We are living in a rapidly changing business environment where Information Security is quickly becoming one of the most essential aspects of any business. There are growing numbers of stakeholders like Saudi Aramco interested in how their valuable information is handled and protected by their suppliers.

What is SACS-002?

SACS-002, Third Party Cybersecurity Standard (TPCS) sets forth the minimum Cybersecurity requirements for Saudi Aramco Third Parties to protect Saudi Aramco from possible cyber threats and strengthen Third Parties’ security posture.

The goal of the Cybersecurity Compliance Certification (CCC) program is to ensure that all third parties obtain a cybersecurity compliance certificate from an authorized audit firm in order to conduct business with Saudi Aramco, confirm their adherence to the applicable requirements of the Third-Party Cybersecurity Standard (SACS-002), and maintain ongoing compliance.

SACS-002 combines aspects of different cybersecurity standards, such as NIST SP 800-53 (National Institute of Standards and Technology) and ISO/IEC 27001 (the international standard for best-practice information security management systems). To simplify third parties' implementation efforts, SACS-002 defines Third Party Controls (TPC) that unify the major categories of NIST 800-53 into a set of 23 General Requirements and a set of 92 Specific Requirements with which third parties must comply.

Do I need to obtain CCC / CCC+ Certificate for my organization?

If your organization aims to conduct business and register with Saudi Aramco OR has an active procurement agreement with Saudi Aramco, you must obtain Saudi Aramco Cybersecurity Compliance Certificate (CCC) or Cybersecurity Compliance Certificate Plus (CCC+) based on your company classification.

The types of Saudi Aramco suppliers that need to obtain the certificate include general vendors, outsourced infrastructure, customized software, network connectivity, critical data processors and cloud computing services.

What are the benefits of SACS-002 to my organization?

The risks involved in cyber security and data breaches of any kind are too great to ignore. There are many benefits to companies that ensure compliance with the Third-Party Cybersecurity Standard (SACS-002), including:

1. Competitive Advantage
A clear competitive advantage over other companies through compliance with Saudi Aramco requirements.

2. Customer Confidence
Greater confidence by Saudi Aramco in your products, services, and the information you share with them.

3. World-class Security
Robust security practices, improving client relationships and client retention.

4. Proactive Detection
A way to keep your organization secure by proactively detecting potential weak spots and stopping cyber-attacks and data breaches before they affect your business.

Wondering how we can help your organization?

Whether your organization:

  1. aims to conduct business and register with Saudi Aramco, or
  2. has an active procurement agreement with Saudi Aramco,

with our unmatched expertise and knowledge of information security standards, including SACS-002, ISO/IEC 27001 and COBIT 5, we can assist your organization in many ways and offer technical assistance and support throughout your journey, such as:

End to end project

Complete advisory and technical services from application submission till the issuance of Cybersecurity Compliance Certificate.

Technical Assistance

Supporting your team in analyzing, identifying, and applying all the controls required to meet the SACS-002 standard, or assisting your team in closing audit nonconformances raised by the audit firm in the Third-Party Cybersecurity Compliance Report.

Customized Training

We can provide customized training to educate your workforce about various threats and turn your team into a solid line of defense against cyber security threats to your organization.

GAP Assessment

An initial assessment against the requirements of SACS-002 to determine your readiness level.

Documentation Assistance

Supporting your team in preparing policies and procedures in accordance with the SACS-002 standard.

Annual Support

Customized Annual Support to ensure ongoing compliance, maintenance, and improvement of your SACS-002 cybersecurity controls.


We work with all Aramco authorized audit firms

Over 100 satisfied customers in the Kingdom

Your Next Step towards Aramco Cybersecurity Certification!

FAQs

SACS-002 consists of four major components:

1. Identify:
The identification component consists of four parts:

Asset Management – catalog and classify digital assets
Governance – establish cybersecurity policies, standards, and staffing
Risk Assessment – conduct penetration testing of IT infrastructure and websites
Risk Management Strategy – identify, assess, and remediate risks to data and information systems

2. Protect:
Protection consists of four parts:

Access Control – issue passwords and security badges, establish visitor management processes, and define other access to restricted systems and facilities
Data Security – describe how systems, data, documents, and applications are secured
Information Protection Processes and Procedures – include disaster recovery and business continuity plans
Protective Technology – describe how key systems and technologies should be protected, including the use of intrusion detection systems (IDS)

3. Detect:
Detection consists of two parts:

Anomalies and Events – describe how technology assets and systems are monitored for unauthorized access or activity
Continuous Monitoring – include physical security measures, account monitoring, vulnerability scans, and monitoring for the use of non-authorized devices

4. Respond:
Response consists of three parts:

Communications – include an incident management policy and plan
Analysis – describe the incident response capability and the tracking of all cybersecurity incidents
Mitigation – describe how vulnerabilities should be resolved or mitigated

There are two types of cybersecurity compliance certificates:

The Cybersecurity Compliance Certificate (CCC):
This is for suppliers classified as general vendors, outsourced infrastructure, and customized software.

They need to conduct a self-compliance assessment against SACS-002 and have the compliance assessment package validated remotely by one of the authorized audit firms.

The Cybersecurity Compliance Certificate Plus (CCC+):
This is for suppliers classified as network connectivity and critical data processors.

They need to hire one of the authorized firms to conduct an on-site compliance assessment against SACS-002.

Both certificates are valid for two years from the issuance date.

The certificate type your company needs depends on the classification assigned by your Saudi Aramco proponent (the contract owner) in accordance with the Third-Party Cybersecurity Standard (SACS-002). The classification identifies the certificate type required for your company.

If you have an active procurement agreement with Saudi Aramco, request that every proponent organization within Saudi Aramco with which your company has ongoing business fill in the Third-Party Classification Template, and then fill in the Third-Party Classification Confirmation Letter.

The classification information should reflect your company's current classification based on the feedback from the Saudi Aramco organization contract owner. Based on that classification you can identify the applicable certificate type and assessment requirements.

Company Classification | Certificate Type | Assessment Approach

Company Classification:
  • General Requirements
  • Outsourced Infrastructure
  • Customized Software
  • Cloud Computing
Certificate Type: Cybersecurity Compliance Certificate (CCC)
Assessment Approach: A self-compliance assessment against SACS-002, completed by the company and verified remotely by the Authorized Audit Firm.

Company Classification:
  • Network Connectivity
  • Critical Data Processor
Certificate Type: Cybersecurity Compliance Certificate Plus (CCC+)
Assessment Approach: An on-site compliance assessment against SACS-002, conducted by the Authorized Audit Firm.

Note that if your company falls under more than one classification, all the cybersecurity controls under each of the determined classifications are required.

If CCC & CCC+ are both applicable based on your company classification, then only CCC+ will be accepted.

The authorized audit firms have been selected by Saudi Aramco ISD to conduct the assessments and issue the Cybersecurity Compliance Certificate (CCC or CCC+) against the SACS-002 Third Party Cybersecurity Standard:

  • Baker Tilly
  • BDO/Dr. Mohamed Al-Amri & Co.
  • Crowe
  • Cyberani Solutions
  • Deloitte & Touche Middle East Limited
  • Defense Cybersecurity Company
  • Grant Thornton
  • KPMG
  • Managed Services
  • RSM Saudi Arabia
  • sirar by stc
  • Trusted Partners

The Third Party Cybersecurity Compliance Certificate and the Cybersecurity Compliance Report issued by the Authorized Audit Firm are submitted to Saudi Aramco through the e-marketplace system.

The CCC is valid for two years from the issuance date. Before the two years end, your company must obtain and submit a new CCC. If your company is awarded a new contract that involves a cybersecurity classification type not covered by the current valid certificate, a new certificate covering that classification must be obtained and submitted.

Whether a new engagement requires a new certificate depends on its nature. If it falls under the same classification as your current certificate, you do not need to apply for a new one. Otherwise, you will need to approach the audit firm to conduct a cybersecurity compliance assessment against the controls for the updated classification, covering the original category in addition to the new one.

Still have more questions? Contact Us