Last updated: July 2026

Aramco CCC / SACS-002

Need Aramco CCC Certification to Keep Your Contract? Get Certified Without the Fire Drill.

We get Saudi Aramco suppliers ready to pass CCC and CCC+ certification against the SACS-002 standard - anywhere in the world. We run the gap assessment in about two weeks, implement the controls with your team, and prepare a clean, validation-ready self-assessment package, so the certification does not become the thing that stalls your deal.

Every engagement is led personally by a former Microsoft Security Consulting team member. Fixed price. You review the readiness report before you pay. The final validation and certificate are issued by an Aramco Authorized Audit Firm - we get you ready to pass it.

Gap assessment in about two weeks Fixed-price proposal within 48 hours Pay after you review the report 234 assessments, 14 countries
Aramco CCC certification consultant preparing a Saudi Aramco supplier for SACS-002 compliance

What Is Aramco CCC Certification?

Aramco CCC certification is the Cybersecurity Compliance Certificate issued under Saudi Aramco's CCC Program. The program ensures that all Aramco third parties comply with Aramco's Third Party Cybersecurity Standard, SACS-002. To obtain it, you complete a compliance self-assessment against the scoped SACS-002 controls and have that assessment package validated by one of Aramco's Authorized Audit Firms - remotely for CCC, on-site for CCC+.

The certificate is valid for two years, provided your classification does not change. Atlant Security is a readiness and preparation consultant: we get you ready to pass, implement the SACS-002 controls with your team, and prepare a clean self-assessment package. The final validation and certificate are issued by an Aramco Authorized Audit Firm, which is a separate body. Our job is to make that validation a formality rather than a scramble.

Mandatory for Aramco Suppliers Worldwide

The CCC Program is mandatory for all Saudi Aramco vendors and suppliers - worldwide, not only those based in Saudi Arabia. If your company sells to or serves Aramco, or you are a subcontractor inside an Aramco supply chain, you will be required to hold a Cybersecurity Compliance Certificate. That is why suppliers across many countries come to us: the requirement follows the contract, wherever your business is based.

What Is SACS-002?

SACS-002 is Saudi Aramco's Third Party Cybersecurity Standard. It defines the cybersecurity controls Aramco requires its third parties to have in place, covering areas such as access control, logging and monitoring, encryption, change management, asset and vendor management, and incident response.

The CCC Program is the mechanism that ensures every Aramco third party complies with SACS-002. Which controls apply to you depends on how Aramco classifies your relationship, and those scoped controls are exactly what your self-assessment and the audit firm's validation are measured against. Scoping tightly to the controls that actually apply to you is the first thing we do, because it saves you from spending effort on controls outside your scope.

CCC vs CCC+ - Which Tier Applies to You?

Both tiers certify compliance with SACS-002. The difference is how your assessment is validated and which third parties each one applies to. Your Aramco classification determines your tier.

CCC (Remote Validation)CCC+ (On-Site Audit)
Validation methodRemote validation by an Aramco Authorized Audit FirmOn-site audit by an Aramco Authorized Audit Firm
Who it applies toGeneral vendors, outsourced infrastructure, and customised software providersThird parties classified as Network Connectivity or Critical Data Processor
Basis of assessmentSelf-assessment against the scoped SACS-002 controlsSelf-assessment against the scoped SACS-002 controls, verified on-site
Evidence depthDocumentation and remote evidence reviewDocumentation plus on-site inspection of controls in operation
Certificate validityTwo years, if your classification does not changeTwo years, if your classification does not change
Best described asThe standard tier for most Aramco suppliersThe elevated tier for higher-risk third parties

Our Aramco CCC Readiness Process

Five stages from first call to audit firm handoff. The difference from most consultants is stage three: we implement the SACS-002 controls with you, not just tell you what is missing.

1

Scope and confirm your classification

We confirm whether you fall under CCC (remote validation) or CCC+ (on-site audit) based on your Aramco classification, then define exactly which SACS-002 controls are in scope for your engagement. Getting this right first prevents wasted effort on controls that do not apply to you.

2

Gap assessment

We test your current environment against every scoped SACS-002 control and hand you a prioritized gap report with a clear remediation roadmap. This typically takes about two weeks and shows you precisely what stands between you and a passing validation.

3

Implement the SACS-002 controls

This is where most consultants stop and we do not. We implement the missing controls with your team: access control, logging and monitoring, encryption, change management, vendor and asset management, incident response, and the rest of the SACS-002 control set that applies to your scope.

4

Prepare the self-assessment package

We complete the SACS-002 compliance self-assessment with you and assemble a clean, validation-ready package - the documentation and evidence the Aramco Authorized Audit Firm will validate remotely for CCC or on-site for CCC+.

5

Audit firm handoff and re-validation support

We hand the package to your Aramco Authorized Audit Firm and support you through validation. If the audit firm flags a gap we missed on our roadmap, we fix it and support the re-validation at no extra charge.

Aramco CCC Readiness Timeline

A realistic timeline from scoping to audit firm handoff. The final validation is then scheduled with your Aramco Authorized Audit Firm - remotely for CCC or on-site for CCC+.

PhaseTimingOutcome
Scoping and classification reviewWeek 1Confirmed whether you fall under CCC or CCC+ and the SACS-002 controls in scope
Gap assessmentWeeks 1-2Prioritized report of every control gap against the scoped SACS-002 controls
Control implementationWeeks 2-8The missing SACS-002 controls implemented with your team
Policy and evidence developmentWeeks 2-8 (parallel)The policies and evidence the controls require, written and adopted
Self-assessment package preparationWeeks 6-9A clean, validation-ready self-assessment package assembled for the audit firm
Audit firm handoffWeeks 9 onwardPackage handed to your Aramco Authorized Audit Firm for remote or on-site validation

How Much Does Aramco CCC Readiness Cost?

We start with a fixed-price gap assessment, then quote full readiness and implementation as a fixed price based on your classification and environment. Fixed-price proposals within 48 hours of your readiness call. No hourly billing, no surprises.

Start Here

SACS-002 Gap Assessment

Gap analysis against the scoped SACS-002 controls and a prioritized roadmap to a passing validation.

From $3,000per engagement
  • Classification and scoping review (CCC or CCC+)
  • Gap analysis against the scoped SACS-002 controls
  • Prioritized remediation roadmap
  • Evidence and self-assessment requirements guide
Book Free Readiness Call

Zero-risk: you review the report before you pay.

Full readiness and control implementation is quoted as a fixed price within 48 hours, based on your classification, the size of your environment, and whether you need CCC or CCC+ preparation. The validation itself is performed by an Aramco Authorized Audit Firm, which is a separate engagement.

Who Needs Aramco CCC Certification?

The CCC Program is mandatory for Aramco third parties worldwide. If any of these describe you, a readiness consultant is your fastest path to a clean validation.

A Saudi Aramco supplier or vendor anywhere in the world, since the CCC Program is mandatory for all Aramco third parties, not only those inside Saudi Arabia
A supplier told to obtain a Cybersecurity Compliance Certificate before a contract can be signed or renewed
A provider of outsourced infrastructure or customised software to Aramco that needs CCC remote validation
A third party classified as Network Connectivity or Critical Data Processor that must pass a CCC+ on-site audit
A subcontractor in an Aramco supply chain being asked to prove SACS-002 compliance
A supplier whose CCC certificate is nearing the end of its two-year validity and needs to re-certify

Why Choose Atlant for Aramco CCC Readiness

Most consultants hand you a checklist and leave you to complete the self-assessment alone. Here is how we are different.

Atlant SecurityTypical Consultant
Who does the workA former Microsoft security consultant, personallyJunior or offshore staff you never meet
Control implementationHands-on - we implement the SACS-002 controls with youA checklist and advice, then you are on your own
Self-assessment packageWe assemble the validation-ready package for the audit firmYou fill in the self-assessment alone
PricingFixed price - you review the readiness report before you payOpen-ended hourly billing
SpeedGap assessment in about two weeksMonths of back-and-forth
Vendor neutrality100% independent - zero software commissionsOften resells the tool they recommend
Re-validation supportIf the audit firm flags a gap we missed, we fix it and support the re-validationNo follow-through after handoff
Every engagement is led personally by a former Microsoft Security Consulting team member - never delegated to junior staff
234 security assessments delivered across 14 countries since 2013
Gap assessment in about two weeks, with controls implemented and a validation-ready package prepared in weeks
Fixed-price proposals within 48 hours - you review the readiness report before you pay
If the Aramco Authorized Audit Firm flags a gap we missed on our roadmap, we fix it and support the re-validation
100% vendor-neutral - we take zero commissions from any software vendor
Hands-on SACS-002 control implementation, not a checklist handed back to you
We support both CCC remote validation and CCC+ on-site audit preparation
Alexander Sverdlov - Founder of Atlant Security and lead Aramco CCC readiness consultant

Every Aramco CCC Engagement Is Led by Alexander Sverdlov

Former Microsoft Security Consulting team member. CISSP certified. Alexander has personally led 234 security assessments across 14 countries since 2013. At Atlant Security, the senior consultant who scopes your CCC readiness is the same person who implements the SACS-002 controls and prepares your self-assessment package - never handed to junior staff.

Connect on LinkedIn

What Happens If You Miss the CCC Requirement

Because the CCC Program is mandatory for Aramco third parties, the certificate is not optional paperwork - it is tied to your ability to keep and win Aramco business. When the requirement lands, suppliers who treat it as a fire drill run into the same problems.

The Fire-Drill Path

  • Scrambling to interpret SACS-002 with no clear scope
  • Discovering control gaps only when the audit firm is already engaged
  • A self-assessment package assembled in a rush and sent back for rework
  • A contract or renewal held up while certification catches up

The Prepared Path

  • Scope and classification confirmed up front
  • A gap assessment in about two weeks, before the audit firm is involved
  • Controls implemented with your team, not just recommended
  • A clean, validation-ready self-assessment package handed over with confidence

The point: The validation is issued by an Aramco Authorized Audit Firm either way. Preparation is what decides whether you pass it cleanly the first time or watch a contract wait on rework.

Keep Your Aramco Contract. Get CCC-Ready.

Book a free 30-minute readiness call with Alexander. We will discuss your Aramco classification, whether you need CCC or CCC+, and exactly what it takes to pass validation. Fixed-price proposal within 48 hours.

Zero-risk: you review the report before you pay.

Schedule Your Free Aramco CCC Readiness Call

Building a Broader Security Program?

Many of the controls behind a strong SACS-002 self-assessment also underpin ISO 27001. If you want a recognized information security management system alongside your Aramco CCC work, we can align both so your effort counts twice.

Learn about ISO 27001 Readiness

For small projects and ad-hoc work outside our pre-agreed packages or retainers, our standard hourly rate is $460.

Aramco CCC Certification FAQ

What is Aramco CCC certification?
Aramco CCC certification is the Cybersecurity Compliance Certificate issued under Saudi Aramco’s CCC Program. The program ensures that all Aramco third parties comply with Aramco’s Third Party Cybersecurity Standard, SACS-002. To obtain it, the third party completes a compliance self-assessment against the scoped SACS-002 controls and has the assessment package validated by one of Aramco’s Authorized Audit Firms. The certificate is valid for two years, provided the third party’s classification does not change. Atlant Security gets you ready to pass and prepares the self-assessment package; the certificate itself is issued by an Aramco Authorized Audit Firm.
What is SACS-002?
SACS-002 is Saudi Aramco’s Third Party Cybersecurity Standard. It sets out the cybersecurity controls that Aramco requires its third parties - vendors, suppliers, and service providers - to have in place. The CCC Program exists to ensure that all Aramco third parties comply with SACS-002. Which controls apply to you depends on how Aramco classifies your relationship, and the scoped controls are what your self-assessment and validation are measured against.
What is the difference between CCC and CCC+?
Both certify compliance with SACS-002, but they differ in how the assessment is validated. CCC uses remote validation by an Aramco Authorized Audit Firm and applies to general vendors, outsourced infrastructure, and customised software providers. CCC+ requires an on-site audit by an Aramco Authorized Audit Firm and is required for third parties classified as Network Connectivity or Critical Data Processor. In both cases you complete a self-assessment against the scoped SACS-002 controls; CCC+ adds on-site verification because those third parties present higher risk.
Who needs Aramco CCC certification?
The CCC Program is mandatory for all Saudi Aramco third parties - every vendor, supplier, and service provider - worldwide, not only those based in Saudi Arabia. If you sell to or serve Aramco, or you are a subcontractor within an Aramco supply chain, you will be required to hold a Cybersecurity Compliance Certificate. General vendors, outsourced infrastructure providers, and customised software providers typically fall under CCC, while third parties classified as Network Connectivity or Critical Data Processor require CCC+.
How long is the Aramco CCC certificate valid?
The Aramco Cybersecurity Compliance Certificate is valid for two years, provided the third party’s classification does not change. If your classification changes - for example, if your scope of work with Aramco changes the way you are categorized - your certification requirements can change as well, which may trigger a new assessment before the two years are up.
How much does Aramco CCC certification cost?
Atlant Security’s readiness work starts at $3,000 for a standalone gap assessment against the scoped SACS-002 controls. Full readiness and control implementation is quoted as a fixed price based on your classification, the size of your environment, and whether you need CCC or CCC+ preparation - we send that proposal within 48 hours of your readiness call, and you review the readiness report before you pay. The validation itself is performed by an Aramco Authorized Audit Firm, which is a separate engagement.
How long does it take to get CCC certified?
The readiness work moves quickly: we deliver the gap assessment in about two weeks, then implement the scoped SACS-002 controls and prepare a validation-ready self-assessment package over the following weeks. The exact timeline depends on your starting maturity, whether you need CCC or CCC+, and how quickly your team implements the controls. The final validation is then scheduled with your Aramco Authorized Audit Firm - remotely for CCC or on-site for CCC+.
Does Atlant issue the CCC certificate?
No. Atlant Security does not issue the CCC certificate. The certificate is validated and issued by an Aramco Authorized Audit Firm, which is a separate, independent body. What Atlant does is the readiness and preparation work: we get you ready to pass, implement the SACS-002 controls with your team, and assemble a clean, validation-ready self-assessment package for the audit firm to validate - remotely for CCC or on-site for CCC+. This mirrors the way a readiness consultant prepares you and an independent auditor issues the report.

Related: IT Security Audit - ISO 27001 Readiness - All Services - Contact