Aramco CCC & CCC+ Certification: The Complete SACS-002 Guide for Saudi Vendors
The Aramco CCC (Cybersecurity Compliance Certificate) is mandatory for all Saudi Aramco vendors, based on the SACS-002 Third Party Cybersecurity Standard. There are two tiers: CCC (remote validation, for general vendors, outsourced infrastructure & customized software) and CCC+ (on-site audit, for network connectivity & critical data processors). Both are valid for two years. Audits are conducted exclusively by Aramco-authorized audit firms.
If your company wants to work with Saudi Aramco, the world’s largest integrated oil and gas company, the Aramco Cybersecurity Compliance Certificate (CCC) is a hard requirement with no exceptions. Without it, your company cannot be registered as an Aramco supplier. Vendors whose certificate lapses risk immediate contract suspension. There is no grace period.
This guide explains everything your organization needs to know: what the CCC and CCC+ are, how the five SACS-002 vendor classifications determine which certificate you need, what the standard actually requires, the step-by-step certification process, and how GHS prepares Saudi vendors to walk into their authorized audit firm assessment fully compliant and ready to pass.
What Is the Aramco CCC Program?
The Aramco CCC Program was established to ensure all third-party vendors and supply chain partners comply with the cybersecurity requirements in SACS-002, Aramco’s Third Party Cybersecurity Standard, maintained by Aramco’s Information Security Department. Its purpose is to protect Aramco’s critical information, systems, and operational assets from supply-chain-originated cyber threats.
SACS-002 is grounded in the NIST Cybersecurity Framework (NIST CSF) and is reviewed and updated annually. The certificates themselves are issued exclusively by Aramco-authorized audit firms, a specific list published on Aramco’s website. Aramco states it has no preference among its authorized firms; vendors freely choose which authorized firm to engage.
CCC vs CCC+: What Is the Difference?
There are two certification tiers. Which one applies to your organization depends entirely on your SACS-002 vendor classification. If both tiers apply to your company, only CCC+ is required and accepted; it supersedes the standard CCC.
CCC (remote validation)
- Applies to: General Requirements, Outsourced Infrastructure, Customized Software
- Vendor conducts a self-compliance assessment against SACS-002
- Assessment package validated remotely by an Aramco-authorized audit firm
- 24 General + applicable Specific controls, all at 100% compliance
- Valid for two years from issue date
CCC+ (on-site audit)
- Applies to: Network Connectivity, Critical Data Processor
- Authorized audit firm conducts a full on-site assessment
- Significantly more demanding: live infrastructure inspection
- All General + all classification-specific controls at 100% compliance
- If CCC and CCC+ both apply, only CCC+ is accepted
The 5 SACS-002 Vendor Classifications
Your classification under SACS-002 determines which controls you must implement and which certificate tier you need. Identifying it correctly is the most important first step: misclassification is the most common cause of compliance project failures, as vendors underscope and then fail their assessment.
A vendor can fall into multiple classifications simultaneously. When this happens, all controls from every applicable classification must be implemented, and the higher-tier certificate (CCC+) takes precedence.
| Classification | Who It Applies To | Cert Required |
|---|---|---|
| General Requirements | Every Aramco vendor, regardless of service type. Covers all trading and supply companies as a universal baseline. 24 controls covering access, devices, email, anti-virus, firewalls, and incident response. | CCC |
| Network Connectivity | Vendors with direct network links to Aramco’s corporate network, via leased lines, SSL VPN over private links, or site-to-site VPN over the internet. High-risk due to direct infrastructure access. | CCC+ |
| Outsourced Infrastructure | Vendors managing, maintaining, or supporting computing infrastructure on behalf of Aramco: IT infrastructure management, data center services, business process outsourcing such as HR systems. | CCC |
| Critical Data Processor | Vendors developing, accessing, or processing Aramco’s sensitive or critical data, including accounting firms, analytics providers, and companies handling Aramco customer or operational data. | CCC+ |
| Customized Software | Vendors developing, building, or maintaining custom software or applications for Aramco: ERP implementations, website development, bespoke applications, and system integrations. | CCC |
What SACS-002 Actually Requires
SACS-002 is split into two sections: General Requirements (24 controls, mandatory for all vendors) and Specific Requirements (up to 62 additional controls, by classification). 100% compliance with every applicable control is required; there is no partial pass or conditional certification.
General Requirements: All Vendors (24 Controls)
These 24 baseline controls apply to every Aramco vendor without exception:
- Access & Authentication: Password protection on all devices and systems, formal employee off-boarding procedures including immediate revocation of all system access.
- Email Security: A private business email domain is mandatory; Gmail, Hotmail, Yahoo, and similar generic domains are explicitly non-compliant. SPF records must be correctly published in your DNS.
- Endpoint Protection: Anti-virus software on all devices with daily definition updates and a full system scan every two weeks. Firewalls configured and enabled on all endpoint devices.
- Cybersecurity Policy: A documented cybersecurity policy, a designated cybersecurity-responsible person, and a formal acceptable use policy (AUP) governing all technology assets.
- Awareness Training: Cybersecurity training for all staff covering acceptable use and good computing practices, with documented completion records ready for the audit.
- Incident Response: If a cybersecurity incident occurs, Aramco must be notified within 24 hours. A formal incident response procedure aligned to Aramco’s instructions must be in place and documented.
- Certificate Renewal: Renewing the CCC every two years is a SACS-002 control in its own right (TPC-22), not just an administrative reminder.
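The email control above has two checkable parts: the sending domain must not be a public mail provider, and the domain must publish a valid SPF record. The following is an added self-check script (not part of the original guide or of any Aramco or GHS tooling) that evaluates both against TXT records you supply, so it runs offline against the constructed samples; the generic-domain list beyond Gmail, Hotmail and Yahoo and the SPF syntax rules from RFC 7208 are assumptions, and the script also flags the common ways an SPF record is present but ineffective.

```python
import re

# Public mail providers the standard rejects for business email. The page names
# Gmail, Hotmail and Yahoo; outlook.com and live.com are assumed equivalents.
GENERIC_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com", "live.com"}
# SPF mechanisms/modifiers from RFC 7208, and the subset that costs a DNS lookup.
MECHANISMS = {"all", "include", "a", "mx", "ip4", "ip6", "exists", "ptr"}
MODIFIERS = {"redirect", "exp"}
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/].+)?$", re.IGNORECASE)


def check_email_control(domain: str, txt_records: list[str]) -> list[str]:
    """Return findings for the SACS-002 email control; empty means it passes.
    txt_records are the TXT strings at the domain apex, supplied by the caller."""
    findings = []
    if domain.lower() in GENERIC_DOMAINS:
        findings.append(f"{domain} is a generic public mail domain (non-compliant)")
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record published (TXT starting with v=spf1)")
        return findings
    all_qualifier, has_redirect, lookups = None, False, 0
    for term in spf[0].split()[1:]:
        m = TERM.match(term)
        name = m.group(2).lower() if m else None
        if name not in MECHANISMS | MODIFIERS:
            findings.append(f"unrecognised SPF term '{term}'")
            continue
        lookups += name in LOOKUP_TERMS  # each of these costs one DNS query
        if name == "all":
            all_qualifier = m.group(1) or "+"  # bare 'all' means '+all'
        elif name == "redirect":
            has_redirect = True
    if all_qualifier is None and not has_redirect:
        findings.append("no terminating 'all' mechanism or redirect= modifier")
    elif all_qualifier in ("+", "?"):
        findings.append("'+all' or '?all' never rejects a sender; use -all (fail) or ~all (softfail)")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10")
    return findings


# Constructed sample TXT data (not real DNS records) for a self-check run.
SAMPLES = {
    "supplier.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "gmail.com": ["v=spf1 redirect=_spf.google.com"],
    "weak.example": ["v=spf1 a mx +all"],
    "nospf.example": ["just-a-text-record"],
}
```

Running `check_email_control` over each entry in `SAMPLES` shows the private domain passing and the generic, `+all`, and missing-SPF cases each producing a finding to fix before the audit.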
Specific Requirements: By Classification (Up to 62 Additional Controls)
Vendors in higher-risk classifications must implement additional controls on top of the 24 general ones. Key examples include:
- Network Connectivity: Dedicated access-restricted working areas for personnel with Aramco network access; encrypted data in transit (SSH, FTPS, HTTPS, TLS, IPSec); DDoS protection; servers accessible from the internet must be placed in a DMZ; centralized logging with defined retention periods.
- Outsourced Infrastructure: Logical and/or physical segregation of Aramco data from other client data; server and workstation subnet segmentation with restricted, monitored access; backup and disaster recovery with documented recovery objectives.
- Critical Data Processor: Encryption of all Aramco critical data documents at rest; remote wipe capability on all mobile devices used to receive or store Aramco data; strict least-privilege access enforcement; data classification policies.
- Customized Software: Input validation on all application fields; error messages must not expose technical information; no plain-text passwords anywhere in the application; secure coding standards throughout the development lifecycle.
Not Sure Which Classification Applies to You?
GHS runs a rapid SACS-002 classification assessment and gap analysis for Aramco vendors, identifying exactly which controls apply, what’s already in place, and what needs to be built before the authorized audit firm conducts its assessment.
The Certification Process: Step by Step
All CCC activity flows through the Aramco CCC Portal, the only official channel for certificate requests, audit firm communication, and document submission.
Start With General Requirements (All Vendors)
Every new vendor begins by obtaining the CCC for General Requirements โ the 24 baseline controls. This is the entry credential for Aramco supplier registration and must be in place before any classification-specific certification.
Complete the Classification Template
Initiate a request with the Aramco department you work with to fill the Third Party Classification Template and Classification Confirmation Letter. This formally establishes your classification(s) and the exact SACS-002 controls that apply to your organization. If you fall into multiple classifications, all applicable controls must be implemented.
Implement Every Required Control
Deploy all technical and procedural controls that SACS-002 requires for your classification. This is where the real compliance work happens: policies, staff training, email security infrastructure, endpoint protection, network controls, encryption, access management, logging, and all classification-specific requirements. All evidence must be timestamped, readable, and clearly attributable to your organization.
Choose an Aramco-Authorized Audit Firm
Select an audit firm from Aramco’s published authorized list. Aramco states it has no preference among firms; you are free to choose any authorized firm. Sign a formal contract with the firm before any assessment begins. Authorized firms include organizations such as KPMG, Deloitte & Touche Middle East, Crowe LLP, and BDO.
Undergo the Assessment
For CCC: Complete the self-compliance report against all scoped SACS-002 controls and submit it to the authorized audit firm. The firm validates remotely and generates the Audit Summary Report. For CCC+: The authorized audit firm conducts a full on-site inspection, verifying live system configurations, testing access controls in real time, and confirming that documented evidence matches the actual deployed infrastructure.
Achieve 100% Compliance
If any controls are non-compliant, the authorized audit firm issues a non-compliance report listing what must be fixed. You remediate and submit updated evidence for re-validation. There is no conditional pass; 100% compliance is required before the certificate is issued.
Upload Certificate to Aramco
Once the authorized audit firm issues your certificate, upload both the certificate and the audit report to Aramco’s e-marketplace system. Your two-year validity begins from the issue date. Plan your renewal in advance; do not wait until the certificate has already expired.
Key Rules Every Vendor Must Know
- 100% compliance is non-negotiable. There is no partial pass and no conditional certification. Every applicable control must be fully implemented with timestamped evidence before the certificate is issued.
- Renew before the two-year mark. A lapsed certificate means immediate loss of Aramco supplier eligibility. Start the renewal process months in advance; the recertification process takes time.
- Same classification = no new certificate needed. If a new Aramco contract falls within your existing certified classification, your current certificate remains valid for that contract.
- New classification = new certificate required. If a new contract introduces a classification not in your current certificate, you must obtain the relevant certification before starting that work.
- CCC+ supersedes CCC. If both apply to your company, submit only the CCC+ application. It covers all general requirements plus the additional classification-specific controls.
- No generic email domains allowed. SACS-002 explicitly prohibits Gmail, Hotmail, Yahoo, and similar public domains. Your company must operate from a private business domain with correctly configured SPF records in DNS.
- Notify Aramco within 24 hours of any incident. This is a mandatory SACS-002 control, not just a best practice, and auditors will look for a documented incident response procedure that makes this timeline achievable.
How GHS Prepares You for CCC & CCC+ Certification
Our CISSP, CISM, and OSCP-certified team has prepared Saudi Aramco vendors for CCC and CCC+ assessments across all five classifications. Here is what we do:
Classification Scoping & SACS-002 Gap Assessment
We review your Aramco contracts and operational profile to determine your exact classification(s) and every applicable SACS-002 control. We then benchmark your current cybersecurity posture against those controls. You receive a precise gap report showing which controls are compliant, partially in place, or missing, prioritized by risk and by what auditors examine first.
Technical Controls Implementation
We deploy every technical control your organization is missing: private business email domain with SPF/DKIM/DMARC configuration, firewall setup and ruleset documentation, endpoint anti-virus with scheduled scanning, multi-factor authentication, network segmentation, data encryption at rest and in transit, VPN configuration, centralized logging, and vulnerability management. We implement, not just recommend.
Policy & Documentation Development
We develop all mandatory SACS-002 documentation: cybersecurity policy, acceptable use policy, password policy, asset management procedures, incident response plan with the 24-hour Aramco notification requirement, employee off-boarding procedures, data classification policy, and media sanitization procedures. All documents use SACS-002 control language and are structured to satisfy the authorized audit firm’s evidence review.
Cybersecurity Awareness Training
SACS-002 requires documented awareness training for all staff. GHS delivers targeted sessions covering acceptable use, phishing, password hygiene, device security, data handling, and Aramco-specific cybersecurity requirements, with signed completion records ready for your audit evidence package.
Pre-Audit Readiness Review & Evidence Packaging
Before the authorized audit firm conducts its assessment, GHS runs a full internal readiness review against all scoped SACS-002 controls. We verify every piece of evidence is timestamped, readable, and clearly linked to your organization. For CCC+ on-site assessments, we specifically prepare your team for live inspection, ensuring system configurations match documentation and no discrepancies exist between evidence and actual infrastructure.
Ongoing Compliance & Renewal Management
CCC compliance must be maintained continuously, and the certificate renewed every two years. GHS provides ongoing monitoring, periodic compliance health checks, and advance renewal planning, so your Aramco supplier status is never interrupted by a lapsed certificate or an unexpected audit finding.
Aramco CCC and CCC+ certification is a non-negotiable condition of doing business with Saudi Aramco. SACS-002 is rigorous: 100% compliance across all applicable controls, verified by an Aramco-authorized audit firm, with no partial passes and no grace periods. Organizations that invest in thorough compliance preparation don’t just satisfy Aramco’s requirements: they build the security foundation that protects their operations, earns sustained access to Aramco’s supply chain, and signals cybersecurity maturity to the broader Saudi market.
Ready to Prepare for Aramco CCC or CCC+?
GHS gets Saudi Aramco vendors audit-ready, from classification scoping and SACS-002 gap analysis through technical implementation, documentation, and pre-audit evidence review. Contact us for a free initial readiness assessment.
References: Saudi Aramco CCC Program (aramco.com) · SACS-002 Standard PDF · CCC Third Party Manual PDF
