Skip to content
aramco logo
hand, computer mouse

Third Party Cybersecurity Compliance Certificate

The CCC Program is to ensure third party compliance with cybersecurity requirements.

The CCC Program was established to ensure all Saudi Aramco third parties are in compliance with the cybersecurity requirements as outlined in Saudi Aramco’s Third Party Cybersecurity Standard (SACS-002).


How to get certified

Perform the following steps to obtain Saudi Aramco Cybersecurity Compliance Certificate (CCC):

1. Certification Requirements Preparation

1.1. For companies that aims to conduct business and register with Saudi Aramco: The company must comply with all controls under “A. General Requirements” section in Third Party Cybersecurity Standard (SACS-002).
1.2. For companies that have an active procurement agreement with Saudi Aramco:
         1.2.1. Initiate a request to all proponent organizations within Saudi Aramco that your company has ongoing business with to fill the Third Party Classification Template.
         1.2.2. Fill the Third Party Classification Confirmation Letter.
         1.2.3. If the company fall under more than one classification, then all the cybersecurity controls under the determined classifications are required.
1.3. Identify applicable certificate type and assessment requirements:

Company Classification Certificate Type Assessment Approach
  • General Requirements
  • Outsourced Infrastructure
  • Customized Software
  • Cloud Computing

Cybersecurity Compliance Certificate- CCC

A self-compliance assessment against SACS-002, completed by the company, and verified remotely by the Authorized Audit Firm.

  • Network Connectivity
  • Critical Data Processor

Cybersecurity Compliance Certificate Plus- CCC+

An on-site compliance assessment against SACS-002, conducted by the Authorized Audit Firm.

1.4. If CCC & CCC+ are both applicable based on your company classification, then only CCC+ will be accepted.
1.5. Implement all applicable cybersecurity controls specified in SACS-002.

2. Conduct Self-Compliance Assessment

2.1. For CCC+ certification, please skip this step and move to step # 3 (This section is applicable for CCC only)
2.2. Fill all of the fields in the Third Party Cybersecurity Compliance Report.
2.3. Ensure the answers are comprehensive, clearly described, and attach supporting documents.
2.4. Ensure evidences
         - Are clear, readable, and time stamped
         - Shows proof of its relation to the Third Party
         - Are clearly pointed out/highlighted in the screenshots

3. Select an Authorized Audit Firm

3.1. Select an Audit Firm from the Authorized Audit Firms list.
3.2. Establish a contract with the Authorized Audit Firm prior to assessment verification.

4. Compliance Verification & Issuance

4.1. CCC
         4.1.1. Submit the filled Third Party Cybersecurity Compliance Report, Third Party Classification Template, and Third Party Classification Confirmation Letter to the                    Authorized Audit Firm, prior to the assessment verification.
         4.1.2. The Authorized Audit Firm will verify the submitted documents and generate the Third Party Cybersecurity Compliance Report.
4.2. CCC+
         4.2.1. Submit the Third Party Classification Template and Third Party Classification Confirmation Letter to the Authorized Audit Firm, prior to the assessment verification.
         4.2.2. Arrange with an Authorized Audit Firm to conduct the compliance on-site-assessment.
         4.2.3. The Authorized Audit Firm will conduct the on-site assessment and generate the Cybersecurity Compliance Report.
4.3. If the company is 100% compliant against all applicable SACS-002 requirements, the Authorized Audit firm will issue the Third Party Cybersecurity Compliance Certificate.
4.4. In case your company didn’t obtain 100% compliance, the Authorized Audit Firm will share Non-Compliance Controls that you need to implement, to obtain the 100% compliance assessment result.
4.5. Implement the findings and submit the updated Third Party Cybersecurity Compliance Report to the Authorized Audit Firm, to verify the assessment.

5. Submit issued CCC

5.1. Submit the issued Third Party Cybersecurity Compliance Certificate and the Cybersecurity Compliance Report by the Authorized Audit Firm to Saudi Aramco, through the e-marketplace system.

6. CCC Validity & Renewal

6.1. CCC is valid for two years from the issuance date.
6.2. If your company is awarded a new contract that involves a cybersecurity classification type not covered in the current valid certificate, then a new certificate needs to be obtained and submitted.
6.3. Prior to the end of the two years, your company needs to submit a new CCC.
6.4. It is important to note that there will be frequent updates between Saudi Aramco and the Authorized Audit Firms on CCC.

Authorized audit firms

The authorized audit firms have been selected by Saudi Aramco ISD to conduct the assessments and issue Cybersecurity Compliance Certificate (CCC) against the SACS-002 Third Party Cybersecurity Standard

  • Baker Tilly
  • BDO/Dr. Mohamed Al-Amri & Co.
  • Crowe
  • Cyberani Solutions
  • Deloitte & Touche Middle East Limited
  • Defense Cybersecurity Company
  • Grant Thornton
  • KPMG
  • Managed Services
  • RSM Saudi Arabia
  • sirar by stc
  • Trusted Partners
  • Seven Technologies
  • Cipher

Cybersecurity Compliance Certificate (CCC) Audit Firms List (PDF, 362KB)

Downloads

Cybersecurity Compliance Certificate (CCC) Audit Firms List

.pdf

557.4KB

SACS-002 Third Party Cybersecurity Standard

.pdf

486.3KB

Third Party Classification Confirmation Letter

.docx

194.5KB

Third Party Classification Template

.xlsx

14.3KB

Third Party Cybersecurity Compliance Report Template

.docx

385.5KB

Third Party Cybersecurity Controls Guideline (PDF 353KB)

.pdf

352.2KB

Third Party Manual

.pdf

206.3KB

Frequently asked questions

FAQ