If you supply Saudi Aramco — or want to — someone has told you that you need "the CCC." Perhaps a procurement officer mentioned it in passing. Perhaps your registration stalled. Perhaps a consultant called and offered to sell you a gap assessment against a standard you have never read.
This guide is the article we wanted to exist when clients in Dammam, Khobar and Jubail started asking us that question. It is written against the primary source: Aramco's own SACS-002 Third Party Cybersecurity Standard, downloaded from Aramco's supplier resources pages, plus Aramco's own CCC Third Party Manual. Where the public record is clear, we say so and cite it. Where it is genuinely murky — and on one important point in 2026, it is — we say that too, rather than inventing a confident answer.
One disclosure up front, because it changes how you should read everything below: Skyline is not an Aramco Authorized Audit Firm. No consultancy can issue you a CCC. Only the firms on Aramco's published list can. Anybody who tells you otherwise is selling you something that does not exist. What a firm like ours does is get you audit-ready. What follows is most of that knowledge, given away.
The 60-second answer
- SACS-002 is the standard — Aramco's Third Party Cybersecurity Standard, which sets the minimum cybersecurity requirements for every third party that does business with Aramco under a contractual agreement.
- CCC (Cybersecurity Compliance Certificate) is the certificate proving you meet it. CCC+ is the tougher, on-site version.
- The certificate is issued by an Aramco-authorized audit firm, not by Aramco and not by your consultant.
- It is valid for two years, and you must renew it.
- The current published issue of SACS-002 is dated February 2022 and contains 92 controls, numbered TPC-1 to TPC-92 — 23 that apply to everybody and 69 more that apply according to how Aramco classifies you.
- There is no partial pass. Aramco's own manual is explicit: the audit firm issues the certificate if you are 100% compliant against all applicable requirements.
That last point is the one that ambushes people, so it is worth repeating. This is not a maturity score. You do not get a B+. You are compliant against every applicable control, or you are not certified.
Get the vocabulary right first
Half the confusion in this market is people using four words interchangeably when they mean four different things. Fix this before you spend a riyal.
| Term | What it actually is |
|---|---|
| SACS-002 | The standard document itself — Aramco's Third Party Cybersecurity Standard. Written by Aramco's Information Security Department. This is the thing you comply with. |
| CCC | Cybersecurity Compliance Certificate. The certificate you obtain by proving compliance with SACS-002. Assessment is a self-assessment, verified remotely by an authorized audit firm. |
| CCC+ | Same certificate family, harder route: an on-site assessment conducted by the authorized audit firm. Required for the higher-risk classifications. |
| CCC Portal | Aramco's platform for requesting the certificate and dealing with audit firms. Per Aramco's FAQ, it is "the only way to request a CCC certificate." |
| NCA CCC | A completely unrelated thing. The Saudi National Cybersecurity Authority also uses the initials "CCC" for its Cloud Cybersecurity Controls. Different regulator, different document, different obligations. Do not let a proposal blur them — see our NCA Cloud Cybersecurity Controls guide. |
| SACS-210 | A successor standard widely discussed in 2026. Read the honest verification section below before you act on anything you have been told about it. |
Which issue are you actually being audited against?
Here is something no other guide seems to mention, and it matters more than any single control.
SACS-002 has been revised. The first issue is dated May 2020. The issue Aramco currently publishes is dated February 2022. They are meaningfully different documents — different control counts, different numbering, and in one case a deadline that changed by a factor of nearly five.
A great deal of the SACS-002 material circulating online — including material published by firms selling compliance services — is quietly describing the retired 2020 issue. If you see "86 controls," "24 general controls," "62 specific controls," or "critical vulnerabilities must be patched within 3 days," you are reading about the old issue.
What actually changed:
| May 2020 issue | February 2022 issue (current) | |
|---|---|---|
| Control range | TPC-1 – TPC-86 (86) | TPC-1 – TPC-92 (92) |
| General Requirements (everyone) | 24 controls | 23 controls |
| Specific Requirements (by class) | 62 controls | 69 controls |
| Supplier classifications | 4 | 5 — adds Cloud Computing Service |
| Critical-risk vulnerability fix | within 3 calendar days | within 14 calendar days |
| High-risk vulnerability fix | within 7 calendar days | within 1 month |
| Medium / low-risk fix | 1 month / 3 months | Medium and low: within 3 months |
| Anti-virus full system scan | weekly | every two weeks |
| Cloud-specific controls | none | pen-testing of cloud services, MFA to the cloud provider, session encryption, key management, WAF and DDoS protection for cloud services |
| Secure development lifecycle | not an explicit control | explicit control (TPC-74) |
| Off-boarding | remove all access | remove all access and return of assets |
| "Disable remember passwords in browsers" | explicit control | removed |
| Permanent photo-ID badges for staff | explicit control | removed |
Read that vulnerability row again. Under the current standard you have fourteen days for a critical-risk vulnerability, not three. Firms are still writing three-day patching SLAs into their policies — and then failing to meet a promise the standard no longer asks them to make.
What to do: before you write a single policy, confirm with your Aramco proponent or your chosen audit firm, in writing, the standard and issue date your assessment will be conducted against. Download the standard from Aramco directly rather than trusting a PDF a vendor emailed you.
The five classifications — and why you do not choose your own
SACS-002 applies to all third parties with a contractual agreement with Aramco. On top of that baseline, additional requirements attach according to which of five classes describe you. In the current issue, they are:
- Network Connectivity — your computing infrastructure is given connectivity into Aramco's corporate network to reach intranet services, via leased lines or VPN (SSL VPN over private links, or site-to-site VPN over the internet).
- Outsourced Infrastructure — you manage, maintain or support computing infrastructure on Aramco's behalf.
- Critical Data Processor — you develop, access or process Aramco Critical Data (data whose loss or leak would cause high adverse impact: reputational, financial, operational, loss of proprietary information or competitive advantage).
- Customized Software — you develop or host a customised software, application, website or solution for Aramco.
- Cloud Computing Service — you provide a public cloud service that hosts, stores or processes Aramco data. Explicitly covers SaaS, PaaS and IaaS.
Two things people get wrong here.
You can be in more than one class. The standard says so plainly, and then the controls stack. A systems integrator who has a VPN into Aramco and writes custom software and holds critical data carries all three sets.
You do not self-declare your class. The classification is confirmed through Aramco's own process: you request the Third Party Classification Template from the Aramco department (the "proponent") you actually do business with, and complete a Third Party Classification Confirmation Letter. Suppliers who quietly minimise their own classification to reduce work tend to be re-classified upward later — after they have built the wrong programme.
You will also see blog posts and proposals describing SACS-002 in terms of "Segment A/B/C/D," or "eight control families," or an IEC 62443 mapping. Aramco's published standard uses none of that language. If a proposal describes your obligations in vocabulary that does not appear in the standard, ask the author which document they are reading.
CCC or CCC+? Aramco's own table
| Your classification | Certificate | How it is assessed |
|---|---|---|
| General Requirements (registration) · Outsourced Infrastructure · Customized Software · Cloud Computing | CCC | You complete a self-compliance assessment against SACS-002; an Authorized Audit Firm verifies it remotely. |
| Network Connectivity · Critical Data Processor | CCC+ | An Authorized Audit Firm conducts an on-site compliance assessment. |
Three rules that follow from this, straight from Aramco:
- If both CCC and CCC+ apply to you, only the CCC+ will be accepted. You cannot take the easier route.
- A company merely registering to do business with Aramco needs, at minimum, the CCC covering the General Requirements.
- If you are later awarded a contract involving a classification your current certificate does not cover, you need a new certificate — the two-year clock does not protect you.
What the 23 General Requirements actually demand
These apply to every third party, full stop. They are organised against the NIST Cybersecurity Framework — which is the only reference SACS-002 cites. If you have already done NCA ECC work, you will recognise the shape; see our NCA ECC full compliance guide and the crosswalk to NIST CSF and ISO 27001.
| NIST function | Category | Controls | In plain language |
|---|---|---|---|
| IDENTIFY | Governance | TPC-1 | A written, communicated Cybersecurity Acceptable Use Policy. |
| PROTECT | Access Control | TPC-2 – TPC-6 | Password rules (8+ chars, 12-password history, 90-day max age, lockout at 10 failures, 15-minute screen lock); no written-down or clear-text passwords; MFA on all remote access; MFA on all cloud services including cloud email; tell Aramco when a person with Aramco credentials leaves or moves. |
| PROTECT | Awareness & Training | TPC-7 – TPC-9 | Annual mandatory security training covering internet/social-media safety, acceptable use, phishing and social engineering, credential sharing and data security; a stated ban on using personal email for Aramco data; a stated ban on disclosing Aramco policies or data. |
| PROTECT | Data Security | TPC-10 – TPC-17 | Everything password-protected; OS/app patching; anti-virus updated daily with a full scan every two weeks; SPF on your mail server; SPF enforced for the aramco.com and aramco.com.sa domains; an SPF record published in DNS; anti-spam inspection of inbound internet mail; a private email domain — Gmail and Hotmail are prohibited. |
| PROTECT | Info Protection Processes | TPC-18 – TPC-19 | Formal off-boarding including return of assets and removal of access; media sanitisation aligned to NIST SP 800-88 at end of the data lifecycle, including backup copies — plus a signed letter to Aramco certifying the sanitisation was completed. |
| PROTECT | Protective Technology | TPC-20 – TPC-22 | Obtain the CCC from an authorized audit firm per your classification and submit it via the Aramco e-Marketplace; renew every two years; host firewalls enabled on endpoints. |
| RESPOND | Communications | TPC-23 | On discovering a cybersecurity incident, notify Aramco within 24 hours and follow the incident-response instructions in Appendix A. |
Notice how much of that baseline is email. Four of the twenty-three general controls (TPC-13, TPC-14, TPC-15, TPC-17) are about mail-server hygiene and owning a real domain, and a fifth (TPC-5) puts MFA on your cloud mailbox. A meaningful number of Eastern Province SMEs fail their first CCC assessment not on firewalls but because the company still runs on a free webmail address, or because nobody ever published an SPF record.
The 69 Specific Requirements — the shape of them
These stack on top, according to your class. The standard presents them as a matrix: every control is a row, and the five classifications are columns, with a mark showing which classes it applies to. You must read down your own column — and this is precisely why the classification letter matters so much.
We are deliberately not reproducing all 69 rows here; the standard is Aramco's copyright and Aramco publishes it. What is useful is the map, so you know what is coming:
| NIST function | Category | Controls | Representative demands |
|---|---|---|---|
| IDENTIFY | Asset Management · Governance · Risk Assessment · Risk Management | TPC-24 – TPC-31 | Information classification policy; documented cybersecurity policies and standards; a named employee whose primary job is cybersecurity; annual external penetration testing of infrastructure and internet-facing apps; annual pen test of cloud services used by Aramco; annual pen test of any Aramco website you host; data-centre certified by a recognised authority; a recurring cyber risk-assessment process. |
| PROTECT | Access Control | TPC-32 – TPC-49 | Unique logins, no generic accounts (unless explicitly approved); semiannual user access reviews; privileged accounts limited and justified; no remote admin access from the internet unless approved; MFA on privileged accounts; logical or physical segregation of Aramco data-at-rest from other customers' data; network segmentation; DMZ for internet-facing servers; WPA2/WPA2-Enterprise for wireless; data-centre tier rating and HA failover as determined by Aramco; MFA for users reaching the cloud provider and its content-management services; locked comms rooms and racks; visitor management and escorting; a dedicated access-restricted work area for staff touching the Aramco network. |
| PROTECT | Data Security | TPC-50 – TPC-62 | Backup media physically secured; licensed and vendor-supported internet-facing systems; encryption in transit (SSH/FTPS/HTTPS/TLS/IPSEC); encrypted, authenticated, timing-out sessions to public cloud; AES-256 at rest for sensitive data; encryption key management defined and reviewed; device control (e.g. blocking USB storage); content filtering; encrypted Critical Data documents; remote wipe on mobiles handling Critical Data; input validation; error messages that leak nothing; no plain-text passwords anywhere. |
| PROTECT | Info Protection Processes | TPC-63 – TPC-74 | Hardening baselines (default credentials reset, unneeded software/services disabled, local admin removed); regular backups; off-site backups encrypted with AES-256; NIST 800-88 sanitisation before assets are transferred or disposed; a Disaster Recovery plan; a Business Continuity plan covering nine named scenarios from equipment failure to environmental disaster; BC owners named and the plan reviewed annually; BC drills at least annually; on-boarding with background checks; source-code and security scanning of developed applications with all findings closed before production; change control through a test environment; a secure SDLC. |
| PROTECT | Protective Technology | TPC-75 – TPC-79 | Retain audit logs for one (1) year; perimeter firewalls allowing only required services; IDS or IPS at the perimeter; up-to-date firewall/IDS/IPS signatures; a WAF for any Aramco website, application or cloud-based web app you host. |
| DETECT | Anomalies & Events · Continuous Monitoring | TPC-80 – TPC-87 | Monitoring for unauthorised access and activity; central aggregation and correlation of logs from firewalls, IDS/IPS and anti-virus (in practice: a SIEM — see our SOC build-out guide); physical security with card access and cameras; privileged-account activity logged and monitored; personal devices barred from Aramco data; monthly vulnerability scans; physical access reviewed regularly; auditable events logged per Appendix C. |
| RESPOND | Communications · Analysis · Mitigation | TPC-88 – TPC-92 | A documented incident management policy and plan; a real incident-response capability (preparation, detection, containment, eradication, recovery, evidence preservation, lessons learned); every incident tracked and classified; vulnerability remediation within the mandated timeframes; DDoS protection for any Aramco website or cloud service you provide. |
The SACS-002 compliance calendar
Strip out the prose and SACS-002 is, operationally, a set of clocks. Miss a clock and you are non-compliant regardless of how good your firewall is. This is the table we pin on the wall:
| Clock | Requirement | Control |
|---|---|---|
| 24 hours | Notify Aramco after discovering a cybersecurity incident — then keep reporting every 24 hours until it is resolved | TPC-23 + Appendix A/B |
| 14 calendar days | Remediate critical-risk vulnerabilities (from vendor patch release, Aramco notification, or discovery of a breach — whichever is earliest) | TPC-91 |
| 1 month | Remediate high-risk vulnerabilities | TPC-91 |
| 3 months | Remediate medium and low-risk vulnerabilities | TPC-91 |
| Daily / every 2 weeks | Anti-virus signature updates / full system scan | TPC-12 |
| Monthly | Vulnerability scans across configuration, patches and services | TPC-85 |
| Every 90 days | Maximum password age | TPC-2 |
| Semiannually | Review user access to OS, applications and databases | TPC-33 |
| Annually | External penetration test; security awareness training; BC plan review; BC drill | TPC-27/28/29, TPC-7, TPC-69, TPC-70 |
| 1 year | Minimum audit-log retention for systems touching Aramco data | TPC-75 |
| 2 years | Renew the CCC | TPC-21 |
How certification actually runs
Condensed from Aramco's CCC Third Party Manual and its current programme page:
- Prepare. Registration-stage vendors comply with the General Requirements. Contracted vendors get the Third Party Classification Template filled in by every Aramco proponent they work with, and complete the Classification Confirmation Letter. Implement every applicable control.
- Self-assess (CCC route only). Complete the Third Party Cybersecurity Compliance Report in full. CCC+ candidates skip this and go to the on-site assessment.
- Select an Authorized Audit Firm from Aramco's published list, via the CCC Portal, and contract with them.
- Verification and issuance. For CCC, the firm verifies your package remotely. For CCC+, the firm comes on site. If you are 100% compliant, the certificate is issued. If not, the firm returns the non-compliant controls; you remediate and resubmit.
- Submit. Send the issued certificate and the compliance report to Aramco through the e-Marketplace system.
- Renew before two years elapse — and get a new certificate immediately if a new contract puts you into a classification your current one does not cover.
On evidence, Aramco is unusually specific, and it is where self-assessments die. Your answers must be comprehensive and clearly described; your evidence must be readable, time-stamped, demonstrably related to your company, and the relevant part must be highlighted or pointed out in the screenshot. An untimed, uncaptioned screenshot of a settings page is not evidence. Build the pack as you implement, not the week before.
Who can certify you
Aramco publishes the list of Authorized Audit Firms, and it changes — older guides that say "eight firms" are out of date; when we last checked Aramco's programme page (May 2026 capture) it listed fourteen, including Baker Tilly, BDO, Crowe, Cyberani, Deloitte, Defense Cybersecurity Company, Grant Thornton, KPMG, RSM, Sirar by stc, Managed Services, Trusted Partners, Seven Technologies and Cipher. Always take the current list from Aramco's CCC programme page rather than from a blog — including this one.
Is SACS-210 real? What we can and cannot verify
This is the question Eastern Province suppliers are being telephoned about in 2026, so let us be precise about what is established and what is not.
What multiple Saudi consultancies are publishing: that a successor standard, SACS-210, was issued around February 2026; that it carries a larger baseline of around 33 general controls; that it leans harder on OT security and ransomware resilience; that existing SACS-002 certificates remain valid until their normal expiry; and that a transition or grace period runs to about 26 August 2026.
What we were able to verify independently: none of the above from an Aramco-published document. We checked the standard Aramco itself distributes — it is SACS-002, issue date February 2022 — and we checked Aramco's public CCC programme page. In the most recent version of that page we could obtain, it referred to SACS-002 exclusively, described the CCC and CCC+ as assessments "against SACS-002," and offered the SACS-002 PDF as the download. We found no Aramco-published SACS-210 document, no Aramco announcement of it, and no Aramco page naming it. The consultancy articles asserting the August 2026 deadline do not cite an Aramco source either.
How to hold both facts at once. This does not prove SACS-210 is fiction. There is an entirely plausible explanation: SACS-002 is marked confidential to third parties, and the standard itself states that revisions are communicated to third parties directly, annually or when a significant requirement changes. A new issue could therefore be pushed to registered suppliers through the CCC Portal and e-Marketplace well before — or instead of — a public web update. Aramco has revised this standard before (2020 → 2022) without fanfare.
So do this, and do not do that.
- Do ask your Aramco proponent, or an Authorized Audit Firm, to confirm in writing which standard and which issue date your next assessment will be run against. They are the authority; a blog is not, and neither are we.
- Do log in to the CCC Portal and read what Aramco has actually sent you.
- Do not buy a "SACS-210 gap assessment" priced off a blog post you cannot trace to an Aramco document.
- Do build the controls anyway. Almost everything in the SACS-002 baseline — MFA, patching discipline, logging, backups, incident response, a real email domain — is in every successor standard, every NCA framework, and every serious customer's vendor questionnaire. That work is never wasted, whichever number is on the cover page.
We will update this article when Aramco publishes something we can point at. If you have received an official Aramco communication about SACS-210, we would genuinely like to see it.
What SACS-002 is not
- It is not ISO 27001. An ISO certificate does not get you a CCC, though the management-system work overlaps heavily and makes the evidence pack far easier.
- It is not an NCA framework. SACS-002 is a customer's contractual requirement; the NCA's controls are national regulation. Both can apply. If you serve Aramco and operate critical systems, you are likely also in scope for NCA CSCC, and if you touch ICS/SCADA, for NCA OTCC. Build one control set and map it to both — do not run two programmes.
- It is not a one-off project. It is a two-year certificate wrapped around a set of monthly, semiannual and annual obligations. Firms that treat it as a document exercise fail the renewal.
Where Eastern Province suppliers actually fail
From what we see in Dammam, Khobar, Dhahran and Jubail, the failures are boringly consistent, and rarely exotic:
- The company operates from a free email domain, or a domain with no SPF record — an instant fail against TPC-13 through TPC-17, and the cheapest control on the entire list to fix.
- No MFA on remote access or on the cloud mailbox (TPC-4, TPC-5) — the second cheapest.
- Logs kept for 30 days, because that is the appliance default. The standard says one year (TPC-75).
- A firewall is presented as satisfying the IDS/IPS requirement (TPC-77). It is not the same control.
- Backups exist but are not encrypted off-site (TPC-65), and nobody has ever run a BC drill (TPC-70).
- No named cybersecurity owner (TPC-26) — "the IT guy also does security" does not survive an on-site assessment.
- Evidence is assembled in a panic: undated screenshots, no highlighting, no traceability to the company.
- The sub-contractor question is ignored until the auditor asks it.
None of that requires a large budget. It requires someone to own it.
Frequently asked questions
Is the SACS-002 standard public? Aramco publishes the PDF on its supplier resources pages, even though the document itself is marked confidential to third parties. Download it from Aramco directly so you know you have the current issue.
How much does a CCC cost? Aramco does not set the price — you contract directly with an Authorized Audit Firm, and fees vary with your classification, scope and number of sites. CCC+ costs more than CCC because it involves an on-site assessment. Get more than one quote from the published list.
How long does it take? The assessment is not the long part; the remediation is. For a supplier starting from a standing start, the pacing item is usually the annual external penetration test and the evidence pack, not the audit firm's calendar.
Can I get a CCC before I have an Aramco contract? Yes — and you generally need to. Vendors at the registration stage are expected to hold a CCC covering the General Requirements.
Do I need a CCC+ or a CCC? CCC+ if Aramco classifies you as Network Connectivity or Critical Data Processor. CCC otherwise. If both apply, only CCC+ is accepted.
What if I fail some controls? There is no partial credit. The audit firm reports the non-compliant controls, you fix them and resubmit. The certificate is issued at 100% compliance against your applicable controls.
My certificate is valid but I just won a different kind of contract. Am I covered? Probably not. If the new contract brings a classification your current certificate does not cover, Aramco requires a new certificate — regardless of the time left on the old one.
Does a CCC cover my sub-contractors? Your certificate covers your company. If sub-contractors touch Aramco data or systems under your contract, the obligations flow down to them, and you should expect to have to demonstrate that.
Is SACS-210 replacing SACS-002? Possibly — but we could not verify it against any Aramco-published document, and Aramco's own CCC pages still pointed to SACS-002 (February 2022) when we checked. Ask your Aramco proponent or an Authorized Audit Firm to confirm the standard and issue date in writing before you spend money on it.
Where to go next
If you take one thing from this article, take this: confirm your issue date, confirm your classification, then build the evidence pack as you implement. Everything else is detail.
Two practical offers, and then we will get out of the way.
The email controls (TPC-13 to TPC-17, and TPC-5) are the fastest points on the board, and they are also the ones that quietly disqualify small suppliers: a real company domain instead of free webmail, SPF published in DNS, inbound anti-spam, and MFA on the mailbox. If that is where you are stuck, Skyline Cloud gives you business email and hosting on your own domain with Saudi data residency, SPF/DKIM/DMARC and multi-factor sign-in — you can start a free 14-day trial with no credit card and have that control family closed this week.
For the rest of it — classification, gap assessment against the correct issue of the standard, evidence packs, penetration testing, logging and SIEM, incident-response runbooks, and readiness for an on-site CCC+ — that is what our Aramco third-party cybersecurity practice does, from Dammam, for suppliers across the Eastern Province. We will tell you honestly which controls you already meet. And we will say it again, because it matters: only an Authorized Audit Firm can issue your certificate. Our job is to make sure that when they look, they find nothing to write up.
Sources
- Aramco — Third Party Cybersecurity Compliance Certificate (CCC) programme (classifications, CCC vs CCC+, process steps, audit-firm list, FAQ)
- Aramco — SACS-002 Third Party Cybersecurity Standard (PDF; issue date February 2022 — all control numbers, scope classes and timeframes in this article are taken from this document, cross-checked against the superseded May 2020 issue)
- Aramco — CCC Third Party Manual (PDF; certification steps, the 100%-compliance rule, evidence expectations, validity and renewal)
- NIST — Cybersecurity Framework (the sole reference cited by SACS-002) and SP 800-88 Guidelines for Media Sanitization (referenced by the sanitisation controls)
Last verified against Aramco's published materials in July 2026. Standards change; the download on aramco.com is always the authority, not this page.

Comments
0 total · 0 threads