NCA

NCA ECC

v2:2024ACTIVE

NCA Essential Cybersecurity Controls

Saudi Arabia's National Cybersecurity Authority Essential Cybersecurity Controls. Mandatory for government entities and critical infrastructure operators.

National Cybersecurity Authority (NCA)

Saudi Arabia

Official Website

Mandatory for:GovernmentBankingTelecommunicationsEnergyHealthcare

Total Controls

Domains

Cross-Framework Mappings

Saudi Arabia

Region

Cybersecurity Governance

حوكمة الأمن السيبراني4

1-1HIGH2 mappings

Cybersecurity Policy

Plain Language

Your organization must have a written cybersecurity policy approved by top management.

Implementation Guidance

Create a concise policy (10-20 pages) covering scope, objectives, roles. Get CEO/board sign-off. Review annually.

Evidence Examples

Signed policy document, board minutes, employee acknowledgment records.

Mapped to Other Frameworks

A.5.1ISO 27001

Policies for information security

EXACT

GV.PO-01NIST CSF

Cybersecurity risk management policy established

EXACT

1-2HIGH2 mappings

Cybersecurity Roles and Responsibilities

Plain Language

A dedicated cybersecurity function must exist with clear roles and reporting lines.

Implementation Guidance

Appoint a CISO. Define reporting to C-suite. Create RACI matrix for security responsibilities.

Evidence Examples

Org chart, CISO appointment, RACI matrix, job descriptions.

Mapped to Other Frameworks

A.5.2ISO 27001

Information security roles and responsibilities

PARTIAL

GV.RR-01NIST CSF

Organizational context for cybersecurity risk management

EXACT

1-3MEDIUM1 mapping

Cybersecurity in Project Management

Mapped to Other Frameworks

A.5.8ISO 27001

Information security in project management

EXACT

1-4HIGH1 mapping

Cybersecurity Awareness

Plain Language

All employees must receive cybersecurity awareness training regularly.

Implementation Guidance

Conduct onboarding training, quarterly phishing simulations, and annual refresher courses.

Evidence Examples

Training attendance records, phishing simulation reports, quiz results.

Mapped to Other Frameworks

A.5.4ISO 27001

Management responsibilities

PARTIAL

Cybersecurity Risk Management

إدارة مخاطر الأمن السيبراني3

2-1HIGH2 mappings

Risk Management

Plain Language

Regularly identify, assess, and treat cybersecurity risks to your organization.

Implementation Guidance

Conduct annual risk assessments. Use ISO 27005 or similar methodology. Maintain risk register. Report to management.

Evidence Examples

Risk assessment reports, risk register, risk treatment plans, management reviews.

Mapped to Other Frameworks

A.5.3ISO 27001

Segregation of duties

PARTIAL

GV.RM-01NIST CSF

Risk management objectives established

EXACT

2-2HIGH

Asset Management

2-3MEDIUM1 mapping

Information Classification

Mapped to Other Frameworks

A.5.10ISO 27001

Acceptable use of information and assets

EXACT

Cybersecurity Operations

عمليات الأمن السيبراني4

3-1HIGH2 mappings

Access Control Policy

Plain Language

Control who can access systems and data based on need-to-know and least privilege.

Implementation Guidance

Implement RBAC. Enforce least privilege. Require manager approval for access. Quarterly access reviews.

Evidence Examples

Access control policy, RBAC matrix, access review reports, privilege account inventory.

Mapped to Other Frameworks

A.5.15ISO 27001

Access control

EXACT

PR.AA-01NIST CSF

Identities and credentials for authorized users managed

EXACT

3-2HIGH1 mapping

Identity Management

Mapped to Other Frameworks

A.5.16ISO 27001

Identity management

EXACT

3-3HIGH2 mappings

Authentication

Mapped to Other Frameworks

A.5.17ISO 27001

Authentication information

EXACT

PR.AA-03NIST CSF

Users, services, and hardware are authenticated

EXACT

3-4CRITICAL1 mapping

Privileged Access Management

Mapped to Other Frameworks

A.8.5ISO 27001

Secure authentication

EXACT

Cybersecurity Technology

تقنيات الأمن السيبراني5

4-1HIGH2 mappings

Secure Configuration

Mapped to Other Frameworks

A.8.9ISO 27001

Configuration management

EXACT

PR.PS-01NIST CSF

Configuration management practices established

EXACT

4-2HIGH1 mapping

Malware Protection

Mapped to Other Frameworks

A.8.7ISO 27001

Protection against malware

EXACT

4-3HIGH2 mappings

Vulnerability Management

Plain Language

Regularly scan for and manage technical vulnerabilities, including timely patching.

Implementation Guidance

Weekly vulnerability scans. Patch critical vulns within 48h, high within 7 days. Subscribe to vendor bulletins.

Evidence Examples

Vulnerability scan reports, patch management records, SLA compliance, remediation tracking.

Mapped to Other Frameworks

A.8.8ISO 27001

Management of technical vulnerabilities

EXACT

ID.RA-01NIST CSF

Vulnerabilities in assets are identified

EXACT

4-4HIGH2 mappings

Security Logging and Monitoring

Mapped to Other Frameworks

A.8.15ISO 27001

Logging

EXACT

DE.CM-01NIST CSF

Networks and network services are monitored

EXACT

4-5HIGH1 mapping

Network Security

Mapped to Other Frameworks

A.8.16ISO 27001

Monitoring activities

EXACT

Incident Management

إدارة الحوادث4

5-1HIGH2 mappings

Incident Response Planning

Plain Language

Have a documented plan for detecting, responding to, and recovering from cybersecurity incidents.

Implementation Guidance

Create IR playbooks for common scenarios. Define escalation paths. Conduct tabletop exercises quarterly.

Evidence Examples

IR plan, playbooks, tabletop exercise reports, contact lists, post-incident reviews.

Mapped to Other Frameworks

A.5.24ISO 27001

Information security incident management planning

EXACT

RS.MA-01NIST CSF

Incident management plan is executed

EXACT

5-2HIGH1 mapping

Incident Detection

Mapped to Other Frameworks

A.5.25ISO 27001

Assessment and decision on information security events

EXACT

5-3HIGH2 mappings

Incident Handling

Mapped to Other Frameworks

A.5.26ISO 27001

Response to information security incidents

EXACT

RS.MI-01NIST CSF

Incidents are contained

EXACT

5-4MEDIUM1 mapping

Lessons Learned

Mapped to Other Frameworks

A.5.27ISO 27001

Learning from information security incidents

EXACT

Business Continuity

استمرارية الأعمال2

6-1HIGH2 mappings

Business Continuity Planning

Mapped to Other Frameworks

A.5.29ISO 27001

Information security during disruption

EXACT

RC.RP-01NIST CSF

Recovery plan is executed

EXACT

6-2HIGH1 mapping

Disaster Recovery

Mapped to Other Frameworks

A.5.30ISO 27001

ICT readiness for business continuity

PARTIAL

Physical Security

الأمن المادي3

7-1MEDIUM1 mapping

Physical Security Perimeters

Mapped to Other Frameworks

A.7.1ISO 27001

Physical security perimeters

EXACT

7-2MEDIUM1 mapping

Physical Entry Controls

Mapped to Other Frameworks

A.7.2ISO 27001

Physical entry

EXACT

7-3MEDIUM1 mapping

Physical Security Monitoring

Mapped to Other Frameworks

A.7.4ISO 27001

Physical security monitoring

EXACT