Cybersecurity Risk Management Practices

Public Energy and Utilities Regulatory Commission

The Client

The client’s goal is to enhance the efficiency of the regulatory sector by addressing challenges and improving the quality of government regulatory e-services. As a key player in regulating critical infrastructure services, the organization focuses on complying with all Saudi government regulations and compliance controls as stipulated by the NCA ECC Cybersecurity Framework, supporting small and medium enterprises, promoting local content, increasing competitiveness, improving beneficiaries’ experience, measuring performance indicators, and standardizing procedures and integration between beneficiaries. As a regulatory body, their policies and procedures also require constant updating and review to ensure their risks are managed and reviewed continuously.

Oivan’s experts collaborated with the client to review, update, and modernize their Cybersecurity Risk Management practices.

The Project Aimed to

  • Review and update the organization’s Risk Management Framework in alignment with NCA and ISO 27005/31000.
  • Review and update the organization’s risk register template and document newly identified risks to ensure continuous tracking and reporting.
  • Conduct risk assessment and risk analysis for the organization’s social media, remote work, and cloud computing practices.
  • Develop procedures for following up on and monitoring the risk register, including risk escalation and treatment.

The project was scoped to be delivered in 4 weeks of actual work effort with the following deliverables:

  • Revised and updated Cybersecurity Risk Management Framework policy document.
  • Updated and customized Risk Register conforming to both NCA-ECC and ISO 27001/ISO 27005 requirements. This also included updated asset categories for Social Media, Remote Work, and Cloud Computing.
  • Cybersecurity Risk Register Management Process document.
  • 3x Risk Assessment and Analysis Questionnaires for the following areas:
  1. Change Control
  2. Technology Procurement
  3. Third Parties and Vendors

Throughout the project, the team of experts engaged with several members from various departments, such as Cybersecurity, IT, and internal Compliance. These interactions helped identify existing policies and procedures, as well as new risks that required analysis.

Several meetings and workshops were conducted to determine and correlate the various services and assets impacted by these risks, and to identify open legacy items to be transferred to the new Risk Register.

Feel free to check our Cybersecurity Services or contact Dr. Bilal Al Sabbagh, Head of Cybersecurity, at for more information.