One Compliance Project, Five Frameworks — Mapping NCA, SAMA, PDPL, ISO 27001, PCI-DSS
COMPLIANCE AND AUDIT


SKYLINE Knowledge Base

A practitioner-grade walk-through of mapping NCA ECC, SAMA CSF, PDPL, ISO 27001 and PCI-DSS into one compliance programme: scope, controls, implementation phases and audit-ready evidence, with sample policies and configs you can adapt for Compliance and Audit.

Overview

A regulated KSA enterprise often answers to all five of NCA ECC, SAMA CSF, PDPL, ISO 27001 and PCI-DSS simultaneously — plus sometimes SACS-210 on top. Treating each as a standalone programme leads to triple audits, triple evidence, and burnout. A unified control matrix collapses ~85% of the work into one shared programme; only the residual 15% needs framework-specific handling. This guide explains how to build that matrix and run a single compliance programme that satisfies all five.

Who this applies to

  • KSA banks (mandatory NCA ECC + SAMA CSF + PDPL + ISO 27001 best-practice + PCI-DSS for card systems).
  • Critical infrastructure operators (NCA ECC + CSCC + PDPL + ISO 27001 + sector specifics).
  • Multinational FinTechs entering KSA.
  • Enterprise IT departments rationalising their compliance spend.

The five frameworks at a glance

| Framework | Origin | Mandate in KSA | Scope of evidence |
|---|---|---|---|
| NCA ECC | Saudi NCA | Mandatory for gov + critical sectors | Full organisation |
| SAMA CSF | SAMA | Mandatory for FIs | Bank-wide |
| PDPL | SDAIA | Mandatory for processors of KSA data | Data-processing activities |
| ISO 27001 | ISO/IEC | Voluntary certification | ISMS scope of choice |
| PCI-DSS | PCI SSC | Contractual via card schemes | Card-data environment |

The 80/20 rule

When you map these five frameworks against each other, ~80% of objective intent overlaps:

  • Access control with MFA.
  • Asset inventory and classification.
  • Vulnerability management with patching SLA.
  • Encryption in transit and at rest.
  • Logging and monitoring.
  • Incident response.
  • Business continuity.
  • Third-party risk management.
  • Awareness training.

The remaining 20% is framework-unique:

  • NCA ECC: Saudi-specific data residency, Arabic documentation.
  • SAMA CSF: payment systems, customer authentication, FI governance.
  • PDPL: data subject rights, DPIA, cross-border, breach 72h.
  • ISO 27001: ISMS documentation, internal audit programme, management review.
  • PCI-DSS: cardholder data environment, segmentation, monthly scans, quarterly ASV scans.

Step 1: Build the unified control matrix

Use one row per control theme, with the following columns (two sample rows shown):

| Theme | ECC | SAMA | PDPL | ISO | PCI | Evidence | Owner | Cadence | Status |
|---|---|---|---|---|---|---|---|---|---|
| Access reviews quarterly | 2-2-1-4 | 3-3-1-3 | art.31 (security TOM) | A.5.18 | 7.2.4 | access-review-q1-2026.xlsx | IAM team | Quarterly | Met |
| Encryption at rest (CMK) | 2-6-1 | 3-6-1 | TOM | A.8.24 | 3.5 | kms-inventory.xlsx | Platform team | Nightly automated check | Met |

Step 2: Single evidence library

Organise by control objective, not by framework:

evidence/
  access-control/
    q1-2026-access-review.xlsx     [labelled ECC 2-2-1, SAMA 3-3-1, ISO A.5.18, PCI 7.2.4]
    pam-vault-quarterly-audit.pdf
  encryption/
    kms-inventory-2026-04.xlsx     [labelled ECC 2-6-1, SAMA 3-6-1, ISO A.8.24, PCI 3.5]
  incident-response/
    ir-tabletop-2026-03.pdf
  vulnerability/
    patch-sla-dashboard-snapshot-2026-04.pdf
  ...

Tag every artefact with all framework references it satisfies.
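The Step 1 matrix and the Step 2 tagged library expressed in code, as an added example that is not part of the original guide: it produces the per-framework section an audit report needs and flags matrix references that no artefact is tagged for (here the PDPL references, since the sample labels above carry none). Control IDs are the ones quoted above; the artefact paths are constructed.

```python
# Added example, not code from the original guide: a unified control matrix and
# tagged evidence library with per-framework views and gap detection.
# Control IDs are those quoted on the page; artefact paths are constructed.
from dataclasses import dataclass
FRAMEWORKS = ("ECC", "SAMA", "PDPL", "ISO", "PCI")

@dataclass(frozen=True)
class Control:
    theme: str
    refs: dict  # framework -> control id this theme maps to
MATRIX = [
    Control("Access reviews quarterly", {"ECC": "2-2-1-4", "SAMA": "3-3-1-3",
            "PDPL": "art.31", "ISO": "A.5.18", "PCI": "7.2.4"}),
    Control("Encryption at rest (CMK)", {"ECC": "2-6-1", "SAMA": "3-6-1",
            "PDPL": "TOM", "ISO": "A.8.24", "PCI": "3.5"}),
]

# Evidence library: each artefact tagged with every framework reference it satisfies.
EVIDENCE = {
    "evidence/access-control/q1-2026-access-review.xlsx":
        {"ECC 2-2-1", "SAMA 3-3-1", "ISO A.5.18", "PCI 7.2.4"},
    "evidence/encryption/kms-inventory-2026-04.xlsx":
        {"ECC 2-6-1", "SAMA 3-6-1", "ISO A.8.24", "PCI 3.5"},
}

def satisfies(tag: str, framework: str, ref: str) -> bool:
    """'ECC 2-2-1' covers an ECC ref equal to 2-2-1 or nested under it (2-2-1-4)."""
    fw, _, tag_id = tag.partition(" ")
    return fw == framework and (ref == tag_id or ref.startswith(tag_id + "-"))

def evidence_for(control: Control, framework: str) -> list:
    """Artefacts whose tags cover this control's reference in one framework."""
    ref = control.refs.get(framework)
    return sorted(path for path, tags in EVIDENCE.items()
                  if ref and any(satisfies(t, framework, ref) for t in tags))

def framework_view(framework: str) -> list:
    """One section of the shared report: (control id, theme, evidence, status)."""
    view = []
    for c in MATRIX:
        if framework in c.refs:
            ev = evidence_for(c, framework)
            view.append((c.refs[framework], c.theme, ev, "Met" if ev else "Gap"))
    return view

def gaps() -> list:
    """(theme, framework) pairs mapped in the matrix but lacking tagged evidence."""
    return [(c.theme, fw) for c in MATRIX for fw in FRAMEWORKS
            if fw in c.refs and not evidence_for(c, fw)]
```

Running `gaps()` on the sample data returns the two PDPL rows, which is exactly the kind of mismatch between matrix and library that turns up as an audit finding if it is not caught in-house.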

Step 3: One internal audit programme

Build a 3-year audit plan that covers:

  • 100% of controls every 3 years.
  • 33% of controls every year.
  • Risk-weighted so high-risk areas (incident, identity, payment) get touched annually.

The same audit serves all five frameworks; the report has a section per framework cross-referencing the same findings.

Step 4: One penetration test

Annual penetration test scoped to the broadest applicable boundary (the union of all five scopes). The report should:

  • Map every finding to all relevant framework control IDs.
  • Track retest evidence per finding.

Step 5: One awareness programme

A 12-month training programme that covers:

  • NCA cyber hygiene.
  • SAMA banking-specific scenarios.
  • PDPL data subject rights and breach handling.
  • ISO 27001 ISMS roles.
  • PCI-DSS card-data handling.

One LMS, one calendar, single completion KPI per individual.

Step 6: Framework-specific overlays

Where frameworks diverge, build narrow overlays:

  • PDPL overlay — DSR pipeline, DPIA register, ROPA, breach 72h workflow.
  • PCI overlay — CDE network diagram, quarterly ASV scans, SAQ / RoC schedule.
  • SAMA overlay — board reporting pack, customer-authentication design.
  • NCA overlay — Arabic-language policy versions, KSA residency evidence.
  • ISO overlay — ISMS documentation set, management review minutes.

Step 7: Audit windows planning

Plan the audit calendar so that:

  • The NCA assessment and SAMA self-assessment use the same workbook period.
  • The ISO 27001 surveillance audit immediately precedes the NCA assessment, so any ISO findings are remediated before the NCA assessors arrive.
  • PCI ASV scans align with the vulnerability programme.
  • PDPL inspection (if triggered) can pull from the same evidence library.

Common gotchas

  • Separate spreadsheets per framework — duplication and contradiction.
  • Different policy owners for the same objective in different frameworks.
  • Audits scheduled randomly through the year — perpetual audit mode for the team.
  • Framework-specific evidence stored in the auditor's mailbox rather than the central library.

Verification

  • Unified matrix maintained in a central tool (GRC platform / SharePoint with version control).
  • Evidence library with framework tags per artefact.
  • Single audit calendar.
  • One annual cyber risk report rolling up to the board with a five-framework view.

Conclusion

Compliance fatigue is self-inflicted. Map the frameworks once, keep one evidence library, run one audit programme, and treat the five sets of auditors as different lenses on the same disciplined operation. The savings compound: less burn-out, better evidence, faster audits, lower cost.


SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
