Essential Cybersecurity Controls (ECC – 2 : 2024) - 1-2-1

A dedicated cybersecurity function (e.g., division, department) must be established within the organization. This function must be independent from the Information Technology/Information Communication and Technology (IT/ICT) functions (as per the Royal Decree number 37140 dated 14/8/1438H). It is highly recommended that this cybersecurity function reports directly to the head of the organization or his/her delegate while ensuring that this does not result in a conflict of interest.

Essential Cybersecurity Controls (ECC – 2 : 2024) - 1-2-2

All cybersecurity positions must be filled with full-time and qualified Saudi cybersecurity professionals.

Essential Cybersecurity Controls (ECC – 2 : 2024) - 1-2-3

A cybersecurity steering committee must be established by the Authorizing Official to ensure the support and implementation of the cybersecurity programs and initiatives within the organization. Committee members, roles and responsibilities, and governance framework must be defined, documented and approved. The committee must include the head of the cybersecurity function as one of its members. It is highly recommended that the committee reports directly to the head of the organization or his/her delegate while ensuring that this does not result in a conflict of interest.