If you are running a BCM programme inside a Saudi-licensed financial institution, you are effectively running two compliance regimes at once: the SAMA BCM Framework and (sooner or later) ISO 22301:2019. The good news is that they overlap heavily. The pragmatic path is to run a single BCMS to ISO 22301 standard and layer the SAMA-specific evidence on top — not to maintain two parallel programmes.
This article walks through the overlap, the SAMA-specific additions, and the practical implementation sequence we have seen work inside KSA banks, insurers and fintechs.
Why ISO 22301 first
Three reasons to anchor the programme on ISO 22301 rather than treating SAMA as the starting point:
- ISO 22301 is the management-system framework. It defines the structure — policy, scope, BIA, plans, exercises, review, improvement — that any credible BCM programme needs. SAMA assumes that structure exists; it adds requirements on top.
- ISO 22301 is certifiable. A SAMA-aligned programme can only evidence its competence through examination outcomes and self-assertion; an ISO 22301 certificate is independent third-party evidence that the BCMS works.
- Customer and counterparty expectations. International banking counterparties, large enterprise customers and reinsurers increasingly ask for ISO 22301 status in security questionnaires. SAMA compliance, valuable as it is, does not appear on those questionnaires.
In our experience, a programme built ISO-22301-first already covers roughly 80-90 percent of what a SAMA examination looks for. The remainder is the KSA-specific evidence layer described below.
The overlap map
Where ISO 22301 and SAMA align:
- BIA methodology — both require a defensible, repeatable BIA process driving recovery objectives. ISO 22301 §8.2.2 (business impact analysis) and the SAMA BIA pillar map cleanly.
- BCP content — ISO 22301 §8.4.4 fields satisfy SAMA's plan-content expectations. Activation criteria, RACI, recovery procedures, RTO, RPO — same fields, same scrutiny. See our §8.4.4 article for the detail.
- Exercise programme — ISO 22301 §8.5 and SAMA's exercise expectations are essentially identical. Annual calendar, mixed exercise types, AARs with improvement actions.
- Management review — ISO 22301 §9.3 and SAMA's continual-improvement pillar overlap heavily. The §9.3 review template doubles as a SAMA review template.
- Improvement-action loop — both expect a tracked register with owners, due dates and closure evidence.
If you do those five things to ISO 22301 quality, the SAMA examination starts from a much stronger position.
Where SAMA adds beyond ISO 22301
The KSA-specific layer that ISO 22301 does not cover:
Banking-sector committee composition. ISO 22301 expects "top management" ownership. SAMA expects specific roles on the BCM committee (CRO, CISO, Head of Operations, Head of Treasury, etc.) with documented attendance and decision records. See the committee charter article for the working template.
Periodic SAMA submissions. Quarterly or annual returns covering BCM posture, exercise calendar status and real-world activations. No ISO 22301 equivalent.
KSA data residency. For cardholder data and certain customer records, recovery infrastructure must remain inside KSA. Verify this for the whole recovery path (DR site, backup copies, replication targets), not just the primary environment; an out-of-region backup or DR target is the usual way residency is broken without anyone noticing. ISO 22301 is location-neutral.
Arabic-language documentation. Where applicable to internal stakeholders and regulators, key BCM documents are expected in Arabic alongside English.
Sector-specific scenario coverage. SAMA examiners explicitly probe cyber, third-party concentration, regional power, regional comms and payment-rail dependency scenarios. ISO 22301 leaves scenario selection to the institution's discretion.
The implementation sequence
For a SAMA-licensed institution starting from a low baseline, the sequence we have seen work:
Months 1-2: Governance and scope. Charter the BCM committee with SAMA-grade composition. Approve the BCM policy and BCMS scope statement. Define the impact matrix.
Months 2-4: BIA cycle. Run BIA workshops for every critical service. Capture impact ratings, dependencies, RTOs and RPOs in structured form. This is where most calendar time lives. The BIA pillar guide covers the methodology.
Months 4-7: Strategy and plans. For each critical service, decide the continuity strategy (§8.3) and author the BCP to §8.4.4 quality. Version-control everything.
Months 7-9: Exercise programme. Build the annual exercise calendar covering every critical plan. Run tabletops for the top three. Capture AARs and improvement actions.
Months 9-10: Management review. First formal review cycle. Capture inputs, decisions, outputs. Refresh the improvement-action register.
Months 10-12: Internal audit + SAMA dialogue. Internal audit covering governance, BIA, BCP, exercises, review. Address findings. Engage SAMA on submission cadence and any sector-specific expectations.
After month 12, the cadence shifts to steady-state operation: quarterly committee meetings, annual BIA refresh, annual exercise calendar, annual internal audit, annual management review. ISO 22301 certification (Stage 1 and Stage 2 audits) can be pursued in parallel with steady-state operation, typically targeting months 14 to 18.
The artefacts SAMA cares about specifically
Beyond the ISO 22301 artefact set, the SAMA-specific evidence layer includes:
- BCM committee charter with banking-sector composition
- Committee meeting minutes with explicit decisions and decision-rationale
- SAMA submission pack — a bundled set of policy, scope, BIA summary, BCP register, exercise calendar, AAR summary, improvement-action register, management-review minutes and real-world activations
- KSA-residency evidence for cardholder data and protected records
- Arabic-language versions of key BCM documents (where applicable)
- Sector-specific scenario coverage — exercises explicitly addressing cyber, third-party concentration, payment-rail dependencies
A platform that supports the SAMA layer alongside the ISO 22301 layer reduces the duplicated effort substantially. The BCMStack KSA solutions page walks through the SAMA-mapped surface in detail.
Common implementation traps
Three patterns we see repeatedly:
Trap 1: Building SAMA-only. The programme satisfies SAMA's immediate requirements but is not ISO 22301-shaped. When the institution later pursues certification (or a major customer demands it), large parts of the programme need rework.
Trap 2: Building ISO-only. The programme is ISO 22301-shaped but ignores the SAMA-specific evidence layer. The first SAMA examination surfaces gaps around committee composition, KSA residency or sector-scenario coverage.
Trap 3: Treating SAMA and ISO as separate programmes. Two policies, two committees, two artefact sets, doubled effort, inevitable drift. Don't do this.
The integrated approach — single BCMS, ISO-shaped, with the SAMA layer bolted on — is the path that scales.
Where to start
If you are at the very start of an ISO 22301 + SAMA implementation:
- Read the ISO 22301 implementation pillar and the SAMA BCM Framework pillar.
- Run a gap analysis against both standards simultaneously. Most controls overlap; document the deltas explicitly.
- Build the programme to the union of both. Treat ISO 22301 as the structural backbone, SAMA as the regional layer.
- Get one critical service to full quality across both layers before scaling. The first one teaches you everything you need to know.
The full regulatory context is in the SAMA BCM Framework pillar. The platform surface that supports both layers in one dataset is in the BCMStack KSA solutions page.