In November 2021, the Saudi Central Bank (SAMA) issued a circular on IT governance frameworks (ITGFs) as part of its cybersecurity rules and instructions. SAMA recognises that – while IT is playing an increasingly fundamental role in today’s data-driven environments – IT also exposes the financial institutions (FIs) it regulates to dynamically evolving IT risks and governance requirements. In response to those risks, SAMA has developed an ITGF that will enable SAMA-regulated businesses to effectively identify and address IT-related risks – and which FIs and SAMA can use to assess maturity levels and evaluate the effectiveness of IT controls.


IT governance and leadership

  • IT governance structure defined, endorsed and supported with appropriate resources
  • IT strategy aligned with strategic objectives and complies with legal and regulatory requirements
  • Enterprise architecture outlines business processes, data and supporting technology layers
  • IT policies and procedures are defined, approved, communicated and implemented
  • IT roles and responsibilities defined and understood
  • Relevant regulations identified, communicated and complied with
  • IT internal audits verify IT controls implemented and operating as intended
  • Staff have required skills and knowledge
  • Efficiency and effectiveness of IT processes and services continuously measured through KPIs

IT risk management

  • IT risk management (ITRM) processes defined, approved, implemented, communicated and aligned with enterprise risk management (ERM) processes
  • Assets identified, recorded and maintained
  • Controls and risks analysed based on likelihood of occurrence and resulting impact
  • IT risks associated with IT assets treated based on applicable criteria
  • IT risks treated according to defined treatment plans and effectively reviewed, monitored and reported

Operations management

  • Accurate inventory provided by asset management process
  • Interdependencies for critical assets identified and managed
  • Contractual terms and conditions governing roles, relationships, obligations and responsibilities of stakeholders developed and controlled
  • Business functions supported through service availability and capacity management
  • Physical controls designed and implemented to protect IT facilities and equipment from damage/unauthorised access
  • IT event management and network architecture controls protect the network from unauthorised access
  • Batch management process handles bulk processing of automated tasks efficiently
  • IT incident management process identifies, responds to and handles incidents, and reports relevant incidents to SAMA
  • Procedures to report problems defined to minimise impact
  • Data backup management strategy and procedures defined, approved and implemented
  • Process to create, distribute, store, use and retire virtualised images defined and managed

System change management

  • Change management process ensures asset changes classified, tested and approved before deployment
  • Changes to information assets defined, documented and approved by owner before implementation
  • Acquisition process ensures system acquisition/vendor service risks adequately assessed and mitigated
  • System development methodology ensures system is developed in a strictly controlled manner
  • Information system changes tested in test environment to ensure business requirements are met – and defects/vulnerabilities identified before release to production environment
  • Cyber security requirements defined and tested in a testing environment to identify and mitigate security vulnerabilities before release to production environment
  • Change release management process strictly controls system changes
  • System configuration management process maintains reliable/accurate information about configuration items
  • Patch management process up-to-date with latest applicable/relevant patches installed
  • Process manages IT projects and related risks throughout project lifecycle
  • QA process aligns quality of changes/development with business/user requirements before release to production

Our ITGF assessment methodology

Our market-leading team – which has significant ITGF expertise – can assess the maturity of your current and to-be IT governance framework against SAMA’s maturity framework.

Srikant Ranganathan
Senior Director
Tom Gilbert