Jul 2, 2025

Khalifa Al Shehhi
The National Cybersecurity Authority (NCA) of Saudi Arabia introduced the Essential Cybersecurity Controls (ECC) to guide organizations in establishing and maintaining robust cybersecurity postures.
This comprehensive framework enables government entities, critical infrastructure operators, and regulated private sector organizations in Saudi Arabia to systematically implement cybersecurity measures that align with national laws, best practices, and global standards.
What is the ECC?
The Essential Cybersecurity Controls (ECC) is a structured framework developed by Saudi Arabia’s National Cybersecurity Authority (NCA) to help organizations implement cybersecurity requirements systematically and effectively.
Released initially as ECC-1:2018, the guide ensures that organizations:
Comply with national cybersecurity laws and regulations.
Protect confidentiality, integrity, and availability of information and technology assets.
Reduce cyber risks arising from internal and external threats.
Build a sustainable cybersecurity posture aligned with global best practices.
The ECC Implementation Guide serves as a practical resource, illustrating controls, processes, tools, and deliverables organizations need to fulfill the ECC requirements. While the guide is comprehensive, it is flexible enough to be adapted to each organization’s unique environment and operational needs.
Traffic Light Protocol (TLP) Classification
The ECC Guide uses TLP:
Red: For intended recipients only; not to be shared further inside or outside the organization.
Amber: Share only with specific people inside the organization who need it to act.
Green: Share within the organization or sector but not on public channels.
White: Free to share publicly without restrictions.
ECC Domains and Structure
The ECC framework is organized into five major domains, each focusing on a critical component of cybersecurity within an organization. Each domain is broken down into subdomains, defining specific control areas, guidelines, and deliverables to ensure systematic implementation and measurable progress.
The Five ECC Domains:
1. Cybersecurity Governance
Establishes the foundational structures, policies, roles, and strategies for cybersecurity management across the organization.
2. Cybersecurity Defense
Focuses on proactive measures to protect assets, manage vulnerabilities, implement access controls, and monitor networks and systems.
3. Cybersecurity Resilience
Ensures organizations can continue critical operations during and after cyber incidents, closely aligned with Business Continuity Management (BCM).
4. Third-Party and Cloud Computing Cybersecurity
Addresses the cybersecurity requirements for engaging with third-party vendors and managing cloud services securely.
5. Industrial Control Systems (ICS) Cybersecurity
Focuses on the protection of Industrial Control Systems and operational technologies critical to many sectors.
ECC Structure at a Glance
For each domain and subdomain, the ECC guide provides:
Objective: The purpose of implementing the control.
Controls: Specific requirements to achieve the objective.
Example of Subdomains under Cybersecurity Governance:
Cybersecurity Strategy
Cybersecurity Management
Cybersecurity Policies and Procedures
Cybersecurity Roles and Responsibilities
Cybersecurity Risk Management
Compliance with Regulations
Periodical Reviews and Audits
Cybersecurity in Human Resources
Cybersecurity Awareness and Training Programs
A Closer Look at Each Domain
Cybersecurity Governance
The Cybersecurity Governance domain establishes the foundational structures and policies that guide and support effective cybersecurity practices across your organization. It ensures accountability, clarity in roles, and alignment with regulatory and business objectives.
This domain consists of 10 subdomains, each addressing a core element of governance:
1. Cybersecurity Strategy
Purpose: Ensure cybersecurity plans and initiatives align with laws and organizational goals.
2. Cybersecurity Management
Purpose: Establish a dedicated, independent cybersecurity function.
3. Cybersecurity Policies and Procedures
Purpose: Ensure cybersecurity requirements are documented and followed.
4. Cybersecurity Roles and Responsibilities
Purpose: Clearly define and assign cybersecurity roles to prevent gaps and conflicts of interest.
5. Cybersecurity Risk Management
Purpose: Identify, assess, and manage cybersecurity risks systematically.
6. Cybersecurity in Project Management
Purpose: Integrate cybersecurity into the project lifecycle and change management processes.
7. Compliance with Laws and Regulations
Purpose: Ensure alignment with national and approved international cybersecurity laws.
8. Periodical Cybersecurity Review and Audit
Purpose: Ensure controls are adequate and aligned with policies and regulations.
9. Cybersecurity in Human Resources
Purpose: Manage cybersecurity risks related to personnel throughout employment.
10. Cybersecurity Awareness and Training Programs
Purpose: Build a cybersecurity culture and equip staff with essential cybersecurity knowledge and skills.
Why Governance Matters
Effective governance under the ECC ensures:
Clear accountability and roles.
Aligned cybersecurity practices with national laws.
Integration of cybersecurity across all organizational processes.
Sustainable and auditable cybersecurity maturity.
Cybersecurity Defense
The Cybersecurity Defense domain ensures your organization actively protects its systems, data, and networks through structured controls, processes, and monitoring mechanisms. It moves beyond governance to practical, on-the-ground implementation, defending against evolving threats.
This domain includes 15 subdomains, each addressing specific technical and operational areas:
1. Asset Management
Purpose: Maintain an accurate, classified inventory of information and technology assets.
2. Identity and Access Management
Purpose: Control and monitor user access to systems and data to prevent unauthorized use.
3. Protection of Systems and Processing Facilities
Purpose: Safeguard critical systems and data processing facilities against cyber threats.
4. Email Protection
Purpose: Prevent phishing and malicious email attacks.
5. Network Security Management
Purpose: Protect networks through segmentation, monitoring, and control mechanisms.
6. Mobile Device Security
Purpose: Secure mobile devices to prevent data breaches and unauthorized access.
7. Data and Information Protection
Purpose: Protect sensitive data in storage, processing, and transit.
8. Cryptography
Purpose: Use cryptographic controls to protect data confidentiality and integrity.
9. Backup and Recovery Management
Purpose: Ensure data can be recovered in case of loss or cyber incidents.
10. Vulnerability Management
Purpose: Identify and remediate vulnerabilities proactively.
11. Penetration Testing
Purpose: Simulate attacks to identify exploitable weaknesses.
12. Cybersecurity Event Logs and Monitoring Management
Purpose: Monitor systems for suspicious activities and maintain logs for investigation.
13. Incident and Threat Management
Purpose: Detect, respond to, and recover from cybersecurity incidents effectively.
14. Physical Security
Purpose: Protect physical infrastructure and sensitive areas from unauthorized access.
15. Web Application Security
Purpose: Secure web applications against common vulnerabilities.
Why Cybersecurity Defense is Critical
This domain operationalizes cybersecurity within your organization by:
Actively detecting and mitigating threats.
Protecting data, devices, and networks.
Enabling quick recovery from incidents.
Supporting continuous monitoring and improvement.
Cybersecurity Resilience
While Cybersecurity Defense focuses on proactive protection, the Cybersecurity Resilience domain ensures your organization can continue critical operations during and after cyber incidents. It aligns cybersecurity with Business Continuity Management (BCM), ensuring that disruptions are minimized and recovery is swift and efficient.
This domain contains one focused subdomain:
Cybersecurity Resilience Aspects of Business Continuity Management (BCM)
Purpose: To integrate cybersecurity considerations within the organization’s business continuity planning, ensuring that critical business functions can withstand and recover from cyber disruptions.
Why Cybersecurity Resilience Matters
Cybersecurity resilience under ECC ensures your organization can:
Understand and recover from cyber incidents with minimal disruption.
Maintain critical services during crises.
Protect stakeholder trust and regulatory compliance.
Embed cybersecurity within your BCM for a comprehensive resilience strategy.
Third-Party and Cloud Computing Cybersecurity
In today’s interconnected environments, third-party vendors and cloud service providers often handle or process critical business data, expanding the attack surface and increasing cyber risk. The Third-Party and Cloud Computing Cybersecurity domain of ECC ensures organizations systematically identify, manage, and monitor risks associated with outsourcing and cloud adoption.
This domain is divided into two key subdomains:
Third-Party Cybersecurity
Purpose: Ensure that all third parties interacting with your organization’s information and technology assets comply with cybersecurity requirements and do not introduce unacceptable risks.
Cloud Computing and Hosting Cybersecurity
Purpose: To ensure that cloud and hosting services are securely utilized while maintaining compliance with national regulations and protecting organizational data.
Why This Domain is Critical
Third-party and cloud computing cybersecurity under ECC ensures:
Vendors and cloud providers align with your cybersecurity requirements.
Data and systems managed externally are protected.
Risks from outsourcing are continuously monitored and managed.
Incident response and compliance requirements extend across your supply chain.
Industrial Control Systems (ICS) Cybersecurity
Industrial Control Systems (ICS) are the heart of critical infrastructure in sectors such as energy, manufacturing, water, and transportation. They control physical processes essential for operational continuity and national resilience. The ECC’s ICS Cybersecurity domain ensures these systems are protected against cyber threats while maintaining operational safety and reliability.
This domain contains one focused subdomain:
Industrial Control Systems (ICS) Protection
Purpose: To protect the hardware, software, and networks used in industrial operations, ensuring confidentiality, integrity, and availability of ICS environments against cyber threats.
Why ICS Cybersecurity Matters
ICS cybersecurity under ECC ensures:
Protection of critical infrastructure from cyber-physical attacks.
Operational continuity during cyber incidents.
Compliance with national directives for critical sectors.
Alignment of cybersecurity with safety and reliability objectives in industrial environments.
Deliverables and Evidence Requirements under ECC
One of the cornerstones of the Essential Cybersecurity Controls (ECC) is its emphasis on documentation, evidence collection, and structured reporting. This approach ensures that your organization can:
Demonstrate compliance with national cybersecurity regulations.
Track the implementation of controls effectively.
Maintain readiness for internal and external audits.
Enable clear accountability across teams.
Why Deliverables Matter
Cybersecurity is often seen as a purely technical matter, but without clear documentation:
It is impossible to prove that the required controls are in place.
Audits become stressful and time-consuming.
There is no systematic method for tracking progress and identifying areas for improvement.
ECC mandates “evidence of action” through structured deliverables, ensuring your cybersecurity program is not just operational but also visible, measurable, and defensible.
Types of Deliverables Required under ECC
Across the ECC domains, the following types of deliverables are typically required:
Policies and Procedures:
Cybersecurity policies tailored to your environment.
Procedures for risk management, incident response, and access control.
Acceptable Use Policies for IT and OT Assets.
Plans and Roadmaps:
Cybersecurity strategy and implementation roadmap.
Business continuity and disaster recovery plans aligned with cybersecurity needs.
Awareness and training plans.
Registers and Inventories:
Asset inventories with classification details.
Risk registers capturing risk assessments and treatment plans.
Access control logs and user provisioning records.
Reports:
Vulnerability assessment and penetration testing reports.
Incident response and recovery reports.
Compliance assessment and periodic review reports.
Approvals and Records:
Management approvals for policies and updates.
Signed employee acknowledgments for policies and training.
Audit logs for changes, access, and monitoring activities.
Evidence of Testing and Exercises:
Disaster recovery and incident response drill reports.
Awareness training participation logs.
Security system test records (including backups, failovers, and monitoring alerts).
Maintaining Deliverables Effectively
Centralized Documentation: Store deliverables in a secure, organized repository (e.g., SharePoint, DMS, GRC platforms).
Version Control: Track updates and approvals for each document to maintain clarity on current versions.
Periodic Reviews: Ensure all deliverables are reviewed according to the planned intervals or upon regulatory or operational changes.
Automation: Utilize monitoring tools and GRC platforms to generate reports automatically whenever possible, thereby reducing manual effort.
This structured approach demonstrates not only that you perform the required activities, such as vulnerability scans, but also that you manage the resulting findings systematically, in alignment with ECC and regulatory expectations.
Why This Matters for Your Organization
Having structured deliverables under ECC enables your organization to:
Reduce audit stress with readily available evidence.
Track cybersecurity program maturity transparently.
Demonstrate accountability and compliance to stakeholders and regulators.
Drive continuous improvement through measurable metrics.