Gray Hat Security (GHS) logo

Aramco Vendors · Third-Party Cybersecurity · SACS-210

Aramco CCC Certification: The Complete SACS-210 Compliance Guide (2026)

July 7, 2026 · 9 min read · GHS Security Team Aramco CCC SACS-210 Third-Party Risk

Quick Answer

The Aramco Cybersecurity Compliance Certificate (CCC) confirms that a Saudi Aramco vendor, supplier, or third-party partner meets the cybersecurity requirements defined in Aramco's Third Party Cybersecurity Standard — originally issued as SACS-002 in May 2020, and since consolidated into the newer SACS-210 Unified Standard. Controls split into General Requirements (3 clauses, 7 sub-clauses, 24 controls) applying to all third parties, and Specific Requirements (4 clauses, 13 sub-clauses, 62 controls) applying to ICT-service third parties.

Certification runs through a self-assessment, validated by one of Aramco's Authorized Audit Firms, and the resulting certificate is valid for two years provided your classification doesn't change. Vendors with network connectivity into Aramco or handling critical data sit under the higher-assurance CCC+ tier, covered in our companion guide.