Aramco-CCC

What is Aramco-CCC certificate?

Aramco-CCC is a necessary requirement for initiating contractual agreements with Saudi Aramco. If you intend to conduct business as a third party, you should first obtain this certificate.

Why Saudi Aramco requires this particular certificate?

Aramco-CCC strives to ensure that third-party organizations and partners that conduct business with Aramco adhere to the strongest cybersecurity standards in order to secure sensitive data, infrastructure, and systems from possible cyber-attacks.

All what you and your firm need to do to collaborate with Aramco is commit to meeting the requirements of the Aramco cybersecurity standard for external partners, SACS-002.

To whom Aramco-CCC applies to?

Applies to the following kinds of categories:

•Network connectivity: Third-party computing infrastructure has network connectivity to Saudi Aramco Corporate Network, allowing them to access intranet services and complete tasks. Connectivity options include leased lines, SSL VPN over private links, and site-to-site VPN via the Internet.
1• Outsourced Infrastructure: A third party manages, maintains, and supports a computing infrastructure for Saudi Aramco also can get Aramco-CCC.

2• A third party is responsible for developing, obtaining, and processing Saudi Aramco’s critical data.

3• Saudi Aramco gets customized software, applications, websites, or solutions from a third-party developer or host.

4• Saudi Aramco uses a third-party public cloud computing service for data hosting, storage, and processing. This encompasses all cloud computing service models, such as SaaS, PaaS, and IaaS.

Aramco-CCC Certification Requirements Preparation :
1. Companies wishing to conduct business and register with Saudi Aramco must comply with all controls listed in the “A. General Requirements” section of the Third Party Cybersecurity Standard (SACS-002).
2. For businesses that have active procurement agreements with Saudi Aramco you should fulfill the following before requesting Aramco-CCC:
Request that all proponent groups inside Saudi Aramco with which your company has continuing business fill out the Third Party Classification Template.
-Fill out the third-party classification confirmation letter.
-If the company falls under more than one classification, it must implement all of the cybersecurity controls associated with those classifications.

3. Conduct Self-Compliance Assessment before requesting Aramco-CCC.

4. Choosing one of the authorized audit firms.

Saudi Aramco ISD has selected authorized audit companies to conduct assessments and deliver Aramco-CCC Cybersecurity Compliance Certificates (CCCs) in accordance with the SACS-002 Third Party Cybersecurity Standard.

Authorized audit firms :

• Baker Tilly
• BDO/Dr. Mohamed Al-Amri & Co.
• Crowe
• Cyberani Solutions
• Deloitte & Touche Middle East Limited
• Defense Cybersecurity Company
• Grant Thornton
• KPMG
• Managed Services
• RSM Saudi Arabia
• sirar by stc
• Trusted Partners
• Seven Technologies
• Cipher