A KSA inspection-aware method for building and operating cybersecurity governance in NCA, SAMA, and CST-regulated organizations.
الفلق · the break of day
Cybersecurity programs in Saudi organizations fail in predictable ways. They buy platforms before they understand their own assets. They write aspirational policy nobody can measure. They try to enforce every control at once. They produce KRIs that look serious but never drive a decision. They build twin copies of the same work in compliance, audit, and IT, none of them quite agreeing. And they treat resilience as a document, not a tested capability.
FALAQ is how I avoid those failures. Five gates, in order, each producing an artifact the next depends on — wrapped in an operating loop so the program does not just stand up, it survives an inspection cycle and improves between them.
FALAQ does not replace NIST CSF, ISO 27001, COBIT, or the Three Lines Model. It translates them into what actually decides a Saudi program’s fate: passing an NCA assessment or a SAMA examination, on the regulator’s calendar, with evidence that holds. It is a methodology for building a program and keeping it running — not a SOC runbook or a BCM playbook, but not silent on them either. Incident response, resilience, and third-party risk are carried as live tracks, not parked in someone else’s remit.
The gates are non-skippable — you cannot anchor what you have not framed, or quantify what you have not anchored — but execution iterates as new assets, suppliers, incidents, and regulatory findings arrive. Mandatory gates, iterative execution.
Mandate and risk appetite first; then inventory what must be governed.
F0 — Framing: regulatory scope and applicability, board mandate, risk appetite and tolerance, the critical services the business actually runs on, and the decision rights that govern them. You cannot classify an asset, or compute a residual risk, before you know what you are accountable for and how much risk the board will accept.
F1 — Foundation: an asset, data, and service inventory — owner, sensitivity tier, criticality, refresh cadence, evidence owner, and source-of-truth system. Foundation work is unglamorous. Skip it and every downstream control is fiction.
Short, enforceable policy with every clause tied to a control — in Arabic where the work happens.
Policy is the contract that lets every other control hold. It must be short enough to be read, operationally enforceable (no aspirational language nobody can measure), and traceable — every clause maps to a specific NCA control, SAMA expectation, ISO requirement, or PDPL article, and onward to its procedure, owner, and evidence. KSA programs fail when English policy exists but the Arabic operating procedure does not.
Controls deployed in dependency sequence, staged to the inspection calendar.
A common failure mode is trying to enforce all controls at once. Classification precedes handling rules; handling rules precede exception processes; detection without response is theater. Layer controls in the order the dependencies require, and stage the rollout against the audit timeline so adoption can be measured before it becomes a non-conformity. Incident response, BCM/DR, SOC monitoring, and third-party/cloud controls are sequenced here — not as an afterthought.
Three Lines of Defence and board reporting unified at the data layer.
If audit, compliance, and IT each maintain their own version of the same risk, you have three problems, not three perspectives. Alignment unifies the underlying data model so one risk record produces views fit for the assessor, the treatment owner, and the board — without re-keying or reconciliation — with unique IDs linking asset, data set, service, control, obligation, risk, evidence, exception, supplier, and incident.
Risk scored against appetite — a number that changes a decision.
Most KRIs reported to boards are vanity metrics, large numbers detached from any decision. Quantification means scoring residual risk against the appetite set in Framing, with Key Risk Indicators (what changed) and Key Performance Indicators (whether controls work) in the same workflow — so every record resolves to a decision: accept, remediate, transfer, defer-with-expiry, or escalate. This is disciplined risk scoring; full probabilistic quantification comes later, once the data supports it, and is never a day-one promise.
A program that is built once and never operated becomes its own anti-pattern in a regulatory environment that shifts every year. The five gates are wrapped in a loop — Plan → Operate → Test → Evidence → Improve — that re-enters on regulatory change, audit findings, incidents, and M&A.
The score that matters is the regulator’s, not mine. FALAQ’s job is to move you up the scale the assessor actually uses — a FALAQ transformation level is a narrative overlay, never a substitute.
| Layer | What it is | Authority |
|---|---|---|
| Score of record | SAMA CSF maturity (0–5; Level 3+ expected) · NCA compliance % from the national assessment tool | The regulator |
| FALAQ overlay | Reactive → Defined → Aligned → Quantified → Adaptive — a transformation story mapped to the score of record (e.g. “NCA 78%, SAMA avg 2.8, FALAQ Level 2.6 → 3”) | Internal narrative |
Saudi Arabia is not one stack. The first deliverable of any engagement is deciding which obligations actually apply — before a single control is written.
| If you are… | Primary obligation | Likely add-ons |
|---|---|---|
| A regulated bank / fintech | SAMA CSF (+ BCM, CRFR) | NCA ECC, PDPL, CCC (cloud) |
| Government / public sector | NCA ECC-2:2024 | DCC (data), CCC, PDPL, NDMO |
| Critical national infrastructure | NCA CSCC (+ ECC) | CCC, DCC, sector rules |
| Cloud / telecom / hosting | NCA CCC-2:2024, CST | data localization, ECC |
| Anyone processing personal data | PDPL + Implementing Regs (SDAIA) | transfer rules, NDMO data mgmt |
| An Aramco supplier | SACS-002 | ECC, third-party assurance |
FALAQ is not a new taxonomy — it is the canon, sequenced to the KSA inspection calendar and operationalized in Arabic. Stated plainly, because hidden relabeling reads as ignorance and declared translation reads as fluency:
| FALAQ gate | Maps to |
|---|---|
| Framing & Foundation | NIST CSF 2.0 Govern + Identify (ID.AM) · ISO 27001 Cl. 4–6 (context, scope, risk) |
| Anchor | ISO 27001 policy + Statement of Applicability · COBIT management objectives |
| Layering | ISO 27001 risk-treatment plan · NIST Protect / Detect / Respond / Recover |
| Alignment | IIA Three Lines Model · COBIT single integrated framework |
| Quantification | KRI / KPI / residual-risk scoring against board-set appetite |
The original contribution is not the components — it is the order (govern before inventory), the sequencing to the inspection calendar, and the Arabic operating layer.
Most organizations I work with arrive at the regulator’s Level 1–2 with the budget and the will to reach Level 3 operating discipline. A realistic target is 18–24 months for in-scope domains — subject to executive mandate, data quality, tooling maturity, supplier complexity, and remediation budget. The order matters. Frame first. Anchor second. Anything else done before those two collapses under audit.
See FALAQ applied — three real KSA programs, problem to outcome →
Operating depth — PDPL records-of-processing and breach playbooks, exception/waiver governance, the evidence-pack standard, and metric-quality rules — sits beneath each gate and is available on request.
If your organization is preparing for an NCA assessment, a SAMA examination, or a PDPL rollout, I’m open to senior security leadership roles: CISO, Director, or Head of Security.
Discuss a Role