Skip to content
Aramco
Badge

Third Party Cybersecurity Compliance Certificate

The CCC Program is to ensure third party compliance with cybersecurity requirements.

The CCC Program was established to ensure all Aramco third parties are in compliance with the cybersecurity requirements as outlined in Aramco’s Third Party Cybersecurity Standard (SACS-002). All vendors are required to obtain the Cybersecurity Compliance Certification.

How to get certified

Complete the following steps in order to obtain your Aramco Cybersecurity Compliance Certificate (CCC):

STEP 1: Certification Requirements Preparation

  • 1.1. For the registration phase all vendors are required to obtain cybersecurity compliance certification CCC — General Requirements

  • 1.2. Initiate a request with the department/proponent in Aramco that your company has ongoing business with, to complete the Third Party Classification Template

  • 1.3. Fill out the Third Party Classification Confirmation Letter
    • 1.3.1. If CCC & CCC+ are both applicable based on your company classification, then only the CCC+ application will be required/accepted
    • 1.3.1.1. Implement all applicable cybersecurity controls specified in Third Party Cybersecurity Standard
    • 1.3.2. If the company falls under more than one classification, then all the cybersecurity controls under the relevant/applicable classifications are required

Identify the applicable certificate type and assessment requirements:

Company Classification Certificate Type Assessment Approach
  • General Requirements
  • Outsourced Infrastructure
  • Customized Software
  • Cloud Computing

Cybersecurity Compliance Certificate — CCC

A self-compliance assessment against Third Party Cybersecurity Standard, completed first by the company, and verified remotely by the Authorized Audit Firm.
  • Network Connectivity
  • Critical Data Processor

Cybersecurity Compliance Certificate Plus — CCC+

An on-site compliance assessment against Third Party Cybersecurity Standard, conducted by the Authorized Audit Firm.

STEP 2: Select an Authorized Audit Firm

  • 2.1 Go to the CCC portal where you can select an Audit Firm.

  • 2.2 Establish a contract with the Authorized Audit Firm (see list below) prior to assessment verification

STEP 3: Compliance Verification & Issuance

  • 3.1 CCC
  • 3.1.1. Conduct CCC Compliance Assessment
    • Fill out all of the fields in the Third Party Cybersecurity Compliance Report 
    • Ensure the answers are comprehensive, clearly described, and attach all the required supporting documents 
    • Ensure that all the evidence provided is readable and time stamped, and that proof of its relation to the Third Party is clearly pointed out/highlighted in the screenshots
  • 3.1.2 The Authorized Audit Firm will verify the documents and generate the Third Party Cybersecurity Compliance Report
  • 3.2 CCC+
  • 3.2.1 Submit the completed documents
    • Third Party Classification Template
    • Third-Party Classification Confirmation Letter to the Authorized Audit Firm, prior to the assessment verification
  • 3.2.2 Arrange with an Authorized Audit Firm to conduct the compliance on-site assessment
  • 3.2.3 The Authorized Audit Firm will conduct the on-site assessment and generate the Cybersecurity Compliance Report and issue the Certificate

STEP 4: Submit Issued CCC

  • 4.1. Submit the issued Certificate and Report from the Authorized Audit Firm to Aramco, through the e-Marketplace system

STEP 5: CCC Validity & Renewal

  • 5.1 CCC is valid for two years from the issuance date
  • 5.1.1. If the company is awarded a new contract that involves a cybersecurity classification type not covered in the current valid certificate, then a new certificate needs to be obtained and submitted
  • 5.1.2. Prior to the end of the two years, your company needs to submit a new CCC

Authorized audit firms

The authorized audit firms have been selected by Aramco to conduct the assessments and issue Cybersecurity Compliance Certificate (CCC) against the SACS-002 Third Party Cybersecurity Standard.  

  Company name Email Website

Moore

 Moore JFC Technologies W.L.L ccc@moorejfcgroup.com / ojanahi@moorejfcgroup.com / aisa@moorejfcgroup.com www.moorejfcgroup.com

Site

 Saudi Information Technology Company (Site) falbedah@site.sa www.site.sa/en

Baker Tilly 01 logo

 Baker Tilly infosec@bakertilly.sa www.bakertillyjfc.com
BDO 01 logo BDO/Dr. Mohamed Al-Amri & Co. cybersecurity@bdoalamri.com www.bdoalamri.com
Crowe 01 logo Crowe a.mosleh@crowe.sa / a.malazem@crowe.sa www.crowe.com
Cyberani 01 logo Cyberani Solutions cs@cyberanisolutions.com https://cyberani.sa
Deloitte 01 logo Deloitte & Touche Middle East Limited rfarooq@deloitte.com / othaglag@deloitte.com www.deloitte.com
defense 01 logo Defense Cybersecurity Company ccc@dcybersecurity.sa https://dcybersecurity.sa
GT 02 logo Grant Thornton umairtariq@ksa.gt.com /mazenmatar@ksa.gt.com www.grantthornton.sa
KPMG 01 logo KPMG safmcybersecurity@kpmg.com / fmcybersecurity@kpmg.com https://kpmg.com
RSM 01 logo RSM Saudi Arabia ssaleem@rsmsaudi.com / fali@rsmsaudi.com / ealzidan@rsmsaudi.com www.rsm.global
sirar 01 logo Sirar by STC AramcoTPA@sirar.com.sa www.sirar.com.sa
footer 01 logo Managed Services ccc@managed.sa www.managed.sa
Trusted 01 logo Trusted Partners ccc@trusted.sa https://trusted.sa
seven 01 logo Seven Technologies Fahad.m@sevtechs.com www.sevtechs.com
Cipher 01 logo Cipher ccc@cipher.com.sa
 https://cipher.com.sa

 

Downloads

SACS-002 Third Party Cybersecurity Standard

.pdf

486.3KB

Third Party Classification Confirmation Letter

.docx

194.5KB

Third Party Classification Template

.xlsx

14.3KB

Third Party Cybersecurity Compliance Report Template

.docx

385.5KB

Third Party Cybersecurity Controls Guideline (PDF 353KB)

.pdf

352.2KB

Third Party Manual

.pdf

206.3KB

Frequently asked questions

FAQ

Contact us

For Inquiries:

For Cybersecurity Incident Notifications:

  • Global Security Operations Center (Aramco): +966 13 880 0000

© 2026 Saudi Arabian Oil Co.

Aramco