Issued by Saudi Aramco in May 2020, the SACS-002 Third Party Cybersecurity Standard (CCC) aims to establish the minimum Cybersecurity requirements for Saudi Aramco Third Parties to protect Saudi Aramco from possible cyber threats and strengthen Third Parties’ security posture.

Who does it apply to?

This SACS-002 Standard (CCC) applies to all Third Parties engaging with Saudi Aramco through contractual agreements. The standard defines general requirements that apply to all Third Parties and more specific requirements for those Third Parties engaging in more ICT oriented services such as network connectivity, outsourced infrastructure, critical data processing, or software customization.

What does it consist of?

The SACS-002 (CCC) is split into two main sections, the General Requirements and the Specific Requirements.

The General Requirements apply to ALL Third Parties working with Saudi Aramco. It consists of 3 main clauses, 7 sub-clauses, and 24 controls.

The Specific Requirements apply to the Third Parties that are providing ICT oriented services as defined by Saudi Aramco. These requirements consist of 4 main clauses, 13 sub-clauses, and 62 controls. These will have to be met in addition to the 24 controls specified under the General Requirements.

The SACS-002 Third Party Cybersecurity Standard (CCC) is derived mainly from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Therefore, if you are already implementing NIST CSF in your organization, you are more than likely to be meeting most of the SACS-002 (CCC) requirements.

How long does it take to implement the CRF in an organization?

It depends on the size of the organization, the field in which it operates, the number of employees, the state of the current policies implemented, and the number and type of ICT components within its infrastructure. Some organizations can roll out the SACS-002 Standard (CCC) in a few weeks, others may require months or years. If you are interested in implementing the SACS-002 Standard (CCC) in your organization, contact us to schedule a gap analysis audit and get a better assessment of the lead time and the costs.

Clients and Partners