
How to Read an NCA ECC Audit Report and Pass on First Try

SKYLINE Knowledge Base

A practitioner-grade walk-through of the NCA ECC audit process: scope, controls, implementation phases and audit-ready evidence, with sample policies and configs you can adapt for NCA frameworks.

Overview

An NCA ECC audit is not a surprise inspection: it is a scheduled, evidence-driven engagement in which an NCA-approved assessor walks through every applicable control and asks for proof. Entities that pass on the first attempt do three things well: they understand the audit phases, they pre-build an evidence binder, and they remediate gaps before the assessor arrives. This guide describes how a real ECC audit unfolds and what the assessor expects to see.

Who this applies to

  • Government and government-affiliated entities (mandatory annual or biennial cycle).
  • Critical-system operators (annual).
  • Any private operator notified by the NCA as in scope.

Audit phases

A typical engagement has six phases over six to eight weeks:

  1. Engagement letter — NCA-approved firm contracted, scope frozen, assessor team named.
  2. Documentation review (off-site, week 1-2) — policies, registers, architecture diagrams.
  3. Walk-throughs (on-site, week 3-4) — interviews with control owners, sample evidence pulled live.
  4. Technical testing (week 4-5) — vulnerability scans, configuration sampling, log inspection.
  5. Draft report (week 6) — findings shared; you have 5 working days to challenge them on factual grounds.
  6. Final report and management letter (week 7-8) — submitted to NCA and to the audited entity's CEO.

Step 1: Build the evidence binder before kickoff

Organise by ECC control ID. For every control: policy section, owner, evidence file (sanitised), and a remediation column if partial.

evidence/
  1-1-1_strategy/
    cybersecurity-strategy-v3.2.pdf
    board-approval-minutes-2026-02-14.pdf
  1-2-3_risk_register/
    risk-register-q1-2026.xlsx
    risk-committee-minutes-2026-03-15.pdf
  2-2-1_access_control/
    access-control-policy-v2.1.pdf
    access-review-q1-2026.xlsx
    privileged-account-rotation-log.csv
  2-12-1_log_management/
    log-retention-policy-v1.5.pdf
    siem-architecture-diagram.png
    log-volume-monthly-2025.pdf
  ...

Step 2: Common evidence the assessor will ask for

  • Approved policy register with version, effective date and review cycle.
  • Asset register filtered to in-scope systems, classified per NCA scheme.
  • Quarterly access reviews signed by line managers — not just IT.
  • Privileged-access logs showing MFA + check-in/check-out for the vault.
  • Vulnerability scan reports dated within 30 days; not just executive summaries — the full host-level findings.
  • Penetration test report within 12 months, with retest evidence per finding.
  • Backup restore tests for the last 12 months, including who performed and what was restored.
  • Incident tickets showing the full lifecycle from detection to closure.
  • Security awareness training completion records with refresh evidence.
  • Third-party assurance letters / SOC 2 reports for every critical supplier.

Step 3: How the assessor samples

Expect random sampling. For example, on access control they may pick 15 user accounts and ask:

  • Show the access request form for each.
  • Show the line-manager approval.
  • Show the role-based entitlements matrix.
  • Show evidence of the most recent quarterly review for each.
  • Show that the account is still required (or evidence of disablement).

If any one of those 15 fails, the control scores Partial.

Step 4: How findings are scored

Most ECC engagements use a four-level rubric:

| Score | Meaning |
|---|---|
| Implemented | Control fully in place with evidence and consistent operation. |
| Partially Implemented | Documented but inconsistently operated. |
| Not Implemented | Documented but not operational, or not documented. |
| Not Applicable | Demonstrated as out of scope; assessor signs off. |

Critical-system controls scoring less than Implemented produce a management letter point requiring 90-day remediation.

Step 5: Remediating in real time

If you spot a gap during week 1 documentation review:

  • Don't try to back-date evidence — auditors catch this and it triggers an integrity finding.
  • Acknowledge it openly, file a management remediation plan, attach it to the response.
  • Pre-emptive remediation reduces severity in the management letter.

Step 6: Pre-audit dry run

Run an internal mock audit using your own internal-audit team or an external advisor (not the assessor's firm). Use the NCA self-assessment workbook. Expect to find 10-20% gaps even if you think you are ready.

Common gotchas

  • Strategy approved by IT but not the board — fails control 1-1-1 even if everything else is perfect.
  • Asset register out of date by 3+ months — auto-finding.
  • Log retention claimed at 12 months but disk only has 4 months of data — fails 2-12-1.
  • Penetration test scoped only to "important" assets — assessor requires the same scope as the audit itself.

Verification — audit-ready evidence checklist

  • Cybersecurity policy register with last-review date for every policy.
  • Risk register reviewed in the last quarter.
  • Asset register dated within the last month.
  • Access reviews completed in the last quarter.
  • Vulnerability scan dated within the last 30 days.
  • Penetration test within 12 months + retest evidence.
  • Backup restore test within 6 months.
  • Awareness training completion above 95% in the last 12 months.
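The checklist above and the log-retention gotcha under "Common gotchas" can both be checked mechanically before the mock audit. The script below is an added example, not part of the original guide: it reads the filenames of a binder laid out as in Step 1, pulls the date each filename carries, and flags every checklist item whose newest evidence is older than the checklist allows; the folder names beyond those shown on the page, the sample binder and the 2026-02-01 "oldest log file" date are constructed for the example.

```python
import re
from datetime import date, timedelta

# Maximum evidence age in days, per item of the verification checklist.
MAX_AGE_DAYS = {
    "risk_register": 90,       # reviewed in the last quarter
    "asset_register": 30,      # dated within the last month
    "access_control": 90,      # access reviews completed in the last quarter
    "vulnerability_scan": 30,  # scan dated within the last 30 days
    "penetration_test": 365,   # pentest within 12 months
    "backup_restore": 182,     # restore test within 6 months
}
_ISO = re.compile(r"(\d{4})-(\d{2})-(\d{2})")
_QUARTER = re.compile(r"q([1-4])-(\d{4})", re.IGNORECASE)

def evidence_date(filename):
    """Date in a filename: 'YYYY-MM-DD', or 'qN-YYYY' taken as quarter end (assumption); else None."""
    if m := _ISO.search(filename):
        return date(*map(int, m.groups()))
    if m := _QUARTER.search(filename):
        q, y = int(m.group(1)), int(m.group(2))
        return (date(y + 1, 1, 1) if q == 4 else date(y, 3 * q + 1, 1)) - timedelta(days=1)
    return None
def stale_items(binder, today):
    """{item: age_in_days} for items over their limit; None = no dated evidence."""
    stale = {}
    for item, limit in MAX_AGE_DAYS.items():
        dates = [d for d in map(evidence_date, binder.get(item, [])) if d]
        if not dates:
            stale[item] = None
        elif (age := (today - max(dates)).days) > limit:
            stale[item] = age
    return stale
def retention_shortfall(claimed_days, oldest_log, today):
    """Days the logs on disk fall short of the claimed retention (2-12-1 gotcha)."""
    return max(0, claimed_days - (today - oldest_log).days)
# Constructed sample binder laid out like Step 1; folder names are illustrative.
SAMPLE_BINDER = {
    "risk_register": ["risk-register-q1-2026.xlsx", "risk-committee-minutes-2026-03-15.pdf"],
    "asset_register": ["asset-register-2026-02-01.xlsx"],
    "access_control": ["access-control-policy-v2.1.pdf", "access-review-q1-2026.xlsx"],
    "vulnerability_scan": ["vuln-scan-host-level-2026-05-20.pdf"],
    "penetration_test": ["pentest-report-2025-03-10.pdf", "pentest-retest-2025-04-02.pdf"],
    "backup_restore": [],
}

def run_sample(today_iso="2026-06-01"):
    """Dry run on the sample binder; oldest SIEM file assumed dated 2026-02-01 vs 365 days claimed."""
    today = date.fromisoformat(today_iso)
    return stale_items(SAMPLE_BINDER, today), retention_shortfall(365, date(2026, 2, 1), today)
```

On the sample binder the asset register and the penetration test come back stale, the backup restore test is missing entirely, and the SIEM holds 245 fewer days of logs than the policy claims.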

Conclusion

A first-time pass is the product of evidence discipline, not a sprint at the end. Build the evidence binder as you go, perform a mock audit 60 days out, and treat the assessor as an ally who is testing the same controls you should already be testing yourselves.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
