The Aramco CCC audit is fundamentally an evidence exercise. Whether you are pursuing a CCC (remote self-assessment) or a CCC+ (on-site audit by an authorized firm), the assessor's job is to verify that every applicable SACS-002 control is implemented and functioning. They do this by reviewing documented evidence: timestamped screenshots, configuration exports, policy documents, log samples, and test reports. The quality and completeness of this evidence determines whether your assessment proceeds smoothly or stalls on back-and-forth clarification requests.
This guide walks you through exactly what auditors expect for each infrastructure-related control area, the specific evidence formats that satisfy assessment criteria, and how to organize your evidence package for a successful CCC certification.
Understanding the Evidence Standard
Before diving into specific control areas, it is important to understand what makes evidence acceptable to a CCC auditor. Every piece of evidence must meet four criteria:
- Timestamped: Screenshots and exports must include visible dates and times that demonstrate the configuration was in place at the time of assessment. Undated screenshots will be rejected.
- Attributable: Evidence must clearly show which system, server, or service it relates to. A firewall rule screenshot without the hostname or IP address visible does not prove the rule applies to your Aramco-facing systems.
- Current: Evidence must be recent, typically within 30 days of the assessment date. Configurations documented six months ago do not prove current compliance.
- Complete: Partial evidence creates audit findings. If the control requires MFA on all administrative accounts, evidence showing MFA enabled on three of five admin accounts is a failure, not partial credit.
Auditor Tip: Organize your evidence in a folder structure that mirrors the SACS-002 control numbering (TPC-2, TPC-3, TPC-6, etc.). This makes the assessor's job easier and demonstrates organizational maturity, which positively influences the overall assessment.
Email Controls: TPC-8, TPC-9, TPC-10
Email security is one of the most frequently assessed control areas because email is the primary vector for phishing attacks targeting vendor credentials. Auditors will examine your email infrastructure configuration to verify that anti-spoofing, authentication, and encryption controls are properly implemented.
SPF Record Evidence (TPC-8)
You need to provide a DNS lookup showing your domain's SPF record. The evidence should include:
- A screenshot of the SPF TXT record from your DNS management panel, showing the full record value and the domain it applies to
- A validation result from an SPF checking tool confirming the record syntax is correct and the policy ends in `-all` (hard fail) or `~all` (soft fail)
- Documentation of all authorized sending sources listed in the SPF record, confirming each is a legitimate email sender for your organization
DKIM Evidence (TPC-9)
DKIM signing lets a receiving server verify that the signed headers and body of a message were not altered after it left your mail system, and that the signer holds the private key matching the public key published under your DNS selector. Required evidence includes:
- Screenshot of DKIM DNS TXT records showing the public key entries for each selector used by your mail servers
- Email header analysis from a test message showing the `DKIM-Signature` header with a valid signature
- DKIM verification result confirming the signature validates against the published public key
DMARC Policy Evidence (TPC-10)
DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do with emails that fail authentication. Evidence must show:
- The DMARC DNS record at `_dmarc.yourdomain.com` with a policy of `p=quarantine` or `p=reject`
- DMARC aggregate report samples showing alignment results over a recent period
- Inbound mail server configuration confirming DMARC evaluation is enabled for incoming mail (the published `p=` policy tells other receivers what to do with mail claiming to be from your domain; it does nothing for mail you receive)
For a comprehensive understanding of how email encryption fits within the broader SACS-002 encryption requirements, see our guide on data encryption compliance for CCC certification.
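Before taking the screenshots above, it is worth running the record values through a quick parser so you catch a `?all` policy, a `p=none` DMARC record or an unaligned DKIM `d=` domain yourself rather than in the assessor's findings. The script below is an added example written for this guide, not tooling from SACS-002, Aramco or any assessment firm. The SPF, DMARC and DKIM-Signature values are constructed samples in the form a DNS TXT lookup or a message header would return them, and example.com stands in for your own domain.

```python
"""Offline checks for SPF, DKIM-Signature and DMARC evidence (TPC-8, TPC-9, TPC-10).

Added example for this guide; not tooling from SACS-002, Aramco or an assessment
firm. Records below are constructed samples; example.com is a placeholder domain.
"""

SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 include:_spf.google.com "
              "include:spf.protection.outlook.com -all")
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; adkim=s; aspf=s; pct=100"
SAMPLE_DKIM_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
                      "h=from:to:subject:date; bh=c2FtcGxl=; b=c2lnbmF0dXJl=")

# SPF terms that each cost a DNS query; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> dict:
    """Parse an SPF record: report its 'all' policy, DNS-lookup count and findings."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"ok": False, "policy": None, "lookups": 0,
                "findings": ["record does not start with v=spf1"]}
    policy, lookups = None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        # strip qualifier, then any ':host', '/cidr' or '=value' suffix to get the term name
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name == "all":
            policy = qualifier + "all"
        elif name in LOOKUP_TERMS:
            lookups += 1
    if policy is None:
        findings.append("no 'all' term: unlisted senders are treated as neutral, not rejected")
    elif policy not in ("-all", "~all"):
        findings.append(f"policy is {policy}; assessors expect -all (hard fail) or ~all (soft fail)")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10; "
                        "receivers return permerror and the record is effectively void")
    return {"ok": not findings, "policy": policy, "lookups": lookups, "findings": findings}


def parse_tags(value: str) -> dict:
    """Parse the 'tag=value; tag=value' form shared by DMARC records and DKIM-Signature headers."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def check_dmarc(record: str) -> dict:
    """Check a _dmarc TXT record for an enforcing policy and a reporting address."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: only quarantine or reject counts as enforcement")
    if "rua" not in tags:
        findings.append("no rua= address: you will have no aggregate reports to submit")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return {"ok": not findings, "policy": policy, "findings": findings}


def check_dkim_alignment(header: str, from_domain: str, strict: bool) -> dict:
    """Check a DKIM-Signature header's required tags and d= alignment with the From: domain.

    Alignment is what DMARC evaluates: strict (adkim=s) needs an exact match; relaxed
    (adkim=r) accepts the same organizational domain, approximated here by a
    parent/child suffix match instead of a public-suffix-list lookup.
    """
    tags = parse_tags(header)
    findings = [f"DKIM-Signature missing required tag {t}="
                for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if tags.get("a", "").lower() == "rsa-sha1":
        findings.append("rsa-sha1 is deprecated; sign with rsa-sha256 or ed25519-sha256")
    d, f = tags.get("d", "").lower(), from_domain.lower()
    aligned = d == f if strict else (d == f or f.endswith("." + d) or d.endswith("." + f))
    if d and not aligned:
        findings.append(f"d={d} does not align with From: domain {f}")
    return {"ok": not findings, "domain": d, "selector": tags.get("s"), "findings": findings}


if __name__ == "__main__":
    print("SPF  ", check_spf(SAMPLE_SPF))
    print("DMARC", check_dmarc(SAMPLE_DMARC))
    print("DKIM ", check_dkim_alignment(SAMPLE_DKIM_HEADER, "example.com", strict=True))
```

Feed it the TXT values from your own `dig` output and the `DKIM-Signature` header from a test message; a clean run with `-all`, `p=reject` and an aligned `d=` is what the screenshots then need to show. It does not verify the DKIM signature cryptographically (that still needs a verifier against the live DNS key), so keep the verification result in the evidence set as well.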
Access Controls: TPC-2, TPC-3
Access control evidence is among the most scrutinized because stolen or misused credentials are behind a large share of security incidents. Auditors will verify that your authentication mechanisms, password policies, and account management procedures meet SACS-002 standards. For detailed implementation guidance, refer to our access control and MFA compliance guide.
Password Policy Evidence (TPC-3)
Provide evidence that your password policy meets or exceeds SACS-002 requirements:
- Screenshot of the password policy configuration in your identity management system (Active Directory, LDAP, or equivalent) showing minimum length (12+ characters), complexity requirements, and expiration settings
- Account lockout configuration showing lockout after 5 failed attempts, with lockout duration and reset procedures
- Password history enforcement preventing reuse of the last 12 passwords
- Written password policy document that employees have acknowledged
MFA Enrollment Evidence (TPC-2)
Multi-factor authentication evidence must demonstrate universal enforcement, not just availability:
- MFA provider dashboard showing total enrolled users versus total active accounts (should be 100% for all accounts with access to Aramco-related systems)
- MFA policy configuration showing enforcement mode (not optional/advisory) for all protected applications
- Sample login flow screenshot showing the MFA prompt as a mandatory step
- MFA method configuration showing approved second factors (authenticator apps, hardware tokens) and any excluded methods
Endpoint Protection: TPC-6
Endpoint protection evidence proves that all devices with access to Aramco data are protected against malware and that protection is actively maintained.
Antivirus Configuration Evidence
- Central management console screenshot showing all enrolled endpoints with their protection status, last scan date, and definition version
- Update policy configuration showing automatic definition updates enabled with the update frequency (at minimum daily)
- Scheduled scan configuration showing full system scans running at defined intervals (weekly minimum)
- Recent scan results from a representative sample of endpoints, showing scan completion and any findings with remediation actions
- Real-time protection configuration confirming on-access scanning is enabled for all file types
Endpoint Compliance Reports
Many auditors request a compliance summary report from your endpoint protection platform that shows:
- Percentage of endpoints with current definitions (must be 100% or documented exceptions)
- Percentage of endpoints with recent full scans completed
- Any endpoints with disabled or degraded protection, with documented justification and remediation timeline
Encryption: TPC-52
Encryption evidence covers data in transit and data at rest across all systems handling Aramco data. Our encryption compliance guide provides detailed implementation steps, while the evidence requirements are outlined below.
VPN Tunnel Configuration
- VPN gateway configuration export showing IPSec settings: encryption algorithm (AES-256), integrity algorithm (SHA-256+), DH group (14 or higher), and IKE version (v2)
- Active tunnel status screenshot showing established connections with encryption parameters
- VPN access policy showing which user groups have VPN access and to which network segments
For complete VPN and remote access requirements, see our secure remote access compliance guide.
TLS Certificate Evidence
- SSL/TLS certificate details for all web-facing services showing certificate validity dates, issuing CA, key size (2048-bit RSA minimum or 256-bit ECC), and protocol versions enabled (TLS 1.2 minimum)
- SSL configuration test results from a tool like SSL Labs showing the grade and any weak cipher suites or protocol versions
- Certificate inventory listing all certificates in use, their expiration dates, and the renewal process
SFTP and File Transfer Evidence
- SFTP server configuration showing SSH protocol version, key exchange algorithms, and cipher suites
- File transfer policy document specifying that unencrypted protocols (FTP, HTTP) are prohibited for Aramco data transfers
- Firewall rules confirming that FTP (port 21) is blocked on Aramco-facing network segments
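Both the VPN and the SFTP evidence above come down to the same question: does the exported configuration name only algorithms that meet the baseline? The script below is an added example written for this guide, not part of any vendor's or assessor's tooling. It reads IPsec proposals in strongSwan's `ike=`/`esp=` notation (encryption-integrity-DH, for example `aes256-sha256-modp2048`) and OpenSSH `sshd_config` directives; the two sample configurations are constructed, and the lists of weak algorithms are the author's assumption of what an assessor will flag rather than anything SACS-002 enumerates.

```python
"""Audit VPN and SFTP crypto settings against the TPC-52 baseline in this guide.

Added example, not vendor or assessor tooling. IPsec proposals use strongSwan's
enc-integ-dh notation; SSH settings use OpenSSH sshd_config keywords. Sample
configs are constructed; the weak-algorithm sets are an assumption.
"""
import re

# strongSwan DH group names to IKE group numbers (subset). Baseline is group 14+.
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}


def check_ipsec_proposal(proposal: str, ike_version: int) -> list:
    """Return findings for one IKE/ESP proposal; an empty list means it meets the baseline."""
    findings = []
    if ike_version != 2:
        findings.append(f"IKEv{ike_version} configured; baseline requires IKEv2")
    parts = proposal.lower().split("-")
    enc = parts[0]
    aead = any(tag in enc for tag in ("gcm", "ccm", "chacha"))
    if aead and len(parts) == 2:          # esp=aes256gcm16-ecp384 form: no integrity token
        integ, dh = "", parts[1]
    else:
        integ = parts[1] if len(parts) > 1 else ""
        dh = parts[2] if len(parts) > 2 else ""
    if not enc.startswith("aes256"):
        findings.append(f"encryption {enc}: baseline is AES-256")
    # AEAD ciphers carry their own integrity; the middle token is then the PRF.
    if not aead and not re.fullmatch(r"sha(256|384|512)(_\d+)?", integ):
        findings.append(f"integrity {integ or '(none)'}: baseline is SHA-256 or stronger")
    group = DH_GROUPS.get(dh)
    if group is None:
        findings.append(f"DH group {dh or '(none)'}: not recognised; check that PFS is on")
    elif group < 14:
        findings.append(f"DH {dh} is group {group}; baseline is group 14 or higher")
    return findings


WEAK_SSH = {  # assumption: algorithms an assessor will flag in an sshd_config export
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"},
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
                "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "umac-64@openssh.com",
             "hmac-md5-etm@openssh.com", "hmac-sha1-etm@openssh.com"},
}

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt for an SFTP host (two weak entries left in)
Protocol 2
Subsystem sftp internal-sftp
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha1
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

HARDENED_SSHD_CONFIG = """\
Protocol 2
Subsystem sftp internal-sftp
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""


def check_sshd_config(text: str) -> list:
    """Flag weak or unset KexAlgorithms/Ciphers/MACs in an sshd_config export."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            directives[key.lower()] = value.strip()
    findings = []
    if directives.get("protocol", "2") != "2":   # current OpenSSH is SSH-2 only
        findings.append(f"Protocol {directives['protocol']}: SSH-1 must not be enabled")
    for directive, weak in WEAK_SSH.items():
        if directive not in directives:
            findings.append(f"{directive} not set; compiled-in defaults apply, "
                            "export the effective list with 'sshd -T' instead")
            continue
        for alg in directives[directive].split(","):
            if alg.strip().lower() in weak:
                findings.append(f"{directive} allows weak algorithm {alg.strip()}")
    return findings


if __name__ == "__main__":
    print(check_ipsec_proposal("aes256-sha256-modp2048", 2))
    print(check_ipsec_proposal("aes128-sha1-modp1024", 1))
    print(check_sshd_config(SAMPLE_SSHD_CONFIG))
```

Run it against the real exports rather than the files you intend to submit: for SSH in particular, a config that does not set `KexAlgorithms`, `Ciphers` or `MACs` at all is relying on build defaults, and the assessor-friendly evidence is the output of `sshd -T`, which prints the effective values.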
Audit Logging
Audit logging evidence demonstrates that your infrastructure records security-relevant events and retains those records for the required period.
Log Retention and Protection
- Log retention policy document specifying retention periods for each log type (security events, access logs, system logs)
- Log storage configuration showing centralized log collection (syslog server, SIEM, or equivalent)
- Sample log exports from multiple systems showing consistent timestamp formats, event categorization, and user attribution
- Log integrity controls: evidence that logs are protected against modification or deletion (write-once storage, digital signatures, or access controls on log files)
- SIEM dashboard screenshots showing real-time monitoring and alerting on security events (if applicable to your classification)
Log Content Requirements
Auditors will verify that your logs capture specific event types:
- Authentication events (successful and failed login attempts)
- Authorization changes (permission grants, role modifications)
- System administration events (configuration changes, service restarts)
- File access events on systems containing Aramco-classified data
- Network security events (firewall rule triggers, IDS/IPS alerts)
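A useful pre-check on the log samples you plan to submit is to classify each line into one of the five event types above and confirm every line carries a parseable timestamp and a user or source attribution. The script below is an added example written for this guide, not an assessor's tool. Its six log lines are constructed to resemble syslog-forwarded Linux auth messages, Windows Security events (IDs 4728 and 4663) and Cisco ASA deny messages, and the regexes are tuned to those shapes only; extend the rule table for your own sources.

```python
"""Check that sample log exports cover the event types an assessor looks for.

Added example for this guide, not assessor tooling. The log lines are constructed
(Linux auth, Windows Security event IDs, Cisco ASA) and the rules match only
those shapes; add rules for your own log sources.
"""
import re
from datetime import datetime

REQUIRED_CATEGORIES = frozenset({"authentication", "authorization_change",
                                 "admin_change", "file_access", "network_security"})

# (category, classification pattern, attribution pattern with one capture group)
RULES = [
    ("authentication", re.compile(r"Accepted \S+ for|Failed password for"),
     re.compile(r"for (?:invalid user )?(\S+)")),
    ("authorization_change", re.compile(r"EventID=(?:4720|4728|4732|4756)\b"),
     re.compile(r"Subject=(\S+)")),
    ("admin_change", re.compile(r"\bsudo:"), re.compile(r"sudo: +(\S+) :")),
    ("file_access", re.compile(r"EventID=4663\b"), re.compile(r"Subject=(\S+)")),
    ("network_security", re.compile(r"%ASA-\d-\d+: (?:Deny|Drop) "),
     re.compile(r"src \S+:([\d.]+)/")),
]

SAMPLE_LOGS = """\
2024-05-02T08:14:07Z srv-app01 sshd[2231]: Accepted publickey for deploy from 10.10.4.20 port 51022 ssh2
2024-05-02T08:15:31Z srv-app01 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
2024-05-02T08:20:02Z dc01 EventID=4728 A member was added to a security-enabled global group. Subject=CORP\\jdoe Group=Domain Admins
2024-05-02T08:22:45Z srv-app01 sudo:     jdoe : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-05-02T08:30:11Z fs01 EventID=4663 An attempt was made to access an object. Subject=CORP\\asmith Object=E:\\aramco\\drawings.pdf
2024-05-02T08:31:50Z fw-edge01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40111 dst inside:10.10.4.20/21 by access-group "outside_in"
"""


def parse_event(line: str) -> dict:
    """Split 'timestamp host message', then classify and attribute the message."""
    ts, host, msg = line.split(" ", 2)
    try:
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")   # the one format we accept
    except ValueError:
        stamp = None
    category, actor = "unclassified", None
    for name, classify, attribute in RULES:
        if classify.search(msg):
            category = name
            m = attribute.search(msg)
            actor = m.group(1) if m else None
            break
    return {"timestamp": stamp, "host": host, "category": category, "actor": actor}


def assess_log_coverage(text: str, required=REQUIRED_CATEGORIES) -> dict:
    """Report covered/missing event categories and lines that fail the evidence criteria."""
    events, problems = [], []
    for line in text.splitlines():
        if len(line.split(" ", 2)) < 3:
            problems.append(f"unparseable line: {line!r}")
            continue
        ev = parse_event(line)
        events.append(ev)
        if ev["timestamp"] is None:
            problems.append(f"timestamp not in the agreed UTC format: {line[:60]}")
        if ev["category"] != "unclassified" and not ev["actor"]:
            problems.append(f"no user/source attribution: {line[:60]}")
    covered = {ev["category"] for ev in events} - {"unclassified"}
    return {"covered": covered, "missing": set(required) - covered,
            "problems": problems, "events": len(events)}


if __name__ == "__main__":
    result = assess_log_coverage(SAMPLE_LOGS)
    print("covered:", sorted(result["covered"]))
    print("missing:", sorted(result["missing"]))
    print("problems:", result["problems"])
```

The two failure modes it catches are the ones that generate findings in practice: a Windows event forwarded without its Subject fields (categorized, but unattributed) and a host still emitting legacy syslog timestamps alongside ISO 8601 UTC from everything else (the "consistent timestamp formats" point above).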
Penetration Testing
SACS-002 requires annual penetration testing of systems in scope for CCC certification. The penetration test evidence must include:
- Pen test report from a qualified testing firm, dated within the last 12 months, covering all in-scope systems and networks
- Scope documentation confirming the test covered all Aramco-facing systems, not just a subset
- Findings summary with severity ratings (Critical, High, Medium, Low) for each identified vulnerability
- Remediation evidence for all Critical and High findings, showing the vulnerability was fixed and retested
- Remediation timeline for any Medium or Low findings still open, with documented risk acceptance if applicable
Important: The penetration test must be performed by an independent qualified firm, not by internal staff. Aramco's authorized assessment firms may require the pen test to follow a recognized methodology such as the OWASP Testing Guide or PTES.
Comprehensive Audit Evidence Checklist
The following table provides a complete reference of evidence requirements organized by control area, including the evidence format and whether MassiveGRID's CCC-compliant infrastructure package generates the evidence automatically:
| Control Area | Evidence Required | Format | MassiveGRID Auto-Generated? |
|---|---|---|---|
| SPF (TPC-8) | SPF DNS record + validation result | Screenshot + DNS export | Yes |
| DKIM (TPC-9) | DKIM keys + signed email headers | DNS screenshot + email header | Yes |
| DMARC (TPC-10) | DMARC record + aggregate reports | DNS screenshot + XML/report | Yes |
| Password Policy (TPC-3) | Policy config + lockout settings | Screenshot + policy document | Yes |
| MFA (TPC-2) | Enrollment stats + enforcement config | Dashboard screenshot | Yes |
| Account Lockout (TPC-3) | Lockout threshold + duration config | Screenshot | Yes |
| Antivirus Definitions (TPC-6) | Definition version + update schedule | Console screenshot | Yes |
| AV Scan Schedule (TPC-6) | Scan policy + recent scan results | Console screenshot + report | Yes |
| Real-time Protection (TPC-6) | On-access scan configuration | Screenshot | Yes |
| IPSec VPN (TPC-52) | Tunnel config + encryption params | Config export + screenshot | Yes |
| TLS Certificates (TPC-52) | Cert details + SSL test results | Certificate export + test report | Yes |
| SFTP Config (TPC-52) | SSH config + cipher suites | Config file export | Yes |
| Firewall Rules | Rule sets + network segmentation | Config export + diagram | Yes |
| Log Retention | Retention policy + sample exports | Policy doc + log samples | Yes |
| Log Integrity | Access controls on log storage | Config screenshot | Yes |
| SIEM/Monitoring | Dashboard + alert configuration | Screenshot + alert rules | Yes |
| Penetration Test | Full pen test report + remediation | PDF report | Coordinated (partner firm) |
| Data Classification | Classification policy + asset inventory | Policy document + spreadsheet | Template provided |
| Backup Configuration | Backup schedule + retention + test restores | Config screenshot + restore log | Yes |
| Incident Response Plan | IR plan document + contact list | Policy document | Template provided |
How MassiveGRID Generates Audit-Ready Evidence
One of the most time-consuming aspects of CCC certification is gathering and formatting evidence. Vendors often spend weeks taking screenshots, exporting configurations, and assembling documentation that proves their infrastructure meets each control requirement. With MassiveGRID's CCC-compliant infrastructure package, the majority of this evidence is generated automatically.
The MassiveGRID compliance management interface provides:
- One-click evidence export: Generate timestamped, attributed evidence packages for each control area directly from your infrastructure management dashboard
- Continuous compliance monitoring: Real-time dashboards show the current compliance status of every control, with alerts when configurations drift from the required baseline
- Pre-formatted evidence packages: Evidence is exported in the format assessors expect, organized by control number, with appropriate context and attribution metadata
- Historical compliance records: Access evidence from any point in time during your subscription, useful for demonstrating sustained compliance between assessment cycles
- Assessment coordination: MassiveGRID's compliance team works directly with your chosen assessment firm to answer infrastructure-related questions and provide supplementary evidence when requested
For vendors managing their own file hosting and data security, evidence generation is particularly important because data access controls and encryption configurations change frequently as team members join or leave projects.
Preparing Your Evidence Timeline
Do not wait until the assessment is scheduled to begin gathering evidence. A structured preparation timeline ensures everything is current and complete when the assessor requests it:
- 90 days before assessment: Review all control areas and identify any gaps in implementation. Address missing controls and begin documenting remediation.
- 60 days before assessment: Conduct an internal pre-assessment using the checklist above. Verify that all evidence types are available and meet the four acceptability criteria (timestamped, attributable, current, complete).
- 30 days before assessment: Generate fresh evidence for all control areas. Replace any evidence older than 30 days. Compile the complete evidence package organized by control number.
- Assessment week: Refresh any time-sensitive evidence (log samples, scan results, dashboard screenshots) within 48 hours of the assessment date.
For organizations approaching their first CCC assessment, our comprehensive Aramco CCC compliance guide provides an overview of the entire certification process, while our CCC renewal guide covers what changes at recertification.
Get Your Evidence Package Ready
The difference between a smooth CCC assessment and a prolonged, frustrating process almost always comes down to evidence preparation. Vendors with organized, complete, current evidence packages typically complete their assessments in days. Vendors who scramble to gather evidence reactively can spend weeks or months in back-and-forth with assessors.
MassiveGRID's CCC-compliant infrastructure package eliminates the evidence-gathering burden for all infrastructure-related controls. Explore the full compliance package to see how automated evidence generation works, or contact our compliance team for a readiness assessment that identifies evidence gaps before your auditor does.