00966 12 6522996
info@eliteideas.net
King Abdullah Cross Alamdina Road-Sultan Center-office 206

SAMA Cybersecurity Framework — Quarterly Self-Assessment Checklist

Type: Blog post (cluster supporting /cybersecurity-saudi-arabia/ pillar)
Slug: sama-cybersecurity-framework-quarterly-self-assessment-checklist
Yoast title: SAMA Cybersecurity Framework Quarterly Self-Assessment Checklist | EIE
Yoast meta: Quarterly SAMA Cybersecurity Framework self-assessment cadence for KSA banks. Month 1, 2, 3 checklists. Third-Party Cybersecurity. Avoid annual audit surprises.
Focus keyphrase: sama cybersecurity framework quarterly
Categories: Cybersecurity

The Saudi Central Bank (SAMA) Cybersecurity Framework requires quarterly self-assessment by all SAMA-regulated entities — banks, finance companies, insurance companies, payment service providers, and fintech operating under SAMA licence. The framework is comprehensive: four domains, 24 sub-domains, and over 130 specific controls.

Despite the quarterly requirement, most KSA banks run their SAMA self-assessment annually around audit season. The result is predictable: in week 6 of the audit, gaps surface that should have been caught and remediated months earlier. The annual scramble becomes a recurring pattern of audit pressure followed by remediation pressure followed by the next audit.

The fix is operational: instrument the self-assessment as a quarterly cadence, not an annual exercise. This guide presents a working quarterly checklist organized by month, designed to spread the workload and surface gaps when they’re cheap to fix.

The four domains of the SAMA Cybersecurity Framework

Before the cadence, a brief refresher on what SAMA CSF actually covers:

Domain 1 — Cybersecurity Leadership and Governance. Board oversight, cybersecurity strategy, policy framework, organizational structure, role definitions, periodic management reporting.

Domain 2 — Cybersecurity Risk Management and Compliance. Risk assessment methodology, asset classification, risk treatment, regulatory compliance, internal audit, third-party risk management.

Domain 3 — Cybersecurity Operations and Technology. Identity and access management, application security, infrastructure security, network security, incident management, business continuity.

Domain 4 — Third-Party Cybersecurity. Vendor due diligence, ongoing assurance, secure development by suppliers, cloud service provider assessment. In EIE's experience this is the domain that currently produces the most audit findings.

Each domain breaks into sub-domains, each with specific controls. The SAMA CSF draws on ISO 27001 and NIST CSF, with KSA-specific requirements layered on top.

The quarterly cadence — what to test each quarter

Rather than testing all 130+ controls in one pass every quarter (impractical), the cadence splits the operational controls across the three months of each quarter and repeats the same three monthly reviews every quarter, so the controls that degrade fastest are checked four times a year and each month stays manageable in scope.

Month 1 — Identity, Access, and People. Month 2 — Vulnerability and Patch Posture. Month 3 — Incident Readiness. Q4 additionally carries the annual Third-Party Cybersecurity deep-dive.

Each month has its own primary focus area. The intent: by year-end, every control area has been reviewed at least once, every gap surfaced, and every remediation tracked.

Month 1 checklist — Identity, Access, and People reviews

The first month of any quarter focuses on identity and access. When these controls degrade they create the largest insider-threat and lateral-movement exposure, which is why they are checked most often.

Privileged access certifications.
– All privileged accounts reviewed in the last 90 days?
– Account ownership documented and current?
– Just-in-time access for admin actions implemented?
– PAM vault session recordings reviewed for anomalies this quarter?

Dormant account audit.
– All accounts with no login activity for 90 days identified?
– Dormant accounts disabled or recertified by their manager?
– Service accounts reviewed separately (no human owner needed, but documented ownership required)?

Segregation of duties.
– Conflicting privilege combinations reviewed (e.g., developer + production access)?
– Findings remediated?

Multi-factor authentication coverage.
– MFA enabled on all administrative accounts?
– MFA on VPN, cloud admin consoles, and financial systems?
– MFA on customer-facing systems where customer authentication is required?
– MFA bypass conditions documented and reviewed?

Joiner-mover-leaver (JML) process audit.
– New joiner provisioning within SLA?
– Internal movers had their old access revoked?
– Leavers had access revoked within SLA (typically same-day for sensitive roles)?

Staff security awareness.
– Phishing simulation completed this quarter with documented results?
– Click-through rate trend (target: declining over time)?
– Mandatory training compliance ≥98%?

Output of month 1: Identity and access risk register update. Any findings ≥medium severity logged to remediation tracker. Quarterly summary for cybersecurity steering committee.
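The privileged-access, dormant-account, segregation-of-duties and MFA items above are the ones that are easiest to evidence mechanically rather than by interview. The script below is an added example, not code from the original page or an EIE tool: it runs over a constructed IdP/PAM export (the field names, the role names and the `developer` + `prod-admin` conflict pair are assumptions, not any product's real schema) and produces the findings list that feeds the Month 1 risk register update.

```python
"""Identity and access review for the Month 1 checklist.

Added example, not code from the original page. It runs over a constructed
IdP/PAM export (field names are assumptions, not a real product's schema) and
flags: privileged accounts not certified within 90 days, accounts with no
login in 90 days, service accounts without a documented owner, human admin
accounts without MFA, and developer + production segregation-of-duties
conflicts. Output feeds the identity and access risk register.
"""
from datetime import date

REVIEW_WINDOW_DAYS = 90                              # certification and dormancy threshold
SOD_CONFLICTS = [({"developer"}, {"prod-admin"})]    # assumed conflicting role pairs

# Constructed sample export (not real accounts). Dates are ISO strings or None.
SAMPLE_ACCOUNTS = [
    {"id": "a.saleh", "type": "user", "privileged": True, "mfa": True,
     "owner": "a.saleh", "last_login": "2026-03-28",
     "last_certified": "2026-01-20", "roles": {"prod-admin"}},
    {"id": "m.noor", "type": "user", "privileged": True, "mfa": False,
     "owner": "m.noor", "last_login": "2026-03-30",
     "last_certified": "2025-11-02", "roles": {"prod-admin", "developer"}},
    {"id": "svc-backup", "type": "service", "privileged": True, "mfa": False,
     "owner": None, "last_login": "2026-03-31",
     "last_certified": "2026-02-10", "roles": {"backup-operator"}},
    {"id": "r.hamad", "type": "user", "privileged": False, "mfa": True,
     "owner": "r.hamad", "last_login": "2025-12-01",
     "last_certified": None, "roles": {"developer"}},
    {"id": "svc-etl", "type": "service", "privileged": False, "mfa": False,
     "owner": "data-platform-team", "last_login": None,
     "last_certified": None, "roles": {"etl"}},
]


def _days_since(iso_date, as_of):
    """Days between an ISO date and the review date; None if the date is missing."""
    if iso_date is None:
        return None
    return (as_of - date.fromisoformat(iso_date)).days


def review_accounts(accounts, as_of_iso):
    """Return a list of (account_id, finding) tuples for the review date."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for acct in accounts:
        aid = acct["id"]
        login_age = _days_since(acct["last_login"], as_of)
        cert_age = _days_since(acct["last_certified"], as_of)

        # Dormancy applies to every account type; "never logged in" counts as dormant.
        if login_age is None or login_age > REVIEW_WINDOW_DAYS:
            findings.append((aid, f"dormant: no login in {REVIEW_WINDOW_DAYS} days"))

        if acct["privileged"]:
            if cert_age is None or cert_age > REVIEW_WINDOW_DAYS:
                findings.append((aid, f"privileged account not certified in {REVIEW_WINDOW_DAYS} days"))
            # MFA is required on every human administrative account. Service
            # accounts cannot do interactive MFA; they are covered by the ownership check.
            if acct["type"] == "user" and not acct["mfa"]:
                findings.append((aid, "admin account without MFA"))

        # Service accounts need no human owner but must have documented ownership.
        if acct["type"] == "service" and not acct["owner"]:
            findings.append((aid, "service account without documented owner"))

        for left, right in SOD_CONFLICTS:
            if left <= acct["roles"] and right <= acct["roles"]:
                combo = " + ".join(sorted(left | right))
                findings.append((aid, f"segregation-of-duties conflict: {combo}"))
    return findings


def findings_for(findings, account_id):
    """Messages raised for one account, in the order they were raised."""
    return [msg for aid, msg in findings if aid == account_id]


if __name__ == "__main__":
    for aid, msg in review_accounts(SAMPLE_ACCOUNTS, "2026-04-01"):
        print(f"{aid:12s} {msg}")
```

Run against a real export, the same script gives the auditor a dated, reproducible artefact for each checklist question instead of a verbal assurance; keeping the review date as an explicit parameter is what makes the quarterly evidence comparable from one quarter to the next.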

Month 2 checklist — Vulnerability and Patch Posture

The second month focuses on the technical defence layer. Vulnerability and patch management is among the most-audited and most-failed control areas.

Critical patch SLA tracking.
– Critical vulnerabilities patched within the defined SLA (typically 7-14 days)?
– High vulnerabilities patched within the defined SLA (typically 30 days)?
– Patches that missed SLA documented, with risk acceptance signed by the appropriate authority?

Internet-facing exposure scan.
– External vulnerability scan completed this quarter?
– All discovered exposures triaged?
– Critical/high findings remediated, or risk-accepted with documentation?
– Penetration test performed, if this quarter falls in the annual pen test cycle?

Endpoint protection coverage.
– All endpoints reporting to the endpoint protection management console?
– Coverage ≥98%, with the remainder being documented exceptions such as air-gapped systems?
– Indicators of compromise raised by EDR/XDR investigated and closed?

Patch deployment cadence.
– Monthly vendor patch cycle (e.g., Microsoft Patch Tuesday) deployed within SLA?
– Out-of-band emergency patches deployed within SLA?
– Patch deployment failure rate tracked?

Configuration drift.
– Servers and network devices reviewed for drift from the approved baseline?
– Any drift remediated or risk-accepted?

Web application security.
– WAF deployed in front of customer-facing apps?
– OWASP Top 10 scan results reviewed?
– DAST tooling output reviewed this quarter?
– Code reviews / SAST completed for new releases?

Encryption posture.
– All data-at-rest encryption operational?
– All data in transit using TLS 1.2 or higher?
– Encryption keys rotated according to policy?

Output of month 2: Vulnerability and patch posture report. Critical and high findings to remediation tracker. Updated risk metrics.
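The patch SLA questions in the Month 2 checklist are the ones auditors most often ask for numbers on, and "patched within SLA" needs a definition that also handles findings still open and findings that were risk-accepted. The script below is an added example, not code from the original page or an EIE tool: it classifies a constructed list of findings against the SLAs the page calls typical (the field names and the 14/30-day values are assumptions; real values come from the institution's policy) and treats an expired risk acceptance as no acceptance at all, which is the case that usually slips through.

```python
"""Patch SLA tracker for the Month 2 checklist.

Added example, not code from the original page. It takes a constructed list
of vulnerability findings (field names are assumptions, not a real scanner's
schema) and classifies each critical/high finding against the SLA as of the
review date: closed on time, closed late, open but still within SLA, open past
SLA with a valid signed risk acceptance, or open past SLA with none (a breach).
An expired risk acceptance counts as no acceptance.
"""
from datetime import date, timedelta

# SLAs the page calls typical; real values come from the institution's policy.
SLA_DAYS = {"critical": 14, "high": 30}

# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    {"id": "VULN-101", "severity": "critical", "first_seen": "2026-05-01",
     "remediated": "2026-05-10", "risk_acceptance": None},
    {"id": "VULN-102", "severity": "critical", "first_seen": "2026-05-01",
     "remediated": "2026-05-25", "risk_acceptance": None},
    {"id": "VULN-103", "severity": "high", "first_seen": "2026-04-15",
     "remediated": None,
     "risk_acceptance": {"approved_by": "CISO", "signed": "2026-05-14", "expires": "2026-08-14"}},
    {"id": "VULN-104", "severity": "high", "first_seen": "2026-04-20",
     "remediated": None, "risk_acceptance": None},
    {"id": "VULN-105", "severity": "high", "first_seen": "2026-05-20",
     "remediated": None, "risk_acceptance": None},
    {"id": "VULN-106", "severity": "critical", "first_seen": "2026-03-01",
     "remediated": None,
     "risk_acceptance": {"approved_by": "CISO", "signed": "2026-03-15", "expires": "2026-05-01"}},
    {"id": "VULN-107", "severity": "medium", "first_seen": "2026-05-01",
     "remediated": None, "risk_acceptance": None},
]


def sla_status(finding, as_of):
    """Classify one finding; None for severities the SLA check does not cover."""
    sev = finding["severity"]
    if sev not in SLA_DAYS:
        return None
    due = date.fromisoformat(finding["first_seen"]) + timedelta(days=SLA_DAYS[sev])
    if finding["remediated"]:
        fixed = date.fromisoformat(finding["remediated"])
        return "closed_on_time" if fixed <= due else "closed_late"
    if as_of <= due:
        return "open_within_sla"
    acceptance = finding["risk_acceptance"]
    # A risk acceptance only counts while it is signed and unexpired on the review date.
    if acceptance and date.fromisoformat(acceptance["expires"]) >= as_of:
        return "open_risk_accepted"
    return "open_breach"


def sla_report(findings, as_of_iso):
    """Map finding id -> status for every critical/high finding."""
    as_of = date.fromisoformat(as_of_iso)
    report = {}
    for f in findings:
        status = sla_status(f, as_of)
        if status is not None:
            report[f["id"]] = status
    return report


def sla_summary(report):
    """Counts per status plus the share of closed findings that met SLA (None if nothing closed)."""
    counts = {}
    for status in report.values():
        counts[status] = counts.get(status, 0) + 1
    closed = counts.get("closed_on_time", 0) + counts.get("closed_late", 0)
    on_time_pct = round(100.0 * counts.get("closed_on_time", 0) / closed, 1) if closed else None
    return counts, on_time_pct


if __name__ == "__main__":
    rep = sla_report(SAMPLE_FINDINGS, "2026-06-01")
    for vid, status in rep.items():
        print(f"{vid} {status}")
    print(sla_summary(rep))
```

The `open_breach` bucket is the one to put in the quarterly report, and the count of `open_risk_accepted` items is worth tracking on its own over time, since a growing list of accepted risks is itself something auditors read as a programme signal.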

Month 3 checklist — Incident Readiness

The third month tests resilience — what happens when something breaks.

Tabletop exercise.
– At least one tabletop scenario conducted this quarter?
– Cross-functional participation (cybersecurity, IT, legal, communications, leadership)?
– Outcomes and lessons learned documented?
– Action items from the tabletop tracked to closure?

Log retention validation.
– All key systems generating logs as expected?
– Logs reaching the SIEM / log aggregator?
– Log retention meets the SAMA / NCA / regulatory minimum (typically 12 months, longer for some categories)?
– Sample log queries run to verify the log content is actually usable?

SOC alert tuning.
– False positive rate trend (target: declining)?
– Alert volume sustainable for current analyst staffing?
– Critical alert response time SLA met?
– Alert tuning changes documented?

IR playbook test.
– Latest IR playbooks reviewed for currency?
– Contact lists for IR roles current (including 24/7 numbers)?
– Vendor escalation contacts current (managed SOC, forensic IR retainer, etc.)?
– Did the tabletop scenario exercise at least one IR playbook end-to-end?

Backup integrity testing.
– Sample backup restoration performed this quarter?
– Restoration time measured against the RTO target?
– Restored data validated for completeness?
– Restoration evidence documented for audit?

Business continuity.
– BCP test conducted this quarter (full or partial)?
– DR site capacity verified?
– Critical applications failover-tested?
– Test outcomes documented, with any gaps identified?

Output of month 3: Incident readiness report. BCP / DR test results. Outstanding remediation items for next quarter.
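The log retention item in the Month 3 checklist is the one most often answered "yes" from memory and then contradicted during an incident, when a source turns out to have stopped forwarding months earlier or to hold far less history than assumed. The script below is an added example, not code from the original page or an EIE tool: it checks a list of systems that must log against a constructed SIEM index summary and then parses a few constructed sample events to confirm they carry the fields an investigator needs. The source names, the summary fields, the 24-hour silence threshold and the 365-day minimum are assumptions; the page itself only says retention is "typically 12 months minimum".

```python
"""Log pipeline health check for the Month 3 'log retention validation' item.

Added example, not code from the original page. It compares the list of
systems that must log against a constructed SIEM index summary (oldest and
newest event per source) and flags sources that are not reporting, sources
silent for longer than a threshold, and sources whose retention is shorter
than the required minimum. A second check parses sample events and reports
those missing fields an investigator would need. Field names, the 24-hour
silence threshold and the 365-day minimum are assumptions.
"""
import json
from datetime import datetime

RETENTION_MIN_DAYS = 365
SILENCE_THRESHOLD_HOURS = 24
REQUIRED_FIELDS = ("timestamp", "host", "user", "event_type")

EXPECTED_SOURCES = [
    "core-banking-app", "ad-domain-controllers", "vpn-gateway",
    "pam-vault", "perimeter-firewall",
]

# Constructed SIEM index summary (not real data); perimeter-firewall is deliberately absent.
SIEM_SUMMARY = {
    "core-banking-app":      {"oldest": "2025-03-01T00:00:00Z", "newest": "2026-03-31T08:15:00Z"},
    "ad-domain-controllers": {"oldest": "2025-02-01T00:00:00Z", "newest": "2026-03-31T08:20:00Z"},
    "vpn-gateway":           {"oldest": "2026-01-10T00:00:00Z", "newest": "2026-03-31T08:00:00Z"},
    "pam-vault":             {"oldest": "2025-01-01T00:00:00Z", "newest": "2026-03-27T17:45:00Z"},
}

# Constructed sample events pulled from the SIEM: one complete, one missing the
# actor, one that never got parsed into JSON at all.
SAMPLE_EVENTS = [
    '{"timestamp":"2026-03-31T08:15:00Z","host":"cb-app-01","user":"a.saleh","event_type":"login_success"}',
    '{"timestamp":"2026-03-31T08:16:00Z","host":"cb-app-01","event_type":"transfer_approved"}',
    'Mar 31 08:17:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10',
]


def _parse_ts(ts):
    """ISO-8601 with a trailing Z; the replace keeps it working on Python versions before 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_sources(expected, summary, as_of_iso):
    """Map source -> list of issues; sources with no issues are omitted."""
    as_of = _parse_ts(as_of_iso)
    issues = {}
    for src in expected:
        found = []
        entry = summary.get(src)
        if entry is None:
            found.append("not reporting to SIEM")
        else:
            silent_hours = int((as_of - _parse_ts(entry["newest"])).total_seconds() // 3600)
            if silent_hours > SILENCE_THRESHOLD_HOURS:
                found.append(f"silent for {silent_hours}h (threshold {SILENCE_THRESHOLD_HOURS}h)")
            retained_days = (as_of - _parse_ts(entry["oldest"])).days
            if retained_days < RETENTION_MIN_DAYS:
                found.append(f"retention {retained_days} days, below {RETENTION_MIN_DAYS}-day minimum")
        if found:
            issues[src] = found
    return issues


def check_event_content(events):
    """List of (index, issue) for events that are unusable for investigation."""
    problems = []
    for i, raw in enumerate(events):
        try:
            event = json.loads(raw)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            problems.append((i, "not parseable as JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        if missing:
            problems.append((i, "missing fields: " + ", ".join(missing)))
    return problems


if __name__ == "__main__":
    for src, found in check_sources(EXPECTED_SOURCES, SIEM_SUMMARY, "2026-03-31T09:00:00Z").items():
        print(src, "->", "; ".join(found))
    for idx, issue in check_event_content(SAMPLE_EVENTS):
        print(f"event[{idx}]: {issue}")
```

The three source-level failures it surfaces (never onboarded, went silent, re-provisioned with a short index) are the ones that do not show up in a SIEM dashboard that only counts events per day, and the content check is the cheap stand-in for the "sample log queries" question: a log line that parses but carries no actor is retained, but not usable.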

The fourth quarter — Third-Party Cybersecurity deep dive

Quarter 4 adds an annual deep-dive on Third-Party Cybersecurity on top of the monthly cadence. In EIE's experience this domain produces the most audit findings because it is the most overlooked.

Vendor inventory.
– Complete inventory of all third parties with system access or data access?
– Risk-tier classification (high / medium / low)?

High-tier vendor assurance.
– High-tier vendors have current SAMA Third-Party Cybersecurity assurance evidence?
– Contracts include current cybersecurity terms?
– SOC 2 Type II or equivalent independent attestations on file?

Cloud service provider assessment.
– Each cloud service provider has a documented cybersecurity assessment?
– Shared-responsibility model documented per service?
– Data residency requirements met for each cloud service?

Cybersecurity terms in contracts.
– Standard cybersecurity terms in all new vendor contracts?
– Legacy contracts being updated as they come up for renewal?
– Incident notification clauses with defined timelines?

Supplier breach incidents.
– Any supplier-side incidents in the year?
– Lessons learned applied to the vendor management programme?

Output of Q4 deep-dive: Third-Party Cybersecurity risk register update, annual leadership report, recommendations for next year.

Quarterly report format

Each quarter, produce a one-page executive summary in this structure:

```
SAMA Cybersecurity Framework — Quarterly Self-Assessment Report

Period: Q[X] [Year]
Prepared by: [Name, Title]
Date: [DD MMM YYYY]

DOMAIN 1 — Leadership and Governance
Status: [Green / Amber / Red]
Key findings: [bullet list]

DOMAIN 2 — Risk Management
Status: [Green / Amber / Red]
Key findings: [bullet list]

DOMAIN 3 — Operations and Technology
Status: [Green / Amber / Red]
Key findings: [bullet list]

DOMAIN 4 — Third-Party Cybersecurity
Status: [Green / Amber / Red]
Key findings: [bullet list]

OUTSTANDING REMEDIATION ITEMS
[list with severity, owner, target date]

REMEDIATIONS COMPLETED THIS QUARTER
[list]

RECOMMENDED ACTIONS FOR NEXT QUARTER
[list]
```

This format is what SAMA auditors are looking for. It demonstrates the programme is operating on a quarterly cadence, gaps are surfaced and tracked, and the institution has executive-level visibility.

Common pitfalls when implementing quarterly cadence

Pitfall 1: One person doing all of it. SAMA self-assessment is cross-functional. If one person (typically the CISO) does it alone, it becomes the CISO’s annual exercise rather than the organization’s quarterly cadence. Distribute the checklist across control owners.

Pitfall 2: Treating it as paperwork. The cadence is operational. Real testing should occur — actual restoration tests, actual tabletop exercises, actual pen tests. Documentation without underlying testing produces audit findings.

Pitfall 3: Skipping a quarter. The discipline is the cadence. Skipping a quarter (typically Q4 because of holidays) breaks the pattern and produces predictable audit findings the next year.

Pitfall 4: Not closing the loop on remediation. Findings without remediation are still findings. Each quarter should close some items from previous quarters. A growing backlog signals programme weakness.

Pitfall 5: Ignoring third-party. Domain 4 is where, in EIE's experience, most current findings live. Don't defer the annual third-party deep-dive.

How EIE supports SAMA Cybersecurity Framework compliance

Elite Ideas Establishment helps KSA banks operationalize the SAMA quarterly cadence:

– Initial gap assessment against the full SAMA CSF (4-6 weeks)
– Quarterly assessment facilitation: checklist execution, evidence collection, report production
– Managed SOC providing 24/7 monitoring with SAMA-aligned reporting
– Annual penetration testing with SAMA-aligned report format
– Third-Party Cybersecurity audit pack for EIE's own engagement (provided to all banking customers automatically)
– Tabletop exercise facilitation
– Board-level cybersecurity reporting cadence

For KSA banks running their first quarterly SAMA self-assessment, EIE provides the structure and facilitation to make the cadence operational. For banks already on quarterly cadence, EIE provides independent verification and external perspective on partial-implementation claims.

Frequently asked questions

Does SAMA Cybersecurity Framework apply to insurance and fintech? Yes. SAMA CSF applies to all SAMA-regulated entities including insurance companies, payment service providers, and fintech operating under SAMA licence.

Can we use a SAMA self-assessment tool / software? Several vendors offer SAMA self-assessment tooling. The tooling supports the cadence; it doesn’t replace the underlying control work. Tooling is helpful for evidence collection, tracking, and reporting.

What's the relationship between SAMA CSF and NCA? SAMA CSF is the regulator-specific framework for the financial sector. The National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC) are the national baseline that applies across sectors. Banks must comply with both, with SAMA CSF typically the primary day-to-day operating framework.

How long should a quarterly self-assessment take? For an organization that has the cadence operationalized: 5-15 working days of cumulative effort across control owners. For organizations doing it for the first time or annually-compressed: significantly longer.

Are penetration tests required quarterly? No. Penetration tests are typically annual; the quarterly self-assessment validates that findings from the annual test are tracking to remediation.

What if we have a finding we cannot fix this quarter? Findings can be risk-accepted with appropriate documentation and management sign-off. SAMA auditors review risk acceptance trends — a growing list of accepted risks signals programme weakness even if each individual acceptance is appropriate.

Can EIE conduct the quarterly assessment for us as an external party? Yes — independent quarterly assessment is a service we provide. It supplements (not replaces) the internal cadence. Useful when banks want external perspective or when internal staffing is constrained.

How does Third-Party Cybersecurity assessment apply to our managed-services vendors? Any vendor with system access or data access is in scope. Managed SOC providers, IT services partners (including EIE), cloud providers, application vendors. Each should have appropriate cybersecurity assurance evidence on file.

Talk to EIE about SAMA Cybersecurity Framework

EIE has supported SAMA-aligned cybersecurity programmes across KSA banks for years. Whether you’re starting your first quarterly self-assessment or you want independent external assessment of an existing programme, the conversation starts with understanding your current state.

Phone: +966 12 6522 996 Email: info@eliteideas.net Website: eliteideas.net

For deeper context on KSA cybersecurity broadly, see our [Cybersecurity in Saudi Arabia pillar](https://eliteideas.net/cybersecurity-saudi-arabia/).