
SAMA Compliance Checklist for Financial Institutions

Complete SAMA compliance checklist for Saudi financial institutions. Domain-by-domain requirements, obligations, and practical implementation steps.

Written by
Trio Content Team
Published on
30 Mar 2026
Modified on
30 Mar 2026

Saudi Arabia's financial sector is under mounting pressure. From January to April 2025, threat intelligence firm Foresiet reported a significant rise in both external and internal threats targeting financial systems and critical infrastructure, and with over 280 active fintech firms operating under Vision 2030's expansion mandate, the regulatory stakes have never been higher. A structured SAMA compliance checklist is no longer a project management convenience; it is an operational requirement.

So what does a SAMA compliance checklist actually cover? It spans four control domains (Cyber Security Leadership and Governance; Cyber Security Risk Management and Compliance; Cyber Security Operations and Technology; Third-Party Cyber Security), and every control is self-assessed and documented against a six-level maturity model. Level 3 is the mandatory minimum for all Member Organizations.

The SAMA Cybersecurity Framework (CSF) applies to every regulated entity in Saudi Arabia's financial sector: banks, insurers, fintechs, payment providers, and exchange companies alike. There are no size exemptions, no grace periods for newer licensees, and no external certification that substitutes for the mandatory annual self-assessment.

This article walks through each domain's checklist items, explains what Level 3 actually requires, names the five most common audit failure points, and shows how device-level controls, including Mobile Device Management, fit directly into the framework.

TL;DR

  • The SAMA Cybersecurity Framework (CSF) applies to all SAMA-regulated entities (banks, fintechs, insurers, payment providers, and exchange companies), with no size exemptions.

  • The framework has four control domains: Governance, Risk Management and Compliance, Operations and Technology, and Third-Party Security.

  • All Member Organizations must reach at least Level 3 (Structured and Formalized) on the six-level maturity scale.

  • SAMA compliance requires annual self-assessments with documented evidence per control, not just implemented policies.

  • Mobile Device Management (MDM) is explicitly named in the SAMA Cyber Resilience section as a required technology control.

  • A checklist is a starting point; continuous monitoring and documented evidence close the gap between paper compliance and real security posture.

What Is the SAMA Cybersecurity Framework and Who Does It Apply To?

If you're already familiar with SAMA's scope and Member Organization definition, skip ahead to the domain-by-domain checklist below.

The SAMA Cybersecurity Framework is a mandatory cybersecurity standard issued by the Saudi Central Bank (formerly the Saudi Arabian Monetary Authority, which is where the SAMA acronym comes from). Version 1.0 was issued in May 2017 and applies to all SAMA-regulated entities (banks, insurance companies, finance companies, fintech companies, payment service providers, and exchange companies operating in Saudi Arabia), along with their employees, subsidiaries, and third-party associates. SAMA compliance starts with confirming that your organization falls within this scope, because the framework's obligations extend to anyone who provides financial services under a SAMA license.

One distinction matters more than most: SAMA CSF is non-certifiable. There is no external certification body, no third-party auditor who stamps your organization as SAMA-compliant. Organizations self-assess, submit to SAMA, and are held accountable through SAMA's supervisory process. This is fundamentally different from ISO 27001, which can be certified externally. ISO 27001 is complementary and can strengthen your documentation posture, but it does not substitute for the SAMA self-assessment, and treating it as a proxy creates a specific compliance gap that SAMA reviewers have learned to spot.

Regulatory compliance requirements, including SAMA, NCA, and Vision 2030 mandates, are widely reported as the dominant driver of cybersecurity spending decisions across Saudi Arabia's financial sector, which reflects how central the CSF has become to institutional planning. The framework's four control domains cover governance, risk, technical operations, and third-party relationships. One additional regime runs in parallel: the Personal Data Protection Law (PDPL), which came into force on 14 September 2023 (with a one-year grace period for compliance), applies independently to all Saudi financial institutions and overlaps with several SAMA CSF controls, particularly data encryption and breach notification.

SAMA does not tier its requirements by institution size. A 10-person fintech licensed last year faces the same Level 3 obligations as a major commercial bank. Smaller organizations frequently underestimate this, which is one of the most common scoping mistakes practitioners report.

The SAMA Compliance Checklist: Domain-by-Domain Breakdown

SAMA CSF structures its requirements across four primary control domains. Following a domain-by-domain structure is the most efficient way to run a gap assessment, because each domain maps to a distinct ownership area: governance, risk, IT operations, and vendor management. A practical tip from experienced practitioners: start with your highest-risk or lowest-maturity domain, not with the controls listed alphabetically or by reference number. This SAMA compliance checklist organizes items the same way SAMA expects them documented.

Before working through the domains, confirm you have a SAMA checklist owner assigned for each domain. Without named ownership, evidence collection becomes a last-minute scramble.

Domain 3.1: Cyber Security Leadership and Governance

Governance must be in place before technical controls are implemented. Without a Cybersecurity Committee and a defined CISO role, technical compliance efforts lack the authority and accountability SAMA requires.

  • Establish a Cybersecurity Steering Committee with board-level visibility
  • Define and document the CISO role and reporting line (a Saudi national CISO appointed with SAMA's 'no objection' is the Level 4 threshold, not a Level 3 requirement)
  • Approve and publish a formal Cyber Security Policy with version history
  • Develop and maintain a documented Cyber Security Strategy aligned to business objectives
  • Embed cybersecurity requirements into project management processes across the organization
  • Deliver cybersecurity awareness training to all staff and maintain completion records as evidence
  • Define roles and responsibilities for cybersecurity across all departments

Evidence expected: Approved policy documents with version history, board meeting minutes showing cybersecurity agenda items, training completion records.

Domain 3.2: Cyber Security Risk Management and Compliance

This domain is where PDPL and SAMA CSF intersect most visibly. Dual compliance pressure here is a live requirement, not a future concern: organizations must manage both sets of obligations in parallel.

  • Conduct and document a formal Cyber Security Risk Assessment covering all assets, processes, and third parties
  • Maintain a risk register with defined risk owners and documented treatment plans
  • Schedule and execute periodic internal Cyber Security Reviews to identify gaps versus current controls
  • Conduct annual Cyber Security Audits and retain all audit reports as evidence
  • Define legal and regulatory compliance obligations, covering PDPL, NCA ECC-2, and SAMA CSF together
  • Map PDPL requirements to the relevant SAMA CSF controls: data encryption, consent management, and DPO appointment all overlap directly (PDPL in force since 14 September 2023)

Evidence expected: Dated risk assessment reports, risk register with defined ownership, audit reports, documented PDPL alignment mapping.

Domain 3.3: Cyber Security Operations and Technology

This is the largest domain and the one most likely to require tooling investments. It covers the broadest set of IT compliance controls in the framework, and practitioners on Saudi network administration forums consistently flag device management and access centralization as the most technically demanding items to evidence.

  • Maintain a complete hardware and software asset inventory; this is the foundational control, and every other operational control depends on it
  • Implement and enforce Identity and Access Management (IAM) with defined access control policies, including all sub-controls under reference 3.3.5
  • Enforce Multi-Factor Authentication (MFA) across all critical systems and user accounts
  • Define and implement network security controls: firewalls, IDS/IPS, and network segmentation
  • Establish a Vulnerability Management process with periodic assessments and a defined patch management cadence
  • Enforce encryption for data at rest and in transit across all systems
  • Implement Mobile Device Management (MDM) for all mobile and endpoint devices; SAMA's Cyber Resilience section explicitly names MDM as a required technology category. An MDM platform such as Trio MDM can supply the enrollment records, device policy configurations, and automated compliance status that SAMA reviewers expect as evidence for this control
  • Define and test Business Continuity and Disaster Recovery plans with documented exercise records
  • Establish Event Management and Incident Management procedures with defined escalation paths
  • Conduct regular vulnerability assessment and penetration testing (VAPT) and retain the reports

Evidence expected: Asset inventory exports, IAM policy documents, MFA enrollment records, vulnerability scan reports, MDM enrollment records and policy configurations, tested BCP/DR plans with exercise records.

Troubleshooting note: If your Domain 3.3 audit evidence is rejected, check first whether your asset inventory is current and complete; it is the foundational dependency for every other operational control in this domain.

Second-order note: Enforcing MFA across all systems will surface legacy applications that do not support modern authentication protocols. Plan for application exceptions documentation before the self-assessment, not during it.

Practitioners consistently report that evidence collection, not control implementation, is the hardest part of the annual self-assessment. The solution is a living evidence repository updated continuously throughout the year, not assembled in the weeks before the submission deadline.
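The three checks this domain keeps coming back to (a complete inventory as the root dependency, MDM enrollment and encryption as device evidence, MFA exceptions surfaced before the assessment rather than during it) can be run mechanically against the exports your tooling already produces. The script below is an added example written for this article; it is not Trio MDM code and not a SAMA artifact. The three CSV strings are constructed sample exports with hypothetical hostnames and users, and the column names, the 30-day check-in threshold and the CRITICAL_APPS set are assumptions you would map onto your own CMDB, MDM and identity provider exports.

```python
"""Reconcile an asset inventory against MDM and IdP exports (added example)."""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample exports. Hostnames, users and serials are hypothetical;
# the column names are assumptions, not any vendor's real export format.
ASSET_INVENTORY_CSV = """asset_id,hostname,type,owner,in_scope
A-001,LAPTOP-RIY-01,endpoint,user01,yes
A-002,LAPTOP-RIY-02,endpoint,user02,yes
A-003,LAPTOP-RIY-03,endpoint,user04,yes
A-004,SRV-CORE-01,server,platform,yes
A-005,PHONE-RIY-07,mobile,user03,yes
A-006,PRINTER-LOBBY,peripheral,facilities,no
"""

MDM_ENROLLMENT_CSV = """serial,hostname,enrolled,encrypted,last_checkin_days
S1,LAPTOP-RIY-01,yes,yes,1
S2,LAPTOP-RIY-02,yes,no,45
S4,PHONE-RIY-07,yes,yes,2
S9,LAPTOP-RIY-09,yes,yes,3
"""

IDP_MFA_CSV = """user,mfa_enrolled,app
user01,yes,core-banking
user02,no,core-banking
user03,yes,core-banking
svc-legacy,no,legacy-gl
"""

CRITICAL_APPS = {"core-banking", "legacy-gl"}  # assumption: your critical-system list
MAX_CHECKIN_DAYS = 30  # assumption: a device silent for >30 days is not evidence of control


@dataclass
class Findings:
    unmanaged: list = field(default_factory=list)    # in inventory, not enrolled in MDM
    unknown: list = field(default_factory=list)      # enrolled in MDM, missing from inventory
    stale: list = field(default_factory=list)        # enrolled but not checking in
    unencrypted: list = field(default_factory=list)  # enrolled but disk encryption off
    mfa_gaps: list = field(default_factory=list)     # (user, critical app) without MFA


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv, mdm_csv, mfa_csv, max_checkin_days=MAX_CHECKIN_DAYS):
    """Cross-check the three exports and return every gap a reviewer would find."""
    findings = Findings()
    inv = {r["hostname"]: r for r in _rows(inventory_csv) if r["in_scope"] == "yes"}
    mdm = {r["hostname"]: r for r in _rows(mdm_csv) if r["enrolled"] == "yes"}

    # Only endpoints and mobiles are expected in MDM; servers sit under other controls.
    mdm_scope = {h for h, r in inv.items() if r["type"] in {"endpoint", "mobile"}}

    findings.unmanaged = sorted(mdm_scope - mdm.keys())
    # Devices MDM knows about but the inventory does not: the inventory is
    # incomplete, which is the gap reviewers challenge first.
    findings.unknown = sorted(mdm.keys() - inv.keys())
    for host in sorted(mdm_scope & mdm.keys()):
        r = mdm[host]
        if int(r["last_checkin_days"]) > max_checkin_days:
            findings.stale.append(host)
        if r["encrypted"] != "yes":
            findings.unencrypted.append(host)

    # Every identity on a critical application without MFA is either a gap to
    # close or an exception that must be documented before the self-assessment.
    for r in _rows(mfa_csv):
        if r["app"] in CRITICAL_APPS and r["mfa_enrolled"] != "yes":
            findings.mfa_gaps.append((r["user"], r["app"]))
    return findings


def evidence_ready(findings):
    """True only when every gap list is empty: the state you want before submission."""
    return not any([findings.unmanaged, findings.unknown, findings.stale,
                    findings.unencrypted, findings.mfa_gaps])


if __name__ == "__main__":
    f = reconcile(ASSET_INVENTORY_CSV, MDM_ENROLLMENT_CSV, IDP_MFA_CSV)
    for name, items in vars(f).items():
        print(f"{name}: {items}")
    print("evidence ready:", evidence_ready(f))
```

Run it before the self-assessment, not during it: unknown is the inventory gap reviewers challenge first, unmanaged is your MDM coverage gap, stale and unencrypted are enrolled devices that still do not evidence the control, and mfa_gaps is the raw material for the legacy-application exception register.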

Which SAMA domain should you prioritize first?

No governance structure yet (no Cybersecurity Committee, no documented CISO role) → Start with Domain 3.1. Without governance, technical controls have no authority or accountability behind them.

Governance in place but no formal risk assessment completed → Move to Domain 3.2 first. The risk assessment output feeds directly into the controls you prioritize in Domain 3.3.

Governance and risk assessment complete, now implementing technical controls → Work through Domain 3.3 systematically, starting with asset inventory, it is the dependency for all other operational controls.

Not sure? → Run a gap assessment across all four domains before starting implementation. Map your current state against the Level 3 criteria; any control that is implemented but not yet formally documented, approved, and evaluated is your starting point.

Domain 3.4: Third-Party Cyber Security

  • Include cybersecurity requirements in all vendor contracts and SLAs (control 3.4.1)
  • Define and implement an outsourcing policy with cybersecurity controls for all outsourced functions (control 3.4.2)
  • Apply specific cybersecurity controls to cloud computing providers, in both hybrid and public cloud environments (control 3.4.3)
  • Conduct periodic vendor security assessments and retain the results as evidence
  • For open banking contexts: apply SAMA's API security guidance to third-party fintech integrations; this is an emerging requirement that is gaining attention in SAMA supervisory communications

Evidence expected: Vendor contract security clauses, outsourcing risk assessments, cloud provider compliance documentation.

SAMA CSF Domain-by-Domain Compliance Checklist at a Glance

Each row lists the domain, the key controls required, the minimum evidence expected, the most common failure point, and the maturity level threshold.

3.1 Governance
  Key controls required: Cybersecurity Committee, CISO role, policy documentation, awareness training
  Minimum evidence expected: board minutes, approved policy documents, training records
  Common failure point: informal governance with no documented ownership
  Maturity level threshold: Level 3 requires formal documentation; Level 4 requires a Saudi national CISO with SAMA approval

3.2 Risk Management
  Key controls required: risk assessment, risk register, internal reviews, annual audits
  Minimum evidence expected: dated risk assessments, risk register, audit reports
  Common failure point: risk assessment completed once and never updated
  Maturity level threshold: Level 3 requires a formalized and repeatable process

3.3 Operations and Technology
  Key controls required: asset inventory, IAM/MFA, network security, MDM, VAPT, encryption
  Minimum evidence expected: asset inventory, IAM policy, MFA records, MDM configurations, vulnerability scan reports
  Common failure point: incomplete asset inventory invalidating downstream controls
  Maturity level threshold: Level 3 requires all controls documented and implemented

3.4 Third-Party Security
  Key controls required: vendor contract clauses, outsourcing policy, cloud controls
  Minimum evidence expected: vendor contracts with security clauses, cloud provider compliance documentation
  Common failure point: foreign vendors refusing SAMA-specific contract language
  Maturity level threshold: Level 3 requires contractual controls in all active vendor relationships

PDPL Overlap
  Key controls required: data encryption, DPO appointment, consent management, breach notification
  Minimum evidence expected: DPO appointment record, encryption documentation, consent flows
  Common failure point: treating PDPL as separate from SAMA CSF and creating duplicate gaps
  Maturity level threshold: in force since 14 September 2023 for all financial institutions

Self-Assessment Process
  Key controls required: annual questionnaire completion, documented evidence per control, SAMA submission
  Minimum evidence expected: completed self-assessment questionnaire with evidence attachments
  Common failure point: evidence assembled only at assessment time, not maintained continuously
  Maturity level threshold: mandatory annually for all Member Organizations

IAM / MFA Controls (control reference 3.3.5)
  Key controls required: role-based access, privileged access documentation, MFA enforcement
  Minimum evidence expected: access control policy, MFA enrollment logs, PAM session records
  Common failure point: MFA deployed for some systems but not all critical applications
  Maturity level threshold: Level 3 requires full IAM implementation

Mobile and Endpoint Controls
  Key controls required: MDM enrollment, device security policies, remote wipe capability, encryption
  Minimum evidence expected: MDM policy configurations, enrollment records, encryption audit
  Common failure point: no MDM in place; no evidence of device-level control enforcement
  Maturity level threshold: MDM explicitly required in the SAMA Cyber Resilience section

The SAMA Cybersecurity Maturity Model: What Level 3 Actually Requires

The maturity model runs from Level 0 to Level 5, and every Member Organization must reach Level 3 at minimum. Each level builds on the one before: a control cannot be rated Level 3 unless it also satisfies the Level 1 and Level 2 criteria.

Here is what each level means in practice:

  • Level 0 (Non-existent): No controls exist; the organization has not addressed cybersecurity requirements at all
  • Level 1 (Ad-hoc): Controls exist but are undocumented and inconsistently applied across the organization
  • Level 2 (Repeatable but informal): Controls are defined and partially documented, but their application is informal and not yet formalized
  • Level 3 (Structured and formalized, the mandatory minimum): Controls are formally documented, approved, and implemented at scale; performance indicators are defined; and the controls are regularly evaluated, not just deployed. The evaluation evidence has to be maintained continuously, not captured as a point-in-time snapshot
  • Level 4 (Managed and measurable): Key Risk Indicator (KRI) thresholds are defined and monitored, a Saudi national CISO holds the role with SAMA 'no objection', a Board-approved cybersecurity roadmap is in place, and advanced threat intelligence is integrated
  • Level 5 (Adaptive): Continuous improvement programs are active, with peer and sector benchmarking

The distinction between Level 2 and Level 3 is where most organizations get stuck during a SAMA review. Having controls in place is Level 2. Having documented, formally approved, and regularly evaluated controls is Level 3. That gap between operational reality and documented, reviewed evidence is exactly where self-assessments fail.

SAMA applies identical Level 3 requirements to all Member Organizations, regardless of size. A recently licensed payment provider faces the same threshold as an established commercial bank. The real obstacle for smaller fintechs is rarely technical capability; it is a documentation culture gap. Informal processes that work in practice have simply never been written down, approved, or formally reviewed.

A second-order effect to plan for: formally documenting all controls for Level 3 will surface informal processes that are effective in practice but have never been written down. Those processes must then be documented and formally approved before they can serve as audit evidence, which creates a short-term workload spike. Building that sprint into your project plan early prevents it from becoming a bottleneck at submission time.

Five SAMA Compliance Pitfalls That Get Institutions Cited

SAMA reviewers have become increasingly effective at identifying compliance gaps. Organizations building a SAMA compliance checklist frequently overlook these five areas, and they are consistently the root cause of cited deficiencies.

Pitfall 1: Weak Governance Documentation

Controls exist, but there is no formal approval trail behind them. Policies are drafted but never submitted to the Cybersecurity Committee or board for approval. SAMA requires version-controlled documentation with a clear approval record; a shared folder of working drafts does not satisfy this requirement.

Pitfall 2: Generic Policy Templates Submitted Without Tailoring

Organizations purchase ISO 27001 or generic ISMS template packages and submit them as SAMA evidence without modification. SAMA reviewers are effective at identifying copy-paste documentation that lacks Saudi-specific operational context. A policy that references generic "applicable law" instead of naming SAMA CSF, PDPL, and NCA ECC-2 is a flag.

Pitfall 3: Incomplete Asset Inventory

Asset inventory is the foundational control in Domain 3.3; every other operational control depends on knowing what assets exist. Outdated or partial inventories create a cascading problem: if reviewers find gaps in the inventory, they will question the validity of every downstream control that relies on it.

If SAMA reviewers challenge your self-assessment evidence, check asset inventory completeness first; it is the most common root cause of downstream evidence failures.

Pitfall 4: Evidence Assembled Only Before Assessment Time

Organizations that compile their evidence binder from scratch before each annual self-assessment create inconsistencies that experienced reviewers spot immediately: logs that do not match policy dates, training records with gaps, vulnerability scans from outside the assessment period. Maintaining continuous evidence records throughout the year, whether with compliance automation software or a disciplined evidence repository, removes this scramble.
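Pitfall 1 (no approval trail) and Pitfall 4 (evidence that does not line up with policy dates or the assessment period) are both date-consistency problems, and they can be caught before submission with a simple index of evidence artifacts. The check below is an added example written for this article; it is not SAMA's scoring logic and not any vendor's tooling. The control references, dates, cadences and artifact kinds are constructed sample data, and the four rules it applies (evidence inside the assessment period, an approved policy dated before the evidence that backs it, recurring artifacts no older than their cadence, no approved policy without any evidence of it operating) are assumptions that express the article's points rather than official SAMA criteria.

```python
"""Check a self-assessment evidence index for date consistency (added example)."""
from datetime import date, timedelta

# Constructed assessment period and check date.
PERIOD_START = date(2025, 1, 1)
PERIOD_END = date(2025, 12, 31)
AS_OF = date(2025, 12, 15)  # the day the binder is reviewed internally

# Constructed policy register: control reference -> (version, approval date).
# The references follow the CSF numbering used in the article; the dates are invented.
POLICIES = {
    "3.1.1": ("v2.1", date(2024, 11, 20)),
    "3.3.3": ("v1.0", date(2025, 1, 9)),
    "3.3.5": ("v1.4", date(2025, 3, 2)),
    "3.3.17": ("v1.0", date(2025, 2, 10)),
}

# Constructed evidence index. cadence_days is the maximum acceptable age of a
# recurring artifact (assumption: quarterly scans, so 90 days); None for
# one-off artifacts such as minutes or reports.
EVIDENCE = [
    {"control": "3.1.1", "kind": "board-minutes", "date": date(2024, 12, 15), "cadence_days": None},
    {"control": "3.3.5", "kind": "mfa-enrollment-report", "date": date(2025, 1, 15), "cadence_days": None},
    {"control": "3.3.17", "kind": "vuln-scan", "date": date(2025, 2, 1), "cadence_days": 90},
    {"control": "3.3.17", "kind": "vuln-scan", "date": date(2025, 6, 1), "cadence_days": 90},
    {"control": "3.3.4", "kind": "architecture-review", "date": date(2025, 4, 1), "cadence_days": None},
]


def check_evidence(evidence, policies, period_start=PERIOD_START,
                   period_end=PERIOD_END, as_of=AS_OF):
    """Return (control, problem_code, detail) tuples; an empty list means clean."""
    problems = []
    covered = set()
    for item in evidence:
        ctrl, kind, when = item["control"], item["kind"], item["date"]
        covered.add(ctrl)
        # Rule 1: the artifact must fall inside the assessment period.
        if not period_start <= when <= period_end:
            problems.append((ctrl, "outside_period", f"{kind} dated {when}"))
        # Rule 2: evidence without an approved policy is Level 2, not Level 3;
        # evidence older than the policy's approval cannot show that policy operating.
        policy = policies.get(ctrl)
        if policy is None:
            problems.append((ctrl, "no_policy", f"{kind} has no approved policy behind it"))
        elif policy[1] > when:
            problems.append((ctrl, "predates_policy",
                             f"{kind} dated {when} is older than {policy[0]} approved {policy[1]}"))

    # Rule 3: a recurring artifact only evidences "regular evaluation" if the
    # newest copy is within one cadence of the check date.
    newest = {}
    for item in evidence:
        if item["cadence_days"] is None:
            continue
        key = (item["control"], item["kind"])
        if key not in newest or item["date"] > newest[key]["date"]:
            newest[key] = item
    for (ctrl, kind), item in newest.items():
        age = (as_of - item["date"]).days
        if age > item["cadence_days"]:
            problems.append((ctrl, "stale",
                             f"newest {kind} is {age} days old, cadence is {item['cadence_days']}"))

    # Rule 4: an approved policy with nothing in the index is documented but
    # not demonstrably implemented.
    for ctrl in sorted(set(policies) - covered):
        problems.append((ctrl, "no_evidence", "policy approved but no artifact shows it operating"))
    return problems


def problem_codes(problems):
    """Collapse the detail text so results can be compared as a set."""
    return {(ctrl, code) for ctrl, code, _ in problems}


if __name__ == "__main__":
    for ctrl, code, detail in check_evidence(EVIDENCE, POLICIES):
        print(f"{ctrl:7} {code:16} {detail}")
```

Each problem code maps back to a pitfall: no_policy and predates_policy are the missing approval trail of Pitfall 1, outside_period and stale are the mismatched dates of Pitfall 4, and no_evidence is the Level 2 versus Level 3 gap. Running this monthly against a living evidence repository is what turns the "continuous evidence" advice into something you can show a reviewer.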

Pitfall 5: Third-Party Vendor Contracts Without Security Clauses

Domain 3.4 requires documented cybersecurity obligations in every vendor contract. Many organizations have verbal or informal vendor arrangements that have never been formalized with security language. Foreign vendors sometimes actively resist SAMA-specific contract clauses. This is a procurement and legal problem, not an IT problem: failing to involve procurement and legal teams early in the compliance program is a non-technical bottleneck that delays more organizations than any technical control gap.

Download Our SAMA Compliance Checklist

Download your SAMA Compliance Checklist to gain a clear, actionable overview of SAMA’s regulatory and cybersecurity requirements. Use this resource to evaluate your current controls, identify compliance gaps, and take structured steps toward achieving and maintaining full SAMA compliance.

How Trio MDM Helps With SAMA Compliance

SAMA's Cyber Resilience section explicitly requires Mobile Device Management as a technology control. The SAMA compliance checklist items in Domain 3.3 for endpoint and device controls require documented evidence, enrollment records, applied policy configurations, and proof that controls are actively monitored. Trio MDM addresses these requirements directly.

Centralized device inventory: Trio MDM enrolls and centrally manages devices across Android, iOS/iPadOS, macOS, Windows, and Linux. The Device List provides a real-time view of every enrolled device, including enrollment date, compliance status, serial number, and last check-in time, which directly supports the asset inventory requirement in Domain 3.3.

Security policy enforcement: Trio MDM deploys and enforces security profiles and device policies at scale. Policies are applied automatically, supporting the formalized and consistently implemented controls that Level 3 requires across all enrolled endpoints.

Compliance automation: Trio MDM continuously tests devices against framework controls and provides one-click remediation for most compliance issues. After remediation, devices are retested automatically. This supports Level 3's requirement that controls be "regularly evaluated", closing the gap between the annual self-assessment cycle and real-time device posture.

MFA support: Trio MDM supports Multi-Factor Authentication, including Google Authenticator, Microsoft Authenticator, hardware security keys, and passkeys, which maps directly to SAMA's IAM and access control requirements in Domain 3.3.

BYOD and COD management: Trio MDM manages both BYOD and corporate-owned devices under separate policy tracks. For BYOD, policies apply only to the managed workspace, isolating corporate data from personal data. For corporate-owned devices, full compliance visibility and policy enforcement apply. This is directly relevant to financial institutions with mixed device fleets.

Remote lock and wipe: Trio MDM includes remote lock and remote wipe capability, supporting the device security controls SAMA reviewers check as part of endpoint management evidence.

These capabilities map directly to the device-level evidence requirements in Domain 3.3. For institutions building toward Level 3, having an MDM solution in place is not optional; the framework names it explicitly. Start your free trial or book a demo to see how Trio MDM maps to your SAMA compliance checklist.


Frequently Asked Questions (FAQ)

Does SAMA tier its requirements by institution size?

No. SAMA CSF applies uniformly to all Member Organizations regardless of size or business model. A recently licensed fintech and a major commercial bank face identical Level 3 requirements. There is no official size-based tiering in the framework, and SAMA's supervisory process does not adjust expectations based on headcount or asset size.

What evidence do SAMA reviewers expect for the MDM control?

SAMA reviewers expect documentary evidence that MDM is deployed and actively managed: specifically, device enrollment records, applied security policy configurations, and evidence that policies are regularly reviewed. Vulnerability scan reports and remediation logs further strengthen the submission and demonstrate that controls are not just in place but actively evaluated.

How do SAMA CSF and PDPL relate to each other?

They are separate but overlapping. SAMA CSF governs cybersecurity posture; PDPL governs personal data protection. They overlap in areas including data encryption, breach notification requirements, and consent management. Financial institutions must satisfy both independently, though controls built for one often provide partial evidence for the other, reducing duplication with proper mapping.

Are BYOD devices in scope for SAMA's device controls?

BYOD devices that access company systems fall within the scope of SAMA's device control requirements. Institutions must document whether personal devices are covered under the MDM policy or formally excluded, and if excluded, what compensating controls are in place. SAMA does not distinguish between device ownership types when assessing compliance with endpoint security requirements.

Can ISO 27001 certification substitute for SAMA CSF compliance?

No. SAMA CSF is a mandatory Saudi-specific framework and is not substitutable with ISO 27001. ISO 27001 is a voluntary international standard that is complementary: it can support your SAMA compliance documentation, particularly in the governance and risk domains, but it does not replace the SAMA CSF self-assessment obligation, which remains mandatory regardless of any external certification held.
