SAMA Cyber Security Maturity Model in a Nutshell

Published on : 16 Apr 2021

SAMA Cybersecurity Maturity Model

Assessing the maturity level of an organization’s Cyber Security program is crucial for business. This is because the evaluation process helps the organization determine the areas of improvement. This further enables them to embed strong security policies and controls in their work culture and process.

In Saudi Arabia, Member Organizations who fall in the scope of the SAMA Cyber Security Framework are required to determine and measure the maturity levels against the Cyber Security Maturity Model outlined in the Cyber Security Framework. Explaining this in detail, we have today covered an article that will help you understand the Security Maturity Model outlined by SAMA.

SAMA Cyber Security Maturity Model

For Member Organizations who are unsure of where their security program stands in terms of their preparedness and the capability of their Cyber Security Program, the Security Maturity Model works as a guide for them. It provides a direction to organizations in testing their preparedness against evolving security threats.

Assessing the maturity of an organization’s security level helps them establish, improve and maintain a strong security framework. This is an effective approach for addressing and managing Cyber Security risks within the Financial Sector.

The Cyber Security Maturity Model in the SAMA Security Framework distinguishes 6 maturity levels (0, 1, 2, 3, 4, and 5), which are all briefly summarized in the image below (sourced from the official document). In order to achieve an appropriate Cyber Security Maturity level, the Member Organization must meet all criteria listed in the initial maturity levels (0, 1, & 2) to operate at maturity level 3 or higher as explained below. 

Maturity Level 3 

Level 3 maturity states that the Member Organization should define, approve and implement Cyber Security controls. The organization should have in place policies and procedures that clearly outlines “why”, “what” and “how” Cyber Security controls should be implemented.

The Cyber Security documents comprising the Security Policies, Standards, and Security Procedures must be endorsed and mandated by the board of the Member Organization clearly stating “why” Cyber Security is important to the Member Organization. 

Policy Documents – The document must highlight the information assets that must be protected by establishing Security Principles and Objectives. 

Cyber Security Standards- The Security Standards must be developed in alignment with the Security Policy, highlighting the Cyber Security controls that must be implemented. This would include defining security and system parameters, segregation of duties, setting password rules, monitoring events, and backup and recovery rules. Tasks and activities to be performed by every member including the staff, third parties, or customers of the Member Organization are detailed in the Cyber Security Procedures. 

Procedure Documents- The procedure document should prescribe “how” the Cyber Security Controls must be implemented in an operating environment and secure the information assets in accordance with the Cyber Security Policy and Standards. The process in context to this framework can be defined as a set of activities designed to accomplish specific objectives. The process may include defining the policies, standards, guidelines, procedures, activities, work instructions, roles, and responsibilities, tools, and management control required to deliver the output. 

The actual progress of the implementation, performance, and compliance of the Cyber Security Controls should be periodically monitored and evaluated using key performance indicators (KPIs).

Maturity Level 4

Maturity Level 4 clearly states that the Member Organization should periodically evaluate and measure the effectiveness of the implemented Cyber Security Controls. The Member Organizations must define the Key Risk Indicators (KRIs) that indicate the norm for effective measurement and define thresholds to determine whether the results are below, on, or above the targeted norm. Further, the KRIs are used for trend reporting and identifying the potential areas of improvement. 

Maturity Level 5 

Maturity Level 5 is about the continuous improvement of Cyber Security Controls. This is expected to be achieved through constant analysis of goals and achievements of Cyber Security and identifying structural improvements. Member Organizations must integrate the Security Controls with enterprise Risk Management Practices and be backed with automated real-time monitoring.

Further, business process owners should be accountable for monitoring and measuring the effectiveness of Cyber Security Controls and integrating them with the enterprise Risk Management Framework. Additionally, the performance of Cyber Security Controls should be evaluated using peer and sector data.

Benefits of Assessing against the Security Maturity Model

  • The key to using the Security Maturity Model is to identify and understand the areas of improvement in the organization’s Security Controls and Processes. 
  • The assessment helps the organization understand their security posture and most importantly help in prioritizing processes that need immediate attention. 
  • It can be used as a benchmark to measure your performance and constantly improve and develop your security programs in alignment with your compliance objective.
  • Constant improvement in the security program enables organizations to evolve with the growing security landscape. 
  • The assessment helps design an actionable roadmap that makes the compliance process more achievable. 
  • With the assessment, you can gain better control over your security programs.


The implementation of the Framework is subject to a periodic self-assessment that shall be performed by the Member Organization. The assessment will further be reviewed and audited by the SAMA, based on the level of Compliance with the Framework and the Cyber Security Maturity level of the Member Organization. So, organizations looking to achieve Compliance must evaluate their current Maturity level.

Assessing against the Cyber Security Maturity Model clearly determines the maturity of your practices, processes, and cyber response capabilities. This helps Member Organizations understand whether or not they have reached a level of Cyber Security Maturity to support and protect critical information assets. If not, based on the evaluation, the Member Organization can accordingly improve their Security Programs and achieve the maximum level of maturity in Cyber Security objectively

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.