Essential Cybersecurity Controls (ECC-1:2018)

The Kingdom of Saudi Arabia is living now in a mutation of the level of the use of Information Technology and Digital Transformation in institutions and companies, and it is so obvious when looking at the huge and massive government investment in information technology. However, this technology may have risks that could lead to threats and shake the national security if the control is lost as a result of a breach or problem with a component of cyberspace.

The National Cybersecurity Authority NCA has developed and launched the Essential Cybersecurity Controls  (ECC-1-2018) to avoid disasters that may results from cyber risks and to define the minimum requirements of cybersecurity in the national institutions that fall under the scope of implementation of these controls.

All national authorities must raise and improve their cybersecurity level to protect their networks, systems, and electronic data and comply to the national cybersecurity authority (NCA) policies, frameworks, standards, controls, and guidelines in this regard.

      – The royal decree number 57231, dated 11/10/1439H.

What are Essential Cybersecurity Controls?

They are organized practices and frameworks developed by national and international organizational authorities and they are contain of measures and countermeasures that institutions must to implement for discovering, preventing, or facing security risks that target the technology and information assets.

The Features of Essential Cybersecurity Controls

ECC-1-2018 are characterized by:

  1. Focuses on the protection of key objectives, which are: confidentiality, integrity, and availability of information.
  2. They’re built based on the best practices, standards, and organizational frameworks (international and local).
  3. These controls give great interest to the pillars that cybersecurity focuses on (Strategy, people, procedures, and technology).

Importance of Essential Cybersecurity Controls

Regardless to the mandatory of implementing essential cybersecurity  controls (ECC-1-2018) for some entities, they provide many benefits to the other organizations, and we mention some of them:

  1. Assist in designing the cyber security strategy and the organization.
  2. Ensure compliance from the tip manager of implementing and managing cybersecurity programs.
  3. Determining and documenting the organizational structure, roles, and responsibilities of cybersecurity within the organization.
  4. Editing, applying and reviewing cybersecurity policies and procedures.
  5. Achieve the national legislative and organizational requirements that related to cybersecurity.
  6. Processing cybersecurity risks that related to human resources.
  7. Protecting the organization’s information and technology assets from cybersecurity external and Internet the risks and threats.
  8. Discover the technical vulnerabilities in the right time, and process them effectively.
  9. Processing cybersecurity risks and the implementation of cybersecurity requirements for cloud computing and hosting appropriately and effectively.

The scope of Essential Cybersecurity Controls (ECC-1-2018)

These controls are prepared to fit the needs of cybersecurity in all organizations and sectors regardless to the business type and size. But these controls are specially implemented in the national organizations on the Kingdom of Saudi Arabia, and they include:

  1. All ministries, authorities, and the national companies, industries, and establishments and their affiliates.
  2. Private sector companies that provide their services to the national authorities.
  3. Companies and organizations that operate and host the critical national infrastructure (CNI).
  4. Other organizations can benefit of these controls, even if compliance is not necessary.

Notice: All organizations within the scope of work of essential cybersecurity controls (ECC-1-2018) must implement what’s achieve permanent and continuous compliance with these controls.

And the National Cybersecurity Authority (NCA) evaluates the range of compliance of the national authorities of these controls.

How can Renad AlMajed for Information Technology (RMG) company helps you?

our special services design  according to the Essential Cybersecurity Controls to help you to assure your institution while achieving compliance to the national legislation at the same time, some of our services are:

  1. Make Gap analysis and maturity assessment.
  2. Implementing the appropriate essential controls to your institution.
  3. Design and develop a cybersecurity strategy
  4. Designing And developing cybersecurity policies and the procedures.
  5. Providing training programs, transferring knowledge, and raising the awareness of the human factor. 
  6. Document review and internal audit.

Why do you choose Renad AlMajed for information technology company (RMG)?

  • Would you ask  Renad AlMajed services, you are allowed do benefit from more than 60 experts and consultants to improve and develop your business.
  • The company is characterized by flexibility, the accuracy of implementation and showing results quickly, Because of the company awareness to the deep dimensions of the pillars and indicators that mentioned in these controls.
  • The company has an expert in implementing a vulnerability assessment.
  • Long experience in implementing a penetration test.
  • The company has an operations center works 24/ 7.
  • The company’s ability to cover all cybersecurity fields, where the company has a previous business in digital transformation, governance, business continuity, ISO standards and Backup, data recovery, and network security.


Frequently asked questions (FAQ)

To comply with item 3 of article 10 of national cybersecurity authority NCS’s mandate and as per the Royal Decree number 57231 dated 10/11/1439 H, All organizations within the scope of these controls must implement whatever is necessary to ensure continuous and permanent compliance with the controls.

According to the above, if the organizations that mentioned Are not implementing the minimum requirements of Cybersecurity, maybe this exposes it to legal accountability.

In order to implement the minimum requirements of cybersecurity, you need first to find out what of Essential Cybersecurity Controls (ECC-1-2018) Suit your organization, Then implement organizational Vulnerabilities Screening Tests and working to solve it, finally, formulate the necessary documents and valuable facts that prove the application of the minimum requirements of cybersecurity.

You can start with Renad AlMajed for information technology company (RMG) through filling out the registration form, and we will contact you as soon possible as to answer your inquiries and select/ determine the side of the next step by side.

We provide this is very services and advice for implementing Essential Cybersecurity Controls (ECC-1-2018). And we also keep continuing with you after the end of the project to provide consultations and advice.