Aramco Cybersecurity Compliance

SACS-002 Third-Party Cybersecurity Assessment Questionnaire

Last Updated March 7, 2026

In today’s interconnected business landscape, third-party vendors play a pivotal role in supporting large enterprises like Saudi Aramco. However, this collaboration also introduces cybersecurity risks that demand rigorous oversight. To address this, Saudi Aramco’s SACS-002 Third Party Cybersecurity Standard sets stringent requirements for vendors, ensuring the protection of sensitive data and systems. To simplify compliance, NHR Alemtithal for IT offers a complimentary self-assessment tool: the SACS-002 Assessment Questionnaire.

In this blog post, we’ll explore the structure, purpose, and key components of this questionnaire, empowering third-party organizations to proactively align with SACS-002 requirements.

Why Does Cybersecurity Compliance Matter for Third Parties?

Saudi Aramco, like many global enterprises, relies on third parties for critical services. A single vulnerability in a vendor’s cybersecurity posture could lead to data breaches, operational disruptions, or reputational damage. The SACS-002 standard mitigates these risks by mandating robust controls across 23 key areas (TPC-1 to TPC-23). Compliance isn’t just a contractual obligation—it’s a competitive advantage that builds trust and ensures long-term partnerships.

What is the SACS-002 Assessment Questionnaire?

This automated tool provides third parties with an initial gap analysis against SACS-002 requirements. By answering “Yes” or “No” to structured questions, organizations can identify weaknesses and receive tailored remediation steps. Key features include:

  • Scope: Covers policies, technical controls, training, and incident management.
  • Efficiency: Delivers a rapid overview of compliance gaps without formal audits.
  • Actionable Insights: Generates a report with prioritized remediation actions.

However, the tool is not a substitute for official certification (e.g., the Cybersecurity Compliance Certificate, or CCC). Instead, it serves as a starting point for organizations to prepare for deeper audits.

Key Areas of Focus in the Questionnaire

The questionnaire’s 23 sections address critical cybersecurity domains. Here are highlights:

1. Policy and Governance (TPC-1, TPC-7, TPC-9)

  • Acceptable Use Policies (AUP): Requires documented policies governing technology use, regular updates, and employee training.
  • Annual Cybersecurity Training: Mandates yearly training on phishing, password security, and data protection, with records maintained.
  • Data Disclosure Prohibitions: Explicitly bans sharing Saudi Aramco data via unauthorized channels.

2. Technical Controls (TPC-2, TPC-4, TPC-5, TPC-12)

  • Password Management: Enforces complex passwords (8+ characters with special symbols), 90-day rotation, and account lockouts after 10 failed attempts.
  • Multi-Factor Authentication (MFA): Mandates MFA for remote access and cloud services (e.g., Microsoft 365, AWS).
  • Anti-Virus Protections: Requires daily updates and biweekly full scans across all endpoints.

3. Email and Domain Security (TPC-13, TPC-14, TPC-17)

  • SPF Records: Ensures email domains use Sender Policy Framework (SPF) to combat spoofing.
  • Private Email Domains: Prohibits generic domains (e.g., Gmail) for official communications.
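The SPF bullet above only states that a domain must publish SPF. As an added example (not the questionnaire's or NHR's own code), the Python below audits a single SPF TXT record offline for the defects an assessor commonly flags: no v=spf1 version tag, a missing or permissive terminating all mechanism, a deprecated ptr mechanism, and more than ten lookup-type mechanisms (the RFC 7208 limit, which is an assumption beyond what the page states). The sample records are constructed.

```python
# Offline SPF record sanity check (added example, not NHR's tool).
# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> dict:
    """Return findings for one SPF TXT record string (no DNS resolution)."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "terminal": None,
                "findings": ["record does not start with v=spf1"]}
    lookups = 0
    terminal = None  # qualifier of the 'all' mechanism, if present
    for term in terms[1:]:
        # Modifiers look like name=value (e.g. redirect=, exp=).
        if "=" in term and term[0] not in "+-~?":
            if term.partition("=")[0].lower() == "redirect":
                lookups += 1
            continue
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip ':domain' and '/cidr' suffixes to get the mechanism name.
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow")
        if name == "all":
            terminal = qualifier
    if terminal is None:
        findings.append("no terminating 'all'; unlisted senders are not rejected")
    elif terminal in "+?":
        findings.append(f"'{terminal}all' lets any host send; use -all or ~all")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return {"valid": not findings, "lookups": lookups,
            "terminal": terminal, "findings": findings}


# Constructed sample records for a hypothetical vendor domain.
SAMPLES = {
    "good": "v=spf1 include:spf.protection.outlook.com -all",
    "open": "v=spf1 ip4:203.0.113.0/24 +all",
    "noall": "v=spf1 mx a",
    "missing": "some unrelated txt record",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, audit_spf(rec))
```

Fetching the domain's TXT record and recursively counting lookups inside each include are out of scope here; the function audits the record text you paste in.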

4. Incident and Access Management (TPC-6, TPC-18, TPC-23)

  • Access Revocation: Requires notifying Saudi Aramco within 24 hours when employees with Aramco credentials leave.
  • Off-boarding Procedures: Formal processes for asset return and access removal.
  • Incident Response: Mandates a 24-hour notification window to Saudi Aramco for cybersecurity incidents.

How to Use the Questionnaire Effectively

  1. Gather Stakeholders: Involve IT, HR, and compliance teams to answer accurately.
  2. Be Honest: “No” answers highlight gaps—use them to prioritize improvements.
  3. Leverage the Report: NHR Alemtithal provides remediation steps tailored to your gaps.
  4. Plan Next Steps: Consider engaging with NHR Alemtithal to remediate all the identified gaps.

Limitations and Considerations

  • Self-Reported Data: Results depend on truthful responses; technical validation may still be needed.
  • Complementary Tool: The questionnaire is a preliminary step, not a formal audit.
  • Data Privacy: NHR Alemtithal processes responses solely for generating reports, as stated in its disclaimer.

Conclusion: Proactive Compliance Pays Off

The SACS-002 Assessment Questionnaire is more than a checklist—it’s a roadmap to stronger cybersecurity practices. By addressing gaps early, third parties can avoid costly breaches, streamline certification processes, and demonstrate their commitment to safeguarding Saudi Aramco’s assets.

Ready to start?

Complete the questionnaire here and take the first step toward SACS-002 alignment. For further assistance, explore NHR Alemtithal’s cybersecurity services to bridge gaps and secure your partnership with Saudi Aramco.


Ali Aljubaily

Cybersecurity Consultant

I am Ali Yousef, a certified engineer from Microsoft, holding the Microsoft Certified System Associate certification as well as the CompTIA Network+ certification. I work as the Group IT Manager.
