Operlity gives banks, insurance companies, and fintech organizations regulated by the Saudi Central Bank a structured platform to implement, manage, and demonstrate compliance with the SAMA Cybersecurity Framework — continuously, not just at assessment time.
The SAMA Cybersecurity Framework is a mandatory cybersecurity standard issued by the Saudi Arabian Monetary Authority (SAMA, now the Saudi Central Bank). It applies to all financial institutions operating under SAMA's regulatory supervision, including banks, insurance companies, and fintech and payment service providers.
First issued in 2017 and subsequently updated, the SAMA Cybersecurity Framework establishes a comprehensive set of cybersecurity controls organized across four domains — Cybersecurity Leadership and Governance, Cybersecurity Risk Management and Compliance, Cybersecurity Operations and Technology, and Third Party Cybersecurity — that regulated entities must implement, assess, and continuously maintain. SAMA conducts regular cybersecurity assessments of regulated entities and expects organizations to demonstrate a maturing cybersecurity posture over time, not just point-in-time compliance.
The framework covers hundreds of controls across governance, risk management, operations, technology, and third party domains — requiring structured implementation tracking and evidence management across the entire organization.
SAMA assesses cybersecurity maturity against the framework's own maturity model, which rates each domain on a defined scale from level 0 to level 5; organizations must not only implement controls but demonstrate progressive maturity improvement across assessment cycles.
Regulated entities must govern the cybersecurity posture of their technology vendors, service providers, and outsourced operations — a significant undertaking for organizations with extensive vendor ecosystems.
SAMA expects cybersecurity controls to be operating continuously, not just at assessment time — requiring ongoing monitoring, evidence collection, and control operation across all domains.
Financial institutions regulated by SAMA frequently also need to meet ISO 27001, PCI DSS, and GDPR requirements, which duplicates compliance effort unless a platform maps controls across frameworks so that one piece of evidence can satisfy several of them.
SAMA assessments require structured evidence, documented policies, and demonstrated control operation — organizations unprepared for examination face significant remediation pressure.
| SAMA Framework Domain or Requirement | Operlity Capability |
|---|---|
| Cybersecurity Leadership & Governance | Policy lifecycle management, role and responsibility assignment, and governance program management |
| Cybersecurity Risk Management & Compliance | Enterprise and cyber risk register, risk assessment workflows, and multi-framework compliance tracking |
| Cybersecurity Operations & Technology | Control implementation tracking, vulnerability management, and incident register |
| Third Party Cybersecurity | Third party risk management with vendor due diligence, assessments, and contract oversight |
| Maturity Assessment | Structured maturity assessment workflows with domain-level scoring and progressive improvement tracking |
| Evidence Management | Centralized evidence collection, organization, and verification for SAMA examination readiness |
1. Scope the SAMA Cybersecurity Framework to your organization and run a structured gap assessment across all four domains, establishing your baseline maturity posture and prioritizing remediation.
2. Implement every applicable SAMA control with structured tracking, assigned ownership, and evidence collection, maintaining a continuous record of implementation progress across all framework domains.
3. Audit your vendor and service provider ecosystem: document cybersecurity due diligence, conduct third party risk assessments, and manage contractual cybersecurity obligations.
4. Create and maintain every cybersecurity policy the SAMA framework requires, with documented approval workflows, annual review cycles, and workforce acknowledgement tracking.
5. Conduct structured internal maturity assessments across all framework domains, identifying gaps, tracking improvement, and building the maturity evidence SAMA examiners expect to see.
6. Monitor your SAMA compliance posture continuously, tracking control status, managing incidents, and maintaining evidence, so that preparation for SAMA examinations is a structured, ongoing program rather than a reactive exercise.