCP / DR Testing: 100%
✓ Pristine implements all Domain 3 technical controls — not documentation only. Evidence validated pre-examination

Domain 4: Third Party Cybersecurity

Third-party relationships represent one of the highest cybersecurity risks for Saudi financial institutions. Domain 4 requires formal third-party risk management across all vendors, cloud providers, outsourcing arrangements, and supply chain partners — with contractual obligations, periodic assessment, and incident response coordination.

  • 4-1 Vendor Risk Management: Cybersecurity requirements in all vendor contracts. Pre-engagement risk assessment. Lifecycle monitoring and re-assessment
  • 4-2 Outsourcing & Cloud: Outsourcing policy with minimum security requirements. CSP assessment against NCA CCC. Shared responsibility documented. Third-party access controlled, logged, and monitored
  • 4-3 Supply Chain: Hardware and software procurement security controls. Incident response coordination procedures with critical third parties
Domain 4 — Level 4 Coverage (✓ LEVEL 4)
  • 4-1 Vendor Risk: 100%
  • 4-2 Outsourcing Policy: 100%
  • 4-2 Cloud CSP Assessment: 100%
  • 4-2 Third-Party Access: 100%
  • 4-3 Supply Chain: 100%
✓ Domain 4 + NCA ECC Domain 4 overlap — Pristine satisfies both from a single programme simultaneously

6 Maturity Levels — Where Are You and Where Do You Need to Be?

SAMA's maturity model provides a structured path from non-existent controls to fully optimised security operations. Understanding your current level and the gap to your required level is the first step.

  • 0 — Non-Existent: No controls. No awareness. Seen only in newly licensed institutions at day one.
  • 1 — Initial: Ad-hoc controls. Unorganised. Reactive. No formal procedures. Undocumented.
  • 2 — Repeatable: Basic controls. Inconsistent documentation. Some processes but no systematic approach.
  • 3 — Defined (MIN REQ): Formally documented. Consistently implemented. Regularly reviewed. Proactive culture emerging.
  • 4 — Quantitatively Managed (BANKS): KPI-measured. Peer benchmarked. Data-driven decisions. Banks must achieve this level.
  • 5 — Adaptive: Continuous improvement. Real-time threat intelligence. Predictive analytics. Few globally achieve this.
Level 3 — All SAMA Members

Every institution licensed by SAMA must achieve and maintain Level 3 as minimum. Below Level 3 is non-compliant and triggers regulatory action.

Level 4 — Saudi Banks (Mandated)

All Saudi commercial banks are mandated to achieve Level 4 with board-approved roadmaps submitted to SAMA. Pristine delivers Level 4 in 12-16 weeks.

Annual Self-Assessment Required

All members conduct annual self-assessment against all applicable CSF controls — Pristine prepares this submission in SAMA's exact format.

SAMA Compliance Programmes for Saudi Financial Institutions

Structured programmes delivering predictable compliance outcomes — bilingual evidence packages and ongoing examination lifecycle support.

// Package 01
SAMA Baseline

Rapid SAMA CSF gap assessment and self-assessment support for institutions with urgent examination deadlines.

  • Full CSF gap assessment (all 4 domains)
  • Subdomain-level maturity scoring
  • Gap report — Arabic and English
  • Prioritised remediation roadmap
  • Annual self-assessment preparation
  • Submission support to SAMA
  • Technical report for Board
  • 2-week delivery available
// Package 03
SAMA Enterprise

Full SAMA Level 4 transformation with NCA ECC integration, continuous evidence collection, and annual retainer.

  • All Professional features included
  • NCA ECC-2:2024 simultaneous delivery
  • Dedicated SAMA Programme Manager
  • Continuous automated evidence collection
  • PDPL alignment integrated
  • Monthly board compliance report (Arabic)
  • SAMA + NCA unified dashboard
  • Annual retainer — unlimited support

Why Saudi Financial Institutions Choose Pristine

100% Supervisory Exam Pass Rate

Across 50+ SAMA compliance engagements — banks, fintechs, insurance, and exchange companies — every single Pristine client has passed their SAMA supervisory examination. Zero adverse findings on Pristine-prepared submissions.

Deep Financial Sector Expertise

Pristine consultants combine cybersecurity expertise with specialist knowledge of Saudi financial regulation — understanding not just what SAMA requires, but how examiners interpret it and what examination priorities are shaping scrutiny this cycle.

Arabic-Native Financial Documentation

All policies, self-assessment submissions, and board presentations produced in Arabic by native-speaking compliance specialists who write in the language and tone expected by Saudi financial regulators.

12-Week Level 4 Delivery

Our SAMA methodology achieves Level 4 maturity in 12 weeks for most Saudi banks. Competitors offering comparable scope routinely take 9-12 months. For institutions with urgent examination deadlines, this delivery speed is critical.

SAMA + NCA ECC Unified

Saudi financial institutions face simultaneous SAMA and NCA ECC obligations. Pristine's integrated programme satisfies both frameworks from a single engagement — common controls implemented once, evidence collected once.

Annual Examination Lifecycle

SAMA compliance is not a one-time project. Pristine retained clients receive continuous evidence collection, monthly health checks, and proactive preparation for every annual self-assessment and examination cycle.

What Saudi Financial Leaders Say

★★★★★

We had tried to achieve SAMA Level 4 compliance for 2 years with our previous consultant and kept failing at examination. Pristine completed the programme in 12 weeks and we passed with zero findings — the cleanest result we have ever had. Their Arabic policy documents were specifically formatted for how SAMA examiners review submissions. Exceptional.

Badr Al-Khalid
CISO, Saudi Commercial Bank
★★★★★

As a new SAMA-licensed fintech, we needed compliance from a standing start. Pristine built our entire SAMA CSF programme — policies, technical controls, and annual self-assessment — in 8 weeks. Our first SAMA examination had zero findings. Their understanding of SAMA's fintech examination focus areas was invaluable.

Lena Al-Nasser
Chief Compliance Officer, Saudi Fintech
★★★★★

Our insurance company had significant SAMA compliance debt. Pristine's integrated SAMA and NCA ECC approach was brilliant — we achieved compliance across both frameworks simultaneously, saving significant time and budget. Domain 3 technical implementation was particularly thorough. Highly professional team.

Fahad Al-Anazi
IT Director, Saudi Insurance Company

SAMA Cybersecurity Framework FAQs

Maturity Level 3 (Defined) is required for all SAMA-supervised financial institutions. Banks must achieve Level 4 (Quantitatively Managed) — all Saudi commercial banks were required to submit board-approved Level 4 roadmaps to SAMA. Below Level 3 constitutes non-compliance and will result in formal regulatory action during supervisory examination.
SAMA requires an annual self-assessment from all member organisations against all applicable CSF domains. The self-assessment must be completed using SAMA's maturity model, with each subdomain scored and supporting evidence maintained. It is submitted to SAMA's Financial Sector IT Risk Department. Pristine prepares this submission for retained clients — formatted to SAMA's exact requirements.
SAMA enforcement actions include: formal findings requiring mandatory remediation within defined timelines; increased supervisory monitoring; financial penalties; operational restrictions on new product launches; and in serious cases, licence suspension. If you have received findings, Pristine specialises in rapid post-examination remediation and finding response management.
Yes — Saudi financial institutions must comply with both SAMA CSF AND NCA ECC. They are not alternatives. SAMA CSF is specific to the financial sector and enforced by the Saudi Central Bank. NCA ECC applies to all Saudi government entities and CNI operators including financial institutions. They overlap significantly. Pristine's integrated programme satisfies both from a single engagement.
Yes — insurance companies and finance companies have certain subdomain exclusions. Sub-domain 3.2.3 (PCI-DSS) is excluded unless the organisation handles cardholder data or SWIFT services. Sub-domain 3.3.12 is excluded. Sub-domain 3.3.13 (MFA for online customer services) is excluded unless online services are provided. Pristine's initial gap assessment determines precisely which subdomains apply.
Yes — post-examination remediation is one of Pristine's most requested services. We analyse each specific finding, develop targeted remediation, implement controls, collect evidence SAMA will check at re-examination, and prepare a formal Arabic finding response. No Pristine client has ever failed to resolve SAMA findings within the required timeframe.

Achieve SAMA Level 4. Pass Every Examination.

Request a free SAMA CSF gap assessment — our financial sector compliance specialists will evaluate your current maturity across all 4 domains and deliver a clear Level 4 roadmap in Arabic and English.

📍 Riyadh, Saudi Arabia

A senior Pristine specialist will contact you within 4 business hours.

🔒 Data processed within Saudi Arabia · PDPL compliant · Response within 4 business hours

Explore Related Pristine Services

  • NCA ECC & CCC: NCA ECC + SAMA delivered simultaneously from one integrated programme.
  • ISO 27001/27701: ISO 27001 aligned to SAMA CSF — concurrent delivery available.
  • SOC Monitoring: 24/7 SOC covers SAMA Domain 3 cybersecurity event management controls.
  • IAM & PAM: SAMA Domain 3 IAM controls — Level 4 privileged access management.