The Essential Cybersecurity Controls from Saudi Arabia's National Cybersecurity Authority are mandatory for in-scope national organizations. Here are the subdomains Alvor helps you satisfy.
All 29 subdomains across the five ECC domains.
An honest map of where Alvor materially contributes. Control ownership stays with you.
About NCA ECC
Who it is for
Organizations operating in Saudi Arabia that must demonstrate ECC compliance to the NCA, and multinationals localizing their security program for the Kingdom.
The Essential Cybersecurity Controls (ECC) are issued by the National Cybersecurity Authority (NCA) of the Kingdom of Saudi Arabia as the minimum cybersecurity baseline for national organizations, government entities, and operators of critical national infrastructure.
The ECC are structured into five main domains (Governance, Defence, Resilience, Third-Party and Cloud Computing, and Industrial Control Systems), broken into 29 subdomains. The map below is grouped by domain and worked at the subdomain level.
Alvor's compliance module is framework-agnostic, so the ECC control set loads alongside the frameworks Alvor ships: you map, assess, and evidence ECC the same way you would ISO 27001 or NIST 800-53.
Control alignment
Grouped by the five ECC domains. Governance, asset management, risk, and third-party controls map directly to Alvor; cryptography, physical, and ICS controls remain operational with Alvor holding the control and evidence.
Alvor performs the control or produces the evidence.
Alvor helps you manage, track, and document it.
You implement it operationally; Alvor stores the control and evidence.
Document the strategy, objectives, and roadmap and track initiatives against them. [Program]
Run the program with assigned ownership, governance cadence, and reporting. [Program]
Author, approve, version, and distribute policies and procedures with attestations. [Policy]
Assign cybersecurity roles and ownership across the program with accountability tracking. [Program]
Identify, score, treat, and monitor risk in a living register tied to assets and controls. [Risk]
Embed security requirements and review gates into project and change workflows. [Secure by Design]
Map controls to ECC and other obligations once and track conformity in real time. [Compliance]
Plan and run internal reviews and audits and track findings to closure. [Compliance]
Hold the control and evidence; screening and HR processes run in your HR systems. [Program]
You run the awareness and training program; Alvor holds the control and its evidence. [Program]
Inventory assets from cloud and security integrations, imports, and shadow-asset reconciliation. [Assets]
Maintain access policy and reviews; provisioning runs in your identity provider. [Policy]
Document hardening and protection standards for systems and processing facilities. [Secure by Design]
Record the email-protection control; enforcement runs in your mail gateway. [Program]
Inventory network assets and map dependencies; configuration runs in your network tooling. [Assets]
Inventory mobile devices; policy is enforced by your MDM. [Assets]
Classify data and track protective controls; encryption and DLP run in your stack. [Data Governance]
Record the cryptography standard and key-management control and hold the evidence. [Secure by Design]
Document recovery objectives and procedures (RTO/RPO) per asset; backups and restore tests run in your stack. [Business Continuity]
Pull CVE findings in from your scanner (Veracode) and cloud posture (AWS, OCI), linked to the affected asset and visible to its owners. [Risk]
Document scope and cadence; findings flow into the risk register with owners. [Risk]
Record the logging and monitoring control; collection runs in your SIEM. [Program]
You run incident and threat management; Alvor holds the control and its evidence. [Program]
Document physical-security controls and store the evidence. [Compliance]
Track secure-development and application-security requirements and route findings to risk. [Secure by Design]
Document business continuity and recovery plans with RTO/RPO and review dates, per asset. [Business Continuity]
Inventory third parties, run and score security assessments, and requeue reassessments on a risk-tiered cadence. [TPRM]
Catalogue and assess cloud and hosting providers with the same security questionnaire. [TPRM]
Inventory OT and ICS assets where reachable; protective controls operate in your ICS environment. [Assets]
This mapping shows where Alvor materially contributes to each control. It is a guide for scoping, not an attestation or certification: responsibility for implementing and operating every control remains with your organization. Ratings reflect Alvor's product capabilities and may differ from your audited scope.
Get started
Whether you lead security, run IT, manage compliance, or sit in the C-suite - we'll show you your view.