Compliance Guide Guide

How SharkStriker helps you become SAMA  CSF compliant?

SAMA Compliance

How SharkStriker helps you become SAMA  CSF compliant?


The past twelve months have been a shocker for big names such as Twitter, Meta, Apple, and others because of the data breaches they have become victims of.

In March, a bug was reported in Open AI’s Chat GPT that caused the exposure of the personal data of their customers.

It included sensitive financial information such as credit card details, addresses, etc. 

It just goes to show that even known names have become data breach victims because of the lack of a cybersecurity framework that they can count on. 

Now you can imagine the impact on financial institutions with huge customer bases. 

The Saudi Arabian Monetary Authority (SAMA) has created a framework to assist organizations in establishing a fundamental cybersecurity posture with the best practices for information security.

We will look closer at this framework, its benefits, and more…

What is SAMA Framework?

a) Overview 

The following is the overview of the SAMA CSF (Cybersecurity Framework):

  • It was established in 2017 by Saudi Arabian Monetary Authority (SAMA) 
  • Primary Goal: – To protect all member institutions from breaches 
  • It consists of security controls, measures, procedures, and policies for detection and response capabilities.
  • It has taken some of the best practices from PCI DSS, SWIFT, NIST, OWASP, and others.
  • It is aimed primarily at senior and executive management. Everyone who frames, reviews, and implements security controls. Business owners, information assets owners, and CISOs.
  • All the organizations are periodically reviewed based on self-assessments submitted to SAMA.
  • Once these assessments are reviewed, SAMA will determine the security maturity level they belong to.
b) Who are member organizations?

The framework applies to all the organizations in the Kingdom of Saudi Arabia that fall under member institutions including:

  • The entire financial infrastructure
  • Banks
  • Insurance and reinsurance companies
  • Financial companies
  • Credit Bureaus
c) Structure/Framework

What is “Maturity Level”?

The SAMA has categorized organizations according to their cyber resilience into different maturity levels. There are six maturity levels in total. We will take a close look at each level in detail in the figure below:

Maturity level 0 – Non-existent

  • No cybersecurity controls are in place
  • No awareness of the particular risk area  
  • No current plan to implement cybersecurity controls

Maturity level 1 – Ad-hoc 

  • Partial or no defined security controls 
  • Cybersecurity control design and execution changes from department to department 
  • Current controls only partially mitigate risk with inconsistency in the execution of controls 

Maturity level 2 – Repeatable but informal

  • There are repeatable security controls in place without a formal structure or approval  
  • There is no formal review or testing of controls

Maturity level 3 – Structured and formalized

  • Security controls are formally defined, approved, implemented and monitored
  • There are GRC tools in place to monitor policies, standards, and procedures 
  • Key performance indicators are identified and implemented.

Maturity level 4 – Managed and Measurable

  • The security controls are tested for effectiveness regularly and improved if needed
  • Periodic effectiveness testing is done using risk indicators and trend reporting
  • Opportunities for improvement are identified and documented as per testing

Maturity level 5 – Adaptive

  • There is an enterprise-grade program with continuous improvement and compliance 
  • Controls are integrated within the risk management framework and practices 
  • Security controls are tested using peer and sector data

What are its benefits ?

Now that you have at least somewhat idea of what the SAMA CSF framework is, let us take a look at some of its benefits to business:

Establishes a baseline security posture in organizations 

SAMA CSF helps organizations take basic measures for establishing a foundational level of cybersecurity posture. It recommends security measures, guidelines, policies, procedures, and world-class cybersecurity best practices. It ensures that businesses stay protected from the most known vulnerabilities and threats by building resilience against the latest TTPs deployed by sophisticated cyber attackers. 

Protects information assets

It ensures the protection of all the sensitive data of member organizations by recommending a framework that requires implementing security measures for continuous monitoring and damage control measures for cyber incidents.

It makes people accountable and aware of the security measures to protect information at different levels through systematic policies, procedures, and rules.

Prepares them for data breaches and cyber attacks

Cyber attacks like data breaches impact an organization’s operations and reputation.  The framework ensures that every member organization implements a set of measures for incident response planning. An incident response plan is a proactive measure of preparing systematic documentation of all the measures that are to be taken in an event of a cyber attack and defines roles and responsibilities in a cyber incident.

It gives a third-party validation of their security

With SAMA CSF compliance, businesses get third-party validation from a reputed authority, opening up new business opportunities with increased cybersecurity credibility. It empowers them to confidently approach their prospective customers with verified and reviewed information security of all sensitive information.

Improves brand reputation with an increase in stakeholder trust

Becoming SAMA compliant ensures that they are held accountable for customer data and take a minimum set of measures to ensure data protection. By implementing the guidelines in the SAMA CSF, businesses assure their customers that their data is in safe hands. It improves the trustworthiness of the brand and builds the reputation of the brand overall.

Saves cost

The average cost of a data breach last year was around a whopping $4.35 million! By implementing security measures that are inspired by some of the world-class best practices from NESA, GDPR, PCI DSS, etc., an organization ensures that they save costs from a data breach. A data breach cost not only just includes the damage of operational and information loss but also the legal fines that are imposed as a result of non-compliance. SAMA CSF saves an organization from all the heavy costs associated with a data breach. 

How can we help you become SAMA CSF compliant ?

SharkStriker understands that the regulatory environment is constantly changing with time. And as a business owner, it is challenging to be compliant. It can be due to a limited team or lack of resources or expertise, or any other reason.

To assist businesses in their compliance journey, we have come up with a dedicated end-to-end compliance management service for SAMA CSF. From scope framing to conducting a post-implementation audit, we take all the measures necessary to assist you in becoming SAMA compliant.

Our consultants offer round-the-clock support to ensure that you remain updated with all the recent developments in compliance. We take a holistic approach to compliance by undertaking all the necessary actions to ensure you have everything you need under one roof.

The following is our approach to assist you to be SAMA CSF compliant:


It is the first step wherein we:

Identify Assets

  • Identify systems where critical information is stored 
  • Understand compliance requirements 
  • Identify critical services 

Identify Controls  

  • Determine controls that can help bridge identified gaps 
  • Strategize and build a risk treatment plan 

Gap & Risk Assessment

  • Conduct vulnerability and risk assessments
  • Identify compliance gaps in the current information systems 

Compliance Reports

  • Audit the current posture and develop a compliance report 

Rollout and Implementation

It is the most critical step where we:

Implement Security Measures

  • Including policies, and procedures based on the risk treatment plan 

Deploy Technological Controls

  • Implement an architecture that aligns with the risk treatment plan 
  • Configure the tools


  • We run training and awareness programs to mitigate human errors

Management Controls

  • We implement procedural, managerial, and operational controls to mitigate risks
  • Enhance physical security 
  • Use IAMs to assign roles to different users and prevent unauthorized 

Security Services

Next, we engage in rendering security services with:

Periodic Security Testing

  • Vulnerability Assessments 
  • Penetration Testing 
  • Security configuration reviews 

Managed Network Security 

  • Firewall Installation & Management 
  • Firewall Configuration Assessment 
  • Network Security Monitoring 

Threat Detection and Response 

  • Managed SIEM Solution 
  • 24/7 Security Monitoring 
  • Incident Response 

Cloud & Endpoint Security

  • AI-based EDR Solution
  • Cloud Security Assessment
  • Cloud & Endpoint Security Monitoring

Compliance Review

After all the steps, we audit the implementation through:

ISMS Review

  • We review the performance of ISMS  
  • Engage in continuous improvement of ISMS

Mock Audits

  • Conduct mock audits to identify weak and exploitable areas of the ISMS 

SAMA CSF Internal Audits

  • Periodic audits of ISMS and the risk treatment plan to ensure that the plan is still relevant
  • Assess if the business is following the defined metrics and procedures

External Audit Support

  • Assistance with external audits to ensure that your ISMS meets SAMA compliance standards and gets the certified


There is a rise in the number of data breaches worldwide due to the adoption of vulnerable technologies by businesses to improve their customer experience to stand out in the growing competition.

The Saudi Arabian Monetary Authority has created a cybersecurity framework that is to be referred to by organizations that fall under the Maturity level that is defined by SAMA. Through our blog, we have taken a look into SAMA framework structure, its components, benefits and how SharkStriker helps in becoming SAMA compliant through our end-to-end compliance management services that takes a holistic approach to compliance. If you are a member organization as per SAMA, interested in our dedicated compliance services,get a call scheduled with our expert who is better equipped to help you frame a scope and tailor a service that helps you meet all your requirements.

Read More

Endpoint Security