Brief Takeaway
- Saudi Arabia’s regulatory environment now makes ISO 27001 alignment a practical necessity for any organisation operating under NCA or SAMA oversight
- ISO 27001:2022 Annex A includes 93 controls; most organisations underestimate the documentation and evidence burden required before a certification audit
- The controls where Saudi teams most consistently fall short are supplier security management, threat intelligence, and formal risk treatment documentation
- NCA ECC-2 maps directly to ISO 27001 control domains, meaning a structured gap assessment delivers compliance value across both frameworks simultaneously
- Alnafitha IT’s Enterprise Strategy team conducts ISO 27001:2022 gap assessments, builds remediation roadmaps, and prepares Saudi organisations for certification readiness
Introduction
Saudi Arabia’s cybersecurity regulatory landscape has shifted considerably over the past two years. The NCA’s updated Essential Cybersecurity Controls (ECC-2), now aligned with ISO 27001 and NIST CSF, the full enforcement of the Personal Data Protection Law (PDPL) since September 2024, and SAMA’s mandatory minimum maturity requirements have collectively moved ISO 27001 from a strategic aspiration into a practical business requirement.
For organisations operating within government supply chains, the financial sector, or critical national infrastructure, ISO 27001 certification is increasingly becoming a prerequisite rather than a differentiator. Government procurement frameworks expect it. Aramco’s third-party compliance programme effectively requires it from many suppliers. And non-compliance with NCA standards now carries fines of up to SAR 25 million, alongside licence suspension and public disclosure.
The challenge is that most organisations approach ISO 27001 certification without a clear picture of where they actually stand. A gap assessment is not a formality. It is the diagnostic step that determines whether your organisation is genuinely ready or merely thinks it is.
What an ISO 27001 Gap Assessment Actually Measures
An ISO 27001 gap assessment compares your current security posture against the requirements of the ISO 27001:2022 standard across two distinct layers.
The first covers mandatory management system clauses (Clauses 4 to 10), which address how your organisation governs, plans, operates, and reviews its Information Security Management System (ISMS). The second covers Annex A, which contains 93 controls grouped into four domains: organisational, people, physical, and technical.
The 2022 version of the standard introduced 11 new controls that many organisations have not yet accounted for. These include threat intelligence (A.5.7), cloud service security (A.5.23), data masking (A.8.11), and physical security monitoring (A.7.4). Organisations still working from pre-2022 frameworks or internal checklists built around the old 114-control structure are starting with structural blind spots before their first external audit begins.
The output of a proper gap assessment is a prioritised remediation roadmap, not a pass/fail score. It identifies which gaps are critical, which can be resolved quickly, and which require sustained effort before a certification audit is viable.
The Four Areas Where Saudi Teams Fall Short Most Often

Across ISO 27001 implementations in the Saudi market, four areas consistently surface as underimplemented or underdocumented.
Supplier and third-party security management. Most organisations manage vendor contracts without any structured security assessment process. ISO 27001 Annex A (A.5.19 to A.5.22) requires documented evaluation of supplier security posture, contractual security obligations, and ongoing monitoring. This is not a documentation exercise for its own sake. Third-party failures ranked as the second most common attack vector in IBM’s 2025 Cost of a Data Breach study, averaging $4.91 million per incident. Auditors know this and will probe this domain closely.
Threat intelligence processes. Control A.5.7 in the 2022 standard requires organisations to collect and analyse information about threats relevant to their environment. Very few Saudi organisations have a functioning threat intelligence process. Most operate reactively, responding to incidents rather than monitoring the threat landscape systematically. This is one of the controls that consistently produces major non-conformity findings in first-attempt audits.
Risk treatment documentation. The gap between having security controls in place and being able to prove they were selected through a risk-based process is where most organisations are caught out. A deployed firewall does not satisfy the ISO 27001 requirement. What satisfies it is a documented risk register that identifies the threat, records the treatment decision, assigns ownership, and tracks residual risk. Auditors distinguish between operational security and audit-ready security. Many Saudi teams have the former without the latter.
Statement of Applicability (SoA). The SoA is one of the first documents an auditor reviews at Stage 1. It must list all 93 Annex A controls, indicate whether each is applicable, and provide documented justification for any controls excluded from scope. Many organisations either produce an incomplete SoA or skip it altogether in early preparation. A deficient SoA will generate a major non-conformity finding before the substantive audit begins, effectively stopping the certification process.
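The SoA and risk-register defects described in the two paragraphs above are mechanical enough to check before an auditor does. The following script is an added example written for this page, not a tool from Alnafitha or from the standard itself: it generates the 93 Annex A control identifiers from the 2022 theme counts (37 organisational, 8 people, 14 physical, 34 technological), then reports controls missing from a Statement of Applicability, exclusions with no recorded justification, applicable controls not traceable to a risk register entry, and risk entries missing a threat, treatment decision, owner or residual risk. The row structures, field names and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass

# ISO 27001:2022 Annex A themes and control counts (37 + 8 + 14 + 34 = 93).
ANNEX_A_COUNTS = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}


def annex_a_control_ids():
    """Return all 93 Annex A control identifiers, e.g. 'A.5.7'."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_COUNTS.items()
            for n in range(1, count + 1)]


def _control_sort_key(control_id):
    return tuple(int(part) for part in control_id[2:].split("."))


@dataclass
class RiskEntry:
    """One row of the risk register (field names are assumptions, not the standard's)."""
    risk_id: str
    threat: str
    treatment: str      # e.g. modify / retain / avoid / share
    owner: str
    residual_risk: str


@dataclass
class SoaEntry:
    """One row of the Statement of Applicability (assumed layout)."""
    control_id: str
    applicable: bool
    justification: str = ""    # mandatory when applicable is False
    risk_ids: tuple = ()       # risk register rows that drove selecting this control


def check_soa(entries, risk_register):
    """Return (finding_type, detail) tuples; an empty list means the checks pass."""
    findings = []
    expected = set(annex_a_control_ids())
    seen = {}
    for entry in entries:
        if entry.control_id not in expected:
            findings.append(("unknown_control", entry.control_id))
            continue
        if entry.control_id in seen:
            findings.append(("duplicate_control", entry.control_id))
        seen[entry.control_id] = entry
    # Every one of the 93 controls must appear in the SoA, even if excluded.
    for cid in sorted(expected - seen.keys(), key=_control_sort_key):
        findings.append(("missing_control", cid))
    known_risks = {r.risk_id for r in risk_register}
    for cid, entry in seen.items():
        if not entry.applicable and not entry.justification.strip():
            findings.append(("exclusion_without_justification", cid))
        if entry.applicable and not entry.risk_ids:
            findings.append(("no_risk_linkage", cid))
        for rid in entry.risk_ids:
            if rid not in known_risks:
                findings.append(("dangling_risk_reference", f"{cid} -> {rid}"))
    # A risk row must name the threat, the treatment decision, an owner and residual risk.
    for risk in risk_register:
        blank = [f for f in ("threat", "treatment", "owner", "residual_risk")
                 if not getattr(risk, f).strip()]
        if blank:
            findings.append(("incomplete_risk_entry", f"{risk.risk_id}: {', '.join(blank)}"))
    return findings


# Constructed sample data, not a real SoA: one control omitted, one excluded
# without justification, one applicable control with no risk linkage.
SAMPLE_RISKS = [
    RiskEntry("R-001", "Unauthorised access to customer records", "modify", "CISO", "low"),
]


def sample_soa():
    entries = []
    for cid in annex_a_control_ids():
        if cid == "A.5.7":           # threat intelligence left out of the SoA entirely
            continue
        if cid == "A.7.4":           # physical security monitoring excluded, no justification
            entries.append(SoaEntry(cid, applicable=False))
        elif cid == "A.5.23":        # cloud services excluded with a recorded reason
            entries.append(SoaEntry(cid, False, "No cloud services within ISMS scope"))
        elif cid == "A.8.11":        # data masking deployed but not traceable to a risk
            entries.append(SoaEntry(cid, applicable=True))
        else:
            entries.append(SoaEntry(cid, True, risk_ids=("R-001",)))
    return entries


if __name__ == "__main__":
    for kind, detail in check_soa(sample_soa(), SAMPLE_RISKS):
        print(f"{kind}: {detail}")
```

Run against the constructed sample, the script reports the missing A.5.7 row, the unjustified A.7.4 exclusion and the unlinked A.8.11 control, which are exactly the kinds of Stage 1 findings described above. In practice the entries would be loaded from the organisation's own SoA and risk register exports rather than built in code.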
How NCA and SAMA Compliance Changes the Equation
For Saudi organisations, an ISO 27001 gap assessment carries strategic value beyond certification itself.
NCA ECC-2 aligns with ISO 27001 control domains. Research into Saudi organisations’ compliance posture found that ISO 27001-certified entities are approximately 64% compliant with NCA ECC requirements based on control overlap alone. A well-executed ISO 27001 gap assessment, with proper evidence collection, provides direct input to your NCA ECC maturity assessment without duplicating the effort.
SAMA’s Cybersecurity Framework sets Level 3 as the minimum acceptable maturity level for every bank, insurance company, fintech, and regulated financial institution in the Kingdom. That framework draws its control structure from ISO 27001, NIST, and PCI-DSS. Organisations aligned with ISO 27001:2022 typically find that governance, risk management, access control, and supplier security requirements are substantially addressed when they face a SAMA maturity assessment. The investment in ISO 27001 alignment accelerates SAMA compliance readiness rather than competing with it.
For CNI operators and government-linked entities, ISO 27001 certification also signals to the NCA that your security programme has been independently verified, not simply self-reported.
Where Alnafitha’s Enterprise Strategy Team Comes In

Alnafitha IT’s Enterprise Strategy team supports Saudi organisations through the ISO 27001:2022 certification journey, from initial gap assessment through to certification readiness.
The engagement covers three phases. The first is a structured gap assessment across all 93 Annex A controls and Clauses 4 to 10, mapped to your current ISMS documentation, policies, and technical controls. The second is a prioritised remediation roadmap that distinguishes between critical gaps requiring immediate attention and incremental improvements that can be scheduled over a longer implementation cycle. The third is certification readiness advisory, which prepares your internal team for both Stage 1 documentation review and Stage 2 operational audit.
Alnafitha’s Enterprise Strategy team brings knowledge of the Saudi regulatory context alongside ISO 27001 implementation experience. This matters because the intersection of NCA ECC, SAMA CSF, and ISO 27001 creates multi-framework obligations that require coordinated evidence management, not three separate compliance programmes running in parallel. Alnafitha’s cybersecurity risk management and compliance solutions address this coordination by connecting your ISO 27001 ISMS to the broader regulatory evidence requirements you face as a Saudi entity.
Conclusion
A failed first ISO 27001 certification audit is not an edge case in the Saudi market. It is the result of starting the formal audit process without understanding what an auditor will examine first. Major non-conformities in the SoA, risk treatment documentation, and supplier security domains are predictable when the gap assessment step has been skipped or rushed.
The organisations that achieve certification on the first attempt do so because they treated the gap assessment as a working document, not a preliminary formality. They identified which controls required substantial effort, allocated time accordingly, and built the evidence base before the auditor arrived.
If your organisation is under NCA, SAMA, or PDPL obligations, or if ISO 27001 certification is a requirement in your current or upcoming contracts, the gap assessment is where the work starts and where the outcome is determined.
Speak with Alnafitha’s Enterprise Strategy team to understand where your organisation stands against ISO 27001:2022 Annex A controls and what a realistic certification roadmap looks like for your environment.
Frequently Asked Questions
Is ISO 27001 certification mandatory in Saudi Arabia? ISO 27001 is not universally mandated by law, but regulatory pressure from NCA, SAMA, and PDPL makes it a practical requirement for a growing number of organisations. Government procurement increasingly expects certified or audit-ready vendors. SAMA-regulated entities must meet a minimum Level 3 maturity under the SAMA CSF, which is built on ISO 27001 control principles. For CNI operators and government entities, NCA ECC compliance is mandatory, and ISO 27001 certification positively influences the NCA maturity assessment score.
How long does an ISO 27001 gap assessment take? For a mid-sized Saudi organisation, a structured assessment typically takes two to four weeks, depending on the scope of systems covered, existing documentation, and internal team availability. Organisations that attempt this process in under two weeks consistently miss critical gaps, which then surface as major non-conformity findings during the formal audit.
What is the relationship between ISO 27001 and NCA ECC-2? NCA ECC-2 (2024) is aligned with ISO 27001 and NIST CSF control domains. ISO 27001-certified organisations are approximately 64% compliant with NCA ECC requirements based on control overlap. A well-executed ISO 27001 gap assessment, with proper evidence documentation, provides direct value for NCA ECC maturity assessment without requiring separate evidence collection efforts.
Does ISO 27001 certification satisfy SAMA CSF requirements? Not directly, but the control overlap is substantial. SAMA CSF draws its structure from ISO 27001, NIST, and PCI-DSS. Organisations aligned with ISO 27001 typically find that governance, risk management, access control, and supplier security requirements under SAMA are substantially covered. ISO 27001 alignment functions as an accelerator for SAMA compliance readiness, not a replacement for it.
What happens if an organisation fails its first ISO 27001 certification audit? A failed first audit typically results from major non-conformity findings in risk documentation, SoA completeness, or internal audit records. The organisation must remediate those findings and undergo a re-audit, adding three to six months and significant cost to the certification timeline. A proper gap assessment before the formal audit prevents this outcome by identifying and resolving these issues in advance.
For more on how Alnafitha supports Saudi organisations with IT governance and compliance frameworks, explore our Enterprise Architecture and Strategy services.