Third Party Cybersecurity Compliance Certificate Program

The CCC Program was established to ensure all Saudi Aramco third parties are in compliance with the cybersecurity requirements in the Third Party Cybersecurity Standard (SACS-002).


Chapter 1

How to get certified

Perform the following steps to obtain the Saudi Aramco Cybersecurity Compliance Certificate (CCC):

1. Certification Requirements Preparation

1.1. For companies that aim to conduct business and register with Saudi Aramco: the company must comply with all controls under the "A. General Requirements" section of the Third Party Cybersecurity Standard (SACS-002).
1.2. For companies that have an active procurement agreement with Saudi Aramco:
         1.2.1. Initiate a request to all proponent organizations within Saudi Aramco that your company has ongoing business with to fill in the Third Party Classification Template.
         1.2.2. Fill in the Third Party Classification Confirmation Letter.
         1.2.3. If the company falls under more than one classification, then all the cybersecurity controls under the determined classifications are required.
1.3. Identify applicable certificate type and assessment requirements:

Company Classification | Certificate Type | Assessment Approach

Company Classification:
  • General Requirements
  • Outsourced Infrastructure
  • Customized Software
Certificate Type: Cybersecurity Compliance Certificate (CCC)
Assessment Approach: A self-compliance assessment against SACS-002, completed by the company and verified remotely by the Authorized Audit Firm.

Company Classification:
  • Network Connectivity
  • Critical Data Processor
Certificate Type: Cybersecurity Compliance Certificate Plus (CCC+)
Assessment Approach: An on-site compliance assessment against SACS-002, conducted by the Authorized Audit Firm.


1.4. If both CCC and CCC+ are applicable based on your company classification, then only CCC+ will be accepted.
1.5. Implement all applicable cybersecurity controls specified in SACS-002.

2. Conduct Self-Compliance Assessment

2.1. For CCC+ certification, skip this step and move to step 3 (this section is applicable to CCC only).
2.2. Fill in all of the fields in the Third Party Cybersecurity Compliance Report.
2.3. Ensure the answers are comprehensive and clearly described, and attach supporting documents.
2.4. Ensure the evidence:
         - Is clear, readable, and time-stamped
         - Shows proof of its relation to the Third Party
         - Is clearly pointed out/highlighted in the screenshots

3. Select an Authorized Audit Firm

3.1. Select an Audit Firm from the Authorized Audit Firms list.
3.2. Establish a contract with the Authorized Audit Firm prior to assessment verification.

4. Compliance Verification & Issuance

4.1. CCC
         4.1.1. Submit the completed Third Party Cybersecurity Compliance Report, Third Party Classification Template, and Third Party Classification Confirmation Letter to the Authorized Audit Firm, prior to the assessment verification.
         4.1.2. The Authorized Audit Firm will verify the submitted documents and generate the Third Party Cybersecurity Compliance Report.
4.2. CCC+
         4.2.1. Submit the Third Party Classification Template and Third Party Classification Confirmation Letter to the Authorized Audit Firm, prior to the assessment verification.
         4.2.2. Arrange with the Authorized Audit Firm to conduct the on-site compliance assessment.
         4.2.3. The Authorized Audit Firm will conduct the on-site assessment and generate the Cybersecurity Compliance Report.
4.3. If the company is 100% compliant with all applicable SACS-002 requirements, the Authorized Audit Firm will issue the Third Party Cybersecurity Compliance Certificate.
4.4. If your company did not achieve 100% compliance, the Authorized Audit Firm will share the non-compliant controls that you need to implement in order to obtain a 100% compliance assessment result.
4.5. Implement the findings and submit the updated Third Party Cybersecurity Compliance Report to the Authorized Audit Firm for verification of the assessment.

5. Submit issued CCC

5.1. Submit the issued Third Party Cybersecurity Compliance Certificate and the Cybersecurity Compliance Report produced by the Authorized Audit Firm to Saudi Aramco through the e-marketplace system.

6. CCC Validity & Renewal

6.1. CCC is valid for two years from the issuance date.
6.2. If your company is awarded a new contract that involves a cybersecurity classification type not covered by the current valid certificate, then a new certificate needs to be obtained and submitted.
6.3. Before the two-year validity period ends, your company needs to submit a new CCC.
6.4. Note that there will be frequent updates between Saudi Aramco and the Authorized Audit Firms regarding the CCC.

Chapter 2

Authorized audit firms

The authorized audit firms have been selected by Saudi Aramco ISD to conduct the assessments and issue the Cybersecurity Compliance Certificate (CCC) against the SACS-002 Third Party Cybersecurity Standard.

  • Baker Tilly
  • BDO/Dr. Mohamed Al-Amri & Co.
  • Crowe
  • Deloitte & Touche Middle East Limited
  • Grant Thornton
  • KPMG
  • RSM Saudi Arabia
  • STC Solutions
  • Managed Services

Chapter 4

FAQ

What is the objective of the CCC program?
The Cybersecurity Compliance Certificate (CCC) program has been introduced to ensure that all third parties obtain a cybersecurity compliance certificate from an authorized audit firm, confirming their adherence to the cybersecurity requirements mandated in the Third Party Cybersecurity Standard (SACS-002), in order to conduct business with Saudi Aramco.

What is the difference between the CCC and the CCC+?
The CCC requires the third party to conduct a compliance self-assessment against the scoped controls detailed in SACS-002, and to have the compliance assessment package validated remotely by one of the authorized audit firms. The CCC+ requires one of the authorized audit firms to conduct an on-site assessment of the third party against the scoped controls detailed in SACS-002. The CCC+ is required for third parties classified as Network Connectivity or Critical Data Processor, whereas the CCC is required for the remaining third parties that do not fall under those classifications.

Which certificate type is applicable to my company?
This depends on the classification performed by your proponent (contract owner) at Saudi Aramco, in accordance with the Third Party Cybersecurity Standard (SACS-002). The classification identifies the certificate type required for your company.

How long is the cybersecurity compliance certificate valid?
It is valid for two years from the issuance date, provided that the classification of the third party has not changed during the two-year period.

Do I need to obtain a new CCC each time I bid for a new contract?
That depends on the nature of your engagement. If you fall under the same classification, you do not need to apply for a new certificate. Otherwise, you will need to approach the audit firm to conduct a cybersecurity compliance assessment against the controls related to the updated classification, which will cover the original category in addition to the new one.

Which audit firm should we choose?
Saudi Aramco has no preference regarding the choice of audit firm, as long as you work with one of the authorized audit firms listed on this website.

How do I submit the certificate once obtained from the audit firm?
You need to submit the Third Party Cybersecurity Compliance Certificate and the Cybersecurity Compliance Report to Saudi Aramco through the e-marketplace system.