If your company provides services to Saudi Aramco—or aims to—cybersecurity compliance isn’t optional. It’s a contractual requirement.
The Aramco Third-Party Cybersecurity Standard (TPCS) 2026 sets clear expectations for how vendors protect sensitive data, manage access, and respond to incidents. But with 33+ controls spanning governance, identity management, encryption, and monitoring, knowing where to start can feel overwhelming.
That’s why NHR Alemtithal developed a free, confidential TPCS Gap Assessment Questionnaire—designed specifically for Saudi-based third parties preparing for Cybersecurity Compliance Certificate (CCC) validation.
- Complete in under 10 minutes
- Receive instant, actionable remediation guidance
- Zero commitment. Zero data sharing with Aramco.
Take the Free TPCS Assessment Now →
Why TPCS Compliance Matters for Saudi Third Parties
Saudi Aramco’s supply chain is a high-value target. A single vulnerability in a vendor’s environment can cascade into operational disruption, data exposure, or regulatory penalties.
The TPCS framework exists to:
- Protect critical infrastructure from evolving cyber threats
- Standardize security expectations across all third-party engagements
- Enable trust through verifiable compliance evidence
For your business, alignment with TPCS isn’t just about audit readiness—it’s about:
- Winning contracts: Many Aramco procurements now require CCC validation
- Reducing risk: Proactive gap identification prevents costly breaches
- Building credibility: Demonstrating security maturity strengthens partner relationships
What the TPCS Assessment Covers
Our questionnaire mirrors the General Requirements (TPC1.1 – TPC1.33) of the Aramco Third-Party Cybersecurity Standard. Each question includes:
| Component | Purpose |
|---|---|
| Yes / No response | Quick self-evaluation of control implementation |
| Risk statement | Understand the business impact of non-compliance |
| Remediation guidance | Practical, Saudi-context steps to close gaps |
Core Domains Evaluated:
Governance & Policy Framework
- Regulatory alignment with KSA cybersecurity laws (NCA, SDAIA)
- Documented policies for acceptable use, incident response, and data handling
- Formal employee onboarding/offboarding with access controls
Identity & Access Management
- Centralized IAM with least-privilege authorization
- MFA enforcement for remote access and privileged accounts
- Annual access reviews and prompt revocation workflows
Data Protection & Device Security
- Encryption aligned with KSA NCS-1:2020 cryptographic standards
- Secure asset disposal and certified data erasure practices
- Endpoint protection, firewall enforcement, and patch management
Email & Web Application Security
- SPF/DKIM/DMARC implementation to prevent domain spoofing
- Anti-spam, attachment scanning, and macro-blocking controls
- Web Application Firewall (WAF) for internet-facing services
Logging, Monitoring & Incident Response
- Audit logging for critical security events
- Centralized log protection and retention
- 24-hour incident notification process to Aramco SOC
Note: This tool supports preliminary self-evaluation only. Official CCC certification requires assessment by an authorized audit firm per TPCS Section 6.
How the Assessment Works (3 Simple Steps)
- Answer 33 targeted questions: Respond to Yes/No prompts covering TPCS General Requirements. Each includes contextual risk and remediation notes.
- Receive your confidential gap report: Within minutes, get a prioritized breakdown of compliance strengths and improvement areas—tailored to your responses.
- Plan your remediation path: Use the actionable guidance to strengthen controls, prepare evidence, and schedule your official CCC audit with confidence.
Your data stays private: Submissions are processed solely to generate your report. Results are never shared with Saudi Aramco, auditors, or third parties.
Frequently Asked Questions (FAQ)
Q1: Is this assessment officially endorsed by Saudi Aramco?
A: No. This is an independent self-evaluation tool developed by NHR Alemtithal to help third parties prepare for TPCS compliance. Official certification requires engagement with an Aramco-authorized audit firm.
Q2: How long does the questionnaire take to complete?
A: Most IT managers or compliance leads complete the 33-question assessment in 5–10 minutes. No technical documentation upload is required at this stage.
Q3: Will my results affect my eligibility to work with Aramco?
A: Absolutely not. This tool is confidential and for internal planning only. Aramco does not receive, access, or review your self-assessment responses.
Q4: What if I answer “No” to several questions?
A: That’s expected—and valuable. The assessment highlights gaps before your formal audit, giving you time to implement remediation steps. Each “No” includes practical guidance to move toward compliance.
Q5: Do you offer support after I receive my report?
A: Yes. As a Saudi-based cybersecurity compliance partner, NHR Alemtithal offers the Aramco Cybersecurity Compliance Kit and Aramco Cybersecurity Compliance Certificate Implementation Services.
Ready to Benchmark Your TPCS Readiness?
Don’t wait for an audit request to discover compliance gaps. Take control of your cybersecurity posture with a clear, actionable baseline.
Start Your Free Aramco TPCS 2026 Assessment
Confidential • No signup required • Saudi-focused guidance