What is the primary objective of SAMA CSF?

The primary objective of SAMA CSF is to create a common approach for addressing cybersecurity across Member Organizations, achieve an appropriate maturity level of cybersecurity controls, and ensure cybersecurity risks are properly managed. Version 1.0 (May 2017) prescribes principles, objectives, and control considerations across four domains—Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, and Third Party Cyber Security—using a six-level maturity model targeting at least Level 3 (Structured and formalized) with policies, standards, procedures, and KPIs.

Who is legally or professionally required to comply with SAMA CSF?

SAMA CSF is mandatory for all SAMA-regulated financial institutions in Saudi Arabia, including banks, insurance and reinsurance companies, financing companies, credit bureaus, and Financial Market Infrastructure providers. All domains apply fully to banks; non-banks have tailored exceptions (e.g., excluding payment systems unless handling cardholder data or SWIFT). Boards, senior management, CISOs, CROs, IT leaders, and third-party risk managers must ensure adoption, with a Saudi national CISO requiring SAMA non-objection.

Does SAMA CSF require an external audit or third-party certification?

No, SAMA CSF does not require external audit or third-party certification; compliance is demonstrated through periodic self-assessments using SAMA-provided questionnaires and subject to SAMA supervisory review and audits. Internal audits by internal audit functions are mandated per accepted standards, with evidence including board minutes, policies, risk registers, and control artifacts organized in GRC systems.

How often should an assessment for SAMA CSF be performed?

SAMA CSF requires periodic self-assessments using SAMA-supplied questionnaires to evaluate maturity levels and control effectiveness across domains. Assessments occur routinely for critical assets (e.g., annual reviews, penetration testing for customer-facing services), with triggers including project initiation, critical changes, outsourcing, new products, and SAMA review cycles to maintain at least Level 3 maturity with KPIs/KRIs.

What are the consequences of non-compliance with SAMA CSF?

Non-compliance with SAMA CSF triggers regulatory enforcement including supervisory actions, remediation demands, elevated scrutiny, audit findings, and potential operational restrictions under SAMA's broader authority. As a mandated framework, failures to achieve Level 3 maturity or report incidents (immediate for medium/high severity) risk financial loss, reputational damage, and systemic interventions, with SAMA retaining authority over incomplete implementations.

An SAMA CSF be mapped to other international frameworks?

Yes, SAMA CSF can be mapped to international frameworks such as NIST CSF, ISO 27001, PCI-DSS, and BASEL, as it is explicitly based on these standards. Domains align with NIST functions (e.g., Identify to governance/risk; Protect to operations), enabling dual-compliance via shared controls, risk assessments, and maturity models, though SAMA adds sector-specific requirements like e-banking MFA and data residency.

What is the first step to begin implementing SAMA CSF?

The first step to implement SAMA CSF is to secure Board and Senior Management sponsorship, establish a project charter, and conduct a control-level gap analysis against the framework's maturity model. Appoint program leadership (e.g., CISO oversight), inventory applicable domains/subdomains, perform initial maturity assessment (targeting Level 3), and produce a baseline gap register using GRC tools.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security. Published in 2007 and revised in 2022, it provides a risk-based framework using the PDCA cycle to identify threats, vulnerabilities, and interdependencies across supply chains, protecting people, assets, goods, infrastructure, and information.

Who is legally or professionally required to comply with ISO 28000?

No organizations are legally required to comply with ISO 28000, as it is a voluntary international standard. It applies to all organization sizes—from micro-enterprises to multinationals—in sectors like logistics, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers, driven by contractual obligations, customs programs, tenders, or risk management needs.

Oes ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audits or third-party certification, though it supports them via internal or external verification. Certification, per ISO 28003 requirements for bodies, involves accredited Certification Bodies (e.g., ANAB), with Stage 1 (documentation) and Stage 2 (implementation) audits, followed by annual surveillance for three years.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires internal audits at planned intervals via a risk-based audit program. Risk assessments must be maintained continually (Clause 8.3), with management reviews at planned intervals (Clause 9.3), typically annually or upon significant changes, plus ongoing monitoring of KPIs like incident rates and supplier controls.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary. Indirect consequences include operational disruptions from security incidents (theft, sabotage), higher insurance premiums, lost contracts, regulatory scrutiny in trade programs, reputational damage, and exclusion from tenders requiring security credentials.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the ISO High Level Structure (HLS), enabling mapping to other management system standards. Its PDCA cycle and clauses (4–10) support integration with frameworks using similar structures, facilitating combined audits, shared risk registers, and unified governance.

What is the first step to begin implementing ISO 28000?

The first step is Phase 0: secure executive sponsorship, define SMS scope, and charter the program. Appoint a Senior Responsible Owner, map supply chains, conduct initial context analysis (Clause 4), and produce a project charter with timeline, resources, and high-level risk exposure.

Standards Comparison

SAMA CSF vs ISO 28000

SAMA CSF

Mandatory

2017

Saudi regulatory framework for financial cybersecurity

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

SAMA CSF mandates cybersecurity maturity for Saudi financial institutions via self-assessments and audits, ensuring resilience against cyber threats. ISO 28000 offers voluntary certification for global supply chain security management, helping organizations reduce risks and gain market trust.

Cybersecurity

SAMA CSF

SAMA Cyber Security Framework Version 1.0

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Six-level maturity model targeting Level 3 minimum
Four core domains with detailed subdomains
Principle-based risk management approach
Mandatory for Saudi financial institutions
Board oversight and independent CISO requirements

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security assessment
PDCA cycle for continual improvement
HLS alignment for ISO integration
Supplier and third-party governance
Incident response and resilience plans

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

SAMA CSF Details

What It Is

SAMA Cyber Security Framework (CSF) Version 1.0 is a mandatory regulatory framework issued by the Saudi Arabian Monetary Authority in May 2017. It prescribes principle-based, outcome-oriented cybersecurity controls for SAMA-regulated financial institutions, including banks, insurers, and payment providers. Its primary purpose is to ensure detection, resistance, response, and recovery from cyber threats via a risk-based approach and maturity model.

Key Components

Four domains: Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Security.
Numerous subdomains with principles, objectives, and control considerations.
Six-level Cyber Security Maturity Model (0-5), minimum Level 3 (structured/formalized).
Self-assessment via questionnaire; aligns with NIST, ISO 27001, PCI-DSS.

Why Organizations Use It

Mandated compliance avoids penalties, audits, operational disruptions. Enhances resilience, reduces incident impacts, enables competitive differentiation, market access, efficiency via standardized controls. Builds stakeholder trust in Saudi's digital financial sector.

Implementation Overview

Phased program: initiation/gap analysis, risk assessment, design/roadmap, deployment, operations/monitoring, audit/improvement. Applies to all SAMA entities; requires board sponsorship, CISO, evidence for self-assessments/SAMA reviews. Iterative, multi-year for higher maturity.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security and resilience — Security management systems — Requirements is an international management system standard for establishing, implementing, maintaining, and improving a security management system (SMS) tailored to supply chain security. It employs a risk-based approach via the PDCA cycle and High Level Structure (HLS) for holistic protection of people, assets, and operations.

Key Components

Clauses 4–10: context, leadership, planning, support, operation, evaluation, improvement
Risk assessment/treatment, security policies, objectives, controls (physical, procedural, personnel)
Supplier governance and incident response
Certification model per ISO 28003 with audits

Why Organizations Use It

Reduces disruptions, theft, sabotage risks
Meets contractual/regulatory demands (e.g., C-TPAT equivalents)
Lowers insurance costs, enables trade facilitation
Boosts resilience, reputation, competitive bidding

Implementation Overview

Phased: scoping, gap analysis, risk strategy, deployment, audits
Scalable across sizes/industries (logistics, manufacturing)
Involves mapping, training, supplier integration
Optional third-party certification with surveillance

Key Differences

Aspect	SAMA CSF	ISO 28000
Scope	Cybersecurity for financial sector info assets	Supply chain security management system
Industry	Saudi financial institutions only	All industries worldwide, supply chain focus
Nature	Mandatory regulatory framework	Voluntary international certification standard
Testing	Periodic self-assessments, SAMA audits	Internal audits, third-party certification
Penalties	Regulatory enforcement, fines, scrutiny	Loss of certification, no legal penalties

Scope

SAMA CSF

Cybersecurity for financial sector info assets

ISO 28000

Supply chain security management system

Industry

SAMA CSF

Saudi financial institutions only

ISO 28000

All industries worldwide, supply chain focus

Nature

SAMA CSF

Mandatory regulatory framework

ISO 28000

Voluntary international certification standard

Testing

SAMA CSF

Periodic self-assessments, SAMA audits

ISO 28000

Internal audits, third-party certification

Penalties

SAMA CSF

Regulatory enforcement, fines, scrutiny

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about SAMA CSF and ISO 28000

SAMA CSF FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Operationalize CIS Controls v8.1 with compliance monitoring software. Turn checklists into dashboards, tickets, and audit-proof workflows. Top 10 reasons it acc

Top 10 Reasons CMMC Level 3 Certification Unlocks Competitive Edge for Primes Handling Critical DoD Programs

Discover top 10 reasons CMMC Level 3 certification unlocks competitive edge for DoD primes. Reduced APT risks, procurement prefs, NIST 800-172 compliance via v2

DORA Third-Party Risk Management: A Consultant’s Guide to Mapping Critical ICT Service Providers in 2026

Navigate DORA's complex third-party risk pillar. Step-by-step consultant guide to identify critical ICT providers, remediate Article 30 contracts, and build the

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how SAMA CSF and ISO 28000 compare against other standards

Other SAMA CSF Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Four domains: Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Security.

Numerous subdomains with principles, objectives, and control considerations.

Six-level Cyber Security Maturity Model (0-5), minimum Level 3 (structured/formalized).

Self-assessment via questionnaire; aligns with NIST, ISO 27001, PCI-DSS.

What It Is

Aspect

SAMA CSF

ISO 28000

Scope

Cybersecurity for financial sector info assets

Supply chain security management system

Industry

Saudi financial institutions only

All industries worldwide, supply chain focus

Nature

Mandatory regulatory framework

Voluntary international certification standard

Testing

Periodic self-assessments, SAMA audits

Internal audits, third-party certification

Penalties

Regulatory enforcement, fines, scrutiny

Loss of certification, no legal penalties