This table shows the 20 compliance areas where Saudi NCA ECC and ISO 27001 controls overlap. When you mark a control as implemented in either framework, Venvera automatically propagates the status to the equivalent control in the other.
| Compliance Area | NCA ECC | ISO 27001 |
|---|---|---|
| Information Security Governance | ECC-1-1, ECC-1-2 | A.5.1, A.5.2 |
| Cybersecurity Roles & Responsibilities | ECC-1-3, ECC-1-4 | A.5.2, A.5.4 |
| Cybersecurity Strategy & Planning | ECC-1-5, ECC-1-6 | A.5.1, A.5.36 |
| Information Asset Management | ECC-2-1, ECC-2-2 | A.5.9, A.5.10 |
| Asset Classification & Handling | ECC-2-3, ECC-2-4 | A.5.12, A.5.13 |
| Identity & Access Management | ECC-3-1, ECC-3-2 | A.5.15, A.5.16 |
| Privileged Access Management | ECC-3-3, ECC-3-4 | A.8.2, A.8.5 |
| Authentication Controls | ECC-3-5, ECC-3-6 | A.5.17, A.8.5 |
| Network Security | ECC-4-1, ECC-4-2 | A.8.20, A.8.21 |
| Data Protection & Privacy | ECC-4-3, ECC-4-4 | A.5.34, A.8.11 |
| Cryptographic Controls | ECC-4-5, ECC-4-6 | A.8.24 |
| Physical Security | ECC-5-1, ECC-5-2 | A.7.1, A.7.2 |
| Environmental Controls | ECC-5-3, ECC-5-4 | A.7.5, A.7.11 |
| Vulnerability Management | ECC-6-1, ECC-6-2 | A.8.8 |
| Patch Management | ECC-6-3, ECC-6-4 | A.8.8, A.8.19 |
| Security Event Monitoring | ECC-7-1, ECC-7-2 | A.8.15, A.8.16 |
| Incident Response & Reporting | ECC-7-3, ECC-7-4 | A.5.24, A.5.25, A.5.26 |
| Business Continuity | ECC-8-1, ECC-8-2 | A.5.29, A.5.30 |
| Security Awareness & Training | ECC-9-1, ECC-9-2 | A.6.3 |
| Third-Party & Supplier Security | ECC-10-1, ECC-10-2 | A.5.19, A.5.20, A.5.21 |
For details on how propagation works, thresholds, and the auto-mapped badge, see the Cross-Framework Control Propagation overview article.