Tools that came out of jobs I was doing, not a tutorial outline. You’ll see crosswalks I needed for an ECC review, a header checker I built for a hardening pass, a JWT inspector I keep around for vendor calls. Everything runs locally.
Designed & built by Mohammed AlYahya
NCA ECC-1:2018 mapped to ISO/IEC 27001:2022SAMA CSF v1.0 (May 2017). Coverage is one-directional (ECC → mapped framework). Mapped at control / control-consideration level.
Currency: NCA issued ECC-2:2024 (4 domains, 108 controls; ICS moved to the separate OT controls, data-localization to SDAIA/NDMO), superseding ECC-1:2018. This crosswalk reflects the expert-audited ECC-1:2018 mapping; an ECC-2:2024 refresh is in progress.
| NCA ECC | Control | Domain | ISO/IEC 27001SAMA CSF | Mapping |
|---|---|---|---|---|
| Cybersecurity strategy | Governance |
5.1
Policies for information security
3.1.2
Cyber Security Strategy
|
Direct Direct | |
| Both establish board-approved policy as the foundation control. Board-approved cyber security strategy in both. | ||||
| Cybersecurity steering committee | Governance |
5.2
Information security roles and responsibilities
3.1.1
Cyber Security Governance
|
Direct Direct | |
| Defines governing body / accountable owner for the cybersecurity function. Steering committee is the core governance structure. | ||||
| Cybersecurity function | Governance |
5.4
Management responsibilities
3.1.4
Cyber Security Roles and Responsibilities
|
Direct Direct | |
| Ownership and authority of the cybersecurity function. Establishing the cyber security function and accountable owner. | ||||
| Cybersecurity in HR | Governance |
6.1
Screening
3.3.1
Human Resources
|
Direct Direct | |
| Pre-employment screening — both require. Cyber security embedded in HR lifecycle. | ||||
| Cybersecurity in HR (T&Cs) | Governance |
6.2
Terms and conditions of employment
3.3.1
Human Resources
|
Direct Direct | |
| Embed security obligations in employment contracts. Cyber security terms and conditions of employment. | ||||
| Cybersecurity awareness and training | Governance |
6.3
Information security awareness, education and training
3.1.6
Cyber Security Awareness
|
Direct Partial | |
| Direct equivalent — programmatic awareness + role-based training. Source spans SAMA Awareness (3.1.6) and Training (3.1.7). | ||||
| Cybersecurity risk management | Governance |
Clause 6.1.2
Information security risk assessment (ISMS clause)
3.2.1
Cyber Security Risk Management
|
Direct Direct | |
| ECC 1-6 maps to ISMS clause 6, not an Annex A control — same risk-process requirement. Same cyber security risk-management methodology. | ||||
| Compliance with regulations | Governance |
5.31
Legal, statutory, regulatory and contractual requirements
3.2.2
Regulatory Compliance
|
Direct Direct | |
| Identification and tracking of applicable regulatory obligations. Compliance with applicable laws and regulatory requirements. | ||||
| Cybersecurity review and audit | Governance |
Clause 9.2
Internal audit (ISMS clause)
3.2.5
Cyber Security Audits
|
Direct Partial | |
| Periodic internal audit of cybersecurity controls — ISMS clause 9.2 is the canonical control. Source spans SAMA Review (3.2.4) and Audits (3.2.5). | ||||
| Asset management | Defence |
5.9
Inventory of information and other associated assets
3.3.3
Asset Management
|
Direct Direct | |
| Inventory of information assets. Identification and inventory of information and technology assets. | ||||
| Identity and access management | Defence |
5.15
Access control
3.3.5
Identity and Access Management
|
Direct Direct | |
| Access control policy + entitlement management. Identity lifecycle and logical access control. | ||||
| Secure authentication | Defence |
8.5
Secure authentication
3.3.5
Identity and Access Management
|
Direct Direct | |
| MFA / strong authentication requirements. Secure authentication is a core IAM requirement. | ||||
| Information system protection | Defence |
8.7
Protection against malware
3.3.8
Infrastructure Security
|
Partial Partial | |
| ECC 2-3 includes EDR/AV + hardening; ISO splits across 8.7 (malware) and 8.9 (configuration management). Host/server protection folded into a broader infrastructure subdomain. | ||||
| System configuration / hardening | Defence |
8.9
Configuration management
3.3.8
Infrastructure Security
|
Direct Partial | |
| Hardened-baseline configuration management. Secure configuration/hardening of infrastructure components (SAMA cc 6.a 'configuration parameters'). | ||||
| Email protection | Defence |
8.23
Web filtering
3.3.8
Infrastructure Security
|
Partial Partial | |
| ISO bundles email + web filtering under 8.23 in 2022; ECC 2-4 is email-specific. No dedicated email subdomain; covered under infrastructure security. | ||||
| Networks security | Defence |
8.20
Networks security
3.3.8
Infrastructure Security
|
Direct Partial | |
| Network design, segmentation, perimeter controls. No dedicated network subdomain; covered under infrastructure security. | ||||
| Network services security | Defence |
8.21
Security of network services
3.3.8
Infrastructure Security
|
Direct Partial | |
| Security of contracted network services (ISP, MPLS, cloud connectivity). Network services security is a subset of infrastructure security. | ||||
| Mobile devices security | Defence |
8.1
User endpoint devices
3.3.10
Bring Your Own Device (BYOD)
|
Direct Partial | |
| Mobile + endpoint device security. Partial overlap; BYOD does not cover all corporate-managed mobile. | ||||
| Data and information protection | Defence |
8.12
Data leakage prevention
3.3.9
Cryptography
|
Direct Partial | |
| DLP coverage of regulated data flows. Data protection via cryptography plus classification (3.3.3 / 3.3.8 cc 6(c)). | ||||
| Data masking / minimisation | Defence |
8.11
Data masking
No SAMA CSF equivalent
|
Direct No equivalent | |
| Data masking for non-prod and analytics paths. No specific data-masking control consideration in SAMA CSF v1.0. | ||||
| Cryptography | Defence |
8.24
Use of cryptography
3.3.9
Cryptography
|
Direct Direct | |
| Cryptographic-controls policy + key management. Cryptographic controls and key management. | ||||
| Backup and recovery | Defence |
8.13
Information backup
3.3.8
Infrastructure Security
|
Direct Partial | |
| Backup policy and recovery testing. SAMA control consideration 6(i) "back-up and recovery procedures". | ||||
| Vulnerabilities management | Defence |
8.8
Management of technical vulnerabilities
3.3.17
Vulnerability Management
|
Direct Direct | |
| Vulnerability identification, prioritisation, remediation cadence. Identification, assessment and remediation of vulnerabilities. | ||||
| Penetration testing | Defence |
8.8
Management of technical vulnerabilities
3.3.17
Vulnerability Management
|
Partial Partial | |
| ISO 27001 does not have a dedicated pen-test control; it folds under 8.8. Penetration testing is a technique within vulnerability management. | ||||
| Cybersecurity event logs and monitoring | Defence |
8.15
Logging
3.3.14
Cyber Security Event Management
|
Direct Direct | |
| Log generation, integrity, retention. Security event logging, collection and monitoring. | ||||
| Monitoring activities | Defence |
8.16
Monitoring activities
3.3.14
Cyber Security Event Management
|
Direct Direct | |
| SOC monitoring + anomaly detection. Monitoring activities under event management. | ||||
| Incident management | Defence |
5.24
Information security incident management planning and preparation
3.3.15
Cyber Security Incident Management
|
Direct Direct | |
| Documented IR plan, roles, runbooks. Incident handling, response and reporting. | ||||
| Physical security | Defence |
7.1
Physical security perimeters
3.3.2
Physical Security
|
Direct Direct | |
| Perimeter, secure areas, visitor control (one of many physical Annex-A.7 controls). Physical and environmental protection of facilities and assets. | ||||
| Web application security | Defence |
8.26
Application security requirements
3.3.6
Application Security
|
Direct Direct | |
| SDLC + secure-coding + app testing requirements. Application (incl. web) security controls. | ||||
| Cybersecurity resilience in BCM | Resilience |
5.30
ICT readiness for business continuity
No SAMA CSF equivalent
|
Direct No equivalent | |
| ICT continuity preparation; ECC 3 maps cleanly to ISO 5.29 and 5.30. Resilience/BCM is covered by SAMA’s separate BCM framework, outside CSF. | ||||
| BCP / DRP tests | Resilience |
5.29
Information security during disruption
No SAMA CSF equivalent
|
Direct No equivalent | |
| Tested continuity plans for security-relevant operations. BCP/DRP testing belongs to SAMA’s separate BCM framework, outside CSF. | ||||
| Third-party cybersecurity | Third-Party |
5.19
Information security in supplier relationships
3.4.1
Contract and Vendor Management
|
Direct Direct | |
| Supplier cybersecurity programme. Cyber security requirements for third parties and vendors. | ||||
| Third-party agreements | Third-Party |
5.20
Addressing information security within supplier agreements
3.4.1
Contract and Vendor Management
|
Direct Direct | |
| Contractual cybersecurity clauses. Third-party agreements / contractual cyber requirements. | ||||
| ICT supply-chain risk | Third-Party |
5.21
Managing information security in the ICT supply chain
3.4.1
Contract and Vendor Management
|
Direct Partial | |
| Upstream supply-chain assurance (SBOM, sub-supplier flow-down). Supply-chain risk; no dedicated supply-chain subdomain (not Outsourcing 3.4.2). | ||||
| Cloud computing and hosting cybersecurity | Third-Party |
5.23
Information security for use of cloud services
3.4.3
Cloud Computing
|
Direct Direct | |
| Cloud service-specific controls (CSCC also overlays for KSA). Cyber security for cloud computing and hosting services. | ||||
| ICS asset management | ICS |
5.9
Inventory of information and other associated assets
No SAMA CSF equivalent
|
Partial No equivalent | |
| ICS-specific asset register; ISO general inventory + ECC requires deeper OT taxonomy. SAMA CSF v1.0 is bank-focused and has no ICS/OT domain. | ||||
| ICS network segregation | ICS |
8.22
Segregation of networks
No SAMA CSF equivalent
|
Direct No equivalent | |
| IT/OT segmentation, Purdue zone separation. SAMA CSF v1.0 is bank-focused and has no ICS/OT domain. | ||||
Showing 37 ECC↔ISO 27001 mappings. Conservative pass — only confident Direct and Partial mappings included.
SAMA CSF mappings are expert-audited and verified against the SAMA Rulebook at control-consideration level. Five ECC controls (info-system, email, networks, network-services, backup) fan into SAMA 3.3.8 Infrastructure Security, which bundles these into control considerations rather than dedicated subdomains.