SAMA IT Governance Framework — Board-Level Controls Banks Must Implement

SKYLINE Knowledge Base

A practitioner-grade walk-through of the SAMA IT Governance Framework's board-level controls: scope, controls, implementation phases and audit-ready evidence, with sample policies and configs you can adapt for SAMA Banking Compliance.

Overview

The SAMA IT Governance Framework (ITGF v1.0) sits above the cybersecurity framework. ITGF is about how the board governs, oversees and invests in IT — including cybersecurity, business technology, digital transformation and IT financial management. It applies to the same set of member organisations as the CSF, with the same enforcement model: annual self-assessment, biennial independent assessment.

Who this applies to

  • Every SAMA-licensed bank, finance company, insurance company and PSP.
  • Board members of those organisations carry personal accountability for IT governance outcomes.

Three Lines of Defence

ITGF mandates an explicit three-lines model:

| Line | Owner | Function |
|---|---|---|
| 1st line | Business units + IT operations | Daily controls, first-level risk ownership |
| 2nd line | Risk function + Compliance + Information Security | Policy, oversight, challenge |
| 3rd line | Internal Audit | Independent assurance to the Audit Committee |

The CIO and CISO sit in different lines — never the same person.

Key board-level controls

ITGF defines 39 board-level controls. The high-impact ones:

  1. IT Strategy approved by the board every 3 years, reviewed annually.
  2. Annual IT plan aligned to corporate strategy with measurable KPIs.
  3. IT investment governance — project portfolio reviewed quarterly.
  4. Enterprise architecture function with a chief architect.
  5. Vendor and outsourcing governance including concentration risk.
  6. IT risk appetite explicitly set by the board.
  7. Business continuity oversight tied to IT operations.
  8. Talent strategy for IT and cyber retention.

Step 1: Establish IT governance committees

BOARD
 │
 ├── IT Strategy Committee (chaired by a non-executive director)
 │   - Quarterly meetings
 │   - Reviews strategy execution, major investments, vendor concentration
 │
 ├── Audit Committee
 │   - Receives internal audit IT reports
 │
 └── Risk Committee
     - Receives IT risk register, KRI dashboard

Step 2: IT strategy document

Mandatory contents:

  • 3-year horizon with annual milestones.
  • Linked to corporate strategy KPIs.
  • Capacity plan (people, money, infrastructure).
  • Technology bets identified and risk-rated.
  • Approved exit / sunset list for legacy systems.

Step 3: Board KPIs

Sample minimum dashboard the board should review quarterly:

SAMA Board IT/Cyber Dashboard — Q1 2026

Strategic
  - % strategy milestones on track          : 87%
  - IT spend vs. budget                     : 96.4%
  - Cloud workloads vs. plan                : 71% of target

Risk
  - Open high IT risks                       : 4
  - Open critical cyber findings             : 1 (90-day SLA)

Operations
  - Service availability (T1 apps)           : 99.96%
  - Incidents > P2 in quarter                : 7
  - Patching SLA P1 compliance               : 98.1%
  - PAM coverage of privileged accounts      : 100%

People
  - IT/cyber turnover (rolling 12m)          : 14.2%
  - Open critical roles                      : 3

Step 4: IT investment governance

Quarterly portfolio review:

  • Projects > SAR 1m approved at the IT Strategy Committee.
  • Post-implementation review for every major project at month 6 and month 12.
  • Benefits realisation tracked vs. business case.
  • Programmes overrunning by > 20% trigger a board-level briefing.

Step 5: Vendor and concentration risk

Track:

  • Top 10 vendors by spend.
  • Number of critical services depending on each top vendor.
  • Concentration risk thresholds (e.g., no single vendor > 30% of total spend on critical IT).
  • Cloud concentration risk explicitly flagged.

Step 6: Independent assurance

Internal audit must:

  • Maintain a 3-year audit plan covering all IT/cyber domains.
  • Audit at least 25% of CSF/ITGF controls annually.
  • Have direct reporting line to the Audit Committee.
  • Be staffed with auditors who hold CISA / CRISC / equivalent.

Common gotchas

  • Strategy approved by the CIO but not the board — fails immediately.
  • IT portfolio meetings happen but no minutes — assessors will not accept verbal-only.
  • KPI dashboard manually compiled in PowerPoint each quarter — auditors want a sustainable source.
  • IT Audit reports go to the CIO before the Audit Committee — independence broken.

Verification

  • Board-approved 3-year IT strategy + last review minutes.
  • Quarterly IT Strategy Committee minutes for the past year.
  • Annual IT plan signed by the board.
  • Portfolio register with project status.
  • Vendor concentration analysis dated within the last quarter.
  • Internal Audit plan + at least four IT audit reports per year.

Conclusion

ITGF makes IT a board-level discipline. The board cannot delegate accountability; it can only delegate execution. Build the dashboards, hold the meetings, and document everything.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
