NCA ECC – 2: 2024 – A comprehensive update to Essential Cyber Security Controls (ECC)
As the digital environment advances and new cyber threats emerge, the National Cyber security Authority (NCA) has recognized the need to enhance its cyber security guidelines continuously. In response to these growing challenges, the Authority has updated its Essential Cyber security Controls (ECC), releasing NCA ECC–2:2024, an evolution of the previously established NCA ECC–1:2018.
This new version reinforces Saudi Arabia’s commitment to robust cyber security and addresses the latest vulnerabilities and trends in information security. ECC–2:2024 offers a more comprehensive, updated set of controls that align with international standards and address traditional IT systems and new-age technologies like cloud infrastructure and industrial control systems.
Let’s explore the key changes made in the new version.
What is NCA ECC–2:2024?
The NCA has introduced an updated version of its Essential Cyber security Controls (ECC–2:2024) after extensively evaluating various global and national cyber security frameworks. This update comes from a thorough analysis that considered international standards, national regulations, and relevant legal requirements.
The NCA also incorporated cyber security best practices and carefully examined past cyber incidents impacting government entities and other critical organizations.
NCA ECC–2:2024 is structured into:
- 4 Cyber security Main Domains
- 28 Cyber security Subdomains
- 110 Cyber security Controls
- 90 Cyber security Subcontrols
It’s worth noting that this latest version refines the previous ECC–1:2018, which included 5 main domains, 29 subdomains, and 114 controls. The updated structure offers a streamlined and more focused approach, addressing the most pressing cyber security challenges organizations face today.
Implementation and compliance
All organizations that fall under the NCA ECC–2:2024 framework must take steps to ensure they continuously meet the required cyber security controls. The Authority may check compliance through various methods, including:
- Self-assessments by organizations
- Periodic reports from compliance tools
- On-site audits
Assessment and compliance tool
The NCA will introduce the ECC-2:2024 Assessment and Compliance Tool to help organizations manage their compliance more effectively. This tool will assist organizations in organizing their evaluation processes and measuring how well they meet the ECC requirements.
Updates and enhancements in NCA ECC–2:2024
The latest version of the NCA ECC framework introduces several modifications to enhance clarity and improve security measures across its main domains. Key changes include:
- Modifications in terms and conditions.
- Deletion of Domain 5.
- Adjustments to various controls for better alignment with current cyber security practices.
- Enhancements to existing security protocols to address evolving threats.
Notable controls that have been modified include:
- Control 1-2-2
- Subcontrol 2-2-3-1
- Subcontrol 2-2-3-2
- Subcontrol 2-4-3-2
- Subcontrol 2-4-3-5
- Control 2-7-3
- Subcontrol 2-15-3-5
These updates ensure that organizations can more effectively manage their cyber security responsibilities and respond to emerging risks.
NCA ECC–2:2024 domains and structure
NCA ECC–2:2024 is organized into four main cyber security domains, each addressing specific areas of cyber security. These domains are further divided into subdomains that outline detailed controls and practices.

Let’s explore each domain, detailing what it entails and its importance in strengthening overall cyber security efforts.
1. Cyber security governance
This domain is essential for building a strong cyber security foundation in organizations. It focuses on creating clear strategies and policies that outline how to manage cyber security effectively. Its main goal is to ensure that everyone knows their roles and responsibilities and that there are effective plans in place to handle risks and comply with cyber security standards.
By fostering a culture of security awareness and training, organizations can better protect themselves against cyber threats. Overall, this domain helps organizations create a structured approach to managing cyber security risks, leading to a more resilient security posture.
2. Cyber security defense
The cyber security defense domain within the NCA ECC–2:2024 framework is vital for enhancing an organization’s security posture. Comprising 15 critical subdomains and 60 controls, this domain helps strengthen defenses against cyber threats.
It focuses on essential areas such as asset management, Identity and Access Management (IAM), network security, and cryptography. Additionally, it includes processes for identifying and managing vulnerabilities. By implementing robust defense strategies, organizations can protect their digital assets, control access to sensitive information, and mitigate potential risks.
3. Cyber security resilience
The cyber security resilience domain is dedicated to enhancing an organization’s capability to endure and recover from cyber security incidents. This domain emphasizes integrating cyber security resilience requirements into business continuity management. With a single subdomain focused on “Cyber Security Resilience Aspects of Business Continuity Management (BCM),” it includes four essential controls.
This will help organizations minimize cyber incidents’ impact on critical systems, information processing facilities, and e-services.
By focusing on resilience, organizations can better prepare for disruptions, ensuring they can swiftly recover and maintain essential operations even when faced with cyber security challenges.
4. Third-party and cloud computing cyber security
The third-party and cloud computing cyber security domain focuses on enhancing organizations’ defenses against cyber security risks that come from working with external partners and using cloud services.
This domain includes two important subdomains: “Third-Party Cyber Security” and “Cloud Computing and Hosting Cyber Security,” which collectively feature eight essential controls. By addressing these areas, organizations can better manage risks associated with third-party collaborations and ensure the security of their cloud-based operations.
Automate your NCA ECC–2:2024 implementation with CyberArrow GRC
Organizations can now automate the implementation of NCA ECC-2:2024 with CyberArrow, simplifying the process of adapting to new updates and requirements. Say goodbye to manual spreadsheets and the hassle of identifying security controls across multiple systems.
With CyberArrow, you get:
- Ongoing NCA ECC-2:2024 monitoring: Automatically gather evidence across 50+ integrations and utilize auditor-approved document templates.
- Security KPI monitoring: Continuously assess your security posture and automate reporting for security control KPIs, allowing you to focus your time where it’s truly needed.
- Automated risk management: Effortlessly manage risk assessments with pre-mapped controls and robust reporting dashboards.
- Arabic language support: Everything, from technical checks to documentation, is managed in both languages (English & Arabic).
Leverage CyberArrow’s powerful features to ensure your organization meets NCA ECC-2:2024 requirements efficiently.
