SABIC CyberTrust · February 2026 · 7 min read

SABIC CyberTrust Supplier Classifications Guide

Understanding SABIC's 7 supplier classification categories under the CyberTrust Standard v1.0, including control requirements, scope, and assessment process for each category.

Overview

The SABIC CyberTrust Standard v1.0 classifies suppliers into 7 categories based on the nature of their services. Each classification determines which cybersecurity controls apply to the supplier's assessment. All suppliers must meet the 16 general controls, while category-specific suppliers must also meet additional controls relevant to their service type.

The 7 Supplier Classifications

1. General Classification

Applies to all SABIC suppliers. Assessment covers 16 general cybersecurity controls including information security management, access control, physical security, personnel security, cybersecurity awareness, email protection, patching, anti-malware, network controls, audit logging, and incident response. This is the baseline certification for any company doing business with SABIC.

2. Network Connectivity (NC)

For suppliers requiring network connectivity to SABIC, including telecom-based services. Additional controls cover network security architecture, data-in-transit encryption, tunnel management, endpoint security, and network monitoring.

3. Cloud Computing Services (CCS)

For cloud service providers (IaaS, PaaS, SaaS, FaaS) serving SABIC. Additional controls cover cloud security architecture, tenant isolation, data residency, session management, identity federation, and NCA compliance alignment.

4. Outsourcing & Managed Services (OMS)

For outsourcing and managed service providers including data centers, co-location centers, and offline backup centers. Additional controls cover service management, disaster recovery, backup procedures, physical security, and high availability.

5. Software Management (SM)

For suppliers providing custom software development, maintenance, or packaged solutions. Additional controls cover secure SDLC, source code management, build integrity, patch management, and software security analysis.

6. Consultancy Services (CS)

For consultancy providers with access to SABIC's classified data, including financial data, strategic project data, and data classified as confidential or strictly confidential. Additional controls cover classified data handling, access management, and enhanced incident response.

7. OT/ICS Products & Services (OT)

For suppliers providing operational technology and industrial control system products and services. Additional controls cover secure-by-design principles, OT/ICS cybersecurity training, industrial control system security, and product security architecture.

Assessment Process

  1. Classification — Determine your supplier classification based on the services you provide to SABIC.
  2. Scoping — Identify applicable controls (16 general + category-specific controls).
  3. Evidence Collection — Gather and submit evidence for each applicable control within the submission window.
  4. Assessment — Authorized auditor reviews evidence and assesses compliance.
  5. Report & Certificate — Compliance report issued with findings. Certificate issued upon successful assessment.

The 16 General Controls

All SABIC suppliers must demonstrate compliance with these baseline controls:

  1. Information Security Management System
  2. Information Security Policies
  3. Organizational Roles & Responsibilities
  4. Asset Management
  5. Access Control
  6. Physical Security
  7. Personnel Security
  8. Cybersecurity Awareness Training
  9. Email Protection
  10. Patch Management
  11. Anti-Malware
  12. Network Security Controls
  13. Audit Logging
  14. Incident Response
  15. Business Continuity
  16. Compliance Management