SACS-210 — Third-Party Cybersecurity Standard Explained

SKYLINE Knowledge Base

A practitioner-grade walk-through of SACS-210, Saudi Aramco's Third-Party Cybersecurity Standard: scope, controls, implementation phases and audit-ready evidence, with sample policies and configs you can adapt for SACS-210 Aramco.

Overview

SACS-210 is the Third-Party Cybersecurity Standard published by Saudi Aramco that defines the minimum cybersecurity posture every supplier providing IT or OT goods and services must achieve before being allowed to connect to, supply, or service Saudi Aramco systems. The standard is a regulatory contract attachment — non-compliance is a commercial showstopper. It applies to both new vendor onboarding and ongoing periodic assessment.

Who this applies to

  • Any third party (IT, OT, professional services, hardware vendor, software provider, MSP, MSSP) supplying systems or services to Saudi Aramco that touch Aramco data, networks or industrial equipment.
  • Sub-contractors of in-scope suppliers — flow-down is mandatory.

The four scope segments

SACS-210 segments suppliers by the type of work they perform; the controls applicable scale with the segment:

| Segment | Description | Examples |
|---|---|---|
| Segment A — Critical | Direct OT/ICS supplier or critical software with deep system access | DCS/SCADA OEM, safety system vendor, EPC integrator |
| Segment B — Substantial | IT supplier or non-critical OT supplier handling Aramco confidential data | Custom software, cloud SaaS hosting Aramco data, ERP integrator |
| Segment C — Limited | IT supplier with limited data exposure | General office IT, training, professional services with no live systems |
| Segment D — Minimal | Supplier with no IT/OT footprint at Aramco | Catering, facilities |

Certification timeline

Once a supplier is identified as in-scope:

Month 0   : Scope determined by Aramco; SACS-210 onboarding pack issued
Month 1   : Supplier self-assessment workbook returned
Month 2-3 : Independent assessment by an Aramco-approved assessor (Segment A/B)
Month 4   : Remediation of findings
Month 5-6 : Re-assessment
Month 6+  : Approved supplier; renewal every 2 years or upon material change

Control families

SACS-210 organises requirements into eight families (numbers approximate; consult the latest revision):

  1. Cybersecurity Governance — policy, leadership, training, supply-chain cyber risk.
  2. Identity and Access Management — MFA, joiner-mover-leaver discipline, privileged access.
  3. Information Asset Management — inventory, classification.
  4. Operations Security — patching, change control, malware protection.
  5. Network Security — segmentation, firewall, remote access.
  6. Application Security — secure SDLC, vulnerability testing.
  7. Incident Management — detection, response, notification.
  8. Business Continuity — backups, recovery testing.

Segment A adds OT-specific requirements rooted in IEC 62443.

Step 1: Determine your segment honestly

Suppliers that minimise their segment often discover later that an Aramco audit re-segments them upward, and the work doubles. Map your actual touch points: Do you connect to OT? Do you hold Aramco confidential data? Do you hold remote-access credentials?

Step 2: Build the cyber programme to Segment B as a baseline

If you supply more than one customer in the KSA energy sector, build a programme that satisfies the toughest expected segment (B or A) from the start. The same evidence will serve multiple customers.

Step 3: Common evidence requirements

  • Cybersecurity policy approved by company leadership, version-controlled.
  • Annual security awareness training records.
  • Vulnerability management programme with patching SLA.
  • Independent penetration test within last 12 months.
  • Incident response plan with named roles and tabletop evidence.
  • Background-check policy for personnel with privileged access.
  • Hardened-build standards for laptops/workstations of personnel working on Aramco data.

Step 4: Sub-contractor flow-down

If you sub-contract, your sub-contractor inherits the same SACS-210 obligation. Maintain:

  • Contractual flow-down clause.
  • Sub-contractor cyber risk register.
  • Sub-contractor due-diligence pack.
  • Aramco-facing report listing sub-contractors and their status.

Step 5: Remote access discipline

Vendors with remote access to operator networks must:

  • Use the jumphost / bastion provided by Aramco.
  • Use MFA on every session; no shared accounts.
  • Obtain per-session approval (just-in-time access).
  • Accept session recording.
  • Have vendor laptop hygiene verified by an Aramco-side health check.

Step 6: Incident notification

Suppliers must notify Aramco within hours of a security incident — including incidents at the supplier's own infrastructure if Aramco data or systems may be affected. The contact channel and time targets are specified in the contract.

Step 7: Ongoing surveillance

Even after certification:

  • Annual self-attestation.
  • Biennial independent re-assessment.
  • Material-change notifications (M&A, key staff loss, breach).

Common gotchas

  • Treating SACS-210 as a one-off audit rather than a continuous compliance programme.
  • Self-segmenting as "C" when Aramco later re-segments you as "B".
  • A sub-contractor flow-down clause that exists on paper but is never operationalised.
  • Vendor laptops used for both Aramco and other customer work without segmentation.

Verification

  • SACS-210 assessment report current within 24 months.
  • Approved-supplier status letter from Aramco procurement.
  • Penetration-test report within 12 months.
  • Sub-contractor register with cyber status per entry.
  • Annual self-attestation submitted on time.
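As an added example, not part of the SKYLINE article or of any Aramco tooling, the check below applies the recency limits from this list to a supplier's own evidence register and reports missing, stale or future-dated items and sub-contractor entries without a cyber status. The EvidencePack fields and all sample dates are constructed for illustration.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Recency limits, in months, taken from the Verification checklist above.
MAX_AGE_MONTHS = {
    "assessment_report": 24,  # SACS-210 assessment report current within 24 months
    "penetration_test": 12,   # penetration-test report within 12 months
    "self_attestation": 12,   # annual self-attestation
}

@dataclass
class EvidencePack:
    """Constructed record of a supplier's evidence; None means never produced."""
    assessment_report: Optional[date]
    penetration_test: Optional[date]
    self_attestation: Optional[date]
    approval_letter: bool  # approved-supplier status letter from Aramco procurement on file
    subcontractors: Dict[str, Optional[str]] = field(default_factory=dict)  # name -> cyber status

def add_months(d: date, n: int) -> date:
    """Calendar-month addition, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def verify(pack: EvidencePack, today: date) -> List[str]:
    """Return audit findings; an empty list means every verification item is current."""
    findings = []
    for item, limit in MAX_AGE_MONTHS.items():
        produced = getattr(pack, item)
        if produced is None:
            findings.append(f"{item}: missing")
        elif produced > today:
            findings.append(f"{item}: dated in the future ({produced}), check the record")
        elif today > add_months(produced, limit):  # expiry day itself still counts as current
            findings.append(f"{item}: stale, expired {add_months(produced, limit)} (limit {limit} months)")
    if not pack.approval_letter:
        findings.append("approval_letter: no approved-supplier letter from Aramco procurement")
    for name, status in pack.subcontractors.items():
        if not status:
            findings.append(f"subcontractor {name}: no cyber status recorded in the register")
    return findings

if __name__ == "__main__":
    # Constructed sample: pentest just over a year old, one sub-contractor without a status.
    pack = EvidencePack(date(2024, 1, 31), date(2023, 5, 10), date(2024, 3, 1), True,
                        {"CableCo": "SACS-210 approved", "ValveServ": None})
    for finding in verify(pack, date(2024, 6, 15)):
        print(finding)
```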

Conclusion

SACS-210 is the price of entry to large energy contracts in KSA. Build the programme once to the highest probable segment, treat it as a continuous discipline, and you turn a procurement obstacle into a competitive moat.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
