Saudi Arabia’s KPMG Professional Services has signed an agreement with Aramco, one of the world’s largest energy and chemicals companies, to examine and strengthen the cybersecurity compliance checks across Aramco’s third parties and suppliers.

The Third-Party Cybersecurity Compliance Certificate (CCC) Program implemented by Aramco is a strategic initiative to certify existing and new third parties and suppliers before conducting business. Hossain Alshedoki signed an MoU (memorandum of understanding), Manager of Cybersecurity Advisory and ENR Cybersecurity Sector Lead at KPMG Professional Services, in the presence of  Abdulaziz Alnaim, KPMG Office Managing Partner in the Eastern Province of Saudi Arabia.

“Based on our analysis of minute-by-minute technological disruptions and ever-changing cybersecurity needs, we believe that vital national assets such as Aramco need to be fully protected with state-of-the-art and seamless cybersecurity systems,” said Alnaim during the ceremony. “We are grateful for the trust that Aramco has bestowed upon us, which will go a long way in the continuity of supplying vital resources to the world.”

The deal between the two stipulates that KPMG will assess Aramco’s third parties and suppliers based on the CCC framework. KPMG will also issue certificates that would verify their full adherence to the Saudi Aramco Third-Party Cybersecurity Standard (SACS-002).

General vendors, outsourced infrastructure, network connectivity, customized software, and critical data processors are amongst the suppliers who need to obtain the certificate. Successful suppliers need to submit the CCC and a detailed report from KPMG to Aramco’s e-marketplace system.

“Third-party risk is a key risk in the area of cybersecurity, managing this risk will improve the cyber posture of organisations who heavily depend on external parties or suppliers. More organisations should follow the direction which Aramco has taken,” said Ton Diemont, Head of Cybersecurity for KPMG Saudi Arabia, Jordan, Iraq, and Lebanon.

The certification issued by Aramco will be valid for two years. Suppose a supplier is awarded a new contract that involves a cybersecurity classification type but is not mentioned in the specifications of the valid certificate; a new certificate will need to be obtained and submitted.

The details for the new contract with Aramco will depend on a bidder’s cybersecurity classification category. And if the bidder fits under the standard cybersecurity classification, then there is no need to apply for a new certificate.

In case the bidder does not belong to any of these categories, it needs to communicate to KPMG asking to conduct a cybersecurity compliance assessment based on the upgraded categories covering the original and new types.