Last updated: July 2026
Looking for a SAMA CSF Compliance Consulting Company in Saudi Arabia? Reach Your Target Maturity Level Without a Multi-Year Program.
We are a SAMA CSF compliance consulting company for Saudi Arabia banks, insurers, financing companies, credit bureaus, and financial market infrastructure. Instead of a budget-draining, multi-year program, we run a maturity gap assessment in around 2 weeks, hand you a phased remediation roadmap within weeks, and implement the controls with your team - mapping SAMA CSF and NCA ECC together so you build once and satisfy both.
Every engagement is led personally by a former Microsoft Security Consulting team member. Fixed price. You review the gap assessment report before you pay.

What Does a SAMA CSF Compliance Consulting Company Do?
A SAMA CSF compliance consulting company prepares your financial institution to meet the Cyber Security Framework issued by the Saudi Central Bank. It assesses your current maturity level against governance, risk management, cybersecurity operations and technology, and third-party risk, builds a phased roadmap to close the gap to your target maturity level, and implements the missing controls with your team.
SAMA CSF is not a one-time checklist. It is a maturity model, which means SAMA expects your institution to reach a defined target maturity level and sustain it over time. A strong consulting partner therefore does two things at once: gets your controls genuinely embedded, and builds the ongoing evidence and monitoring that keeps you at that level between reviews. That is exactly how Atlant Security runs every engagement.
What Is the SAMA Cyber Security Framework?
The SAMA Cyber Security Framework (SAMA CSF) is issued by the Saudi Central Bank, formerly the Saudi Arabian Monetary Authority. It is a sector-specific, mandatory framework for the financial institutions SAMA regulates: banks, insurance and reinsurance companies, financing companies, credit bureaus, and financial market infrastructure providers.
SAMA CSF is more prescriptive than the National Cybersecurity Authority’s Essential Cybersecurity Controls (NCA ECC) in several control areas, and most financial institutions in Saudi Arabia must comply with both frameworks at the same time. Rather than a simple pass or fail control checklist, SAMA CSF is built around a maturity model - your institution is assessed on how consistently and effectively practices are embedded, and SAMA expects you to reach and sustain a defined target maturity level, commonly maturity level 3 and above.
ISO 27001 is a useful shared control base for this work. Because SAMA CSF and NCA ECC share many controls, a single well-mapped implementation can satisfy both, instead of running two separate compliance projects.
The Areas SAMA CSF Assesses
SAMA CSF looks at your institution across governance, risk management, day-to-day cybersecurity operations and technology, and third-party risk, then rates your maturity across these areas.
Governance
Cybersecurity strategy, roles, responsibilities, and reporting lines that give your board and senior management real oversight of cyber risk - not just a policy binder on a shelf.
Risk Management
A structured process to identify, assess, treat, and monitor cybersecurity risk across your institution, aligned to the risk appetite SAMA expects a regulated financial entity to maintain.
Cybersecurity Operations and Technology
The operational controls - access management, monitoring, incident response, secure configuration, and technical safeguards - that SAMA reviews to confirm your maturity claims match reality.
Third-Party Risk
Oversight of vendors, service providers, and outsourced technology, since a weak link in your supply chain is treated as a weak link in your own cybersecurity posture.
Who Must Comply With the SAMA Cyber Security Framework?
SAMA CSF is mandatory for financial institutions regulated by the Saudi Central Bank.
SAMA CSF vs NCA ECC - What Is the Difference?
Most financial institutions in Saudi Arabia must comply with both frameworks. Here is how they compare, and why we map them together instead of running two separate projects.
| SAMA CSF | NCA ECC | |
|---|---|---|
| Issued by | Saudi Central Bank (SAMA) | National Cybersecurity Authority (NCA) |
| Scope | Financial institutions regulated by SAMA only | Baseline framework across Saudi Arabia sectors |
| Assessment model | Maturity-level model with a defined target level | Control implementation against defined domains |
| Prescriptiveness | More prescriptive in several control areas | Broad baseline, less sector-specific detail |
| Who needs it | Banks, insurers, financing companies, credit bureaus, financial market infrastructure | Government and private entities across sectors, including the same financial institutions |
| Control overlap | Shares many controls with NCA ECC | Shares many controls with SAMA CSF |
Need Both SAMA CSF and NCA ECC?
SAMA CSF and NCA ECC share many controls, and ISO 27001 is a useful shared control base for both. We map all three together in one engagement, so your team implements each shared control once instead of running two or three separate compliance projects.
Learn about NCA ECC ComplianceOur SAMA CSF Compliance Process
Five stages from first call to a sustained target maturity level. The difference from most SAMA CSF consultants is stage four: we implement the controls with you, not just hand you a finding list.
Scoping and current-state review
We confirm which SAMA regulatory category you fall under and review your current cybersecurity governance, risk, operations, and third-party controls before we assess anything.
Maturity gap assessment
We assess your institution against the SAMA CSF maturity model and hand you a prioritized gap report against your target maturity level, typically within two weeks.
Phased remediation roadmap
A phased roadmap that closes the highest-risk gaps first, built to fit your budget and internal capacity rather than forcing a single multi-year program.
Hands-on implementation
We implement the missing controls with your team - governance structures, risk processes, technical controls, and third-party oversight - and map SAMA CSF against NCA ECC so you implement each control once for both frameworks.
Reach and sustain your target maturity level
We stay engaged through your SAMA review and help you build the ongoing monitoring and evidence practices that keep you at your target maturity level, not just pass once and drift back down.
SAMA CSF Compliance Timeline
A realistic timeline for a Saudi Arabia financial institution closing the gap to its SAMA target maturity level. Full remediation length depends on your starting maturity and scope.
| Phase | Timing | Outcome |
|---|---|---|
| Scoping and current-state review | Week 1 | Confirmed regulatory category and a clear picture of your starting posture |
| Maturity gap assessment | Weeks 1-2 | Prioritized gap report against your SAMA target maturity level |
| Remediation roadmap | Week 3 | Phased plan with the highest-risk gaps sequenced first |
| Control implementation | Weeks 3-12+ (scope-dependent) | Governance, risk, operational, and third-party controls implemented with your team |
| SAMA CSF and NCA ECC mapping | Parallel | Shared controls implemented once and mapped to both frameworks |
| SAMA review support | Ongoing | Evidence and monitoring in place so your target maturity level is sustained, not a one-time snapshot |
How Much Does SAMA CSF Compliance Cost?
Unlike most SAMA CSF consultants, we publish our starting price. Fixed-price proposals within 48 hours of your strategy call. No open-ended hourly billing, no surprises.
Maturity Gap Assessment
A prioritized maturity gap report against your SAMA target level.
- Maturity assessment across governance, risk, operations, and third-party controls
- Gap analysis against your target maturity level
- SAMA CSF and NCA ECC control mapping
- Prioritized remediation roadmap
Zero-risk: you review the report before you pay.
Full Remediation and Implementation
End to end: from gap assessment to your target maturity level.
- Everything in the Maturity Gap Assessment
- Hands-on control implementation with your team
- Governance and risk process build-out
- SAMA CSF and NCA ECC mapped together
- Support through your SAMA review
- We stay until you reach your target maturity level
Zero-risk: you review the report before you pay.
Full remediation pricing depends on your current maturity level, institution size, and how many gaps need to be closed to reach your target maturity level. We provide a fixed-price proposal within 48 hours of your strategy call.
Who Needs SAMA CSF Compliance Support?
If any of these describe your institution, a SAMA CSF compliance consulting company is your fastest path to your target maturity level.
Why Choose Atlant Over Other SAMA CSF Consultants
Most SAMA CSF consultants sell a finding list and a multi-year program. Here is how we are different.
| Atlant Security | Typical SAMA CSF Consultant | |
|---|---|---|
| Who does the work | A former Microsoft security consultant, personally | Junior or offshore staff you never meet |
| Gap assessment timing | Around 2 weeks | Often 6-8 weeks before you see a finding |
| Pricing | Fixed price - you review the report before you pay | Open-ended hourly billing |
| Control implementation | Hands-on - we implement the controls with you | A checklist and advice, then you are on your own |
| Framework mapping | SAMA CSF and NCA ECC mapped together, implement once | Two separate engagements, duplicate effort |
| Vendor neutrality | 100% independent - zero software commissions | Often resells the GRC tool they recommend |
| Engagement length | We stay until you reach your target maturity level | Report delivered, then the relationship ends |

Every SAMA CSF Engagement Is Led by Alexander Sverdlov
Former Microsoft Security Consulting team member. CISSP certified. Alexander has personally led 234 security assessments across 14 countries since 2013. At Atlant Security, the senior consultant who scopes your SAMA CSF maturity assessment is the same person who implements the controls with your team - never handed to junior staff.
Connect on LinkedInReach Your SAMA Target Maturity Level - Without a Multi-Year Program
Book a free 30-minute strategy call with Alexander. We will discuss your institution, your current maturity level, and exactly what it takes to pass your SAMA review. Fixed-price proposal within 48 hours.
Zero-risk: you review the report before you pay.
Schedule Your Free SAMA CSF Strategy Call
Need an Independent IT Security Audit First?
If you are not yet sure where your institution stands, an independent IT security audit gives you a baseline before you commit to a full SAMA CSF maturity assessment.
Learn about our IT Security AuditFor small projects and ad-hoc work outside our pre-agreed packages or retainers, our standard hourly rate is $460.
SAMA CSF Compliance FAQ
What is SAMA CSF compliance?
Who must comply with the SAMA Cyber Security Framework?
Is SAMA CSF mandatory?
What is the SAMA CSF maturity model and what level do we need?
How much does SAMA CSF compliance cost?
How long does SAMA CSF compliance take?
What is the difference between SAMA CSF and NCA ECC?
Can you help with both SAMA and NCA ECC together?
Related: NCA ECC Compliance - ISO 27001 Readiness - IT Security Audit - All Services