About the CST Standard
The CST (Communications, Space & Technology Commission) Cybersecurity and Data Governance Supplier Standard establishes mandatory cybersecurity requirements for suppliers and service providers in the Saudi telecommunications and technology sector. The standard aims to protect the national telecommunications infrastructure and ensure that all suppliers maintain robust cybersecurity practices.
Audit Methodology
The CST audit follows a structured dual-level review methodology:
Assessor Role
- Leads audit execution
- Evaluates submitted evidence
- Provides feedback per round
- Documents findings
Reviewer Role
- Independent quality assurance
- Validates accuracy and objectivity
- Ensures CST standard alignment
- Signs off on final report
Evidence Review Rounds
The CST audit includes up to 6 rounds of evidence review, providing suppliers multiple opportunities to achieve compliance:
- Rounds 1-2: Initial evidence submission and review. The assessor provides detailed feedback on gaps and required remediation.
- Rounds 3-4: Remediation evidence is submitted. The review focuses on previously identified gaps.
- Rounds 5-6: Final remediation window. If compliance is not achieved after 6 rounds, a Non-Compliance Report is issued.
- Extension (Round 7): A paid extension may be requested within 5 days of receiving final feedback from Round 6.
Outcomes
Compliance Achieved
A CST Supplier Cybersecurity Certificate is issued. The supplier submits the final report directly to CST. The certificate confirms compliance with CST's cybersecurity governance requirements.
Non-Compliance
A Non-Compliance Report is issued and shared with CST. CST may take further regulatory action as deemed appropriate. The supplier may need to restart the audit process.