2026 Update · 33 General Controls · NIST-Aligned · Replaces SACS-002 · NCA ECC Aligned
SACS-210 is Saudi Aramco’s updated Third-Party Cybersecurity Standard, replacing SACS-002. Published as the February 2026 standard, it restructures requirements into 33 general controls (TPC1.1-TPC1.33) with stronger alignment to the NIST Cybersecurity Framework and Saudi Arabia’s NCA Essential Cybersecurity Controls. Aramco has opened a six-month transition window ending 26 August 2026. GHS runs SACS-210 gap assessments and full readiness programs for Aramco vendors — from documentation through penetration testing to certification audit support.
📜 What Is Aramco SACS-210?
SACS-210 is Saudi Aramco’s updated Third-Party Cybersecurity Standard, succeeding the long-standing SACS-002. It reflects a stronger alignment with the NIST Cybersecurity Framework and related NIST 800-series guidance, the National Cybersecurity Authority (NCA) regulations in Saudi Arabia, and broader governance expectations used across critical infrastructure industries in the Kingdom.
At the core of SACS-210 sit 33 general controls (TPC1.1 through TPC1.33) that apply to every third party connecting to, or handling data for, Saudi Aramco — regardless of CCC or CCC+ classification. Existing certifications issued under SACS-002 remain valid until their normal renewal date, but every renewal and new audit after the transition window will be assessed against the SACS-210 General Requirements.
Transition deadline: 26 August 2026
Aramco has opened a six-month transition window for SACS-210. Internal approvals, evidence gathering, remediation, and audit scheduling all take time — vendors who start the readiness process now avoid the bottleneck (and contract risk) coming as the deadline approaches.
💡 SACS-210 and ISO 27001: The 33 SACS-210 general controls map closely to ISO 27001 Annex A. Vendors who already hold ISO 27001 certification typically start their SACS-210 gap assessment at a significantly higher maturity level — reducing both remediation effort and audit preparation time.
🔄 SACS-002 vs SACS-210: What Changed
SACS-210 is not a minor update — it’s a structural rebuild of how Aramco assesses third-party cybersecurity maturity. Here’s how the two standards compare:
| Area | SACS-002 (Previous) | SACS-210 (New, Feb 2026) |
|---|---|---|
| Framework alignment | Aramco-specific control set | Aligned with NIST CSF & NIST 800 guidance |
| National regulation mapping | Limited NCA cross-reference | Tighter alignment with NCA ECC-2:2024 |
| Control structure | 80+ scattered technical controls | 33 structured general controls (TPC1.1-TPC1.33) |
| Governance expectations | Baseline policy requirements | Stronger governance, ownership & evidence trails |
| Vulnerability management | General requirement | Explicit cadence & VAPT evidence expectations |
| Transition arrangement | — | 6-month grace period, ends 26 Aug 2026 |
🏛️ The 33 SACS-210 General Controls: Key Themes
While Aramco has not publicly released the full SACS-210 control text, the 33 general controls (TPC1.1-TPC1.33) are organized around the same four pillars used across NIST-aligned and ISO-aligned frameworks. Based on the SACS-002 baseline and confirmed NIST/NCA alignment, vendors should expect controls clustered around:
Policy & Risk Management
Information security policy, roles & responsibilities, risk assessment, third-party/supplier security, and incident response governance.
Access & Network Security
Identity management, MFA, privileged access, network segmentation, encryption, and secure configuration baselines.
Vulnerability & Monitoring
Vulnerability management cadence, logging & monitoring, penetration testing, and continuous security validation.
Awareness & Resilience
Security awareness training, asset inventory, business continuity planning, and incident response procedures.
✅ Key insight: Penetration testing sits squarely inside the vulnerability management expectations of SACS-210, just as it does as an explicit Annex A control in ISO 27001:2022. GHS provides both the penetration testing and the broader compliance documentation as part of one coordinated SACS-210 readiness engagement.
👥 Who Needs to Comply With SACS-210?
If your organization fits any of the categories below, SACS-210 compliance is a condition of doing business with Aramco — not an optional best practice:
Network Connectivity
Any company with VPN, leased line, or site-to-site connections into Aramco’s corporate network.
Data Processors
Vendors who process, store, or transmit Aramco data on their own infrastructure.
CCC / CCC+ Suppliers
Any business currently holding — or applying for — a Cybersecurity Compliance Certificate.
IT & OT Service Providers
Managed service providers, contractors, and integrators supporting Aramco operations or systems.
🗺️ The SACS-210 Readiness Process: Step by Step
A SACS-210 transition is a structured project, not a single audit event. Here’s how GHS takes Aramco vendors from current state to certification-ready, with typical timelines.
Gap Assessment Against SACS-210
We map your current CCC certificate, policies, and technical controls against the 33 new general controls (TPC1.1-TPC1.33), highlighting what’s met, partially met, or missing.
⏱ 1-2 weeks
Prioritized Remediation Roadmap
Findings are ranked by audit risk and business impact — typically starting with access control, vulnerability management, incident response, and asset inventory.
⏱ 1 week
Policy & Documentation Updates
Our GRC team updates or rewrites the policies, registers, and evidence trails that SACS-210’s stronger governance expectations require.
⏱ 3-6 weeks
Technical Remediation & VAPT
OSCP-certified testers close technical gaps and deliver the penetration testing evidence referenced under SACS-210 vulnerability management controls.
⏱ 2-4 weeks
Audit Preparation & Evidence Pack
We organize your evidence portfolio and prep your team for the authorized audit firm — covering interviews, documentation walkthroughs, and technical demonstrations.
⏱ 1-2 weeks
Certification Audit & CCC Renewal
The authorized audit firm conducts the SACS-210 assessment. We remain available for clarifications and support remediation verification of any findings.
⏱ Audit-firm scheduled
Ongoing Compliance Maintenance
SACS-210 is a continuous obligation. GHS provides periodic reviews, updated VAPT cycles, and policy maintenance to keep you ready for the next renewal.
⏱ Ongoing
Don’t Wait Until the SACS-210 Deadline
Get a free SACS-210 readiness review from GHS. We’ll assess your current CCC status, identify gaps against the 33 new controls, and build your transition roadmap before 26 August 2026.
🇸🇦 SACS-210 & Saudi Regulatory Frameworks
SACS-210 doesn’t sit in isolation — it overlaps heavily with the other compliance obligations Saudi organizations are already managing. Building toward SACS-210 alongside these frameworks is the most efficient path forward:
| Framework | How It Relates to SACS-210 | Overlap |
|---|---|---|
| NCA ECC-2:2024 (National Cybersecurity Authority) | SACS-210’s 33 general controls are explicitly described as more closely aligned with NCA ECC. An NCA ECC-compliant organization starts SACS-210 readiness with most governance and technical controls already in place. | Very High |
| ISO/IEC 27001:2022 (Information Security Management) | The 93 Annex A controls map closely to the SACS-210 control themes — access control, encryption, vulnerability management, and supplier security. ISO 27001-certified vendors typically need fewer technical changes. | High |
| SACS-002 (Previous Aramco Standard) | SACS-002 is the direct predecessor. Vendors with an existing CCC have a head start, but documentation and evidence will need restructuring around the new 33-control format. | High |
| PDPL (Personal Data Protection Law) | SACS-210’s access control, encryption, and incident response expectations directly support PDPL’s technical and organizational measures requirements for personal data. | Medium-High |
“A six-month grace period sounds generous until you factor in internal approvals, remediation work, evidence gathering, and audit prep. Vendors who start the SACS-210 readiness process now will avoid the bottleneck — and the contract risk — that’s coming as the deadline approaches.”
🛡️ GHS SACS-210 Readiness Services
GHS’s Aramco CCC packages are built specifically for the SACS-210 transition. Our CISSP, CISM, and OSCP-certified team combines GRC expertise with hands-on technical testing — so your readiness program covers documentation and infrastructure in one engagement.
- SACS-210 Gap Assessment: A full mapping of your current CCC posture against the 33 new general controls, with a prioritized findings report.
- Policy & GRC Documentation: Updated information security policy, risk register, incident response plan, supplier security policy, and evidence registers aligned to TPC1.1-TPC1.33.
- Penetration Testing & Vulnerability Management: VAPT across web, mobile, network, and source code — delivered with SACS-210-aligned evidence packages.
- Audit Support & CCC Renewal: Evidence organization, mock audits, and direct support during the authorized audit firm’s assessment.
- Multi-Framework Alignment: If you’re also pursuing ISO 27001 or NCA ECC compliance, we map all three into a single roadmap to avoid duplicated work.
With 5+ years securing Saudi businesses, 150+ GRC and compliance projects, and 200+ penetration tests delivered across regulated industries, GHS is positioned to take your organization from “uncertain” to “audit-ready” well ahead of the 26 August 2026 deadline.
❓ Frequently Asked Questions
What is Aramco SACS-210?
SACS-210 is Saudi Aramco’s updated Third-Party Cybersecurity Standard, replacing SACS-002. Published as the February 2026 standard, it introduces 33 general controls (TPC1.1-TPC1.33) aligned more closely with the NIST Cybersecurity Framework, NIST 800 guidance, and Saudi Arabia’s National Cybersecurity Authority (NCA) regulations.
When is the SACS-210 transition deadline?
Aramco has set a six-month transition window ending 26 August 2026. Existing Cybersecurity Compliance Certificates (CCC) issued under SACS-002 remain valid until their normal renewal date, but vendors should begin gap assessments now to avoid last-minute audit delays.
Is SACS-210 mandatory for Aramco vendors?
Yes. Any third-party vendor that connects to Saudi Aramco’s corporate network, or that processes, stores, or transmits Aramco data, must hold a valid Cybersecurity Compliance Certificate (CCC) under SACS-210. This applies across CCC and CCC+ classifications and is a condition of maintaining Aramco contracts.
How is SACS-210 different from SACS-002?
SACS-210 restructures the control set around 33 general controls with stronger NIST CSF alignment, tighter mapping to NCA Essential Cybersecurity Controls (ECC), and more advanced expectations around governance, vulnerability management, access control, and incident response compared to SACS-002.
How long does SACS-210 readiness take?
For most Saudi vendors, a SACS-210 readiness project takes 6-12 weeks: 1-2 weeks for the gap assessment, 3-6 weeks for policy and documentation updates, 2-4 weeks for technical remediation including penetration testing, and 1-2 weeks to organize evidence ahead of the audit. Organizations already SACS-002 or ISO 27001 certified move faster.
How does ISO 27001 relate to SACS-210?
ISO 27001 Annex A controls map closely to the SACS-210 general controls (TPC1.1-TPC1.33). Vendors with an ISO 27001-certified ISMS typically start their SACS-210 gap assessment at a significantly higher maturity level, reducing remediation effort and audit preparation time.
How can GHS help with SACS-210 compliance?
GHS provides a full SACS-210 readiness service for Aramco vendors: a current-state gap assessment against the new 33 controls, policy and documentation development, technical remediation including penetration testing and vulnerability management, and audit support to help you obtain or renew your CCC before the 26 August 2026 deadline.
SACS-210 is the most significant update to Aramco’s third-party cybersecurity requirements in years. Vendors who treat the six-month transition window as a planning opportunity — rather than a deadline to react to — will move through their next CCC renewal with confidence. GHS supports Aramco vendors end-to-end: from the first gap assessment to the certification audit and the compliance maintenance that follows.
Start Your SACS-210 Transition
GHS runs SACS-210 gap assessments and full readiness programs for Aramco vendors — documentation, technical remediation, and audit support. Begin with a free scoping call.
