CCC Program | January 2026 | 10 min read

SACS-002 Third Party Cybersecurity Controls Overview

A comprehensive overview of the 200 cybersecurity controls in Saudi Aramco's SACS-002 standard, organized by general and specific requirements across all security domains.

What is SACS-002?

SACS-002 (Saudi Aramco Cybersecurity Standard — Third Party Cybersecurity) is the definitive standard governing cybersecurity requirements for third-party vendors, contractors, and partners doing business with Saudi Aramco. It defines 200 controls organized into general and specific categories.

Control Structure

The 200 controls are divided into two main categories:

General Requirements (49 Controls)

Applicable to all third-party vendors regardless of classification.

  • Information Security Governance
  • Risk Management
  • Access Control & Identity Management
  • Human Resources Security
  • Asset Management
  • Physical & Environmental Security

Specific Requirements (151 Controls)

Additional controls based on vendor classification and data handling.

  • Network Security & Segmentation
  • Data Protection & Encryption
  • Incident Management & Response
  • Business Continuity & Disaster Recovery
  • Vulnerability Management
  • Security Monitoring & Logging

Key Security Domains

  1. Information Security Governance — Policies, procedures, organizational structure, roles and responsibilities, and management commitment to cybersecurity.
  2. Access Control — User access management, authentication mechanisms, privileged access controls, and access review processes.
  3. Network Security — Network architecture, segmentation, firewall management, intrusion detection/prevention, and secure remote access.
  4. Data Protection — Data classification, encryption at rest and in transit, data loss prevention, and secure data disposal.
  5. Incident Management — Incident response planning, detection capabilities, escalation procedures, and post-incident review.
  6. Business Continuity — Business impact analysis, continuity planning, disaster recovery procedures, and regular testing.

CCC vs. CCC+ Assessment

CCC (Self-Assessment, Verified Remotely)

  • For General Requirements, Outsourced Infrastructure, Customized Software
  • Company completes self-compliance assessment
  • Authorized Audit Firm verifies remotely
  • 100% compliance required
  • Certificate valid for 2 years

CCC+ (On-site Assessment by Audit Firm)

  • For Network Connectivity & Critical Data Processor
  • Authorized Audit Firm conducts on-site assessment
  • Physical security & infrastructure verification
  • If both CCC and CCC+ apply, only CCC+ is accepted
  • 100% compliance required
  • Certificate valid for 2 years