Sentinel Unity
KSA financial sector, SAMA

SAMA CSF: Cyber Security Framework

Mandatory for banks, insurers, and financial institutions supervised by SAMA in the Kingdom. Sentinel Unity connects SAMA domains to assessments, cyber risk, and third-party risk programs, with group rollup for GCC headquarters.

Issued by: Saudi Central Bank (SAMA) · Sector: regulated financial institutions in KSA

Five

CSF domains

Vendor

Risk emphasis

Annual

Assessment cycle

Financial

Sector scope

Five SAMA CSF domains

Cyber Security Leadership & Governance

Board and executive accountability, CISO role, strategy, and reporting.

  • Governance
  • Strategy
  • Committee reporting

Cyber Security Risk Management

Risk appetite, assessment, and treatment for financial threats.

  • Risk appetite
  • Assessment
  • Treatment tracking

Cyber Security Operations & Technology

Identity, network, endpoints, logging, and security monitoring.

  • IAM
  • Network
  • Endpoints
  • Monitoring

Third-Party Cyber Security

Vendor tiering, due diligence, contracts, and monitoring.

  • Tiering
  • Due diligence
  • Contracts
  • Re-assessment

Cyber Security Resilience

Incident response, disaster recovery, and recovery for financial operations.

  • Incident response
  • Recovery
  • Crisis management

SAMA-aligned platform capabilities

SAMA CSF assessment templates

Domain-based assessments with maturity and evidence per control.

TPRM module integration

Vendor classification, diligence campaigns, and contract clause tracking aligned to SAMA third-party domain.

Cyber risk registers

Residual risk and treatment linked to CSF control gaps.

Vendor classification

Tier vendors by data access, criticality, and regulatory exposure.

Pre-engagement due diligence

Questionnaires and evidence before onboarding vendors.

Contractual security tracking

Audit rights, notification timelines, and security standards in contracts.

Run SAMA CSF and vendor risk on one GRC platform

Book a demo with our GRC specialists to see how Sentinel Unity supports programs across the Gulf.

No commitment required. Typical demo is 45 minutes.