Saudi Arabia’s National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC-2) put vendor-risk assessment on every cybersecurity programme’s roadmap. The control families are clear; translating them into a working vendor-risk questionnaire is the part that always takes longer than expected. This post is a walk-through of the questionnaire a KSA regulated-sector organisation should be able to send to a new SaaS vendor, with each question mapped to the ECC-2 domain it provides evidence for.
ECC-2 in one page
ECC-2 is the 2024 refresh of NCA’s Essential Cybersecurity Controls. It groups requirements into five domains: Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, Third-Party and Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity. Vendor risk sits primarily in Domain 4 (Third-Party and Cloud Computing Cybersecurity), but it has hooks into Domain 1 (Governance) for policy and accountability and Domain 3 (Resilience) for incident and continuity responsibilities, which is why the questionnaire below draws from all three.
The 18 questions, mapped
Governance (Domain 1)
- What is your information-security policy, and when was it last reviewed?
- Do you have a named Chief Information Security Officer or equivalent?
- What external certifications or attestations do you hold (ISO 27001 certificate, SOC 2 Type II report), and have you assessed your alignment with the Saudi PDPL? Ask for the certificate scope and the audit period, not just the logo.
Defence (Domain 2)
- Describe your identity and access management — MFA, least-privilege, privileged-access review cadence.
- How is encryption handled at rest and in transit? Named algorithms, key-rotation policy, and who holds the keys (vendor-managed, or customer-managed with a KMS you control).
- What is your vulnerability-management cadence? Patch SLA by severity.
- Describe your logging and monitoring — what you log, retention, SIEM integration.
- Penetration-testing cadence and scope. Can you share the most recent report, or at least its executive summary with remediation status, under NDA?
Resilience (Domain 3)
- Incident-response plan: trigger criteria, communication path, customer notification SLA.
- Business-continuity and disaster-recovery: RTO and RPO targets, last tested date.
- Backup strategy — location, frequency, encryption, test restore cadence.
Third-party (Domain 4)
- List of sub-processors with country of data processing.
- How are sub-processor changes communicated, and over what notice period?
- Do you flow down equivalent security obligations to your sub-processors?
- Data-residency posture: where is production data today, where are backups and DR copies, and is any move out of the Kingdom planned?
Regulatory / PDPL crossover
- Is your DPA PDPL-aware? (See the eight-question DPA post.)
- What is your breach-notification window, and from which event does the clock start (detection, confirmation of impact, or something else)? The answer decides how much of your own regulatory window is left by the time you hear about it.
- How do you handle data-subject-rights requests (access, rectification, erasure)?
How to map answers to a risk score
Each question has a 0/1/2 scoring guide: 2 is a strong, documented answer with a link to evidence; 1 is a reasonable answer without evidence; 0 is missing or unsatisfactory. On the resulting 36-point scale, a vendor below 70% (25 points or fewer) needs escalation, and below 50% (17 points or fewer) is a hard stop. Treat a 0 on a gating question (data residency, breach notification) as grounds for escalation regardless of the total, since a strong score elsewhere does not offset it. This is a starting point, not policy; every CISO team should tune the weights and thresholds against its own risk appetite.
Automating the review routing
Once the responses come back, they should flow automatically into the GRC workflow: high-risk responses get escalated to the security review board; governance questions route to legal; defence/resilience to the SOC lead. Sahl/form’s webhook configuration plus a small routing rule in your GRC tool does this without a separate integration.
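The scoring guide and routing rule above, carried through as a small webhook handler. This is an added example, not Sahl/form’s code or its real payload schema: the JSON shape (a `vendor` name plus an `answers` map keyed by question ids `g1..g3`, `d1..d5`, `r1..r3`, `t1..t4`, `p1..p3`), the question ids themselves, and the owner queues for the third-party and regulatory questions are all assumptions for illustration. The sample response is constructed. It applies the 0/1/2 guide (a 2 with no evidence link is downgraded to 1, a missing answer scores 0), computes the tier against the 36-point scale, and emits one ticket per owner queue plus a security-review-board ticket when the vendor is not in the standard tier.

```python
"""Score an 18-question ECC-2 vendor questionnaire and route the result.

Added example, not Sahl/form's code or schema. Assumed: the webhook body
is JSON with "vendor" and "answers", where answers maps a question id
(g1..g3, d1..d5, r1..r3, t1..t4, p1..p3, ids assumed here) to
{"score": 0|1|2, "evidence": "<url>" or null}.
"""
import json

# Question ids per domain (assumed ids; the five groups match the post).
QUESTIONS = {
    "governance": ["g1", "g2", "g3"],
    "defence": ["d1", "d2", "d3", "d4", "d5"],
    "resilience": ["r1", "r2", "r3"],
    "third_party": ["t1", "t2", "t3", "t4"],
    "regulatory": ["p1", "p2", "p3"],
}
MAX_SCORE = 2 * sum(len(q) for q in QUESTIONS.values())  # 36 points

# Routing from the post: governance -> legal, defence/resilience -> SOC lead.
# Owners for third_party and regulatory are assumptions for this example.
OWNERS = {
    "governance": "legal",
    "defence": "soc-lead",
    "resilience": "soc-lead",
    "third_party": "vendor-management",
    "regulatory": "legal",
}


def score_answer(raw):
    """Apply the 0/1/2 guide: missing -> 0; a claimed 2 with no evidence -> 1."""
    if raw is None:
        return 0
    s = int(raw.get("score", 0))
    if s not in (0, 1, 2):
        raise ValueError(f"score must be 0, 1 or 2, got {s}")
    if s == 2 and not raw.get("evidence"):
        return 1
    return s


def score_response(payload):
    """Return total, per-domain scores, the list of 0-scored ids and the tier."""
    answers = payload.get("answers", {})
    per_domain, gaps, total = {}, [], 0
    for domain, qids in QUESTIONS.items():
        dscore = 0
        for qid in qids:
            try:
                s = score_answer(answers.get(qid))
            except ValueError as exc:
                raise ValueError(f"{qid}: {exc}") from None
            if s == 0:
                gaps.append(qid)
            dscore += s
        per_domain[domain] = dscore
        total += dscore
    pct = total / MAX_SCORE
    # Below 50% is a hard stop, below 70% needs escalation (post's thresholds).
    tier = "hard_stop" if pct < 0.5 else "escalate" if pct < 0.7 else "standard"
    return {"vendor": payload.get("vendor"), "total": total, "pct": round(pct, 3),
            "tier": tier, "per_domain": per_domain, "gaps": gaps}


def route(result):
    """Turn a scored response into GRC tickets: SRB if not standard, one per owner."""
    tickets = []
    if result["tier"] != "standard":
        tickets.append({"queue": "security-review-board", "vendor": result["vendor"],
                        "reason": f"{result['tier']} at {result['pct']:.0%}",
                        "gaps": result["gaps"]})
    for domain, qids in QUESTIONS.items():
        tickets.append({"queue": OWNERS[domain], "vendor": result["vendor"],
                        "domain": domain,
                        "score": f"{result['per_domain'][domain]}/{2 * len(qids)}",
                        "gaps": [q for q in result["gaps"] if q in qids]})
    return tickets


def handle_webhook(body):
    """Entry point a webhook receiver would call with the raw JSON request body."""
    return route(score_response(json.loads(body)))


def ev(score, url=None):
    return {"score": score, "evidence": url}


# Constructed sample: vendor will not share the pentest report (d5), skipped
# data residency (t4), and claimed a 2 on g2 with no evidence link.
SAMPLE_PAYLOAD = {
    "vendor": "ExampleSaaS",
    "answers": {
        "g1": ev(2, "https://vendor.example/policy.pdf"), "g2": ev(2), "g3": ev(1),
        "d1": ev(2, "https://vendor.example/iam.pdf"),
        "d2": ev(2, "https://vendor.example/crypto.pdf"), "d3": ev(1),
        "d4": ev(2, "https://vendor.example/logging.pdf"), "d5": ev(0),
        "r1": ev(2, "https://vendor.example/irp.pdf"), "r2": ev(1),
        "r3": ev(2, "https://vendor.example/backup.pdf"),
        "t1": ev(2, "https://vendor.example/subprocessors.html"), "t2": ev(1), "t3": ev(1),
        "p1": ev(2, "https://vendor.example/dpa.pdf"), "p2": ev(1),
        "p3": ev(2, "https://vendor.example/dsr.pdf"),
    },
}
SAMPLE_WEBHOOK_BODY = json.dumps(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for ticket in handle_webhook(SAMPLE_WEBHOOK_BODY):
        print(json.dumps(ticket))
```

The sample vendor lands on 25 of 36 (69%), the top of the escalation band, which is exactly the kind of borderline result the thresholds need to catch: the downgraded g2 and the two gaps would have pushed it over 70% if the evidence rule were not enforced. Keep the scoring in your receiver rather than in the form so that a vendor cannot influence the thresholds, and reject any score outside 0/1/2 instead of clamping it.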
Download the template
We’ve packaged the 18 questions above as a Sahl/form template with bilingual labels, a pre-built 0/1/2 scoring column, and a webhook payload schema. You can apply it to your workspace in one click.