Banking and fintech

Overlapping frameworks
One program

Financial institutions supervised by the Saudi Central Bank manage overlapping requirements at once: SAMA's Cyber Security and Business Continuity frameworks, PCI DSS v4.0.1 for payments, ISO/IEC 27001 as a baseline, and PDPL where personal data is in scope. HAKTIV maps overlapping requirements to shared controls, and the people who actually hold the evidence take part in the work.

HAKTIVOrg View
BFSI compliance programBank · Riyadh
SAMA CSF
58% implemented
3.1 Leadership & Governancedone
3.2 Risk Management & Compliancepartial
3.3 Operations & Technologypartial
3.4 Third Party Cyber Securitydone
PCI DSS v4.0.1
71%
SAMA Business Continuity
BC exercise due Q3
AC-01 Access Control · shared across SAMA CSF, PCI DSS, ISO1 evidence · 3 frameworks
The problem

Same control, same evidence, more than once

When every framework runs as its own project, the same control gets evidenced two and three times, and the same departments get asked for the same proof every cycle. The overlap that should save work multiplies it.

Parallel programs for the same work

The SAMA assessment, the PCI DSS validation, and the ISO/IEC 27001 audit run as separate tracks, even though their requirements overlap.

access-review-Q2.xlsx
SAMA · PCI · ISO · collected three times
The evidence sits with IT and operations

The people who run the systems hold the proof, while the GRC team is accountable for collecting and reviewing it every time.

Cardholder-env diagram
owned by payments, chased by GRC
Audit seasons collide

A maturity assessment, an annual validation, and an external audit each reopen the same files.

Q3: PCI assessment
Q4: ISO surveillance · Q1: SAMA
SAMA frameworks

SAMA Cyber Security and Business Continuity, as structured controls

Activate what is in scope for your institution, assign control ownership, and track implementation, evidence, and remediation in one place, with status per control and per framework.

See the SAMA frameworks we support
SAMA — Saudi Central Bank
SAMA framework family
for SAMA-supervised financial institutions
SAMA CSF
Cyber Security Framework
Active
SAMA BC
Business Continuity
Activate
PCI DSS v4.0.1
Payment card security
Active
ISO/IEC 27001
Information security
Activate
SAMA frameworks apply to institutions supervised by the Saudi Central Bank; applicability depends on your activities and SAMA's supervision.
Shared controls across frameworks

One control across SAMA, PCI DSS, and ISO/IEC 27001

The Unified Control Library maps overlapping requirements to shared controls and keeps a shared control's evidence, tasks, and status connected across the frameworks it is mapped to. One access-control evidence package may support corresponding requirements across SAMA CSF, PCI DSS v4.0.1, and ISO/IEC 27001 where the mappings apply, so the same proof is not collected twice.

See cross-framework reuse in a demo
Unified Control Library · AC-01 Access ControlImplemented
access-review-Q2.xlsx · shared evidence
AC-01 · Access Control
SAMA CSF
3.3.5 · mapped
PCI DSS v4.0.1
Req 7 · mapped
ISO/IEC 27001
A.5.15 · mapped
One evidence package, counted wherever the mapping applies.
Whole-institution participation

Compliance does not stop at the compliance department

In Org View, the GRC team runs policies, risk, controls, and evidence. In Employee View, the rest of the institution takes part, from IT to operations to HR, without navigating a specialist GRC interface. Every response returns to one auditable workflow, with segregation of duties enforced by the system.

Org View— Compliance & risk team
SAMA CSF · 3.3.5
Identity and Access Management
Awaiting evidenceOwner: IT · Due Sep 15
BC exercise report · SAMA BC
review routed to CRO
In review
Employee View— IT · payments · branches
Information Security Policy v4.0
read and confirm
I Acknowledge and Accept
Access review evidence · IAM
access-review-Q2.xlsx
Upload ↑
Risk questionnaire · payments
4 of 10 answered
Continue
Risk

Your institution's risk methodology, as it is, inside the platform

Financial institutions have established risk methodologies, and HAKTIV adapts to yours rather than imposing a preset matrix. Configure the factors, formulas, ranges, control effectiveness, and asset values, collect input through Employee View, route assessments to the risk owner for approval, and track treatment and evidence in one register.

AI recommends. You decide.
Risk methodology · configured by your institutionConfigurable
Formula
Likelihood × Impact × Asset value
Control effectiveness
Applied · your ranges
Third-party payment processor outage
input collected through Employee View · payments
High
Treatment: MitigateAwaiting risk-owner approval
AI suggests a treatment plan · the risk owner approves it
Security and data

Tenant isolation, and data that stays in the Kingdom

HAKTIV enforces tenant isolation, with encryption in transit and at rest and audit logging at the infrastructure and application levels. For cloud deployments, customer and compliance data is hosted, stored, and processed in the Google Cloud Dammam region, with no processing or transfer outside the Kingdom of Saudi Arabia. A dedicated tenant or on-premises deployment is available for institutions that require it.

SaaS
Dedicated tenant
On-premises · available today
See security and data details
Saudi data residency
Google Cloud · Dammam region
Hosted, stored, processed in-Kingdom
Encrypted in transit and at rest
Tenant isolation enforced
Dammam, KSA

Book a demo built around your frameworks.

A 30-minute walkthrough covering SAMA frameworks, PCI DSS v4.0.1, and ISO/IEC 27001 on shared controls, department participation through Employee View, and your risk methodology.

Book a demo
Shared controls · SAMA · PCI DSS · ISO · your methodology