SACS-002 Cybersecurity Standard
The official standard for Saudi Aramco CCC certification.
Standard Overview
Our download provides the complete and official SACS-002 Third Party Cybersecurity Standard. This document outlines the minimum cybersecurity controls required by Saudi Aramco for all contractors and suppliers.
- The Complete SACS-002 Standard: The full 26-page document outlining all cybersecurity requirements.
- General & Specific Controls: Details on the mandatory General Requirements and additional controls for different vendor types.
- Incident Response Instructions: The official appendix detailing Aramco's mandatory incident reporting protocol.
- Auditing Event Requirements: The official appendix listing all system events that must be logged for compliance.
Official Aramco Standard
The essential administrative framework provided securely for corporate IT evaluation.
Key Sections in the Standard
General Requirements (Section A)
The 23 mandatory controls for all third parties, covering Governance, Access Control, Data Security, and more.
Specific Requirements (Section B)
Additional controls for vendors with network connectivity, those processing critical data, or providing cloud services.
Appendix A - Incident Response
Detailed, step-by-step Cybersecurity Incident Response Instructions that must be followed.
Appendix C - Audit Events
A complete list of all system and security events that must be capable of being audited.
Frequently Asked Questions
Is this the most recently published version of SACS-002?
Yes. This document represents the current, actively enforced iteration of the Saudi Aramco Cybersecurity Standard used by all active TPC auditors to evaluate third-party contractor compliance.
Who in my organization must read this entire document?
While the Executive Board should review the overarching Governance requirements (Section A), your Chief Information Security Officer (CISO) and lead technical engineers must thoroughly dissect every technical control listed across all appendices to configure your network correctly.
Do the "General Requirements" apply to all suppliers regardless of size?
Absolutely. The 23 General Requirements outlined in Section A are strictly mandatory for every single registered vendor in the Saudi Aramco supply chain. There are zero exceptions granted for smaller businesses regarding these baseline parameters.
What is the most critical element of the technical appendices?
Appendix A (Incident Response) and Appendix C (Audit Events) are consistently the most challenging for vendors. You must retain telemetry logs for 1 year and guarantee a 24-hour notification window directly to Saudi Aramco for any suspected data breach.
Can we use this document as proof of implementation during an audit?
No. Downloading and reviewing the standard is only the first objective. During an official audit, you must present tangible technical configurations (e.g., active firewall policies, MFA configuration portals) that directly answer the mandates set out in this PDF.