Saudi Arabia NCA Essential Cybersecurity Controls
NCA ECC
The NCA Essential Cybersecurity Controls (ECC) establish 114 mandatory cybersecurity controls for Saudi government entities and organizations of national importance, covering governance, defense, resilience, third-party risk, and industrial control systems.
| Field | Value |
|---|---|
| Issuing Body | National Cybersecurity Authority (NCA), Saudi Arabia |
| Version | ECC-1:2018 |
| Published | 2018-01-01 |
| Controls | 16 |
| Mapped Laws | — |
| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| ECC-1-1 | Cybersecurity Governance | Establish cybersecurity governance to manage cybersecurity risks. A cybersecurity governance framework shall be established, documented, and approved by senior management. | — | defined |
| ECC-1-2 | Cybersecurity Risk Management | Manage cybersecurity risks. A cybersecurity risk management process shall be established, implemented, and maintained. Risks shall be identified, assessed, treated, and monitored. | — | managed |
| ECC-1-3 | Cybersecurity in Human Resources | Manage cybersecurity in human resources. Cybersecurity roles and responsibilities shall be defined. Background checks shall be performed for personnel with access to sensitive information. | — | defined |
| ECC-1-4 | Cybersecurity Awareness and Training | Raise cybersecurity awareness and provide training. A cybersecurity awareness program shall be established and implemented. Personnel shall receive cybersecurity training appropriate to their roles. | — | defined |
| ECC-1-5 | Cybersecurity in Information Technology Asset Management | Manage cybersecurity in IT asset management. An inventory of IT assets shall be maintained. Assets shall be classified based on their sensitivity and criticality. | — | managed |
| ECC-2-1 | Access Management | Manage access to information and systems. Access control policies shall be established and implemented. Access shall be granted based on the principle of least privilege. | — | managed |
| ECC-2-2 | Cryptography | Protect information using cryptography. Cryptographic controls shall be used to protect the confidentiality, integrity, and authenticity of information. Encryption shall be used for sensitive data at rest and in transit. | — | managed |
| ECC-2-3 | Physical Security | Protect physical facilities and equipment. Physical access controls shall be implemented. Physical security perimeters shall be defined and protected. | — | managed |
| ECC-2-4 | Email Security | Protect email communications. Email security controls shall be implemented, including anti-spam, anti-phishing, and email authentication (SPF, DKIM, DMARC). | — | managed |
| ECC-2-5 | Network Security | Protect network infrastructure. Network security controls shall be implemented, including firewalls, intrusion detection/prevention systems, and network segmentation. | — | managed |
| ECC-2-6 | Identity and Access Management | Manage digital identities and access. Identity and access management controls shall be implemented. Multi-factor authentication shall be used for privileged access and remote access. | — | managed |
| ECC-2-7 | Cybersecurity in Information Systems Acquisition, Development and Maintenance | Manage cybersecurity in system acquisition, development, and maintenance. Security requirements shall be defined for new systems. Secure development practices shall be followed. | — | managed |
| ECC-3-1 | Cybersecurity Incident and Threat Management | Manage cybersecurity incidents and threats. An incident response plan shall be established and implemented. Incidents shall be detected, reported, analyzed, and responded to in a timely manner. | — | managed |
| ECC-3-2 | Cybersecurity Resilience | Ensure cybersecurity resilience. Business continuity and disaster recovery plans shall include cybersecurity considerations. Backup and recovery procedures shall be established and tested. | — | managed |
| ECC-4-1 | Third-Party and Cloud Computing Cybersecurity | Manage cybersecurity in third-party and cloud computing. Third-party cybersecurity risks shall be assessed and managed. Cloud computing security requirements shall be defined and enforced. | — | managed |
| ECC-4-2 | Industrial Control Systems Protection | Protect industrial control systems. Cybersecurity controls shall be implemented for ICS/SCADA systems. Network segmentation shall separate ICS from enterprise networks. | — | managed |