SAMA CYBER SECURITY FRAMEWORK COMPLIANCE SOFTWARE FOR SAUDI MEMBER ORGANIZATIONS

Manage SAMA CSF across all 4 domains, 32 subdomains and ~118 control considerations. Maturity assessment on the 6-level model, board reporting, third-party governance, and SAMA submission workbook — automated.

What is the SAMA Cyber Security Framework and who must comply?

The SAMA Cyber Security Framework v1.0 (issued May 2017) is the mandatory cyber security framework for all entities supervised by the Saudi Central Bank — banks, insurance and reinsurance companies, financing companies, credit bureaus, and the Financial Market Infrastructure. It is principle-based, structured around 4 control domains and 32 subdomains, and assessed against a 6-level maturity model (0 Non-existent → 5 Adaptive). Member Organizations must operate at Level 3 or higher.

Saudi Central Bank · Member Organizations · Banking · Insurance · FMI
[Product screenshot: app.venvera.com/sama-csf dashboard, SAMA CSF Compliance, KSA · Saudi Central Bank · Cyber Security Framework v1.0 (May 2017). Compliance score 74% (target 80%), last assessment 14 days ago, next internal audit Q3 on schedule, 12 open gaps; 32 subdomains, 23 at level 3 or above, 9 gaps to target, average maturity 3.4. Domain readiness (% controls implemented): 3.1 Leadership & Governance 86%, 3.2 Risk Management & Compliance 78%, 3.3 Operations & Technology 64%, 3.4 Third Party Cyber Security 58%.]

CONTINUOUS MATURITY ASSESSMENT ACROSS ALL 32 SUBDOMAINS

SAMA CSF requires a periodic self-assessment scored on its 6-level maturity model (0 Non-existent → 5 Adaptive). Member Organizations must operate at Level 3 (“Structured and Formalized”) or higher. Venvera scores every subdomain against current vs. target maturity, computes per-domain and overall scores in real time, and surfaces remediation priorities. No more annual spreadsheet sprint.

  • 6-level maturity model (Non-existent → Adaptive) per SAMA Section 2.4
  • Per-subdomain current vs. target tracking with auto-computed gap
  • Domain and overall maturity scores with trend over time
  • Evidence notes attached at the subdomain level
  • Sign-off workflow for the periodic self-assessment submission to SAMA

BOARD-LEVEL GOVERNANCE THE WAY SAMA EXPECTS IT

Section 3.1 of SAMA CSF makes the board responsible for cyber security and requires a cyber security committee chaired by an independent senior manager. Venvera tracks committee charter status, meeting cadence, agenda items, and the CISO appointment requirement (including the Saudi-nationality control consideration in 3.1.1). Policy lifecycle, version control, and stakeholder communication are evidenced for the SAMA reviewer.

  • Cyber security committee charter, members, and meeting log
  • CISO role tracking — appointment, qualifications, no-objection from SAMA
  • Cyber security policy lifecycle with board endorsement workflow
  • Strategy alignment to the Banking Sector cyber security strategy (3.1.2)
  • Cyber security awareness and role-specific training programmes
[Product screenshot: Control Library filtered to Section 3.1, columns Ref · Control · Status · Owner (sample data).]
  • 3.1.1.1 Cyber security committee mandated by board · IMPLEMENTED · J. Lewis
  • 3.1.1.7 Independent reporting line for the cyber security function · IMPLEMENTED · J. Lewis
  • 3.1.1.9 CISO Saudi-nationality requirement met · IMPLEMENTED · J. Lewis
  • 3.1.2.1 Cyber security strategy defined and approved · IMPLEMENTED · J. Lewis
  • 3.1.3.1 Cyber security policy approved and communicated · PARTIAL · J. Lewis
  • 3.1.4.1 Board allocates sufficient cyber security budget · IMPLEMENTED · J. Lewis
  • 3.1.6.1 Cyber security awareness programme · IMPLEMENTED · J. Lewis
  • 3.1.7.1 Role-specific cyber security training · PARTIAL · J. Lewis

RISK MANAGEMENT, REGULATORY COMPLIANCE, AND PERIODIC REVIEW

Section 3.2 requires a structured risk management process, ongoing monitoring of SAMA and Kingdom regulatory changes, alignment to international standards (ISO/NIST/PCI/SWIFT where applicable), periodic effectiveness reviews, and independent internal & external audits. Venvera couples its risk register, regulatory updates feed (SAMA + Kingdom + EBA-equivalents), and audit log so the entire 3.2 domain runs as one programme.

  • Cyber security risk register aligned to SAMA risk methodology
  • Regulatory updates feed for SAMA circulars and Kingdom directives
  • Cross-mapping to ISO 27001:2022, NIST CSF 2.0, PCI DSS v4
  • Periodic effectiveness reviews with KPI/KRI tracking
  • Internal & external audit scheduling, findings, and remediation
[Product screenshot: Evidence vault linked to 114 controls; 128 items total, 96 fresh, 24 stale, 8 missing (sample data).]
  • Cyber security risk register · XLSX · 142 risks scored · FRESH
  • Cyber security policy v3.1 · PDF · board-endorsed · FRESH
  • Internal audit report, Q1 · PDF · 28 findings · FRESH
  • External audit report, 2025 · PDF · independent · STALE
  • KRI dashboard snapshot · PDF · monthly · FRESH
  • Regulatory change log · CSV · 12 updates this quarter · FRESH

17 OPERATIONS & TECHNOLOGY SUBDOMAINS, ONE CONTROL CATALOGUE

Section 3.3 is the operational heart of SAMA CSF — 17 subdomains covering everything from HR screening to vulnerability management, payment systems, and electronic banking services. Venvera renders each subdomain as a checklist of control considerations with implementation status, owner, evidence link, and SAMA exclusion flags (3.3.12 and 3.3.13 are excluded for non-bank Member Organizations unless they handle payments or online customer services).

  • All 17 operations & technology subdomains tracked separately
  • Bank vs non-bank applicability automatically applied (3.3.12 / 3.3.13 exclusions)
  • Control owners with sign-off + evidence link per consideration
  • Native incident management module wired to subdomain 3.3.15
  • Vulnerability management cycle aligned to 3.3.17 (KRI-driven)
[Product screenshot: Control Library filtered to Section 3.3, columns Ref · Control · Status · Owner (sample data).]
  • 3.3.5.4 Multi-factor authentication for privileged access · IMPLEMENTED · J. Lewis
  • 3.3.7.2 Change advisory board approval for production changes · IMPLEMENTED · J. Lewis
  • 3.3.9.3 Cryptographic key management standards · PARTIAL · J. Lewis
  • 3.3.12.1 Payment systems segregation (banks only) · IMPLEMENTED · J. Lewis
  • 3.3.13.4 E-banking customer authentication strength · IMPLEMENTED · J. Lewis
  • 3.3.14.2 Centralised SIEM with 24/7 monitoring · IMPLEMENTED · J. Lewis
  • 3.3.15.5 Incident notification to SAMA within required time · IMPLEMENTED · J. Lewis
  • 3.3.17.3 Vulnerability remediation SLA per severity · PARTIAL · J. Lewis

THIRD PARTY, OUTSOURCING, AND CLOUD COMPLIANCE

Section 3.4 — three subdomains covering vendor contracts, outsourcing governance, and cloud computing — is one of the most-cited gaps in SAMA assessments. Venvera’s TPRM module is wired directly to subdomain 3.4.1: every supplier carries the SAMA-required contractual clauses, security questionnaire results, and sub-outsourcing visibility. Cloud providers are tracked separately under 3.4.3 with data-localisation status and shared-responsibility evidence.

  • Vendor contract clauses tracked against 3.4.1 control considerations
  • Outsourcing governance per 3.4.2 with service criticality classification
  • Cloud provider register per 3.4.3 with shared-responsibility matrix
  • Sub-outsourcing chain visibility (n-th party mapping)
  • Data localisation evidence for KSA residency requirements
[Product screenshot: Latest board report, SAMA CSF · Q2 2026, prepared for the Board of Directors, 18 pages, generated 2 minutes ago. Contents: 1. Executive summary (p. 2), 2. Control effectiveness (p. 5), 3. Key risks & incidents (p. 8), 4. Remediation progress (p. 11), 5. Annex: full control matrix (p. 14). Actions: Download DOCX, Export to xBRL-CSV. Recent exports (sample data):]
  • Annual SAMA self-assessment · XLSX · 32 subdomains scored · FINAL
  • Cyber security committee minutes · PDF · last 4 quarters · FINAL
  • Internal audit programme, current · PDF · risk-based plan · DRAFT
  • Third-party security questionnaire · XLSX · sent to 38 suppliers · FINAL
  • Cloud shared-responsibility matrix · PDF · per provider · FINAL
  • KRI / KPI report for the board · PDF · monthly · FINAL

BOARD AND SAMA SUBMISSION REPORTS, ONE CLICK

SAMA expects the board to be actively engaged. Venvera produces the cyber security committee deck, the periodic self-assessment workbook for SAMA submission, and the auditor evidence package. Templates pre-fill from your live data — no copy-paste between the GRC tool and Word.

  • Cyber security committee board deck (PDF / DOCX)
  • SAMA periodic self-assessment workbook export
  • Auditor evidence package per subdomain
  • KRI/KPI trend reports for the board
  • Risk-acceptance and waiver tracking aligned to SAMA Appendix D
[Product screenshot: the same board-report panel (SAMA CSF · Q2 2026, 18 pages, Download DOCX / Export to xBRL-CSV), with recent exports (sample data):]
  • Board pack, Q2 Cyber · generated 2 min ago · FINAL
  • Management review minutes · DOCX · 38 pages · FINAL
  • Regulator submission, draft · xBRL-CSV · 1.2MB · DRAFT
  • Auditor requests, response · PDF · 24 artefacts · DRAFT

SAMA CSF COMPLIANCE: VENVERA VS MANUAL TRACKING

Capability             | Manual Tracking                               | Venvera
-----------------------|-----------------------------------------------|------------------------------------------------
Maturity scoring       | Excel spreadsheet, refreshed annually         | Live 6-level maturity per subdomain with trend
Control evidence       | SharePoint folders by subdomain               | Evidence linked at the control consideration
SAMA self-assessment   | Manual workbook prep takes weeks              | Workbook export from live data, one click
Bank vs non-bank scoping | Manual reasoning on 3.3.12 / 3.3.13         | Auto-applied based on entity type
Audit trail            | Email approvals, no version history           | Append-only audit log per control
Board reporting        | Slides assembled by hand each quarter         | Board deck generated from live KPIs

  • 32 subdomains across 4 SAMA domains
  • ~118 mandated control considerations
  • 6 maturity levels (0–5)
  • 5 Member Organization types covered


READY TO PASS YOUR NEXT SAMA REVIEW?

Start with a 14-day free trial. Import your existing self-assessment, map your controls to the 32 subdomains in minutes, and generate the SAMA submission workbook from live data. No credit card required.

AES-256 Encryption · EU Data Residency · SOC 2 Certified