site-logo
site-logo
site-logo
NIS2 Questionnaire

Regulatory Playbook

Saudi OTCC-1:2022 Compliance Checklist

Why Saudi OTCC-1:2022 Should Be on Every ICS Operator's Radar

If you operate industrial control systems anywhere within Saudi Arabia's critical national infrastructure, OTCC-1:2022 isn't a document you can skim once and shelve. Issued by the National Cybersecurity Authority as a formal extension of the Essential Cybersecurity Controls (ECC-1:2018), OTCC sets the mandatory cybersecurity baseline for every organization, government or private sector , that owns, operates, or hosts ICS environments such as DCS, SCADA, PLC-based systems, or Safety Instrumented Systems within Kingdom-based critical facilities.

The scale of the standard catches most compliance teams off guard. OTCC spans four cybersecurity domains, 23 subdomains, 47 main controls, and 122 sub-controls, with applicability scaled across three facility criticality tiers , L1 being the highest-risk, most heavily controlled category, down to L3. For a plant CISO or OT security manager facing that structure for the first time, the real question isn't "what does OTCC require", it's "where do we start, and how do we prove it when an assessor walks in."

That's precisely the gap this checklist closes. Shieldworkz has translated every OTCC subdomain into a working implementation and audit tool, grounded in how OT environments actually function , where safety and uptime take precedence over the confidentiality-first assumptions built into most generic IT cybersecurity frameworks.

Why This Checklist Matters

Most organizations don't fail OTCC compliance because they lack cybersecurity awareness, they fail because the standard sits at an altitude that's hard to operationalize. A control statement like "establish network security management" tells you what's expected, not what an assessor will ask for, what evidence holds up, or what your engineering team needs to change on the plant floor.

This checklist closes that distance. Each of the 23 subdomains, from Cybersecurity Governance and Asset Management through Vulnerability Management, Penetration Testing, Physical Security, and Third-Party Cybersecurity, is broken into ten layers of practical guidance: a plain-language control overview, a verifiable checklist, the exact evidence auditors expect, sequencing-aware implementation guidance, common deficiencies observed in real assessments, residual risks left after implementation, practitioner-style audit interview questions, a five-level maturity model, a priority rating, and a realistic effort estimate.

OTCC compliance in an OT environment isn't the same exercise as IT compliance. You can't push a patch or force an MFA policy across a live SCADA network without accounting for safety systems, legacy protocols, and process continuity. This checklist was built by people who understand that distinction, not as a restatement of the standard, but as an operational bridge between regulatory text and what happens on your control room floor.

Who This Checklist Is Built For

CISOs and program sponsors need a way to sequence investment and report progress upward without drowning the board in control-by-control detail. OT security managers and ICS engineers need something they can work through subdomain by subdomain, without translating regulatory language into engineering tasks themselves. Internal auditors need a structured interview and evidence framework instead of reinventing their assessment methodology from scratch. System integrators delivering OT/ICS projects into Saudi facilities need clarity on how Project Management, Change Management, System Protection, and Third-Party Cybersecurity requirements shape their contractual deliverables.

This checklist speaks to every one of those roles because it's structured around how compliance programs actually run, not around how a regulation reads on paper.

Key Takeaways from the Checklist

The four-pillar structure drives everything. OTCC organizes requirements around Governance, Defense, Resilience, and Third-Party Cybersecurity. Defense alone accounts for 13 of the 23 subdomains, asset management, identity and access management, network security, cryptography, backup, vulnerability management, penetration testing, logging and monitoring, incident management, and physical security, because that's where most technical control gaps concentrate in real OT environments.

Facility level determines your real control count. Depending on whether your facility is classified L1, L2, or L3 through the NCA's Facility Level Identification Tool, your obligation ranges from 56 controls at the lowest tier up to 151 at the highest. Getting this classification right before you scope your program prevents both under-compliance and wasted effort over-engineering controls you don't need yet.

Evidence discipline is where most programs stumble. Across nearly every subdomain, organizations frequently have the right policy on paper but can't produce the audit trail, change record, or walkthrough evidence to prove it's operating in practice. The checklist's evidence-required sections and templates are built specifically to close this gap before an assessor finds it first.

Maturity and priority ratings help you sequence, not just check boxes. Not every control carries equal urgency. The built-in maturity model and priority ratings let you build a phased implementation roadmap, starting with critical risk reduction in the first months and moving toward full program build-out, rather than a flat, all-at-once rollout that stalls under resource constraints.

This is a living reference, not a one-time PDF. Between the audit preparation guide, corrective action tracker, compliance scoring matrix, and implementation roadmap, the checklist is designed to stay open on your desk throughout the compliance lifecycle, not just in the weeks before an assessment.

Strengthen Your OT Security Posture Beyond the Checklist

A checklist gets your program structured. Sustaining OTCC compliance across live ICS environments , with real-time asset visibility, continuous vulnerability management, and threat detection tuned to industrial protocols, takes purpose-built OT security infrastructure behind it. Shieldworkz works with energy, oil & gas, manufacturing, power, and critical infrastructure operators across the region to turn OTCC requirements into operational reality, without disrupting the processes your business depends on.

Download the Free Saudi OTCC-1:2022 Compliance Checklist & Book a Free Expert Consultation

The full Saudi OTCC-1:2022 Compliance Checklist is available free from Shieldworkz. It includes complete coverage of all 23 subdomains, evidence collection templates, an audit preparation guide, a residual risk register, a corrective action tracker, a compliance scoring matrix, and a phased implementation roadmap , everything a CISO, OT security manager, auditor, or system integrator needs to move from regulatory text to a defensible, evidence-backed compliance program.

Fill in the form to download the full Saudi OTCC-1:2022 Compliance Checklist and book a free 30-minute consultation with one of our OT/ICS security experts.

Download your copy today!

Download our free Saudi OTCC-1:2022 Compliance Checklist to evaluate your OT/ICS environment against every critical control required for NCA OTCC compliance.