Becoming SACS-002 Compliant is Straightforward with 4S
At 4S, we partner with our clients to help navigate the SACS-002 audit processes and ensure certification readiness. Let us help you avoid the pitfalls when trying to satisfy the many Aramco requirements.
We will help you coordinate with Aramco for a smooth acquisition of your certification.
WHAT IS THE SACS-002 TPCS?
Third Party Cybersecurity Standard (TPCS) sets forth the minimum Cybersecurity requirements for Saudi Aramco Third Parties to protect Saudi Aramco from possible cyber threats and strengthen Third Parties’ security posture.
SACS-002 & OTHER STANDARDS
SACS is a combination of aspects from different cybersecurity standards, as shown below. To simplify third parties' efforts in implementing cybersecurity, SACS defines Third Party Controls (TPCs) so that the major categories of NIST 800-53 are unified into a set of 24 General Requirements or a set of 87 Specific Requirements that third parties must comply with. As per the NIST Cybersecurity Framework (CSF), the three cybersecurity categories included in SACS-002 are Identify, Protect and Respond.
- SACS-002 Third Party Cybersecurity Standard (TPCS) sets forth the minimum Cybersecurity requirements for Saudi Aramco Third Parties to protect Saudi Aramco from possible cyber threats and strengthen Third Parties’ security posture.
- NIST 800-53 (National Institute of Standards and Technology) is a non-regulatory agency that promotes and maintains standards of measurement to enhance economic security and business performance. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover.
- ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability.
THE CCC OBJECTIVE
The Cybersecurity Compliance Certification (CCC) program has been introduced to ensure that all third parties obtain a cybersecurity compliance certificate from the authorized audit firm, to confirm their adherence to the cybersecurity requirements, as mandated in the Third Party Cybersecurity Standard (SACS-002), to conduct business with Saudi Aramco.
WHAT IS REQUIRED TO GAIN SACS-002 CERTIFICATION
What your company requires to achieve certification will depend on many varying factors. Your security status will need to be ascertained before we can advise on how specifically to reach the level required to become certified under SACS-002. An overview of the requirements is provided below:
I. 23 General Requirements
II. 23 + 69 Specific Requirements
Additional specific Cyber Security requirements are defined for a Third Party that falls into one or more of the classes below:
- Network Connectivity: Third Party is provided with network connectivity to Saudi Aramco Corporate Network to access Saudi Aramco intranet services and perform required work. This connectivity is provided through leased lines or through certain VPN solutions such as SSL VPN over private links or site-to-site VPN over the Internet.
- Outsourced Infrastructure: Third Party is managing, maintaining and/or supporting an infrastructure on behalf of Saudi Aramco.
- Critical Data Processor: Third Party is developing, accessing and/or processing Saudi Aramco Critical Data.
- Customized Software: Third Party is developing and/or hosting customized software, an application, a website or a solution for Saudi Aramco.
You can find the full list for the updated 2022 SACS-002 Cyber Security Standard here (sacs-002-third-party-cybersecurity-standard.pdf) [Updated February 2022]
HOW WE HELP OUR CLIENTS
We deliver to our clients actionable cyber security intelligence relevant to their business, showing the threats and threat actors interested in harming their business and their clients.
We can support you to take the right precautions to avoid such crises.
We Partner with our Clients' Business Beyond SACS-002 Certification
We work with our clients to analyse, identify and apply all the required controls for their company to reach the SACS-002 standard. We can help you coordinate with Aramco until compliance is achieved.
Qualify for Cybersecurity Compliance Certification
We work with many suppliers, assisting them in applying for and reaching Aramco’s CCC. Our experts will help you identify and enact everything you need to do to receive your Aramco Cyber Security Certificate.
OUR SCOPE OF WORK
Phase 1:
- Compliance Report (Gap Analysis) – Identify the gaps that need to be closed in order to meet SACS-002 Standard compliance.
Phase 2:
- Work on closing the identified gaps, provide any required policies and procedures, a centralized policy administration solution, implement training programs and work on all the requirements to be compliant with SACS-002.
Phase 3:
- Administer and coordinate evidence collection for the auditor (screenshots, videos, emails, etc.). Liaise with the auditor and build the evidence submission report.
4S PARTNERS WITH YOUR BUSINESS BEYOND CERTIFICATION
Get in touch now to find out how our experts can help your business become certified. You can rely on 4S.
Enter your details into the form and we will contact you to discuss how we can help you achieve the security standards required to become SACS-002 Certified.