Overview
If you are already certified to ISO 27001 or aligned to the NIST Cybersecurity Framework, you have done much of the work for NCA ECC. The trick is knowing where the three frameworks overlap, where they diverge, and where the NCA goes further than either. A unified control matrix lets one piece of evidence satisfy three audits, provided each piece of evidence is labelled with all three control references.
Who this applies to
- Multinational entities operating in KSA and elsewhere.
- KSA entities pursuing ISO 27001 alongside ECC.
- Anyone tendering for international contracts where NIST CSF alignment is requested.
High-level structure comparison
| Aspect | NCA ECC | NIST CSF 2.0 | ISO 27001:2022 |
|---|---|---|---|
| Origin | KSA NCA | NIST (US) | ISO/IEC |
| Status | Mandatory in KSA | Voluntary | Certifiable |
| Structure | 5 domains, 29 sub-domains, 114 controls (ECC-1:2018) | 6 Functions (GV, ID, PR, DE, RS, RC) | 4 themes, 93 Annex A controls |
| Reporting | NCA + sector regulator | Internal | Certification body |
| Renewal | Annual / biennial | Continuous | 3-year cycle + annual surveillance |
Mapping the five ECC domains
ECC Domain 1 — Cybersecurity Governance
| ECC Sub-domain (ECC-1:2018) | NIST CSF 2.0 | ISO 27001:2022 Annex A |
|---|---|---|
| 1-1 Cybersecurity Strategy | GV.OC, GV.RM | A.5.1 |
| 1-2 Cybersecurity Management | GV.RR | A.5.2 |
| 1-3 Policies and Procedures | GV.PO | A.5.1 |
| 1-4 Roles and Responsibilities | GV.RR | A.5.2, A.5.3 |
| 1-5 Risk Management | GV.RM, ID.RA | Clause 6.1.2, A.5.7 |
| 1-6 Cybersecurity in IT Project Management | GV.OC, PR.PS | A.5.8 |
| 1-7 Compliance with Standards, Laws and Regulations | GV.OC-03, GV.OV | A.5.31, A.5.36 |
| 1-8 Periodic Review and Audit | GV.OV, ID.IM | A.5.35 |
| 1-9 Cybersecurity in Human Resources | GV.RR-04 | A.6.1, A.6.2, A.6.4-A.6.6 |
| 1-10 Awareness and Training | PR.AT | A.6.3 |

Third-party cybersecurity is not a Domain 1 sub-domain in ECC; it sits in Domain 4 (4-1) below.
ECC Domain 2 — Cybersecurity Defense
| ECC Sub-domain (ECC-1:2018) | NIST CSF 2.0 | ISO 27001:2022 Annex A |
|---|---|---|
| 2-1 Asset Management | ID.AM | A.5.9, A.5.10 |
| 2-2 Identity and Access Management | PR.AA | A.5.15-A.5.18 |
| 2-3 Information System and Processing Facilities Protection (hardening) | PR.PS | A.8.9 |
| 2-4 Email Protection | PR.DS, DE.CM | A.5.14, A.8.7 |
| 2-5 Network Security Management | PR.IR, DE.CM | A.8.20-A.8.22 |
| 2-6 Mobile Devices Security | PR.AA, PR.PS | A.8.1 |
| 2-7 Data and Information Protection | PR.DS | A.5.12, A.8.11, A.8.12 |
| 2-8 Cryptography | PR.DS-01, PR.DS-02 | A.8.24 |
| 2-9 Backup and Recovery Management | PR.DS-11 | A.8.13 |
| 2-10 Vulnerability Management | ID.RA-01, PR.PS-02 | A.8.8 |
| 2-11 Penetration Testing | ID.IM-02 | A.8.8, A.8.29 |
| 2-12 Event Logs and Monitoring Management | PR.PS-04, DE.CM | A.8.15, A.8.16 |
| 2-13 Incident and Threat Management | RS.MA, RS.AN, RS.CO | A.5.24-A.5.28 |
| 2-14 Physical Security | PR.AA-06, PR.IR | A.7.1-A.7.14 |
| 2-15 Web Application Security | PR.PS-06 | A.8.25, A.8.26 |

Domain 2 has 15 sub-domains in ECC-1:2018 (10 + 15 + 1 + 2 + 1 = 29 across the five domains). Email Protection (2-4) and Network Security Management (2-5) are easy to drop when mapping from ISO, because ISO spreads them across several Annex A controls; keep them as separate rows in your matrix.
ECC Domain 3 — Cybersecurity Resilience
| ECC Sub-domain | NIST CSF 2.0 | ISO 27001:2022 Annex A |
|---|---|---|
| 3-1 Resilience aspects of BCM | PR.IR, RC.RP, RC.CO | A.5.29, A.5.30, A.8.14 |
ECC Domain 4 — Third-Party and Cloud
| ECC Sub-domain | NIST CSF 2.0 | ISO 27001:2022 Annex A |
|---|---|---|
| 4-1 Third-Party Cybersecurity | GV.SC | A.5.19-A.5.22 |
| 4-2 Cloud Computing and Hosting | GV.SC, PR.DS | A.5.21, A.5.23 |
ECC Domain 5 — ICS
| ECC Sub-domain | NIST CSF 2.0 | ISO 27001:2022 Annex A |
|---|---|---|
| 5-1 ICS Protection | All six Functions (OT/ICS sector profile) | A.5-A.8 partial; supplement with IEC 62443 |
Where NCA goes further
- Data residency: NCA mandates KSA jurisdiction for many categories of data; NIST and ISO are agnostic about location.
- Arabic-language documentation: required for KSA government entities.
- CST cloud-operator licensing: a KSA-specific licensing tier that sits above an ISO 27017 attestation.
- 24/7 SOC for critical systems: implied in NIST/ISO but explicit in the NCA Critical Systems Cybersecurity Controls (CSCC).
- A cybersecurity function independent of IT, headed by a dedicated CISO who reports to the head of the organisation or delegate: explicit in NCA, implicit elsewhere.
Step 1: Build the unified control matrix
Use one column per framework and one row per control objective. For each row, record the owner, the evidence file that satisfies it, and its current status, so that a single row answers all three auditors.
control-matrix.xlsx

| Theme | ECC | NIST CSF 2.0 | ISO 27001:2022 | Owner | Evidence file | Status |
|---|---|---|---|---|---|---|
| Strategy | 1-1-1 | GV.OC-01 | A.5.1 | CISO | strategy-v3.2.pdf | Met |
| Risk register | 1-5-1 | GV.RM-01 | A.5.4 | CISO | risk-register-q1-2026.xlsx | Met |
| Access reviews | 2-2-3-5 | PR.AA-05 | A.5.18 | IT | access-review-q1.xlsx | Met |
| Pen test | 2-11-1 | ID.IM-02 | A.8.29 | CISO | pentest-2026-02.pdf | Met |
| Log retention | 2-12-1 | PR.PS-04 | A.8.15 | SOC | log-retention-policy.pdf | Met |

Use CSF 2.0 subcategory IDs throughout (PR.AA-05, not PR.AC-01; PR.PS-04, not PR.PT-01); mixing v1.1 and v2.0 identifiers in one matrix is a common finding.
Step 2: Single evidence, multiple labels
When you produce the quarterly access review, name the file once and reference it from all three audit binders. Tag the file with all three framework references (ECC, NIST CSF and ISO) so that a search on any one of them returns the same artefact.
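As an added example (not code from the original page), the following Python script implements Steps 1 and 2 on a constructed copy of the matrix above: it parses the matrix, builds an inverted index from every framework label to the evidence file behind it, produces a per-framework binder view, and runs two checks a practitioner would want before an audit: rows with no evidence or with evidence missing from the library, and rows that still carry NIST CSF v1.1 category IDs. The CSV text, the evidence-library file names and the extra "Backup testing" row are constructed sample data; the retired-category list reflects the v1.1 categories that CSF 2.0 renamed or dissolved.

```python
"""Unified control matrix: one row per control objective, labelled for
NCA ECC, NIST CSF 2.0 and ISO 27001:2022, with one evidence file per row.

Added example, not from the original page. MATRIX_CSV and EVIDENCE_LIBRARY
are constructed sample data; the file names are hypothetical.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample matrix, same shape as control-matrix.xlsx.
# The last row deliberately has no evidence file and a v1.1 CSF ID.
MATRIX_CSV = """theme,ecc,nist_csf,iso27001,owner,evidence,status
Strategy,1-1-1,GV.OC-01,A.5.1,CISO,strategy-v3.2.pdf,Met
Risk register,1-5-1,GV.RM-01,A.5.4,CISO,risk-register-q1-2026.xlsx,Met
Access reviews,2-2-3-5,PR.AA-05,A.5.18,IT,access-review-q1.xlsx,Met
Pen test,2-11-1,ID.IM-02,A.8.29,CISO,pentest-2026-02.pdf,Met
Log retention,2-12-1,PR.PS-04,A.8.15,SOC,log-retention-policy.pdf,Met
Backup testing,2-9-3,PR.IP-4,A.8.13,IT,,Partial
"""

# Constructed listing of what is actually in the evidence library.
# Note that log-retention-policy.pdf is referenced but not present.
EVIDENCE_LIBRARY = {
    "strategy-v3.2.pdf",
    "risk-register-q1-2026.xlsx",
    "access-review-q1.xlsx",
    "pentest-2026-02.pdf",
}

FRAMEWORKS = ("ecc", "nist_csf", "iso27001")

# CSF 1.1 categories that CSF 2.0 renamed or dissolved.
RETIRED_CSF11 = {"ID.BE", "ID.GV", "ID.SC", "PR.AC", "PR.IP", "PR.MA",
                 "PR.PT", "DE.DP", "RS.IM", "RC.IM"}
# CSF 2.0 subcategory shape: Function.Category-NN
CSF2_ID = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}$")


def parse_matrix(text):
    """Parse the CSV export of the matrix into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def evidence_index(rows):
    """Inverted index: every framework label -> set of evidence files.
    This is what lets one artefact be found from any of the three audits."""
    index = defaultdict(set)
    for row in rows:
        if not row["evidence"]:
            continue
        for fw in FRAMEWORKS:
            index[f"{fw}:{row[fw]}"].add(row["evidence"])
    return dict(index)


def labels_for(rows, evidence_file):
    """All framework labels one evidence file satisfies (Step 2 tagging)."""
    return sorted(f"{fw}:{row[fw]}" for row in rows
                  if row["evidence"] == evidence_file for fw in FRAMEWORKS)


def binder(rows, framework):
    """Per-audit view: that framework's label -> (evidence file, status)."""
    return {row[framework]: (row["evidence"], row["status"]) for row in rows}


def find_gaps(rows, library):
    """Rows that cannot be defended in an audit as they stand."""
    gaps = []
    for row in rows:
        if not row["evidence"]:
            gaps.append((row["ecc"], "no evidence file recorded"))
        elif row["evidence"] not in library:
            gaps.append((row["ecc"], f"evidence missing from library: {row['evidence']}"))
        if row["status"] != "Met":
            gaps.append((row["ecc"], f"status is {row['status']}"))
    return gaps


def stale_csf_labels(rows):
    """Rows still carrying CSF 1.1 identifiers (the v2.0 gotcha)."""
    stale = []
    for row in rows:
        label = row["nist_csf"]
        if label.split("-")[0] in RETIRED_CSF11 or not CSF2_ID.match(label):
            stale.append((row["ecc"], label))
    return stale


if __name__ == "__main__":
    rows = parse_matrix(MATRIX_CSV)
    print("labels on access review:", labels_for(rows, "access-review-q1.xlsx"))
    print("ISO binder:", binder(rows, "iso27001"))
    for ecc, problem in find_gaps(rows, EVIDENCE_LIBRARY):
        print("GAP", ecc, problem)
    for ecc, label in stale_csf_labels(rows):
        print("STALE CSF 1.1 ID", ecc, label)
```

Run it before each audit cycle: an empty result from both `find_gaps` and `stale_csf_labels` is the state the Verification section below asks for, and `binder(rows, "iso27001")` is exactly the view a certification-body auditor will ask to see.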
Step 3: Save effort, save budget
A coordinated multi-framework programme typically saves 30-40% of the standalone cost. The biggest savings are in:
- One policy library serving all three frameworks.
- One asset register.
- One internal-audit programme.
- One penetration test with reports labelled for each framework.
- One awareness-training programme.
Common gotchas
- ISO 27001:2013 Annex A (14 domains, 114 controls) was renumbered and merged into 4 themes and 93 controls in the 2022 edition; any mapping written against 2013 numbering must be redone.
- NIST CSF v2.0 (Feb 2024) adds the Govern (GV) Function and renames or dissolves several v1.1 categories (PR.AC became PR.AA; PR.IP, PR.PT and DE.DP were redistributed), so mappings built against v1.1 must be revisited.
- KSA-specific controls (data residency, Arabic-language documentation) cannot be satisfied by ISO/NIST evidence alone.
- ISO A.5.34 (privacy and protection of PII) must be read against the KSA Personal Data Protection Law (PDPL); check PDPL alignment separately.
Verification
- Unified matrix exists, owned by the CISO.
- Cross-framework evidence library indexed and version-controlled.
- Internal audit programme covers all three frameworks annually.
- Each major change ticket carries control IDs from all relevant frameworks.
Conclusion
NCA, NIST and ISO are different dialects of the same language. Speak all three by keeping one matrix, one evidence library and one disciplined programme. Then the audits become repeatable rituals rather than once-a-year scrambles.