
The CCC Program was established to ensure all Saudi Aramco third parties are in compliance with the cybersecurity requirements as outlined in Saudi Aramco’s Third Party Cybersecurity Standard (SACS-002). All vendors are required to obtain the Cybersecurity Compliance Certification.
How to get certified
Complete the following steps in order to obtain your Saudi Aramco Cybersecurity Compliance Certificate (CCC):
STEP 1: Certification Requirements Preparation
- 1.1. For the registration phase, all vendors are required to obtain the cybersecurity compliance certification CCC — General Requirements.
- 1.2. Initiate a request with the department/proponent in Saudi Aramco that your company has ongoing business with, to complete the Third-Party Classification Template
- 1.3. Fill out the Third-Party Classification Confirmation Letter
- 1.3.1. If CCC & CCC+ are both applicable based on your company classification, then only the CCC+ application will be required/accepted
- 1.3.1.1. Implement all applicable cybersecurity controls specified in Third Party Cybersecurity Standard
- 1.3.2. If the company falls under more than one classification, then all the cybersecurity controls under the relevant/applicable classifications are required
Identify the applicable certificate type and assessment requirements:
| Company Classification | Certificate Type | Assessment Approach |
|---|---|---|
| | Cybersecurity Compliance Certificate — CCC | A self-compliance assessment against Third Party Cybersecurity Standard, completed first by the company, and verified remotely by the Authorized Audit Firm. |
| | Cybersecurity Compliance Certificate Plus — CCC+ | An on-site compliance assessment against Third Party Cybersecurity Standard, conducted by the Authorized Audit Firm. |
STEP 2: Select an Authorized Audit Firm
- 2.1 Go to the CCC portal where you can select an Audit Firm. Please refer to the CCC Portal user guide for further instructions and guidance
- 2.2 Establish a contract with the Authorized Audit Firm (see list below) prior to assessment verification
STEP 3: Compliance Verification & Issuance
- 3.1 CCC
- 3.1.1. Conduct CCC Compliance Assessment
- Fill out all of the fields in the Third-Party Cybersecurity Compliance Report
- Ensure the answers are comprehensive, clearly described, and attach all the required supporting documents
- Ensure that all the evidence provided is readable and time stamped, and that proof of its relation to the Third Party is clearly pointed out/highlighted in the screenshots
- 3.1.2 The Authorized Audit Firm will verify the documents and generate the Third-Party Cybersecurity Compliance Report
- 3.2 CCC+
- 3.2.1 Submit the completed documents to the Authorized Audit Firm, prior to the assessment verification:
- Third Party Classification Template
- Third-Party Classification Confirmation Letter
- 3.2.2 Arrange with an Authorized Audit Firm to conduct the compliance on-site assessment
- 3.2.3 The Authorized Audit Firm will conduct the on-site assessment and generate the Cybersecurity Compliance Report and issue the Certificate
STEP 4: Submit issued CCC
- 4.1. Submit the issued Certificate and Report from the Authorized Audit Firm to Saudi Aramco, through the e-marketplace system
STEP 5: CCC Validity & Renewal
- 5.1 CCC is valid for two years from the issuance date
- 5.1.1. If the company is awarded a new contract that involves a cybersecurity classification type not covered in the current valid certificate, then a new certificate needs to be obtained and submitted
- 5.1.2. Prior to the end of the two years, your company needs to submit a new CCC
Authorized audit firms
Downloads
- SACS-002 Third Party Cybersecurity Standard (486.3KB)
- Third Party Classification Confirmation Letter (.docx, 194.5KB)
- Third Party Classification Template (.xlsx, 14.3KB)
- Third Party Manual (206.3KB)