Saudi Arabia’s National Cybersecurity Authority (NCA) has taken a major step in strengthening national cybersecurity by introducing the Essential Cybersecurity Controls (ECC – 1: 2018). These controls were developed after a thorough analysis of global cybersecurity standards, national regulations, and real-world cyber incidents. The ECC aims to protect government and critical infrastructure organizations across the Kingdom.

What are the Essential Cybersecurity Controls?

The ECC framework is structured into:

  • 5 main cybersecurity domains, for example cybersecurity governance
  • 29 subdomains, for example cybersecurity management
  • 114 specific controls

These controls are aligned with both national and international laws and are mandatory for all government entities and private sector organizations that manage Critical National Infrastructure (CNI) in Saudi Arabia.

Among the specific controls, the ECC requires that specific positions be filled by full-time and experienced Saudi cybersecurity professionals.

The Saudi Cybersecurity Workforce Framework (SCyWF)

To support the implementation of ECC, the NCA also developed the Saudi Cybersecurity Workforce Framework (SCyWF). This framework defines cybersecurity job roles and outlines the tasks, knowledge, skills, and abilities (TKSAs) required for each role. It serves as a national reference for:

  • Workforce planning and development
  • Recruitment and promotion
  • Education and training alignment

The SCyWF helps organizations create standardized job descriptions and ensures that cybersecurity professionals meet the necessary qualifications.

How ECC and SCyWF Work Together

The ECC includes implementation guidance for all controls, including the appointment of full-time and highly qualified cybersecurity professionals to fill specific job roles and positions.

While the SCyWF is not mandatory, it is strongly recommended in the ECC Implementation Guide. Organizations are encouraged to use the SCyWF to define key cybersecurity roles, especially leadership and supervisory positions. This includes specifying experience, academic qualifications, appropriate training and professional certifications.

In fact, the expected deliverables state that the SCyWF should be relied upon for job descriptions for the head of cybersecurity, supervisory and other critical positions.

ISC2 Certification and SCyWF Alignment

The SCyWF recognizes 19 cybersecurity roles that align with globally respected ISC2 certifications, such as:

These roles span four key categories:

  • Cybersecurity Architecture, Research & Development
  • Governance, Risk, Compliance & Law
  • Leadership & Workforce Development
  • Protection & Defense

Conclusion

Saudi Arabia’s ECC and SCyWF provide a comprehensive approach to cybersecurity governance and workforce development. By aligning job roles with international certifications, organizations can ensure they are hiring and developing professionals with the right expertise to protect national assets.