Understanding Saudi Arabia NCA’s Essential Cybersecurity Controls (ECC)

Jul 2, 2025

Khalifa Al Shehhi

The National Cybersecurity Authority (NCA) of Saudi Arabia introduced the Essential Cybersecurity Controls (ECC) to give organizations a minimum baseline for establishing and maintaining a robust cybersecurity posture.

The framework applies to government entities and their subsidiaries, and to private sector organizations that own, operate or host critical national infrastructure. It lets them implement cybersecurity measures systematically, in a way that aligns with national laws, established practice and international standards.

What is the ECC? 

The Essential Cybersecurity Controls (ECC) is a structured framework developed by Saudi Arabia’s National Cybersecurity Authority (NCA) to help organizations implement cybersecurity requirements systematically and effectively. 

Released initially as ECC-1:2018 (five domains, 29 subdomains and 114 controls), the framework ensures that organizations:

  • Comply with national cybersecurity laws and regulations

  • Protect confidentiality, integrity, and availability of information and technology assets. 

  • Reduce cyber risks arising from internal and external threats

  • Build a sustainable cybersecurity posture aligned with global best practices

The ECC Implementation Guide serves as a practical companion, illustrating the controls, processes, tools, and deliverables organizations need to fulfil the ECC requirements. While the guide is comprehensive, it is flexible enough to be adapted to each organization's environment and operational needs. Note that the NCA has since published ECC-2:2024 as the successor edition; the structure described in this article is that of ECC-1:2018, so confirm which edition your regulator expects before planning an implementation.

Traffic Light Protocol (TLP) Classification 

The ECC documents carry a TLP marking that governs how far their content may be shared: 

  • Red: for the named recipients only; not to be shared further, even with colleagues inside the organization. 

  • Amber: may be shared only with people inside the organization who need the information in order to act on it. 

  • Green: may be shared within the organization or the wider sector community, but not through publicly accessible channels. 

  • White: may be shared publicly without restriction. 

Practitioners should be aware that TLP 2.0, published by FIRST in 2022, renamed White to TLP:CLEAR and added TLP:AMBER+STRICT; the ECC-1:2018 documents use the older labels, so map them carefully when your own classification scheme follows TLP 2.0. 

ECC Domains and Structure 

The ECC-1:2018 framework is organized into five main domains, each focusing on a critical component of cybersecurity within an organization. The domains are broken down into 29 subdomains containing 114 controls in total; each subdomain defines specific control areas, guidelines, and deliverables so that implementation is systematic and progress is measurable. 

The Five ECC Domains: 

1. Cybersecurity Governance 

Establishes the foundational structures, policies, roles, and strategies for cybersecurity management across the organization. 

2. Cybersecurity Defense 

Focuses on proactive measures to protect assets, manage vulnerabilities, implement access controls, and monitor networks and systems. 

3. Cybersecurity Resilience 

Ensures organizations can continue critical operations during and after cyber incidents, closely aligned with Business Continuity Management (BCM). 

4. Third-Party and Cloud Computing Cybersecurity 

Addresses the cybersecurity requirements for engaging with third-party vendors and managing cloud services securely. 

5. Industrial Control Systems (ICS) Cybersecurity 

Focuses on the protection of Industrial Control Systems and operational technologies critical to many sectors.

ECC Structure at a Glance 

For each domain and subdomain, the ECC guide provides: 

  • Objective: The purpose of implementing the control.

  • Controls: Specific requirements to achieve the objective. 

For example, the subdomains under Cybersecurity Governance are:

  • Cybersecurity Strategy

  • Cybersecurity Management

  • Cybersecurity Policies and Procedures

  • Cybersecurity Roles and Responsibilities

  • Cybersecurity Risk Management

  • Cybersecurity in Project Management

  • Compliance with Laws and Regulations

  • Periodical Cybersecurity Review and Audit

  • Cybersecurity in Human Resources

  • Cybersecurity Awareness and Training Programs  

A closer look at each Domain 

  1. Cybersecurity Governance

The Cybersecurity Governance domain establishes the foundational structures and policies that guide and support effective cybersecurity practices across your organization. It ensures accountability, clarity in roles, and alignment with regulatory and business objectives.

This domain consists of 10 subdomains, each addressing a core element of governance: 

1. Cybersecurity Strategy

Purpose: Ensure cybersecurity plans and initiatives align with laws and organizational goals.  

2. Cybersecurity Management 

Purpose: Establish a dedicated, independent cybersecurity function.  

3. Cybersecurity Policies and Procedures 

Purpose: Ensure cybersecurity requirements are documented and followed.  

4. Cybersecurity Roles and Responsibilities 

Purpose: Clearly define and assign cybersecurity roles to prevent gaps and conflicts of interest.  

5. Cybersecurity Risk Management 

Purpose: Identify, assess, and manage cybersecurity risks systematically. 

6. Cybersecurity in Project Management 

Purpose: Integrate cybersecurity into the project lifecycle and change management processes.

7. Compliance with Laws and Regulations 

Purpose: Ensure alignment with national and approved international cybersecurity laws. 

8. Periodical Cybersecurity Review and Audit 

Purpose: Ensure controls are adequate and aligned with policies and regulations.  

9. Cybersecurity in Human Resources 

Purpose: Manage cybersecurity risks related to personnel throughout employment. 

10. Cybersecurity Awareness and Training Programs 

Purpose: Build a cybersecurity culture and equip staff with the essential cybersecurity knowledge and skills their roles require.

Why Governance Matters 

Effective governance under the ECC ensures:

  • Clear accountability and roles.

  • Cybersecurity practices aligned with national laws.

  • Integration of cybersecurity across all organizational processes.

  • Sustainable and auditable cybersecurity maturity.

  2. Cybersecurity Defense

The Cybersecurity Defense domain ensures your organization actively protects its systems, data, and networks through structured controls, processes, and monitoring mechanisms. It moves beyond governance to practical, on-the-ground implementation, defending against evolving threats.

This domain includes 15 subdomains, each addressing specific technical and operational areas:

1. Asset Management

Purpose: Maintain an accurate, classified inventory of information and technology assets.  

2. Identity and Access Management 

Purpose: Control and monitor user access to systems and data to prevent unauthorized use.  

3. Protection of Systems and Processing Facilities 

Purpose: Safeguard critical systems and data processing facilities against cyber threats.  

4. Email Protection

Purpose: Prevent phishing and malicious email attacks.  

5. Network Security Management 

Purpose: Protect networks through segmentation, monitoring, and control mechanisms. 

6. Mobile Device Security 

Purpose: Secure mobile devices to prevent data breaches and unauthorized access. 

7. Data and Information Protection 

Purpose: Protect sensitive data in storage, processing, and transit. 

8. Cryptography 

Purpose: Use cryptographic controls to protect data confidentiality and integrity. 

9. Backup and Recovery Management 

Purpose: Ensure data can be recovered in case of loss or cyber incidents. 

10. Vulnerability Management 

Purpose: Identify and remediate vulnerabilities proactively. 

11. Penetration Testing 

Purpose: Simulate attacks to identify exploitable weaknesses. 

12. Cybersecurity Event Logs and Monitoring Management

Purpose: Monitor systems for suspicious activities and maintain logs for investigation.  

13. Incident and Threat Management 

Purpose: Detect, respond to, and recover from cybersecurity incidents effectively.  

14. Physical Security 

Purpose: Protect physical infrastructure and sensitive areas from unauthorized access.  

15. Web Application Security 

Purpose: Secure web applications against common vulnerabilities.   

Why Cybersecurity Defense is Critical

This domain operationalizes cybersecurity within your organization by:

  • Actively detecting and mitigating threats.

  • Protecting data, devices, and networks.

  • Enabling quick recovery from incidents.

  • Supporting continuous monitoring and improvement. 

  3. Cybersecurity Resilience

While Cybersecurity Defense focuses on proactive protection, the Cybersecurity Resilience domain ensures your organization can continue critical operations during and after cyber incidents. It aligns cybersecurity with Business Continuity Management (BCM), ensuring that disruptions are minimized and recovery is swift and efficient.

This domain contains one focused subdomain:

  1. Cybersecurity Resilience Aspects of Business Continuity Management (BCM)

  • Purpose: To integrate cybersecurity considerations within the organization’s business continuity planning, ensuring that critical business functions can withstand and recover from cyber disruptions.

Why Cybersecurity Resilience Matters

Cybersecurity resilience under ECC ensures your organization can:

  • Understand and recover from cyber incidents with minimal disruption.

  • Maintain critical services during crises.

  • Protect stakeholder trust and regulatory compliance.

  • Embed cybersecurity within your BCM for a comprehensive resilience strategy. 

  4. Third-Party and Cloud Computing Cybersecurity

In today’s interconnected environments, third-party vendors and cloud service providers often handle or process critical business data, expanding the attack surface and increasing cyber risk. The Third-Party and Cloud Computing Cybersecurity domain of ECC ensures organizations systematically identify, manage, and monitor risks associated with outsourcing and cloud adoption.

This domain is divided into two key subdomains:

  1. Third-Party Cybersecurity

    Purpose: Ensure that all third parties interacting with your organization’s information and technology assets comply with cybersecurity requirements and do not introduce unacceptable risks.


  2. Cloud Computing and Hosting Cybersecurity

    Purpose: To ensure that cloud and hosting services are securely utilized while maintaining compliance with national regulations and protecting organizational data.

Why This Domain is Critical

Third-party and cloud computing cybersecurity under ECC ensures:

  • Vendors and cloud providers align with your cybersecurity requirements. 

  • Data and systems managed externally are protected.

  • Risks from outsourcing are continuously monitored and managed.

  • Incident response and compliance requirements extend across your supply chain.

  5. Industrial Control Systems (ICS) Cybersecurity 

Industrial Control Systems (ICS) are the heart of critical infrastructure in sectors such as energy, manufacturing, water, and transportation. They control physical processes essential for operational continuity and national resilience. The ECC's ICS Cybersecurity domain ensures these systems are protected against cyber threats while maintaining operational safety and reliability. 

This domain contains one focused subdomain:

  1. Industrial Control Systems (ICS) Protection 

    Purpose: To protect the hardware, software, and networks used in industrial operations, ensuring confidentiality, integrity, and availability of ICS environments against cyber threats. 

Why ICS Cybersecurity Matters 

ICS cybersecurity under ECC ensures: 

  • Protection of critical infrastructure from cyber-physical attacks. 

  • Operational continuity during cyber incidents. 

  • Compliance with national directives for critical sectors. 

  • Alignment of cybersecurity with safety and reliability objectives in industrial environments. 

Deliverables and Evidence Requirements under ECC

One of the cornerstones of the Essential Cybersecurity Controls (ECC) is its emphasis on documentation, evidence collection, and structured reporting. This approach ensures that your organization can:

  • Demonstrate compliance with national cybersecurity regulations.

  • Track the implementation of controls effectively.

  • Maintain readiness for internal and external audits.

  • Enable clear accountability across teams.  

Why Deliverables Matter

Cybersecurity is often seen as a purely technical discipline, but without clear documentation:

  • It is impossible to prove that the required controls are in place.

  • Audits become stressful and time-consuming.

  • There is no systematic method for tracking progress and identifying areas for improvement. 

ECC mandates “evidence of action” through structured deliverables, ensuring your cybersecurity program is not just operational but also visible, measurable, and defensible.

Types of Deliverables Required under ECC 

Across the ECC domains, the following types of deliverables are typically required: 

  1. Policies and Procedures: 

  • Cybersecurity policies tailored to your environment. 

  • Procedures for risk management, incident response, and access control. 

  • Acceptable Use Policies for IT and OT Assets. 

  2. Plans and Roadmaps: 

  • Cybersecurity strategy and implementation roadmap. 

  • Business continuity and disaster recovery plans aligned with cybersecurity needs. 

  • Awareness and training plans. 

  3. Registers and Inventories: 

  • Asset inventories with classification details. 

  • Risk registers capturing assessments and treatment plans. 

  • Access control logs and user provisioning records. 

  4. Reports: 

  • Vulnerability assessment and penetration testing reports. 

  • Incident response and recovery reports. 

  • Compliance assessment and periodic review reports. 

  5. Approvals and Records: 

  • Management approvals for policies and updates. 

  • Signed employee acknowledgments for policies and training. 

  • Audit logs for changes, access, and monitoring activities. 

  6. Evidence of Testing and Exercises: 

  • Disaster recovery and incident response drill reports. 

  • Awareness training participation logs. 

  • Security system test records (including backups, failovers, and monitoring alerts). 

Maintaining Deliverables Effectively 

  1. Centralized Documentation: Store deliverables in a secure, organized repository (e.g., SharePoint, a document management system, or a GRC platform), with access restricted according to each document's classification, since the register itself describes your controls and their gaps. 

  2. Version Control: Track updates and approvals for each document to maintain clarity on current versions. 

  3. Periodic Reviews: Ensure all deliverables are reviewed according to the planned intervals or upon regulatory or operational changes. 

  4. Automation: Utilize monitoring tools and GRC platforms to generate reports automatically whenever possible, thereby reducing manual effort. 

This structured approach demonstrates not only that activities such as vulnerability scans, penetration tests and recovery drills are performed, but also that their findings are tracked to closure, in alignment with ECC and regulatory expectations. 
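As an added example, not part of the original article or of any product it describes, the following Python script shows what the "periodic reviews" and "automation" points look like in practice: a small evidence register, constructed here for illustration, maps deliverables to the ECC domains and subdomains they support and reports which items have no management approval on file or are past their planned review interval, together with per-domain coverage. The deliverable names, approvers, dates and intervals are assumptions made for the example; the domain and subdomain labels follow the article.

```python
"""Added example: an evidence-register checker for ECC deliverables.

Each record describes one deliverable (policy, plan, register, report, ...)
and the ECC domain/subdomain it supports, with its version, the approver on
file, the date of its last review and the planned review interval. The
checker reports deliverables with no approval recorded or whose review is
overdue, and summarises per-domain coverage. All records below are
constructed sample data, not a real organisation's register.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Deliverable:
    name: str
    domain: str                 # ECC domain the deliverable evidences
    subdomain: str              # ECC subdomain within that domain
    version: str                # current approved version identifier
    approved_by: Optional[str]  # None means no management approval on file
    last_review: date           # date of the last documented review
    review_interval_days: int   # planned interval between reviews


def review_due(d: Deliverable) -> date:
    """Date by which the next review must be completed."""
    return d.last_review + timedelta(days=d.review_interval_days)


def is_overdue(d: Deliverable, today: date) -> bool:
    return review_due(d) < today


def audit_findings(register: List[Deliverable], today: date) -> List[Tuple[str, str]]:
    """Return (deliverable name, finding) pairs an auditor would raise."""
    findings = []
    for d in register:
        if d.approved_by is None:
            findings.append((d.name, "no management approval recorded"))
        if is_overdue(d, today):
            findings.append((d.name, f"review overdue since {review_due(d).isoformat()}"))
    return findings


def coverage_by_domain(register: List[Deliverable], today: date) -> Dict[str, Tuple[int, int]]:
    """Map each domain to (deliverables on file, deliverables approved and in date)."""
    summary: Dict[str, Tuple[int, int]] = {}
    for d in register:
        total, current = summary.get(d.domain, (0, 0))
        in_date = d.approved_by is not None and not is_overdue(d, today)
        summary[d.domain] = (total + 1, current + int(in_date))
    return summary


def render_report(register: List[Deliverable], today: date) -> str:
    """Plain-text report suitable for attaching to a periodic review record."""
    lines = [f"ECC evidence register check as of {today.isoformat()}", ""]
    for domain, (total, current) in sorted(coverage_by_domain(register, today).items()):
        lines.append(f"{domain}: {current}/{total} deliverables approved and in date")
    lines.append("")
    findings = audit_findings(register, today)
    lines.append(f"Findings: {len(findings)}")
    for name, finding in findings:
        lines.append(f"  - {name}: {finding}")
    return "\n".join(lines)


# Constructed sample register: names, dates and approvers are illustrative only.
TODAY = date(2025, 7, 2)
SAMPLE_REGISTER = [
    Deliverable("Cybersecurity Policy", "Cybersecurity Governance",
                "Cybersecurity Policies and Procedures", "3.1", "CISO",
                date(2025, 1, 15), 365),
    Deliverable("Risk Register", "Cybersecurity Governance",
                "Cybersecurity Risk Management", "2024-Q1", "CISO",
                date(2024, 3, 1), 365),            # review due 2025-03-01: overdue
    Deliverable("Asset Inventory", "Cybersecurity Defense",
                "Asset Management", "7", None,
                date(2025, 6, 1), 90),             # no approval on file
    Deliverable("Penetration Test Report", "Cybersecurity Defense",
                "Penetration Testing", "1.0", "CISO",
                date(2025, 5, 10), 365),
    Deliverable("Business Continuity and DR Plan", "Cybersecurity Resilience",
                "Cybersecurity Resilience Aspects of BCM", "4.2", "CEO",
                date(2025, 2, 1), 365),
    Deliverable("Cloud Provider Assessment", "Third-Party and Cloud Computing Cybersecurity",
                "Cloud Computing and Hosting Cybersecurity", "1.0", "Procurement Lead",
                date(2024, 6, 30), 365),           # review due 2025-06-30: overdue
]

if __name__ == "__main__":
    print(render_report(SAMPLE_REGISTER, TODAY))
```

Run the script as-is to print the report for the constructed register; in a real deployment the register would be exported from the GRC platform or document repository, and the report attached to the periodic review record as evidence that reviews were actually tracked rather than assumed.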

Why This Matters for Your Organization 

Having structured deliverables under ECC enables your organization to: 

  • Reduce audit stress with readily available evidence. 

  • Track cybersecurity program maturity transparently. 

  • Demonstrate accountability and compliance to stakeholders and regulators. 

  • Drive continuous improvement through measurable metrics. 

Genesis assists businesses in identifying and reducing their attack surface while also managing and collaborating with third parties.

Registered Office Address: Hamdan

Innovation Incubator, Dubai, UAE

© Copyright Genesis Platform 2024, All Rights Reserved