An honest, technical comparison of the two mid-market BCM platforms most often shortlisted in KSA and GCC RFPs. Where each wins, where each loses, and what an information security committee should ask in a vendor evaluation.
The single most consequential difference between the two platforms. For a SAMA-regulated buyer this is the difference between a yes and a no.
Each customer gets a dedicated Postgres schema (tenant_<uuid>). Application code accesses tenants only via SET LOCAL search_path inside transactions. Cross-tenant access is impossible by construction, not by query filter. An information security committee can list the schemas to confirm isolation.
All customers share the same tables; isolation depends on a tenant_id column being added to every WHERE clause. A bug, a forgotten filter, or a mistuned query plan is the difference between two customers seeing each other's data. Defensive but fragile — and impossible to demonstrate to an auditor visually.
Why this matters. Saudi Central Bank (SAMA) regulated entities increasingly ask for evidence of data isolation. “A query filter we wrote correctly” is not the same artifact as “a Postgres schema list you can \dn”. For information security committees, the difference is structural.
ISO 22301:2019 §8.4.4 specifies eight required pieces of plan content. Where each piece lives — discrete column or buried in a description box — decides whether your auditor can diff plan versions in 5 seconds or 5 hours.
Score 0-10 per module across the dimensions that decide a SAMA deal — data model depth, UI maturity, audit-evidence shape. Higher is better.
LogicManager-class register; Castellan slightly behind
Configurable matrix + impact-over-time + dependencies
§8.4.4 native, §8.4.5 phase split, §8.5 activation log
Auto-coded action items, structured impacts, reopen support
Castellan ships native iOS/Android; BCMStack PWA on roadmap
MSEL injects, observations, AAR lifecycle, SAMA coverage rollup
Castellan has mature report builder; BCMStack ships PDF export
Castellan ships full policy library; BCMStack ships index + attestation
BCMStack integrates with your existing audit system; Castellan replaces it
Scores reflect the May 2026 platform state. Castellan figures inferred from public docs, customer reviews, and analyst reports — not a vendor-direct audit.
Where each platform is shipping today, where it’s on a roadmap, and where it’s absent. Updated when peer capabilities or pricing change.
| Architecture | ||
|---|---|---|
| Feature | BCMStack | Castellan |
| Schema-per-tenant data isolation | Yes | Row-level |
| Modern stack (Next.js 15 / RSC) | Yes | ASP.NET MVC |
| Per-tenant data residency (KSA region) | Roadmap | Limited |
| 5-role RBAC + dept scoping | Yes | 3 roles |
| Cross-module audit log | Yes | Yes |
| BCM modules | ||
| ISO 22301 §8.4.4 native fields | Yes | Free-text |
| §8.4.5 phased recovery (respond/recover/restore) | Yes | Flat list |
| §8.5 activation log as first-class | Yes | No |
| ISO 22398 MSEL injects + AAR lifecycle | Yes | Yes |
| SAMA coverage themes + rollup | Yes | No |
| BIA wizard + impact-over-time | Yes | Yes |
| Polymorphic risk targets | Yes | Limited |
| Platform & tooling | ||
| Public REST API | Roadmap | Limited |
| Webhook / event bus | Roadmap | Limited |
| Native iOS / Android crisis app | No | Yes |
| SSO / SAML / OIDC | Roadmap | Yes |
| MFA / TOTP / WebAuthn | Roadmap | Yes |
| SOC 2 Type 1 attestation | Roadmap | Yes |
| Transparent pricing | Yes | Hidden |
| Region | ||
| SAMA-native data model (committee, sama_submissions, drp_plans) | Yes | No |
| Arabic UI + RTL | Roadmap | No |
| Hijri-calendar support | Roadmap | No |
Castellan’s pricing is hidden. The figure below is inferred from published analyst reports, ITDM customer reviews, and direct buyer reports. Treat as directional. Final pricing depends on user count and add-ons.
Annual contract value, mid-market typical
Included
Extra (priced separately)
Annual contract value, mid-market typical
Included
Extra (priced separately)
Sources: vendor public material where available; G2 / Capterra customer reviews; Forrester / Gartner Magic Quadrant peer reports through 2025.
Castellan implementations are consulting-led — methodology workshops, data-model tuning, then the actual build. BCMStack ships pre-configured for SAMA-regulated organisations and is self-serve from day one.
BCMStack — what fits in 14 days
Castellan — typical phases
Customers with existing BCM practice typically reach the “first BIA approved” milestone faster on either platform. Customers building from scratch should expect the upper end of each range.
We won’t pretend BCMStack wins every case. Below is the buyer profile where each platform is genuinely the better fit.
Yes — BCMStack and Castellan target the same mid-market BCM buyer. BCMStack is built on a more modern stack, is native to ISO 22301 §8.4.4 fields rather than free-text, has transparent pricing, and targets KSA / GCC buyers specifically. Castellan has a longer customer-base history, a deeper consulting bench, and a native iOS / Android crisis-comms app that BCMStack doesn't yet ship.
BCMStack targets $30-60K annual contract value for a mid-market customer. Castellan typically lands at $80-120K based on analyst reports — though their pricing is hidden, so this varies. Roughly 50-60% cheaper on like-for-like deployments.
Yes. CSV import covers process and vendor inventory, BIA assessment data, and BCP metadata. We don't have a one-click Castellan-import wizard, but a typical migration of ~20 plans + ~50 processes takes 2-3 days of customer analyst time.
Not yet. The web app is fully responsive — every page works on a phone browser today — and a Progressive Web App with offline cache and push notifications is on the roadmap. Native iOS / Android apps are a Phase-3 item. If a phone-based crisis console is a hard requirement, Castellan is currently ahead.
Five reasons: schema-per-tenant data isolation that satisfies KSA residency conversations, native ISO 22301 §8.4.4 fields rather than free-text plans, §8.5 activation log as a first-class auditable feature, SAMA-mandated coverage rollup for the annual exercise programme, and transparent pricing in the $30-60K range vs Castellan's six-figure hidden price.
We’ll walk you through the platform, side-by-side with a screenshot tour of Castellan, and answer the questions your information security committee will ask.
Book a 20-minute demoCompared with another peer? See BCMStack vs Fusion, vs Origami Risk, or vs 6clicks.