NCA Cloud Cybersecurity Controls (CCC-1:2020)
CCC-1:2020
55 controls · 24 domains
Mandatory for: cloud computing in KSA
About this framework
The Cloud Cybersecurity Controls extend Saudi Arabia's NCA framework to cloud computing. They set security requirements for both cloud providers and the organisations that use them, covering data residency, access, and shared responsibility.
Who needs this
For Saudi cloud providers and the regulated organisations that rely on cloud services.
Cross-framework coverage
Controls in NCA CCC also cover:
CIS Controls 11 shared
ISO 27001 11 shared
NCA ECC-2 11 shared
Qatar NIA 11 shared
UAE IA 11 shared
Control domains
1-1 · Cybersecurity Roles and Responsibilities 2
1-1-P-1
In addition to the ECC control 1-4-1, the Authorizing Official shall also identify, document and approve:
1-1-T-1
In addition to the ECC control 1-4-1, the Authorizing Official shall also identify, document and approve:
1-2 · Cybersecurity Risk Management 2
1-2-P-1
Cybersecurity risk management methodology mentioned in the ECC Subdomain 1-5, shall also include for the CSP, as a minimum:
1-2-T-1
Cybersecurity risk management methodology mentioned in the ECC Subdomain 1-5 shall also include for the CST, as a minimum:
1-3 · Compliance with Cybersecurity Standards, Laws and Regulations 2
1-3-P-1
In addition to the ECC control 1-7-1, the CSP legislative and regulatory compliance should include, as a minimum, the following requirements:
1-3-T-1
In addition to the ECC control 1-7-1, the CST legislative and regulatory compliance should include, as a minimum, the following requirements:
1-4 · Cybersecurity in Human Resources 3
1-4-P-1
In addition to subcontrols in the ECC controls 1-9-3 and 1-9-4, the following requirements should be covered prior to and during the professional relationship of personnel with the CSP, as a minimum:
1-4-P-2
In addition to subcontrols in the ECC control 1-9-5, the following requirements should be in place, as a minimum, for the termination/completion of a human resource’s professional relationship with the CSP:
1-4-T-1
In addition to subcontrols in the ECC control 1-9-3, the following requirements should be covered prior to the professional relationship of staff with the CST, at a minimum:
1-5 · Cybersecurity in Change Management 4
1-5-P-1
Cybersecurity requirements for change management within the CSP shall be identified, documented and approved.
1-5-P-2
Cybersecurity requirements for change management within the CSP shall be applied.
1-5-P-3
Cybersecurity for change management in the CSP shall cover, as a minimum:
1-5-P-4
Cybersecurity requirements for change management within the CSP shall be applied and reviewed periodically.
2-1 · Asset Management 2
2-1-P-1
In addition to controls in the ECC control 2-1, the CSP shall cover the following additional controls for cybersecurity requirements for cybersecurity event logs and monitoring management, as a minimum:
2-1-T-1
In addition to controls in the ECC control 2-1, the CST shall cover the following additional controls for cybersecurity requirements for cybersecurity event logs and monitoring management, as a minimum:
2-10 · Penetration Testing 1
2-10-P-1
In addition to subcontrols in the ECC control 2-11-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for penetration testing, as a minimum:
2-11 · Cybersecurity Event Logs and Monitoring Management 2
2-11-P-1
In addition to subcontrols in the ECC control 2-12-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for cybersecurity event logs and monitoring management, as a minimum:
2-11-T-1
In addition to subcontrols in the ECC control 2-12-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for cybersecurity event logs and monitoring management, as a minimum:
2-12 · Cybersecurity Incident and Threat Management 1
2-12-P-1
Table 2. CSP’s commitments to cybersecurity controls for cloud computing. CSP Controls: Table (2) below shows CSP’s commitments to cloud cybersecurity controls (section no. 10 «Cloud Cybersecurity Controls») by levels.
2-13 · Physical Security 1
2-13-P-1
In addition to subcontrols in the ECC control 2-14-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for physical security, as a minimum:
2-14 · Web Application Security 1
2-14-P-1
In addition to subcontrols in the ECC control 2-15-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for web application security, as a minimum:
2-15 · Key Management 8
2-15-P-1
Cybersecurity requirements for key management process within the CSP shall be identified, documented and approved.
2-15-P-2
Cybersecurity requirements for key management process within the CSP shall be applied.
2-15-P-3
In addition to the ECC subcontrol 2-8-3-2, cybersecurity requirements for key management within the CSP shall cover, at minimum, the following:
2-15-P-4
Cybersecurity requirements for key management within the CSP shall be reviewed periodically.
2-15-T-1
Cybersecurity requirements for key management within the CST shall be identified, documented and approved.
2-15-T-2
Cybersecurity requirements for key management within the CST shall be applied.
2-15-T-3
In addition to the ECC subcontrol 2-8-3-2, cybersecurity requirements for key management within the CST shall cover, at minimum, the following:
2-15-T-4
Cybersecurity requirements for key management within the CST shall be applied and reviewed periodically.
2-16 · System Development Security 4
2-16-P-1
Cybersecurity requirements for system development within the CSP shall be identified, documented and approved.
2-16-P-2
Cybersecurity requirements for system development within the CSP shall be applied.
2-16-P-3
Cybersecurity requirements for system development within the CSP shall include as a minimum the following controls along the development lifecycle:
2-16-P-4
Cybersecurity requirements for system development within the CSP shall be applied and reviewed periodically.
2-17 · Storage Media Security 4
2-17-P-1
Cybersecurity requirements for usage of information and data media within the CSP shall be identified, documented and approved.
2-17-P-2
Cybersecurity requirements for usage of information and data media within the CSP shall be applied.
2-17-P-3
Cybersecurity requirements for usage of information and data media within the CSP shall cover, at minimum, the following:
2-17-P-4
Cybersecurity requirements for usage of information and data media within the CSP shall be applied and reviewed periodically.
2-2 · Identity and Access Management 2
2-2-P-1
In addition to subcontrols in the ECC control 2-2-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for identity and access management requirements, as a minimum:
2-2-T-1
In addition to subcontrols in the ECC control 2-2-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for identity and access management requirements, as a minimum:
2-3 · Information System and Information Processing Facilities Protection 2
2-3-P-1
In addition to subcontrols in the ECC control 2-3-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for information system and processing facilities protection requirements, as a minimum:
2-3-T-1
In addition to subcontrols in the ECC control 2-3-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for information system and processing facilities protection requirements, as a minimum:
2-4 · Networks Security Management 2
2-4-P-1
In addition to subcontrols in the ECC control 2-5-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for networks security management requirements, as a minimum:
2-4-T-1
In addition to subcontrols in the ECC control 2-5-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for networks security management requirements, as a minimum:
2-5 · Mobile Devices Security 2
2-5-P-1
In addition to subcontrols in the ECC control 2-6-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for mobile device security, as a minimum:
2-5-T-1
In addition to subcontrols in the ECC control 2-6-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for mobile device security, as a minimum:
2-6 · Data and Information Protection 2
2-6-P-1
In addition to subcontrols in the ECC control 2-7-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for data and information protection requirements, as a minimum:
2-6-T-1
In addition to subcontrols in the ECC control 2-7-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for protecting CST’s data and information in cloud computing, as a minimum:
2-7 · Cryptography 2
2-7-P-1
In addition to subcontrols in the ECC control 2-8-3, the CSP shall cover the following additional subcontrols for cryptography, as a minimum:
2-7-T-1
In addition to subcontrols in the ECC control 2-8-3, the CST shall cover the following additional subcontrols for cryptography, as a minimum:
2-8 · Backup and Recovery Management 1
2-8-P-1
In addition to subcontrols in the ECC control 2-9-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for backup and recovery management, as a minimum:
2-9 · Vulnerabilities Management 2
2-9-P-1
In addition to subcontrols in the ECC control 2-10-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for vulnerability management requirements, as a minimum:
2-9-T-1
In addition to subcontrols in the ECC control 2-10-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for vulnerability management requirements, as a minimum:
3-1 · Cybersecurity Resilience Aspects of Business Continuity Management (BCM) 2
3-1-P-1
In addition to subcontrols in the ECC control 3-1-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for cybersecurity resilience aspects of business continuity management, as a minimum:
3-1-T-1
In addition to subcontrols in the ECC control 3-1-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for cybersecurity resilience aspects of business continuity management, as a minimum:
4-1 · Supply Chain and Third-Party Cybersecurity 1
4-1-P-1
In addition to implementing the ECC controls 4-1-2 and 4-1-3, the CSP shall cover the following additional subcontrols for third-party cybersecurity requirements, as a minimum: