Sentinel Unity
KSA national, NCA

NCA ECC: Essential Cybersecurity Controls

The National Cybersecurity Authority Essential Cybersecurity Controls are mandatory for Saudi government entities and critical infrastructure. Sentinel Unity maps domains and controls to assessments, evidence, and cross-framework standards.

Issued by: National Cybersecurity Authority (NCA) · Applies to: government and critical infrastructure in the Kingdom

Five

Domains

Fifty-one

Controls (ECC)

Five

Maturity levels

Mandatory

For in-scope entities

Five domains covering cybersecurity governance through ICS

Governance domain

Cybersecurity Governance

Leadership accountability, strategy, policy, and organizational risk management.

  • CISO role
  • Cyber strategy
  • Policy framework
  • Risk management

Defense domain

Cybersecurity Defense

Identity, network, endpoint, and application security controls.

  • IAM
  • Network protection
  • Endpoint security
  • Application security

Resilience domain

Cybersecurity Resilience

Incident response, disaster recovery, and recovery planning capabilities.

  • Incident response plan
  • Disaster recovery
  • Recovery planning
  • Breach notification

Third-party domain

Third-Party & Cloud Security

Vendor risk and cloud environment security.

  • Vendor assessment
  • Cloud baseline
  • Contractual controls
  • Sub-contractor management

ICS domain

Industrial Control Systems

OT/ICS security for industrial environments.

  • ICS risk assessment
  • OT network isolation
  • ICS incident response
  • OT patch management

How Sentinel Unity maps NCA ECC

Controls live in the framework library, linked to assessments, evidence, findings, and reports.

Pre-built assessment templates

Start assessments against ECC controls with questionnaire templates and evidence fields.

Control maturity scoring

Score controls on the ECC maturity scale and track improvement over time.

Evidence management

Attach policies, artefacts, and screenshots to control records for examinations.

Gap analysis reporting

Report current posture versus target maturity by domain and control.

Cross-mapping to ISO 27001 and NIST CSF

Reuse evidence across national and global standards where controls align.

Audit-ready exports

Structured evidence packages for assessors and internal audit.

NCA ECC maturity scale

Maturity scoring in the platform follows the ECC model from initial through optimizing.

Level 1

Initial

Informal or absent controls; no repeatable practice.

Level 2

Developing

Partial implementation; documented but inconsistent.

Level 3

Defined

Documented and consistently applied.

Level 4

Managed

Measured and monitored against metrics.

Level 5

Optimizing

Continuous improvement based on threats and lessons learned.

Assess your NCA ECC posture on one platform

Book a demo with our GRC specialists to see how Sentinel Unity supports programs across the Gulf.

No commitment required. Typical demo is 45 minutes.