Requirement:
A dedicated cybersecurity function (e.g., division, department) must be established within the organization. This function must be independent from the Information Technology/Information Communication and Technology (IT/ICT) functions (as per the Royal Decree number 37140 dated 14/8/1438H). It is highly recommended that this cybersecurity function reports directly to the head of the organization or his/her delegate while ensuring that this does not result in a conflict of interest.
Control Implementation Guidelines:
- Establish a cybersecurity function within the organization to enable it to carry out its cybersecurity tasks as required, taking into account the following points:
  - Ensure that the cybersecurity function's reporting line is different from that of the IT department or the digital transformation department, as per Royal Decree No. 37140 dated 14/8/1438H.
  - Ensure that the cybersecurity function is reporting to the head of the organization or his/her deputy/assistant for the sectors concerned with regulation, including but not limited to, deputy/assistant head of business sectors or regulatory sectors, or the agents and heads of business sectors in the organization.
  - Ensure the following in order to avoid conflict of interest:
    - The cybersecurity function is responsible for all cybersecurity monitoring activities (including compliance monitoring, operation monitoring, operations, etc.).
    - The cybersecurity function is responsible for all cybersecurity governance activities (including defining cybersecurity requirements, managing cybersecurity risks, etc.).
Relevant Cybersecurity Tools:
- Cybersecurity Function Organizational Structure
- Cybersecurity Roles and Responsibilities Template
- Cybersecurity General Policy Template
Expected Deliverables:
- The organization's organizational structure (electronic copy or official hard copy), covering the organizational structure of the cybersecurity function.
- The decision to establish the cybersecurity function and its mandate (electronic copy or official hard copy).
- Reports on the results of compliance with cybersecurity policies.