# Aramco TPCS 2026: Is Your Organization Ready for Third-Party Cybersecurity Compliance?

If your company provides services to Saudi Aramco—or aims to—cybersecurity compliance isn't optional. It's a contractual requirement.



The Aramco Third-Party Cybersecurity Standard (TPCS) 2026 sets clear expectations for how vendors protect sensitive data, manage access, and respond to incidents. But with 33+ controls spanning governance, identity management, encryption, and monitoring, knowing where to start can feel overwhelming.



That's why NHR Alemtithal developed a free, confidential TPCS Gap Assessment Questionnaire—designed specifically for Saudi-based third parties preparing for Cybersecurity Compliance Certificate (CCC) validation.




Complete in under 10 minutes



Receive instant, actionable remediation guidance



Zero commitment. Zero data sharing with Aramco.




Take the Free TPCS Assessment Now →



Why TPCS Compliance Matters for Saudi Third Parties



Saudi Aramco's supply chain is a high-value target. A single vulnerability in a vendor's environment can cascade into operational disruption, data exposure, or regulatory penalties.



The TPCS framework exists to:




Protect critical infrastructure from evolving cyber threats



Standardize security expectations across all third-party engagements



Enable trust through verifiable compliance evidence




For your business, alignment with TPCS isn't just about audit readiness—it's about: 




Winning contracts: Many Aramco procurements now require CCC validation



Reducing risk: Proactive gap identification prevents costly breaches



Building credibility: Demonstrating security maturity strengthens partner relationships




What the TPCS Assessment Covers



Our questionnaire mirrors the General Requirements (TPC1.1 – TPC1.33) of the Aramco Third-Party Cybersecurity Standard. Each question includes:



ComponentPurposeYes / No responseQuick self-evaluation of control implementationRisk statementUnderstand the business impact of non-complianceRemediation guidancePractical, Saudi-context steps to close gaps



Core Domains Evaluated:



Governance & Policy Framework




Regulatory alignment with KSA cybersecurity laws (NCA, SDAIA)



Documented policies for acceptable use, incident response, and data handling



Formal employee onboarding/offboarding with access controls




Identity & Access Management




Centralized IAM with least-privilege authorization



MFA enforcement for remote access and privileged accounts



Annual access reviews and prompt revocation workflows




Data Protection & Device Security




Encryption aligned with KSA NCS-1:2020 cryptographic standards



Secure asset disposal and certified data erasure practices



Endpoint protection, firewall enforcement, and patch management




Email & Web Application Security




SPF/DKIM/DMARC implementation to prevent domain spoofing



Anti-spam, attachment scanning, and macro-blocking controls



Web Application Firewall (WAF) for internet-facing services




Logging, Monitoring & Incident Response




Audit logging for critical security events



Centralized log protection and retention



24-hour incident notification process to Aramco SOC





Note: This tool supports preliminary self-evaluation only. Official CCC certification requires assessment by an authorized audit firm per TPCS Section 6.




How the Assessment Works (3 Simple Steps)




Answer 33 targeted questionsRespond to Yes/No prompts covering TPCS General Requirements. Each includes contextual risk and remediation notes.



Receive your confidential gap reportWithin minutes, get a prioritized breakdown of compliance strengths and improvement areas—tailored to your responses.



Plan your remediation pathUse the actionable guidance to strengthen controls, prepare evidence, and schedule your official CCC audit with confidence.




Your data stays private: Submissions are processed solely to generate your report. Results are never shared with Saudi Aramco, auditors, or third parties.



Frequently Asked Questions (FAQ)



Q1: Is this assessment officially endorsed by Saudi Aramco?A: No. This is an independent self-evaluation tool developed by NHR Alemtithal to help third parties prepare for TPCS compliance. Official certification requires engagement with an Aramco-authorized audit firm.



Q2: How long does the questionnaire take to complete?A: Most IT managers or compliance leads complete the 33-question assessment in 5–10 minutes. No technical documentation upload is required at this stage.



Q3: Will my results affect my eligibility to work with Aramco?Absolutely not. This tool is confidential and for internal planning only. Aramco does not receive, access, or review your self-assessment responses.



Q4: What if I answer "No" to several questions?That's expected—and valuable. The assessment highlights gaps before your formal audit, giving you time to implement remediation steps. Each "No" includes practical guidance to move toward compliance.



Q5: Do you offer support after I receive my report?Yes. As a Saudi-based cybersecurity compliance partner, NHR Alemtithal offers Aramco Cybersecurity Compliance Kit and Aramco Cybersecurity Compliance Certificate Implementation Services.



Ready to Benchmark Your TPCS Readiness?



Don't wait for an audit request to discover compliance gaps. Take control of your cybersecurity posture with a clear, actionable baseline.



Start Your Free Aramco TPCS 2026 AssessmentConfidential • No signup required • Saudi-focused guidance