If your company supplies products, services, or technology to Saudi Aramco, you have heard of the CCC. The Cybersecurity Compliance Certificate is not optional — it is a contractual gate. No CCC, no business with Aramco. Here is what the program actually requires, what the difference between CCC and CCC+ is, and how to get certified without derailing your operations.

What is the Aramco CCC?

The CCC (Cybersecurity Compliance Certificate) is part of Saudi Aramco’s Third Party Cybersecurity Standard, formally known as SACS-002. It requires every third-party vendor, supplier, and contractor that connects to or handles Aramco systems, data, or networks to meet a defined set of cybersecurity controls and prove compliance through an independent assessment.

The program is administered through Aramco’s e-Marketplace system. Third parties must submit their CCC through the platform, and the certificate must be renewed every two years.

CCC vs. CCC+ — which one do you need?

There are two tiers:

  • CCC (baseline) — required for all third-party suppliers. Covers fundamental cybersecurity hygiene: asset management, access control, network security, endpoint protection, incident response, and business continuity. If you supply goods or non-critical services to Aramco, CCC is what you need.
  • CCC+ (enhanced) — required for suppliers who handle more sensitive Aramco systems, data, or operational technology. CCC+ adds controls for data classification, advanced network segmentation, privileged access management, security monitoring, and stricter incident response timelines. If your contract scope involves access to Aramco production networks, SCADA systems, or confidential data, expect to be directed to CCC+.

Your Aramco contract or procurement contact will tell you which tier applies. When in doubt, ask — the tier determines the scope (and cost) of the assessment.

What does the CCC control framework cover?

The SACS-002 control framework covers the following domains:

  1. Governance and risk management — cybersecurity policies, roles, risk register, and board-level accountability.
  2. Asset management — inventory of hardware, software, and data assets, with classification and ownership.
  3. Access control — identity management, multi-factor authentication, least-privilege enforcement, and regular access reviews.
  4. Network security — firewalls, segmentation, intrusion detection/prevention, VPN, and wireless security.
  5. Endpoint protection — antivirus/EDR, patching, hardening baselines, and removable media policies.
  6. Data protection — encryption at rest and in transit, backup and recovery, and data loss prevention.
  7. Incident management — detection, triage, containment, notification (to Aramco), and post-incident review.
  8. Business continuity — disaster recovery plan, tested annually, with defined recovery time objectives (RTO) and recovery point objectives (RPO).
  9. Third-party management — if you subcontract, your subcontractors must also meet the standard.
  10. Physical security — for facilities that store or process Aramco data or connect to Aramco networks.

CCC+ extends several of these domains with more prescriptive requirements — for example, requiring a 24/7 security operations center (SOC) capability instead of just an incident response plan.

The certification process, step by step

  1. Gap assessment (2–3 weeks) — a qualified assessor evaluates your current cybersecurity posture against the SACS-002 controls and documents which ones you meet, which ones you partially meet, and which ones have gaps.
  2. Remediation plan (1 week) — the assessor prioritizes the gaps by risk and effort, and produces a remediation roadmap your team can execute.
  3. Remediation (4–8 weeks) — your team (with the assessor’s support) implements the missing controls: deploying tools, writing policies, configuring systems, and training staff.
  4. Evidence preparation (2–3 weeks) — the assessor collects screenshots, configuration exports, policy documents, test results, and logs that prove each control is in place and operating effectively.
  5. Submission (1 week) — the evidence pack is uploaded to the Saudi Aramco e-Marketplace. Aramco reviews the submission and either approves the CCC or requests additional evidence.
  6. Renewal (every 2 years) — the CCC is valid for two years. Renewal requires a fresh assessment cycle. Organizations that maintain their controls continuously find renewal straightforward; those that let things drift face a heavier remediation effort.

How long does it take, and what does it cost?

A typical CCC engagement runs 8 to 14 weeks end-to-end. The phases above overlap in practice (evidence collection starts while remediation is still under way), so the total is shorter than the sum of the individual step durations. Where you land in that range depends on your starting posture:

  • Already ISO 27001 certified or compliant with the NCA Essential Cybersecurity Controls (ECC)? Many of those controls overlap with SACS-002. Expect 8–10 weeks, mostly documentation and evidence work rather than heavy remediation.
  • Starting from scratch? Expect 12–14 weeks. The bulk of the time goes into deploying endpoint protection, tightening access controls, building incident response playbooks, and writing policies that did not exist before.

Cost depends on company size, number of sites, complexity of the IT environment, and whether you need CCC or CCC+. We share an itemized quote after the gap assessment — no surprises.

Common mistakes that delay certification

  • Starting too late. If your Aramco contract has a CCC deadline and you start the process 4 weeks before it, you will not make it. Start at least 12 weeks out if you already hold ISO 27001 certification or NCA ECC compliance, and 14 weeks or more if you are starting from scratch.
  • Treating it as a checkbox exercise. Aramco reviews evidence carefully. Policies that exist on paper but are not enforced will be flagged. Controls need to be demonstrated as operational, not just documented.
  • Ignoring subcontractors. If you use subcontractors who touch Aramco systems or data, they need to be compliant too (domain 9 above). This gap commonly surfaces late in the process, when there is little time left to fix it.
  • Not assigning an internal owner. The assessor drives the process, but someone inside your organization needs to own the remediation actions, collect evidence from internal teams, and make decisions when trade-offs arise.

How Distance Vector Solutions can help

We are a Dammam-based cybersecurity and IT services company with hands-on experience in the Aramco CCC and CCC+ certification process. Our team runs the full lifecycle:

  • Gap assessment against SACS-002 controls, delivered as a prioritized findings report.
  • Remediation support — we implement the controls, not just advise. Endpoint protection, network segmentation, policy authoring, MFA rollout, backup testing, and incident response playbook development.
  • Evidence preparation — we build the evidence pack in the format Aramco expects and handle the e-Marketplace submission.
  • Renewal management — we track the two-year cycle and re-assess before the deadline so your CCC never lapses.

If you are an Aramco supplier facing a CCC deadline, reach out via the contact form or call us at +966 54 330 4816. We will scope the engagement on a free discovery call and give you an honest timeline.

For more on our full cybersecurity practice, visit our Cybersecurity Services page.