Compliance with Saudi NCA-ECC based on ISO/IEC 27001

Organizations are required to implement an information security management system (ISMS) for making a central cybersecurity framework, reducing costs, treating risks, and so on. Several ISMS standards have been issued and implemented locally and internationally. In Saudi Arabia, the most widely implemented international ISMS is ISO/IEC 27001. Currently, the Saudi National Cybersecurity Authority (NCA) issued a local framework called Essential Cybersecurity Controls (NCA-ECC). Therefore, many ISO/IEC 27001 certified organizations in Saudi Arabia are trying to convert from ISO/IEC 27001 to NCA-ECC or comply with both frameworks. Nevertheless, cybersecurity experts need to know which cybersecurity controls are already implemented, based on the ISO/IEC 27001, and which are not. This paper first measures the extent to which certified ISO/IEC 27001 Saudi organizations comply with the NCA-ECC. Second, it presents a framework for complying with the required unimplemented or partially implemented NCA-ECC controls. The framework can also help organization to be in compliance with both frameworks, if required. Three ISO/IEC 27001-certified Saudi public universities are selected as samples. The data is collected by interviewing the cybersecurity officers in the selected universities. This research shows that certified ISO/IEC 27001 organizations are approximately 64% in compliance with the NCA-ECC. The presented framework can help any ISO/IEC 27001 certified Saudi organization convert from ISO/IEC 27001 to NCA-ECC in a quick and cost-effective manner by considering only NCA-ECC nonconformities.