Governance. Risk. Compliance. Cybersecurity.
Riyadh · Kingdom of Saudi Arabia

KSA GRC, cybersecurity & compliance, delivered locally.

GRC and cybersecurity consulting aligned to SAMA, NCA and Saudi Vision 2030.

60+ KSA engagements delivered
4 Tier-1 Saudi banks served
Vision 2030: Aligned

MAST in KSA

Local delivery, global standards.

From our Riyadh presence, MAST delivers SAMA CSF, NCA ECC and OTCC, PDPL, CITC and CST-aligned programmes for Saudi banks, payments, energy, healthcare and government clients — with consultants who speak the language of Saudi regulators.

Regulators we cover

The KSA regulatory landscape we work in daily.

SAMA CSF

Saudi Central Bank Cyber Security Framework.

NCA ECC

National Cybersecurity Authority Essential Cybersecurity Controls.

NCA OTCC

Operational Technology Cybersecurity Controls for industrial sectors.

NCA CCC

Cloud Cybersecurity Controls for cloud service providers and tenants.

CITC / CST

Communications, Space & Technology Commission requirements.

SDAIA PDPL

Saudi Personal Data Protection Law and its implementing regulations.

Yakeen / Nafath

Identity and trust services integrations.

KSA case studies

Recent KSA engagements — outcomes you can audit.

Anonymised snapshots of MAST delivery in your jurisdiction. Every engagement is sponsored by a named Lead Auditor.

Banking: SAMA CSF · NCA ECC

Saudi retail bank — SAMA CSF maturity raised from 2.6 to 3.8 in 9 months.

Closed 142 prioritised SAMA findings and embedded continuous attestation across 4 lines of business and shared services.

SAMA maturity: 2.6 → 3.8
Findings closed: 142
Repeat findings: 0
Lead Auditor attribution
MAST KSA Banking
Lead — SAMA CSF
ISO 27001 LA · CISA · CRISC
Delivered: 2024 · Riyadh

Energy / OT: NCA OTCC · IEC 62443

Saudi energy major — NCA OTCC programme across 5 plants.

Delivered OT asset visibility, segmentation and incident-response playbooks aligned to NCA OTCC and IEC 62443.

OT assets discovered: +38%
Segmentation zones: 23
OTCC compliance: Achieved
Lead Auditor attribution
MAST OT Security
Principal — OT
IEC 62443 · GICSP · CISSP
Delivered: 2024–2025 · Eastern Province

Cloud / SaaS: NCA CCC · ISO 27017

Government cloud tenant — NCA CCC attestation in 16 weeks.

Built tenant-side controls aligned to NCA CCC Level 3 and ISO 27017, with auditable shared-responsibility evidence.

CCC level: L3
Time to attestation: 16 wks
Audit findings: 0 major
Lead Auditor attribution
MAST Cloud Practice
Lead — Cloud Security
CCSP · CCSK · ISO 27017
Delivered: H2 2024 · Riyadh

Privacy: Saudi PDPL

Saudi insurer — PDPL programme covering 8M data subjects.

Implemented PDPL governance, notice & consent, DSR workflows and cross-border transfer assessments end-to-end.

Data subjects covered: 8M+
DSR turnaround: < 14 days
DPO function: Operational
Lead Auditor attribution
MAST Privacy Practice
Lead — PDPL
CIPM · CIPP/E · ISO 27701 LA
Delivered: Q1 2025 · Riyadh

Payments: PCI DSS v4.0 · Mada

Mada-acquirer — PCI DSS v4.0 RoC achieved on first assessment.

End-to-end readiness across acquiring, switching and tokenisation, with QSA on-site assessment support.

RoC outcome: First-pass
Findings remediated: 47
Scope reduction: −52%
Lead Auditor attribution
MAST Payments Practice
Lead — PCI DSS
PCIP · QSA-aligned
Delivered: 2024 · Riyadh

FAQ

KSA delivery — common questions.

Do you have consultants on the ground in Saudi Arabia?

Yes. We deliver engagements from Riyadh with on-site presence in Jeddah, Dammam and Khobar as needed.

Can you map SAMA CSF and NCA ECC to ISO 27001?

Yes. We routinely build a single control framework that satisfies SAMA CSF, NCA ECC and ISO 27001 simultaneously, with one evidence library.

Do you support OT environments (NCA OTCC)?

Yes. We deliver IEC 62443 and NCA OTCC programmes for energy, utilities and industrial operators.

Speak with our KSA team

Local consultants. Lead Auditors. Fixed-fee proposals.

Tell us about your KSA programme — a senior consultant from MAST responds within one business day.
