NCA Essential Cybersecurity Controls

NCA Essential Cybersecurity Controls Overview

The National Cybersecurity Authority (referred to in this document as “The Authority” or “NCA”) developed the essential cybersecurity controls (ECC – 1: 2018) after conducting a comprehensive study of multiple national and international cybersecurity frameworks and standards, studying related national decisions, law and regulatory requirements, reviewing and leveraging cybersecurity best practices, analyzing previous cybersecurity incidents and
attacks on government and other critical organizations, and surveying and considering opinions of multiple national organizations.
The main objective of the controls within the ECC is to set the minimum cybersecurity requirements for information and technology assets in organisations within the Kingdom. The requirements are based on industry leading practices which intend to help organisations minimise cybersecurity risks that originate from internal and external threats.
The Essential Cybersecurity Controls consist of the following:
  • 5 Cybersecurity Main Domains.
  • 29 Cybersecurity Subdomains.
  • 114 Cybersecurity Controls.
These cybersecurity controls are linked to related national and international law and regulatory requirements.

ECC Scope & Applicability

These controls are applicable to government organizations in the Kingdom of Saudi Arabia (including ministries, authorities, establishments and others) and its companies and entities, as well as private sector organizations owning, operating or hosting Critical National Infrastructures (CNIs), which are all referred to herein as “The Organization”.
The NCA strongly encourages all other organizations in the Kingdom to leverage these controls to implement best practices to improve and enhance their cybersecurity.
Critical National Infrastructures (CNIs): These are the assets (i.e., facilities, systems, networks, processes, and key operators who operate and process them), whose loss or vulnerability to security breaches may result in:
  • Significant negative impact on the availability, integration or delivery of basic services, including services that could result in serious loss of property and/or lives and/or injuries, alongside observance of significant economic and/or social impacts.
  • Significant impact on national security and/or national defense and/or state economy or national capacities.
These controls have been developed after taking into consideration the cybersecurity needs of all organizations and sectors in the Kingdom of Saudi Arabia. Every organization must comply with all applicable controls in this document.
Applicability to implement these cybersecurity controls depends on the organization’s business and its use of certain technologies. For example:
  • Controls in subdomain 4-2 (Cloud Computing and Hosting Cybersecurity) are applicable and must be implemented by organizations currently using or planning to use cloud computing and hosting services.
  • Controls in main domain 5 (Industrial Control Systems Cybersecurity) are applicable and must be implemented by organizations currently using or planning to use industrial control systems.

Ready to Get Started?

“Our specialists are ready to tailor our security service solutions to fit the needs of your organization. “