Aramco Vendors · Third-Party Cybersecurity · SACS-210
Quick Answer
The Aramco Cybersecurity Compliance Certificate (CCC) confirms that a Saudi Aramco vendor, supplier, or third-party partner meets the cybersecurity requirements defined in Aramco's Third Party Cybersecurity Standard — originally issued as SACS-002 in May 2020, and since consolidated into the newer SACS-210 Unified Standard. Controls split into General Requirements (3 clauses, 7 sub-clauses, 24 controls) applying to all third parties, and Specific Requirements (4 clauses, 13 sub-clauses, 62 controls) applying to ICT-service third parties.
Certification runs through a self-assessment, validated by one of Aramco's Authorized Audit Firms, and the resulting certificate is valid for two years provided your classification doesn't change. Vendors with network connectivity into Aramco or handling critical data sit under the higher-assurance CCC+ tier, covered in our companion guide.
If your organization supplies goods, services, or technology to Saudi Aramco — or connects in any way to Aramco's network or data — cybersecurity compliance is not optional paperwork. It is a condition of doing business. The Cybersecurity Compliance Certificate (CCC) program exists to give Aramco assurance that every third party in its supply chain meets a defined security baseline, and for most vendors, holding a current CCC is now a gating requirement for contract award and renewal.
This guide walks through what CCC actually certifies, how the SACS-210 Unified Standard relates to the original SACS-002, the two-tier control structure vendors are assessed against, the certification process end to end, and practical steps to prepare.
The CCC is Aramco's mechanism for verifying that third parties — vendors, suppliers, contractors, and outsourced service providers — comply with the cybersecurity requirements defined in Aramco's Third Party Cybersecurity Standard. It applies broadly: any organization that stores, processes, or transmits Aramco data, or connects to Aramco's network in any capacity, falls within scope.
The certificate is not a formality. It reflects an independent validation, carried out by an Authorized Audit Firm, that your organization has implemented the required controls and can produce evidence for them. Aramco procurement and vendor-management teams increasingly treat a current, valid CCC as a precondition for onboarding and contract renewal — not a nice-to-have.
SACS-002 was Aramco's original Third Party Cybersecurity Standard, issued in May 2020. It established the baseline control set that CCC certification has been assessed against since the program began.
SACS-210 is the Unified Standard Aramco has since introduced to consolidate and strengthen those requirements. Rather than tearing up the underlying control philosophy, SACS-210 tightens and aligns cybersecurity expectations across vendors, suppliers, and third-party partners — reflecting how cloud adoption, remote connectivity, and supply-chain risk have evolved since 2020. For most vendors, the practical effect is the same control families assessed with sharper definitions and stronger evidentiary expectations. If your program already maps to SACS-002, treat SACS-210 as the standard to reconcile against going forward, not as an unrelated new requirement layered on top.
Any third party in Aramco's supply chain that touches Aramco data or systems needs to hold a valid certificate at the tier appropriate to its classification:
Your classification is determined by the nature of the products or services you provide to Aramco, and it directly drives both the scope of controls you are assessed against and the depth of audit you will undergo.
SACS-210 structures its control baseline into two tiers. Knowing which one — or both — applies to you is the first step in scoping a certification effort correctly.
| Dimension | General Requirements | Specific Requirements |
|---|---|---|
| Applies to | All third parties, without exception | Third parties providing ICT-oriented services |
| Main clauses | 3 | 4 |
| Sub-clauses | 7 | 13 |
| Individual controls | 24 | 62 |
ICT-service vendors are assessed against both tiers combined — the General Requirements plus the Specific Requirements — which is why ICT-oriented certification scopes are materially larger than a standard general-vendor assessment.
The third party assesses its own environment against the controls scoped to its classification — General Requirements alone, or General plus Specific Requirements for ICT-service providers — and assembles supporting evidence for each control.
The completed self-assessment package is validated by one of Aramco's Authorized Audit Firms. For standard CCC, this validation is performed remotely. For the CCC+ tier — required for Network Connectivity and Critical Data Processor classifications — validation requires an on-site audit instead.
Once the audit firm confirms compliance, the CCC is issued. The certificate is valid for two years from issuance, subject to the vendor's classification remaining unchanged throughout that period.
An Aramco CCC certificate is valid for two years from the date of issuance — provided the third party's classification does not change during that window. If your classification changes mid-cycle (for example, you begin providing ICT services where you previously did not, or you're granted network connectivity into Aramco systems), recertification against the new scope is required regardless of how much validity remains on your existing certificate. Treat classification changes as a trigger event, not just the two-year expiry date.
Aramco's SACS-210 control requirements and the National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC) share substantial overlap, because both are grounded in the same Saudi cybersecurity best-practice principles: identity and access management, network security, asset management, and data protection. Organizations that have already built an NCA ECC compliance program typically find a significant portion of their existing evidence and controls transfers directly into a CCC assessment, reducing duplicate effort considerably.
That overlap is not automatic, though — it requires a deliberate mapping exercise. NCA ECC is organized around domains like governance, defense, resilience, and third-party cybersecurity, while SACS-210 organizes controls around General and Specific Requirements scoped to your third-party classification. The control intent is often the same (for example, both require MFA on privileged accounts and logging of security events), but the evidence format, naming conventions, and audit expectations differ enough that vendors who simply hand over their NCA ECC evidence package unmodified often find gaps during CCC validation. Treat the overlap as a head start, not a shortcut.
GHS Perspective
We consistently see vendors treat CCC as a one-off audit event rather than an ongoing control program — and that's where certificates lapse or renewals stall. The vendors who stay ahead of Aramco's requirements build continuous evidence collection into their operations from day one. ComplyOS helps vendors track control ownership and evidence freshness across SACS-210, NCA ECC, and other overlapping frameworks in a single place, so renewal is a formality rather than a scramble.
A lapsed or failed CCC changes your standing as an eligible Aramco vendor — it is a procurement and eligibility outcome, not a legal proceeding. In practice this means exclusion from new contract awards, risk to existing contract renewals, and removal from approved-vendor lists until certification is restored. For vendors whose revenue depends meaningfully on Aramco work, that eligibility risk is a serious commercial concern in its own right, since re-entering an approved-vendor list can take considerably longer than the original certification cycle if the underlying control gaps aren't addressed quickly.
Across engagements, a handful of recurring issues account for most delayed or unsuccessful CCC certification attempts:
The vendors who move through certification fastest share a few common habits:
GHS's compliance advisory services support vendors through gap assessment, remediation planning, and audit-readiness ahead of Authorized Audit Firm engagement, for both the standard CCC and higher-assurance CCC+ tiers.
GHS maps your current controls against SACS-210 General and Specific Requirements, identifies gaps before your Authorized Audit Firm does, and builds a certification roadmap aligned to your classification.