What is the primary objective of **SAMA CSF**?

**SAMA CSF aims to create a common cybersecurity approach across regulated financial institutions, achieve appropriate maturity levels, and ensure proper risk management.** Issued in May 2017 (Version 1.0), it prescribes principles, objectives, and controls across four domains—**Cyber Security Leadership and Governance**, **Risk Management and Compliance**, **Operations and Technology**, and **Third Party Cyber Security**—using a six-level **maturity model** targeting at least **Level 3 (Structured and Formalized)**, where policies, standards, procedures, and KPIs are defined and monitored.

Who is legally or professionally required to comply with **SAMA CSF**?

**SAMA CSF is mandatory for all SAMA-regulated entities, including banks, insurance/reinsurance companies, financing companies, credit bureaus, and financial market infrastructure providers.** All domains apply fully to banks; non-banks have tailored exceptions (e.g., excluding payment systems unless handling cardholder data or SWIFT). Boards, senior management, CISOs (Saudi nationals with SAMA no-objection), and third-party providers must ensure adoption to meet supervisory expectations.

Does **SAMA CSF** require an external audit or third-party certification?

**No, SAMA CSF requires periodic self-assessments using SAMA-provided questionnaires, with internal audits and SAMA supervisory reviews, but no external certification regime.** Internal audits follow accepted standards; independent reviews of critical assets occur annually, including penetration testing for customer-facing services. Evidence portfolios support maturity demonstrations during SAMA audits.

How often should an assessment for **SAMA CSF** be performed?

**SAMA CSF mandates periodic self-assessments via official questionnaires to evaluate maturity and control effectiveness.** Frequency aligns with reviews of critical assets (annual minimum), risk assessments (project initiation, changes, outsourcing, new products), and audits. Maturity progression requires ongoing KPI/KRI monitoring at Level 3+, with lessons from incidents and tests driving continuous improvement.

What are the consequences of non-compliance with **SAMA CSF**?

**Non-compliance triggers SAMA supervisory actions, including remediation demands, elevated scrutiny, audit findings, and potential operational restrictions.** As a mandated framework, violations fall under broader banking regulations, risking formal enforcement, business conditions, reputational damage, and systemic interventions for high-impact incidents affecting market confidence.

Can **SAMA CSF** be mapped to other international frameworks?

**Yes, SAMA CSF aligns conceptually with frameworks like NIST CSF, ISO 27001, PCI-DSS, and SWIFT CSCF, enabling control mappings for integrated compliance.** Its domains mirror NIST functions (Identify, Protect, Detect, Respond, Recover); institutions leverage existing implementations, with SAMA adding sector-specific mandates like e-banking MFA and payment controls.

What is the first step to begin implementing **SAMA CSF**?

**The first step is securing Board and senior management sponsorship, establishing governance, and conducting a control-level gap analysis against SAMA CSF domains and maturity model.** Form a program team, inventory assets, produce an initial maturity baseline (targeting Level 3 minimum), and develop a project charter with RACI, scope, and roadmap.

What is the primary objective of **MAS TRM**?

**MAS TRM's primary objective is to establish sound technology risk governance and cyber resilience through defence-in-depth controls preserving CIA of data and systems.** Per the January 2021 Guidelines (Preface 1.4), financial institutions must implement proportionate practices across governance (Section 3.1), risk frameworks (Section 4), secure SDLC (Sections 5-6), IT operations (Section 7), resilience (Section 8), and cyber assessments (Sections 9-13).

Who is legally or professionally required to comply with **MAS TRM**?

**MAS TRM applies to all financial institutions supervised by MAS, including banks, insurers, capital market intermediaries, payment service providers, and fintech sandbox participants.** Section 2 positions it as supervisory guidance with implementation commensurate to risk and complexity (Section 2.2); boards and senior management bear accountability (Section 3.1).

Does **MAS TRM** require an external audit or third-party certification?

**MAS TRM mandates an independent internal audit function to assess TRM controls, governance, and risk management effectiveness (Sections 3.1.7, 15), but does not require external audits or certifications.** FIs may incorporate industry standards (Section 3.2.1); external penetration testing is expected annually for Internet-facing systems (Section 13.2.4).

How often should an assessment for **MAS TRM** be performed?

**TRM assessments must occur regularly, with frequency commensurate to system criticality: annual penetration testing for Internet-accessible systems (Section 13.2.4), periodic vulnerability assessments (Section 13.1.1), annual DR plan reviews (Section 8.2.2), and ongoing risk monitoring via registers (Section 4.5).** Policies require periodic reviews amid evolving threats (Section 3.2.1).

What are the consequences of non-compliance with **MAS TRM**?

**Non-compliance risks supervisory actions including fines, license conditions, revocations, and executive prohibitions, as MAS considers TRM observance in supervision (Section 2.2).** Examples: S$27.45M AML/CFT fines across nine FIs; CMS license revocation for governance failures.

Can **MAS TRM** be mapped to other international frameworks?

**Yes, MAS TRM aligns with frameworks like NIST CSF 2.0 (Govern-Identify-Protect-Detect-Respond-Recover) and ISO 27001 via shared controls in governance, risk assessment, and cyber defence.** Section 3.2.1 encourages incorporating industry standards; map asset inventories (3.3) to NIST CSRRs and defence-in-depth to ISO Annex A.

What is the first step to begin implementing **MAS TRM**?

**The first step is board approval of a technology risk appetite/tolerance statement and establishment of governance structures, including CIO/CISO appointments (Section 3.1).** Develop an information asset inventory with classification and ownership (Section 3.3) to enable proportionate controls.

SAMA CSF vs MAS TRM

Standards Comparison

SAMA CSF

Mandatory

2017

Saudi framework for financial sector cybersecurity resilience

MAS TRM

Mandatory

2021

Singapore guideline for technology risk management in finance

Quick Verdict

SAMA CSF mandates maturity-based cybersecurity for Saudi finance firms, while MAS TRM provides proportionate tech risk guidelines for Singapore FIs. Saudi banks ensure resilience via self-assessments; Singapore firms build governance and testing for supervision.

Cybersecurity

SAMA CSF

Saudi Arabian Monetary Authority Cyber Security Framework

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Six-level maturity model targeting minimum Level 3
Four core domains with detailed subdomains
Mandatory for SAMA-regulated financial institutions
Principle-based aligned with NIST and ISO 27001
Board oversight and independent CISO requirements

Technology Risk Management

MAS TRM

MAS Technology Risk Management Guidelines

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Board and senior management accountability
Proportional risk-based implementation
Third-party risk management integration
Annual penetration testing for internet systems
Comprehensive TRM framework lifecycle

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

SAMA CSF Details

What It Is

SAMA Cyber Security Framework (CSF) Version 1.0 is a mandatory regulatory framework issued by the Saudi Arabian Monetary Authority in May 2017. It provides a principle-based, risk-oriented blueprint for cybersecurity in SAMA-regulated financial institutions, focusing on governance, controls, and maturity to protect information assets' confidentiality, integrity, and availability.

Key Components

Four domains: Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Security.
Numerous subdomains with principles, objectives, and control considerations.
Six-level maturity model (0-5, minimum Level 3: structured policies, standards, procedures, KPIs).
Self-assessment and SAMA review model, aligned with NIST, ISO 27001.

Why Organizations Use It

Mandatory compliance avoids penalties, audits, fines.
Enhances resilience, reduces incident risks, improves efficiency.
Builds trust, enables partnerships, competitive edge in Saudi finance.
Integrates with enterprise risk for strategic advantages.

Implementation Overview

Phased: initiation, gap analysis, design, deployment, operations, improvement.
Applies to banks, insurers, finance firms in Saudi Arabia.
Requires board sponsorship, CISO, tools like SIEM/IAM; periodic self-assessments, no external certification.

MAS TRM Details

What It Is

MAS Technology Risk Management (TRM) Guidelines (revised January 2021) is supervisory guidance from Singapore's Monetary Authority of Singapore (MAS) for financial institutions. It provides a principles-based framework for governing technology and cyber risks, emphasizing proportional implementation based on risk profile, complexity, and criticality to ensure confidentiality, integrity, and availability (CIA) of systems and data.

Key Components

15 sections covering governance, risk frameworks, secure development, IT service management, resilience, access controls, cryptography, cyber operations, assessments, and audit.
Synthesised 12 core principles like board accountability, asset inventories, third-party oversight, and layered cyber defenses.
No fixed controls; relies on risk-based outcomes with independent assurance.

Why Organizations Use It

Meets MAS supervisory expectations to avoid fines, enforcement.
Enhances resilience, reduces cyber incidents, builds customer trust.
Supports digital transformation securely; competitive edge in Singapore finance.

Implementation Overview

**Risk-based roadmapasset inventory, governance setup, control design, testing.
Applies to all MAS-supervised FIs; scalable by size/complexity.
No formal certification; demonstrated via audits, board reporting.

Key Differences

Aspect	SAMA CSF	MAS TRM
Scope	4 domains: governance, risk mgmt, operations, third-party	15 sections: governance to cyber assessment, online services
Industry	Saudi financial institutions (banks, insurance, etc.)	Singapore financial institutions (banks, insurers, fintechs)
Nature	Mandatory principle-based framework with maturity model	Supervisory guidelines, proportionate implementation
Testing	Self-assessments, pen tests, maturity level evidence	Annual PT for internet systems, VA, red teaming, DR tests
Penalties	Regulatory actions, remediation, operational restrictions	Fines, license conditions, supervisory enforcement

Scope

SAMA CSF

4 domains: governance, risk mgmt, operations, third-party

MAS TRM

15 sections: governance to cyber assessment, online services

Industry

SAMA CSF

Saudi financial institutions (banks, insurance, etc.)

MAS TRM

Singapore financial institutions (banks, insurers, fintechs)

Nature

SAMA CSF

Mandatory principle-based framework with maturity model

MAS TRM

Supervisory guidelines, proportionate implementation

Testing

SAMA CSF

Self-assessments, pen tests, maturity level evidence

MAS TRM

Annual PT for internet systems, VA, red teaming, DR tests

Penalties

SAMA CSF

Regulatory actions, remediation, operational restrictions

MAS TRM

Fines, license conditions, supervisory enforcement

Frequently Asked Questions

Common questions about SAMA CSF and MAS TRM

SAMA CSF FAQ

MAS TRM FAQ

You Might also be Interested in These Articles...

NIST CSF 2.0 Deep Dive: Mastering the Updated Framework Core Functions

Unpack NIST CSF 2.0's enhanced Core Functions: Govern, Identify, Protect, Detect, Respond, Recover. Get SME playbooks, governance shifts & strategies for cyber

SOC 2 for Fintech Startups: First 5 Steps to Compliance with Confidentiality Criterion Infographic

First 5 steps to SOC 2 compliance with Confidentiality for fintech SaaS. Infographic maps controls to risks like encryption & TPRM. Integrates GLBA/PCI DSS over

TISAX Tabletop Exercises for ADAS Suppliers: Simulating Prototype IP Leaks and Ransomware in Hybrid Supply Chains (2025 Edition with Hero Scenario Visual)

Master TISAX 'Very High' tabletop exercises for ADAS suppliers with 2024 breach simulations like CAD leaks and ransomware. Get scripts, AAR templates, hybrid ti

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

IFS Food vs FSSC 22000

Compare IFS Food vs FSSC 22000: Uncover key differences in audits, governance, PRPs & requirements for optimal food safety certification. Choose your ideal GFSI scheme now!

COBIT vs SQF

Compare COBIT vs SQF: IT governance meets food safety certification. Explore key differences, implementation strategies, and compliance benefits for regulated industries. Optimize your choice now!

GDPR vs PMBOK

Compare GDPR vs PMBOK: Data privacy regulation meets project management standard. Master principles, compliance, fines & tailoring for secure projects. Elevate success now!

SAMA CSF

MAS TRM

Quick Verdict

SAMA CSF

Key Features

MAS TRM

Key Features

Detailed Analysis

SAMA CSF Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

MAS TRM Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

SAMA CSF FAQ

What is the primary objective of SAMA CSF?

Who is legally or professionally required to comply with SAMA CSF?

Does SAMA CSF require an external audit or third-party certification?

How often should an assessment for SAMA CSF be performed?

What are the consequences of non-compliance with SAMA CSF?

Can SAMA CSF be mapped to other international frameworks?

What is the first step to begin implementing SAMA CSF?

MAS TRM FAQ

What is the primary objective of MAS TRM?

Who is legally or professionally required to comply with MAS TRM?

Does MAS TRM require an external audit or third-party certification?

How often should an assessment for MAS TRM be performed?

What are the consequences of non-compliance with MAS TRM?

Can MAS TRM be mapped to other international frameworks?

What is the first step to begin implementing MAS TRM?

You Might also be Interested in These Articles...

NIST CSF 2.0 Deep Dive: Mastering the Updated Framework Core Functions

SOC 2 for Fintech Startups: First 5 Steps to Compliance with Confidentiality Criterion Infographic

TISAX Tabletop Exercises for ADAS Suppliers: Simulating Prototype IP Leaks and Ransomware in Hybrid Supply Chains (2025 Edition with Hero Scenario Visual)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

IFS Food vs FSSC 22000

COBIT vs SQF

GDPR vs PMBOK