SACS-210 Gap Analysis — 5-Day Self-Assessment Workbook

SKYLINE Knowledge Base

A practitioner-grade walk-through of SACS-210 Gap Analysis — 5-Day Self-Assessment Workbook. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for SACS-210 Aramco.

Overview

A SACS-210 gap analysis is the workbook you complete before the formal independent assessment, so that you find and close gaps on your own terms. Suppliers who run a structured 5-day internal exercise typically pass the independent assessment first time; those who skip it typically end up with 30-40% of controls scored as partial findings. This guide is the workbook: a day-by-day breakdown, an evidence collection schedule, the scoring rubric, and the remediation playbook.

Who this applies to

  • Suppliers being onboarded or re-assessed against SACS-210.
  • Internal Audit teams running pre-assessment dry-runs.
  • MSPs and integrators offering SACS-210 readiness as a service.

Day 1 — Scope and team

Goal: agree the scope and assemble the assessment team.

  • Identify the SACS-210 segment (A/B/C/D) you expect.
  • Build the assessment team:
    • Lead assessor (independent of operations, often Internal Audit or external advisor).
    • Control owners (per family).
    • Evidence librarian.
    • Project manager.
  • Confirm the scoring rubric: Met / Partially Met / Not Met / Not Applicable.
  • Allocate scoring colour codes for the workbook: green / amber / red / grey.

SACS-210 GAP — Day 1 Output
================================
Segment claim       : B (Substantial)
Assessment team     : 5 named
Scoring rubric      : 4-level (M / PM / NM / N/A)
Workbook template   : v2.3
Evidence library    : /share/sacs210-2026/
Kick-off attended by: CTO, CISO, Procurement Lead

Day 2 — Governance + IAM

Goal: assess the first 2 of the 8 control families.

For each control:

  1. Read the requirement aloud.
  2. Pull the policy or document evidence.
  3. Pull operational evidence (logs, reports).
  4. Score.
  5. If less than Met, log the gap and assign a remediation owner with a target date.

Control: 1-3 Cyber security awareness training
Evidence pulled:
  - awareness_training_plan_2026.pdf
  - LMS completion report Q1 2026
Score: Met (95% completion)
Gap : 5% non-completers — flagged to HR for follow-up

Day 3 — Asset, Operations, Network

Goal: assess control families 3-5.

Common gap patterns at this stage:

  • Asset inventory exists but stale > 60 days — Partially Met.
  • Patching SLA defined but no monthly dashboard — Partially Met.
  • Network diagram exists but no segmentation visible — Not Met.
  • Remote access via VPN but no MFA — Not Met (critical).

Day 4 — Application Security, Incident Management, BCM

Goal: assess control families 6-8.

Control: 6-2 Secure software development
Evidence pulled:
  - SDLC policy v2.1
  - SAST tool scan reports for last 3 releases
  - Pen test report 2026-02
Score: Partially Met
Gap : Threat modelling step skipped on last 2 releases — owner: VP Eng, by 2026-06-15

Day 5 — Remediation planning + management report

Goal: write the remediation plan and brief executive sponsor.

  • Aggregate all gaps into a remediation register.
  • Sort by severity (Not Met critical first).
  • Assign:
    • Owner.
    • Target date.
    • Effort (S/M/L).
    • Dependency.
  • Estimate total remediation effort in person-weeks and external spend.
  • Brief the CEO / executive sponsor with: the number of controls Met / PM / NM / N/A, the remediation cost, the expected timeline, and the risk if Aramco engages the assessor on Day 90.

SACS-210 GAP REPORT — Final Day 5
================================
Met            : 47
Partially Met  : 21
Not Met        : 9
Not Applicable : 12
-----------------
Total assessed : 89

Critical gaps  : 4 (must close before independent assessor)
High           : 7
Medium         : 12
Low            : 7

Remediation effort: ~14 person-weeks + SAR 280k external
Earliest re-readiness: Day 60

Scoring rubric details

  • Met (M) — Control is fully documented, operating consistently, and evidence is available.
  • Partially Met (PM) — Documented or operating but not both, or operating with gaps.
  • Not Met (NM) — Neither documented nor operating, or fundamentally broken.
  • Not Applicable (N/A) — Demonstrated as out of scope; assessor must sign off this designation.

Remediation playbook

For each gap, follow the Plan-Implement-Evidence-Test cycle:

  1. Plan — define what success looks like and who owns it.
  2. Implement — make the change.
  3. Evidence — produce the artefact the assessor will see.
  4. Test — run a sample of the control in operation to prove it sticks.

A Not Met gap closing in two weeks but with no Test step will still fail in the independent assessment.

Common gotchas

  • Scoring everything Met to avoid embarrassment — exposed instantly during independent assessment.
  • Remediation that adds policy but no operational change — auditors see through this.
  • Critical Not Met items not closed before the assessor visits — leads to a fail.
  • One person owning all 89 controls — burnout and inconsistency.

Verification — readiness checklist

  • All Met controls have current evidence in the library.
  • All PM/NM controls have an owner and a target date.
  • Critical Not Met items closed and re-tested.
  • Independent advisor reviewed the workbook before assessor's visit.
  • Executive sponsor signed off on the remediation plan.
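To make the Day 5 aggregation and the readiness checklist mechanical, here is an added Python example (not the workbook's or SKYLINE's own tooling) that tallies rubric scores, orders the remediation register critical-first and flags the checklist failures. The Control class, its field names and every control reference other than 1-3 and 6-2 are assumptions, and all sample rows are constructed.

```python
# Added example: Day 5 aggregation plus the readiness checklist over a gap-analysis workbook.
from collections import Counter
from dataclasses import dataclass, field

SCORES = ("M", "PM", "NM", "N/A")           # Met / Partially Met / Not Met / Not Applicable
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Control:
    ref: str                  # workbook control reference, e.g. "6-2"
    title: str
    score: str                # one of SCORES
    evidence: list = field(default_factory=list)
    severity: str = ""        # only meaningful for PM / NM gaps
    owner: str = ""
    target_date: str = ""     # ISO date
    effort: str = ""          # S / M / L
    closed_and_retested: bool = False

def tally(controls):
    """Day 5 headline figures: number of controls per rubric score."""
    counts = Counter(c.score for c in controls)
    return {s: counts.get(s, 0) for s in SCORES}

def remediation_register(controls):
    """Gaps (PM / NM) ordered critical-first, Not Met before Partially Met within a severity."""
    gaps = [c for c in controls if c.score in ("PM", "NM")]
    return sorted(gaps, key=lambda c: (SEVERITY_ORDER.get(c.severity, 99), c.score != "NM", c.ref))

def readiness_findings(controls):
    """Readiness checklist as code: a list of failures; an empty list means ready."""
    findings = []
    for c in controls:
        if c.score == "M" and not c.evidence:
            findings.append(f"{c.ref}: scored Met but no current evidence in the library")
        if c.score in ("PM", "NM") and not (c.owner and c.target_date):
            findings.append(f"{c.ref}: gap has no owner and target date")
        if c.score == "NM" and c.severity == "critical" and not c.closed_and_retested:
            findings.append(f"{c.ref}: critical Not Met not closed and re-tested")
    return findings

# Constructed sample rows (not real assessment results; refs other than 1-3 and 6-2 are made up).
SAMPLE = [
    Control("1-3", "Awareness training", "M", ["awareness_training_plan_2026.pdf", "LMS Q1 2026"]),
    Control("6-2", "Secure development", "PM", ["SDLC policy v2.1"], "high", "VP Eng", "2026-06-15", "M"),
    Control("4-5", "Remote access MFA", "NM", [], "critical", "Network Lead", "2026-05-01", "L"),
    Control("2-1", "Access reviews", "M", []),                  # Met with no evidence
    Control("8-1", "BCM plan", "PM", ["bcp_v1.pdf"], "medium"),  # gap with no owner or date
    Control("7-4", "Forensics retainer", "N/A", ["scope_memo.pdf"]),
]
```

Run `readiness_findings(SAMPLE)` on your own exported workbook rows; an empty list is the condition to meet before the assessor's visit.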

Conclusion

A 5-day gap exercise is the cheapest insurance you can buy against a failed SACS-210 assessment. Follow the workbook, score honestly, remediate quickly, and you turn the assessor visit into a formality.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
