Business & Tech Essentials

SACS-210: What’s New for Aramco CCC Compliance
The old SACS-002 standard has been replaced by SACS-210 (published Feb 2026). This updated Third-Party Cybersecurity Standard introduces a broader, stricter set of requirements for all Saudi Aramco vendors.
Key changes include a larger baseline control set, stronger alignment to international frameworks, and new technical focus areas (like OT security and ransomware resilience). Every third-party supplier that connects to Aramco’s network or handles Aramco data must now comply with the SACS-210 controls and obtain a Cybersecurity Compliance Certificate (CCC) under this new standard.
Moving from SACS-002 to SACS-210 can be complex. Our Aramco CCC Consultancy help organizations perform SACS-210 gap analyses, update policies, and prepare audit-ready evidence. This proactive support keeps your compliance project on track and minimizes delays in obtaining the new CCC.
Why SACS-210 Matters
SACS-210 applies globally to any vendor with Aramco exposure. Aramco has opened a 6-month transition window ending 26 August 2026. Existing SACS-002 certificates remain valid until their normal expiry, but any new contract or renewal after August 2026 requires the updated SACS-210–based CCC. In practice, this means vendors must actively transition: if you don’t meet the new standard by renewal time, you risk losing your Aramco certification.
Key Changes in SACS-210
SACS-210 is essentially a restructuring and strengthening of the previous framework. At its core are 33 mandatory controls (TPC1.1–TPC1.33) that apply to all Aramco third parties. These controls cover governance, access management, data protection, and incident response. Compared to SACS-002, SACS-210 places much stronger emphasis on modern security best practices. Highlights include:
- Expanded Control Set: All vendors must implement 33 general controls. By contrast, SACS-002 had a smaller baseline. The new controls are aligned to the NIST Cybersecurity Framework, NIST 800 guidelines, and Saudi Arabia’s NCA Essential Cybersecurity Controls. If your organization already follows ISO 27001 or NCA ECC 2:2024, you’ll find these SACS-210 controls closely overlap your existing controls.
- Governance & Policy: More rigorous requirements for policies and documentation. You must maintain up-to-date cybersecurity policies, asset inventories, risk assessments, and compliance registers. For example, SACS-210 explicitly requires an IT asset inventory (TPC1.8) to track all hardware, software, and data repositories.
- Identity & Access: Tighter identity controls. Multi-Factor Authentication (MFA) is now mandatory for all Aramco-related remote access and privileged accounts. This includes VPN/Internet access, cloud services, email logins, and any user accounts with special privileges. Additionally, role-based access and periodic access reviews are enforced more strictly.
- Endpoint Security: Vendors must deploy modern endpoint protection. Full-disk encryption (AES-256 or higher) and next-generation antivirus/EDR solutions are required on all endpoints and servers. Patch management must be regular and documented.
- Network & Email Security: Network controls have explicit specifications. Firewalls, intrusion detection/prevention, and network segmentation are mandated, with detailed configuration guidelines. Email security is also tightened: Aramco forbids generic email domains (no Gmail/Hotmail). Instead, suppliers must use their business email with proper SPF/DKIM/DMARC authentication.
- Data Protection & Backups: There are new data resilience rules. Sensitive data at rest and in transit must use Saudi National Cryptographic Standards (NCS-1:2020) encryption. Regular offline, air-gapped backups are required to protect against ransomware. Additionally, when disposing of storage media, vendors must follow NIST SP 800-88 media sanitization procedures (ensuring secure data wiping).
- Logging & Monitoring: Continuous monitoring is emphasized. Organizations must enable and protect audit logging (see SACS-210 Appendix C for specifics). Log integrity and long-term storage are expected.
- Incident Response: Faster reporting. Any cybersecurity incident must be reported to Aramco within 24 hours of discovery. After the initial report, interim status updates are required every 24 hours until the incident is closed.
- Operational Technology (OT): SACS-210 explicitly includes an OT section. If your services involve industrial control systems or OT environments, you must implement OT-specific controls (e.g. safety interlocks, network isolation, OT asset management) in addition to the general controls.
- Cloud & Critical Data: Vendors offering cloud services or handling Aramco-designated critical data must meet additional addendum controls. SACS-210 has sections for Cloud Computing and Critical Data Processors which impose stricter technical requirements. (All third parties should review these addenda to see if they apply.)
In summary, SACS-210 restructures Aramco’s control framework with stronger NIST/NCA alignment and higher technical expectations. You can think of it as an upgrade from a checklist to a fully harmonized security program.
SACS-002 vs SACS-210 at a Glance
|
Area |
SACS-002 |
SACS-210 |
|
Framework |
Previous supplier standard |
Updated cybersecurity standard |
|
Security Controls |
Existing baseline controls |
Expanded and more structured baseline |
|
Identity Security |
Standard authentication |
Stronger MFA and identity controls |
|
Monitoring |
Basic monitoring expectations |
Greater focus on continuous monitoring |
|
Operational Technology |
Limited focus |
Dedicated OT security requirements |
|
Audit Readiness |
Documentation focused |
Documentation plus stronger technical evidence |
|
Long-Term Approach |
Compliance driven |
Continuous cybersecurity maturity |
Transition Timeline & Next Steps
To comply with SACS-210, follow these steps:
1. Assess Your Classification
Determine your Aramco Classification (General, Network Connectivity, Cloud, Critical Data, OT, etc.). This tells you whether you need a standard CCC (remote audit) or a CCC+ (on-site audit). If both CCC and CCC+ could apply, Aramco requires the CCC+ path.
2. Gap Analysis
Compare your current security controls and documentation against the 33 SACS-210 controls. Identify missing policies, outdated processes, or technical gaps (MFA, encryption, backups, monitoring, etc.).
3. Update Documentation
Revise your cybersecurity policy, incident response plan, network diagrams, and other documentation to cover SACS-210 requirements. Ensure approval signatures and dates are current.
4. Implement Controls
Deploy any needed technical changes. For example, enforce MFA on all endpoints, configure email authentication, enable full encryption, implement automated backup routines, and tighten network defenses per the new specifications.
5. Gather Evidence
Collect proof for auditors. This includes screenshots of configurations (with timestamps), system logs, vulnerability scan reports, asset registers, and any other records showing compliance. All evidence should be recent and clearly attributed to your organization.
6. Perform Audit
Engage an Aramco Authorized Audit Firm to conduct your CCC or CCC+ assessment under SACS-210. Submit the completed Third-Party Classification Template and Confirmation Letter before the audit, as these define your scope. The auditor will review your self-assessment report and evidence, then issue the CCC if you meet all controls.
7. Submit & Renew
After the audit, upload the issued Cybersecurity Compliance Certificate and audit report to Aramco’s e-Marketplace. Remember, the CCC is valid for two years, so track your renewal date and ensure SACS-210 compliance for any new contract classification or renewal request.
Starting early is crucial. The transition deadline (26 Aug 2026) may sound far off, but preparing policies, implementing new controls, and gathering evidence can take months. Vendors who act now will avoid last-minute bottlenecks and be ready well before the deadline.
Final Thoughts
SACS-210 is a real jump from SACS-002, and the deadline isn't as far off as it looks once you factor in gap analysis, documentation updates, and audit prep. Vendors who start now will have time to fix problems before they become renewal issues.
If you need help figuring out where your organization stands against the 33 controls, our CCC consultants can walk you through the assessment and get you audit-ready. Book a Consultation!
Disclaimer: All logos, trademarks, and brand names used in this document are the property of their respective owners. Their use here is for identification purposes only and does not imply endorsement.
Recent News
Saudi PDPL Enforcement Updates & Data Privacy Guidelines
28-06-2026
Cybersecurity Compliance Roadmap CCC: Aramco SACS 002 Submission & Certification in Depth
23-06-2026
How to Access and Navigate SharePoint Sites for Beginners
22-06-2026
Cybersecurity Compliance Roadmap CCC: Aramco SACS 002 Testing and Validation in Depth
15-06-2026
Cybersecurity Compliance Roadmap CCC: Aramco SACS 002 Documentation in Depth
14-06-2026
How to Upload Files and Folders in SharePoint Online
08-06-2026
How to Add Vendor Name in Vendor Ledger Entries in Business Central
02-06-2026
Cybersecurity Compliance Roadmap CCC: Aramco SACS 002 Security Gaps in Depth
01-06-2026
Add Location on Cost Centre Dimension
11-05-2026
Cybersecurity Compliance Roadmap (CCC) - Aramco SACS 002 Assessment in Depth
11-05-2026







