Managed.sa | CCC Program | January 2026

Authorized Audit Firm Qualifications

Requirements, qualifications, and expectations for Audit Firms to become authorized to issue a Cybersecurity Compliance Certificate (CCC) under Saudi Aramco's SACS-002 program.

Objective

The objective of this document is to outline the expectations, qualifications, and requirements of Audit Firms to become authorized to issue a Cybersecurity Compliance Certificate (CCC).

Audit Firm Requirements

  1. For an external auditor to be classified as an Authorized Audit Firm, the external auditor must follow the general principles of integrity, objectivity, professional competence and due care, confidentiality, professional behavior, and technical standards as outlined in the Institute of Internal Auditors (IIA) Code of Ethics or a similar standard.
  2. The Audit Firm must have at least 5 years of experience in providing Cybersecurity Consultancy and conducting Cybersecurity Assessment services.
  3. The Audit Firm must at all times meet all requirements defined under the "Critical Data Processor" classification in the Third Party Cybersecurity Standard to be recognized as an Authorized Audit Firm.
  4. Prior to onboarding, the Audit Firm will be certified by the CCC Program owner as a prerequisite to being recognized as an Authorized Audit Firm.
  5. Authorized Audit Firms must dedicate appropriately experienced resources to satisfy the demand for the Program and to complete the assessment and validation. Details on the types of CCC certificates and assessment duration will be shared in the Audit Firm Manual.

Assessment Team Requirements

The audit firm's assessment team must include, at a minimum, a primary assessor and a reviewer who meet the following cybersecurity certification requirements:

Primary Assessor

Bachelor's degree in cybersecurity or a relevant IT degree, with a minimum of 3 years' experience

Must hold at least one of the following certifications:

  • ISO 27001 Lead Auditor
  • ISO 27001 Lead Implementer
  • Certified Data Privacy Solution Eng. (CDPSE) - ISACA
  • Certified Internal Auditor - IIA
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
  • GIAC Critical Controls Certification (GCCC)
  • GIAC Strategic Planning, Policy, and Leadership (GSTRT)

Reviewer

Bachelor's degree in cybersecurity or a relevant IT degree, with a minimum of 5 years' experience

Must hold at least two of the following certifications:

  • ISO 27001 Lead Auditor
  • ISO 27001 Lead Implementer
  • Certified Data Privacy Solution Eng. (CDPSE) - ISACA
  • Certified Internal Auditor - IIA
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
  • GIAC Strategic Planning, Policy, and Leadership (GSTRT)

Quality Assurance & Governance

  7. The CCC Program owner will conduct quality assurance activities on Authorized Audit Firms at least once every two years to oversee program quality and ensure alignment with the CCC program requirements.
  8. The CCC for an Authorized Audit Firm will be issued and renewed by the CCC Program owner.
  9. In the event that the Authorized Audit Firm deviates from the CCC program requirements and/or remains inactive in issuing CCC certificates to third-party companies for a continuous period of twelve (12) months, the CCC Program owner may terminate the engagement with the concerned Audit Firm upon providing written notice.

Authorized Audit Firm Obligations

Authorized Audit Firms shall:

  10.1. Report the firm's engagement progress on a weekly basis, using the standard format provided by the CCC Program owner as referenced in the Audit Firm Manual.
  10.2. Have a proper procedure to maintain and track CCC third-party assessments and the relevant evidence and documents.
  10.3. Import the Authorized Audit Firm's full certificate inventory into the CCC portal to ensure proper oversight of CCC certificates.
  10.4. Keep all relevant documents, including evidence, for a minimum period of two years and in alignment with laws, regulations and the third party's contractual agreement with the Authorized Audit Firm.
  10.5. Implement the required cybersecurity controls to ensure the confidentiality, integrity and availability of third parties' assessment data.
  10.6. Implement cryptographic mechanisms to protect the confidentiality of assessment documents and evidence.
  10.7. Implement data sanitization after the retention period expires, in alignment with industry best practice.
  10.8. Issue a cybersecurity certificate based on the third party's full adherence to the Third-Party Cybersecurity standards.
  10.9. Follow the Audit Firm Manual throughout the duration of the engagement.
  10.10. Not assume the roles of both assessor and implementer of the cybersecurity requirements for the same third-party company. The third-party company must seek implementation support from an entity other than the Authorized Audit Firm that is providing its CCC.
  10.11. Not issue a CCC to its own company or its affiliates; any affiliate entity of the Authorized Audit Firm should obtain its CCC from another Authorized Audit Firm, in alignment with the conflict-of-interest principle.

Terms and Definitions

CCC Program: Cybersecurity Compliance Certification. A program designed to ensure third-party vendors meet defined cybersecurity requirements before engaging in business with CCC participating entities.

Authorized Audit Firm: A qualified and approved external organization recognized under the Cybersecurity Compliance Certification (CCC) Program, responsible for performing cybersecurity assessments and issuing CCC certifications.