Office of the CISO

Cyber & AI Readiness Assessment

Is your organization ready to deliver on Vision 2030 — securely, and with trustworthy AI? An independent, standards-based answer to where you stand today, and a clear, prioritized path forward.

Global expertise, Saudi execution

Two capabilities rarely found together in one firm.

  1. Senior international cyber & AI practitioners with track records in leading Western enterprises and global standards bodies — hands-on experience with ISO/IEC 27001, NIST CSF 2.0, the NIST AI Risk Management Framework, OWASP, and MITRE ATT&CK / ATLAS.
  2. Saudi national professionals with current, practitioner-level command of the Kingdom's own regulatory regime — NCA, ECC, SDAIA, SAMA, and CST.

Every engagement pairs these two skill sets on the same workstreams — so findings are simultaneously benchmarked internationally and defensible in front of a Saudi regulator.

Start where it makes sense for you

Three ways in.

Tier 1: Free Introductory Session (45–60 min, no cost)

A consultative conversation — not a scored assessment — to review your program at a high level and recommend next steps.

Best for: Organizations exploring where to start

Tier 2: Basic Assessment (1–2 weeks)

A structured self-assessment questionnaire across all 18 domains, validated in a half-day workshop, scored at the domain level. No technical testing or deep AI model testing.

Best for: A fast, budget-conscious readiness pulse-check

Tier 3: Comprehensive Assessment (4–6 weeks)

The full methodology — document review, 30–50 interviews, technical validation, AI model risk testing, full regulatory gap mapping.

Best for: An audit- and regulator-ready baseline for board, investor, or tender scrutiny

The free session and Basic Assessment are accessible entry points — not a substitute for the full Comprehensive Assessment. If a Basic Assessment surfaces material risk, we'll tell you plainly and recommend moving to the full program.

What you get

A defensible, evidence-based answer.

  1. An independently validated cyber security and AI maturity score, benchmarked on a consistent 0–5 scale.
  2. A regulatory compliance gap analysis against NCA ECC-2, PDPL, and SDAIA AI guidance.
  3. A prioritized, resourced roadmap sequenced across 0–3, 3–12, and 12–24 month horizons.
  4. Board-ready reporting that translates technical risk into strategic decisions.
  5. A defensible, evidence-based answer to "are we cyber and AI ready?"

What we assess

18 domains. 5 phases. One integrated view.

Cybersecurity Readiness

10 domains
  1. Governance, Risk & Compliance
  2. Identity & Access Management
  3. Data Protection & Privacy
  4. Network & Infrastructure Security
  5. Cloud Security
  6. Application Security & Secure SDLC
  7. Security Operations & Incident Response
  8. Third-Party & Supply Chain Risk
  9. Business Continuity & Disaster Recovery
  10. Security Culture & Awareness

AI Readiness & Trustworthy AI

8 domains
  1. AI Strategy & Business Alignment
  2. AI Governance & Ethics
  3. Data Readiness for AI
  4. AI Risk Management
  5. AI & LLM Security
  6. MLOps & AI Infrastructure Maturity
  7. Regulatory & Compliance Readiness
  8. Talent, Culture & Change Readiness

How it works

A five-phase methodology.

  1. Mobilize (Week 1): Scoping workshop and evidence request.
  2. Diagnose (Weeks 2–3): Interviews, technical validation, document review.
  3. Benchmark (Weeks 3–4): Scoring against our maturity model and regulatory mapping.
  4. Design (Weeks 4–5): Prioritized, resourced roadmap.
  5. Deliver (Weeks 5–6): Executive presentation and full report.

Standards that matter

Built on the frameworks your regulators and auditors already recognize.

Saudi National Frameworks

NCA Essential Cybersecurity Controls (ECC-2), NCA Critical Systems Cybersecurity Controls (CSCC), NCA Cloud Cybersecurity Controls (CCC), NCA Data Cybersecurity Controls (DCC), SAMA Cyber Security Framework, PDPL & Implementing Regulations, SDAIA AI Ethics Principles & Generative AI Guidelines, National Strategy for Data & AI (NSDAI), CST cybersecurity regulations.

International Standards

ISO/IEC 27001, 27701, 22301, 42001, 23894, 38507 · NIST Cybersecurity Framework 2.0 · NIST AI Risk Management Framework · CIS Controls v8 · MITRE ATT&CK & ATLAS · OWASP Top 10 & Top 10 for LLM Applications · COBIT 2019 · CSA Cloud Controls Matrix · SOC 2.

Every finding and recommendation is traceable to a named standard or regulatory control — ready to use as audit evidence, board reporting, or regulator submission.

Ready to find out where you stand?

Book your free introductory session.

No cost. No obligation. 45–60 minutes with the Office of the CISO.