Adjacent framework · BCM-relevant controls

NCA ECC resilience controls

The Saudi National Cybersecurity Authority’s Essential Cybersecurity Controls — five domains, ~114 controls. BCMStack covers the Cybersecurity Resilience domain natively. We don’t pretend to cover the rest; we link to it.

Issued by: NCA Saudi Arabia
Domains: 5 main · ~114 controls
BCMStack covers: Resilience domain natively

Honest scope of NCA ECC coverage

BCMStack is a Business Continuity Management platform, not a cybersecurity platform. We cover the NCA ECC controls that intersect with BCM — primarily the Cybersecurity Resilience domain. For Cybersecurity Defence (network, endpoint, IAM, vulnerability management) and Industrial Control Systems domains, you need dedicated security tooling. NCA ECC compliance for an in-scope organisation requires both — BCMStack alongside your security stack, not instead of it.

§1 — Definition

What the NCA ECC is

The Essential Cybersecurity Controls (ECC) is the baseline cybersecurity framework published by Saudi Arabia’s National Cybersecurity Authority. First published in 2018 and updated in periodic revisions, it defines the minimum cybersecurity controls that in-scope Saudi organisations must implement.

Structurally, NCA ECC is organised into five main domains covering roughly 114 controls. Each control is detailed with implementation expectations, supporting references and assessment criteria. NCA performs supervisory reviews against the controls; findings flow into the NCA enforcement framework.

For a SAMA-regulated bank in Saudi Arabia that also qualifies as Critical National Infrastructure, NCA ECC sits alongside the SAMA BCM Framework and the SAMA Cybersecurity Framework. The three overlap on resilience and incident-response controls; smart institutions operate one BCMS and map evidence to all three regulators.

§2 — Scope

Who must comply

NCA ECC is mandatory for specific organisation categories and voluntary for others as a recognised KSA cybersecurity benchmark.

Saudi government bodies

All ministries, agencies, public-sector entities. Mandatory; non-compliance flagged in NCA supervisory reviews.

Critical National Infrastructure

Energy, telco, transport, healthcare, financial services where SAMA supervision overlaps. Mandatory once designated.

Sub-contractors to government

Suppliers handling government data or systems are often required to demonstrate ECC alignment as a contractual condition.

Voluntary adopters

Private-sector organisations adopt ECC as a recognised KSA-specific cybersecurity benchmark, especially when bidding for government work.

§3 — Structure

The five NCA ECC domains

Domain-by-domain coverage map. Native = BCMStack handles end-to-end · Partial = BCMStack covers BCM-adjacent controls only · Out of scope = needs dedicated security tooling.

Domain 1

Cybersecurity Governance

Strategy, policy, organisational structure, roles and responsibilities, risk management, compliance reporting.

BCMStack covers BCM-policy artefacts, RBAC, audit log, improvement actions. Broader cybersecurity governance lives in your security GRC.

Partial

Domain 2

Cybersecurity Defence

Network security, endpoint protection, identity and access management, vulnerability management, secure SDLC.

Not BCM territory. Use dedicated tooling — your SIEM, EDR, IAM, vulnerability scanner.

Out of scope

Domain 3

Cybersecurity Resilience

Business continuity, disaster recovery, incident response, recovery testing, crisis communication.

This is BCMStack's home domain. BCP, BIA, Crisis, Exercise modules cover this end-to-end with native ISO 22301 alignment.

Native

Domain 4

Third-Party Cybersecurity

Vendor risk assessment, third-party incident response, supply-chain security.

BCMStack tracks vendors as BIA dependencies + critical-vendor scenarios in the exercise programme. Procurement-layer vendor security lives in TPRM tooling.

Partial

Domain 5

Industrial Control Systems

OT / SCADA / ICS-specific controls for critical infrastructure operators.

Specialist OT-cybersecurity tooling required. BCMStack treats ICS as critical assets but doesn't manage their security controls.

Out of scope

§4 — Controls covered

The BCM-relevant controls BCMStack covers natively

Control | BCMStack surface | Module
Business Continuity Planning | BCP module — ISO 22301 §8.4.4 native | bcp
Disaster Recovery Planning | BCP module — DR-typed plans + DR-specific exercise capture | bcp
Business Impact Analysis | BIA module — configurable matrix + dependencies + RTO/RPO | bia
Recovery Testing | Exercise module — ISO 22398 lifecycle + DR-specific failover capture | exercises
Crisis Management Communications | Crisis module — communications log + stakeholder matrix | crisis
Incident Response Procedures | Crisis module — auto-coded events + action items + reopen support | crisis
Continual Improvement | Improvement-actions register + reporting trends | reporting

§5 — Overlap

NCA ECC vs ISO 22301

ISO 22301 is a BCM-specific certifiable standard. NCA ECC is a broader cybersecurity framework with a BCM-relevant domain. Both can — and often should — operate together.

ISO 22301:2019

BCM-only · global · certifiable

  • BCM clause structure (§4-§10)
  • Certifiable by accredited bodies
  • Global recognition
  • Deep BCM-specific clause set

NCA ECC

Cybersecurity · KSA · regulator-supervised

  • Broader cybersecurity scope (5 domains)
  • Mandatory for KSA government + CNI
  • BCM is one of five domains
  • NCA supervisory enforcement

Practical reality. Most KSA institutions maintain ISO 22301 alignment for the BCM clauses + map evidence into NCA ECC’s Resilience domain. One BCMS, two regulator audiences. BCMStack supports this pattern by tagging controls / evidence with both frameworks.

FAQ

Frequently asked questions

What is the NCA Essential Cybersecurity Controls (ECC) framework?

The Saudi National Cybersecurity Authority's Essential Cybersecurity Controls — published in 2018 and updated periodically — is the baseline cybersecurity framework for KSA government bodies and Critical National Infrastructure (CNI) operators. It's structured around five main domains covering ~114 controls. Compliance is mandatory for in-scope organisations and increasingly cited by SAMA and other Saudi regulators in their own supervisory cycles.

Does BCMStack make us compliant with NCA ECC?

Partially. BCMStack covers the Cybersecurity Resilience domain — incident response procedures, business continuity, disaster recovery, recovery testing. We do not cover the Cybersecurity Defence domain (network security, endpoint protection, vulnerability management) or the Industrial Control Systems domain. For full NCA ECC compliance you'll need BCMStack alongside dedicated security tooling. We integrate with that tooling rather than replacing it.

Which NCA ECC controls does BCMStack cover natively?

Specifically the Cybersecurity Resilience domain controls: business continuity planning, disaster recovery planning, BIA, recovery testing, plus the cyber-incident-response controls that intersect with crisis management. These map cleanly to BCMStack's BCP, BIA, Crisis, and Exercise modules. The platform's audit log + improvement-actions register additionally support the Cybersecurity Governance domain's continual-improvement requirements.

Who must comply with NCA ECC?

All Saudi government bodies (ministries, agencies, public-sector entities) and Critical National Infrastructure operators (energy, telco, transport, healthcare, financial services where SAMA supervision overlaps). Some private-sector organisations adopt it voluntarily as a recognised KSA cybersecurity benchmark. NCA performs supervisory reviews; non-compliance flows into NCA's enforcement framework.

How does NCA ECC relate to SAMA's BCM and cybersecurity frameworks?

NCA ECC and SAMA's regulatory frameworks are complementary. SAMA-licensed financial institutions still report to SAMA; NCA ECC may apply where the institution also qualifies as Critical National Infrastructure. The Cybersecurity Resilience domain of NCA ECC overlaps significantly with SAMA's BCM Framework — many institutions operate one BCMS and map evidence to both supervisors.

See NCA ECC Resilience-domain coverage

We’ll walk you through BCMStack mapped to the Cybersecurity Resilience domain controls and discuss how to integrate with your existing security stack for the other domains.

Book a 20-minute demo

Also see SAMA BCM Framework, ISO 22301:2019, or Qatar NIA.