
The CCC Program was established to ensure all Aramco third parties are in compliance with the cybersecurity requirements as outlined in Aramco’s Third Party Cybersecurity Standard (SACS-002). All vendors are required to obtain the Cybersecurity Compliance Certification.
How to get certified
Complete the following steps in order to obtain your Aramco Cybersecurity Compliance Certificate (CCC):
STEP 1: Certification Requirements Preparation
- 1.1. For the registration phase all vendors are required to obtain cybersecurity compliance certification CCC — General Requirements
- 1.2. Initiate a request with the department/proponent in Aramco that your company has ongoing business with, to complete the Third Party Classification Template
- 1.3. Fill out the Third Party Classification Confirmation Letter
- 1.3.1. If CCC & CCC+ are both applicable based on your company classification, then only the CCC+ application will be required/accepted
- 1.3.1.1. Implement all applicable cybersecurity controls specified in Third Party Cybersecurity Standard
- 1.3.2. If the company falls under more than one classification, then all the cybersecurity controls under the relevant/applicable classifications are required
Identify the applicable certificate type and assessment requirements:
Company Classification | Certificate Type | Assessment Approach |
| Cybersecurity Compliance Certificate — CCC | A self-compliance assessment against Third Party Cybersecurity Standard, completed first by the company, and verified remotely by the Authorized Audit Firm. |
| Cybersecurity Compliance Certificate Plus — CCC+ | An on-site compliance assessment against Third Party Cybersecurity Standard, conducted by the Authorized Audit Firm. |
STEP 2: Select an Authorized Audit Firm
- 2.1 Go to the CCC portal where you can select an Audit Firm.
- 2.2 Establish a contract with the Authorized Audit Firm (see list below) prior to assessment verification
STEP 3: Compliance Verification & Issuance
- 3.1 CCC
- 3.1.1. Conduct CCC Compliance Assessment
- Fill out all of the fields in the Third Party Cybersecurity Compliance Report
- Ensure the answers are comprehensive, clearly described, and attach all the required supporting documents
- Ensure that all the evidence provided is readable and time stamped, and that proof of its relation to the Third Party is clearly pointed out/highlighted in the screenshots
- 3.1.2 The Authorized Audit Firm will verify the documents and generate the Third Party Cybersecurity Compliance Report
- 3.2 CCC+
- 3.2.1 Submit the completed documents to the Authorized Audit Firm, prior to the assessment verification:
  - Third Party Classification Template
  - Third Party Classification Confirmation Letter
- 3.2.2 Arrange with an Authorized Audit Firm to conduct the compliance on-site assessment
- 3.2.3 The Authorized Audit Firm will conduct the on-site assessment and generate the Cybersecurity Compliance Report and issue the Certificate
STEP 4: Submit Issued CCC
- 4.1. Submit the issued Certificate and Report from the Authorized Audit Firm to Aramco, through the e-marketplace system
STEP 5: CCC Validity & Renewal
- 5.1 CCC is valid for two years from the issuance date
- 5.1.1. If the company is awarded a new contract that involves a cybersecurity classification type not covered in the current valid certificate, then a new certificate needs to be obtained and submitted
- 5.1.2. Prior to the end of the two years, your company needs to submit a new CCC
Authorized audit firms
The authorized audit firms have been selected by Aramco to conduct the assessments and issue the Cybersecurity Compliance Certificate (CCC) against the SACS-002 Third Party Cybersecurity Standard.
To find the detailed list of the authorized firms, please click here.
Company name | Email | Website |
Baker Tilly | ccc@bakertillyjfc.com | www.bakertillyjfc.com |
BDO/Dr. Mohamed Al-Amri & Co. | cybersecurity@bdoalamri.com | www.bdoalamri.com |
Crowe | a.mosleh@crowe.sa / a.malazem@crowe.sa | www.crowe.com |
Cyberani Solutions | cs@cyberanisolutions.com | https://cyberani.sa |
Deloitte & Touche Middle East Limited | rfarooq@deloitte.com / othaglag@deloitte.com | www.deloitte.com |
Defense Cybersecurity Company | ccc@dcybersecurity.sa | https://dcybersecurity.sa |
Grant Thornton | umairtariq@ksa.gt.com / mazenmatar@ksa.gt.com | www.grantthornton.sa |
KPMG | safmcybersecurity@kpmg.com / fmcybersecurity@kpmg.com | https://kpmg.com |
RSM Saudi Arabia | ssaleem@rsmsaudi.com / fali@rsmsaudi.com / ealzidan@rsmsaudi.com | www.rsm.global |
Sirar by STC | AramcoTPA@sirar.com.sa | www.sirar.com.sa |
Managed Services | ccc@managed.sa | www.managed.sa |
Trusted Partners | ccc@trusted.sa | https://trusted.sa |
Seven Technologies | Fahad.m@sevtechs.com | www.sevtechs.com |
Cipher | ccc@cipher.com.sa | https://cipher.com.sa |
Downloads
- SACS-002 Third Party Cybersecurity Standard (486.3KB)
- Third Party Classification Confirmation Letter (.docx, 194.5KB)
- Third Party Classification Template (.xlsx, 14.3KB)
- Third Party Manual (206.3KB)