Critical Vendors · On-Site Audit · SACS-210
Quick Answer
CCC+ is the higher-assurance tier of Aramco's Cybersecurity Compliance Certificate program, required for third parties classified as Network Connectivity (a direct network link into Aramco systems) or Critical Data Processor (handling Aramco's most sensitive data). It is assessed against the same SACS-210 control baseline as standard CCC.
The difference is verification: standard CCC uses remote validation of a self-assessment; CCC+ requires a full on-site audit by an Authorized Audit Firm, with deeper evidence sampling and technical validation. Both tiers carry the same two-year validity period.
Not every Aramco vendor faces the same certification bar. A stationery supplier and a vendor with a live network connection into Aramco's systems present very different risk profiles — and Aramco's Cybersecurity Compliance Certificate program reflects that directly. For the highest-risk vendor classifications, standard CCC isn't sufficient. Those vendors are certified under CCC+, a tier built around a full on-site audit rather than remote validation.
This guide covers what distinguishes CCC+ from standard CCC, exactly which classifications trigger it, what an on-site audit actually involves, and how to prepare.
CCC+ is the higher-assurance tier of Aramco's Cybersecurity Compliance Certificate program. It applies to third parties whose relationship with Aramco carries elevated risk: a security incident at one of these vendors has the potential for direct operational, financial, or reputational exposure to Aramco itself — not just to the vendor. Because of that exposure, Aramco raises the assurance bar for how compliance is verified.
The logic behind CCC+ is straightforward once you separate "vendor risk" from "Aramco risk." Most third parties present risk that is largely contained to their own operations — a compromise affects the vendor, and at most, the specific deliverable or service they provide. Network Connectivity and Critical Data Processor vendors are structurally different: because they hold either a live pathway into Aramco's environment or a direct copy of Aramco's most sensitive data, a compromise at these vendors can propagate consequences directly to Aramco, independent of anything Aramco itself does. Remote validation of a self-assessment is proportionate assurance for contained risk; it is not proportionate assurance for a vendor that could become a pivot point into Aramco's own systems. The on-site audit exists to close that assurance gap with direct observation rather than self-reported evidence.
The control baseline does not change between tiers. CCC+ vendors are assessed against the same SACS-210 General Requirements and Specific Requirements as any other third party in their service category. What changes is how that compliance is verified:
In short: same controls, higher rigor. A vendor doesn't get an easier or harder control set under CCC+ — they get a more thorough, in-person verification of the same requirements. This distinction matters when planning internal resourcing: teams sometimes assume CCC+ means additional controls to implement, when in reality the engineering and policy work is the same. What differs is the amount of preparation needed to demonstrate that work convincingly to an auditor standing in your facility rather than reading a submitted document.
Two classifications trigger the CCC+ requirement:
If your organization falls into either category — even if you'd otherwise qualify for standard CCC based on the services you provide — the classification determines the tier, not the service category alone.
Classification isn't necessarily fixed at first assessment. If your relationship with Aramco changes — you're granted a new network connection to support a project, or your scope of work expands to include processing of more sensitive data categories — your classification should be reassessed, even mid-cycle on an existing certificate. Vendors sometimes assume classification is set once and forgotten; in practice it tracks the current scope of what you actually do for Aramco, and it's worth reviewing at each contract renewal or scope change rather than only at CCC expiry.
Auditors review documented evidence for each in-scope control on-site, rather than relying solely on submitted documentation, and probe for gaps between policy and practice.
Configurations, network diagrams, and technical safeguards are validated directly against systems rather than taken at face value from a self-assessment — including firewall rules, segmentation boundaries, and encryption implementation.
Control owners are interviewed directly to confirm that operational practice matches documented policy — a check that remote validation alone cannot replicate.
For Network Connectivity and Critical Data Processor vendors specifically, auditors review both physical facility access and logical access controls relevant to how the vendor connects to or handles Aramco's systems and data.
| Dimension | CCC | CCC+ |
|---|---|---|
| Classification trigger | General or ICT-service third party | Network Connectivity or Critical Data Processor |
| Audit method | Remote validation of self-assessment | Full on-site audit |
| Evidence depth | Document-based review | Document review + technical validation + interviews |
| Typical timeline | Shorter — scheduling-dependent, no site visit | Longer — site visit coordination adds lead time |
| Typical vendor type | General suppliers, outsourced non-connected services | Network-linked vendors, sensitive-data processors |
One nuance worth flagging: if your organization qualifies under multiple classifications — say, one line of business would only require standard CCC while another triggers Network Connectivity — the CCC+ requirement takes precedence. A single CCC+ certificate covers both.
Preparing for CCC+ is preparing for scrutiny that goes beyond paperwork:
GHS Perspective
The vendors who struggle with CCC+ on-site audits almost never fail on the controls themselves — they fail on the gap between what's documented and what the auditor observes in person. ComplyOS keeps control ownership, evidence freshness, and audit history in one place so your team can answer on-site questions with confidence rather than scrambling through shared drives.
Once the on-site portion concludes, the Authorized Audit Firm compiles its findings against each in-scope control and issues a report indicating whether the vendor meets the required SACS-210 controls at the depth expected for its classification. If findings identify gaps, vendors are typically given a defined remediation window to close them and provide follow-up evidence before certification is finalized — rather than restarting the full on-site process from scratch. This is why treating pre-audit preparation seriously matters: closing gaps before the audit firm arrives is faster and less disruptive than closing them under a remediation deadline afterward, particularly for technical findings that require configuration changes across production systems.
Like standard CCC, a CCC+ certificate is valid for two years from issuance, provided your classification does not change during that period. Given the added lead time an on-site audit requires, it's worth starting renewal planning well ahead of expiry rather than waiting until the certificate is close to lapsing — scheduling an Authorized Audit Firm for a site visit takes longer to arrange than a remote validation slot, and coordinating facility access, staff availability, and evidence refresh adds further lead time that a remote CCC renewal doesn't require.
CCC+ sits under the same SACS-210 Unified Standard as standard CCC — the underlying control families are identical. Because SACS-210's control philosophy overlaps significantly with the National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC), vendors with mature NCA ECC programs typically enter CCC+ preparation with much of their control evidence already in place. What CCC+ adds is the requirement to demonstrate that evidence stands up to in-person, on-site scrutiny — a materially higher bar than having the paperwork exist. GHS's compliance advisory services help Network Connectivity and Critical Data Processor vendors close that gap before the audit firm arrives, including a full pre-audit simulation of the on-site experience itself.
GHS runs a full pre-audit dry run against SACS-210 controls — evidence review, technical validation, and interview preparation — before your Authorized Audit Firm arrives on-site.