What Is the SABIC Cyber Trust Standard?

The SABIC Cyber Trust Standard is a structured, risk-based cybersecurity compliance programme developed by SABIC — one of the world's largest petrochemical companies — to systematically evaluate and certify the cybersecurity posture of its third-party vendors, suppliers, contractors, and digital service providers. It ensures that every entity with access to SABIC's systems, data, or operational technology meets a defined and auditable security baseline.

As a wholly owned subsidiary of Saudi Aramco since 2020, SABIC operates across 50+ countries with an expansive and complex supply chain. The Cyber Trust Standard was established to manage the cascading cyber risk that this global footprint creates. Rooted in international frameworks including IEC 62443, ISO/IEC 27001, and NIST CSF, the programme is tailored specifically to the risks of the petrochemical and manufacturing sectors.


Important: Compliance with the SABIC Cyber Trust Standard is mandatory for all third parties that connect to, process data for, or operate within SABIC's digital or operational environments. Vendors who fail to achieve or maintain certification risk contract termination and removal from SABIC's approved vendor register.

The Three Cyber Trust Levels

SABIC's Cyber Trust Standard operates on a tiered model with three distinct certification levels. Each level corresponds to the risk profile and depth of integration your organisation has with SABIC's systems and data. Vendors must be assessed at the level that matches their engagement — there is no option to self-select a lower tier.

Level 1 — Foundational
Cyber Trust Basic
For vendors with limited, indirect access — sharing data via email, portals, or handling low-sensitivity SABIC information.
  • Baseline security policy requirements
  • Basic access controls and password standards
  • Security awareness training for all staff
  • Self-assessment with documentation evidence
  • Timeline: 1–3 months typically

Level 2 — Advanced
Cyber Trust Standard
For vendors with direct system access, processing sensitive SABIC data, or providing managed IT/OT services.
  • All Level 1 controls plus enhanced requirements
  • MFA, SIEM, vulnerability management
  • Incident response plan and testing
  • Third-party audit by SABIC-approved assessor
  • Timeline: 3–8 months typically

Level 3 — Enhanced
Cyber Trust Premium
For vendors with deep OT/ICS integration, critical infrastructure access, or handling classified SABIC operational data.
  • All Level 2 controls plus OT/ICS security
  • SCADA/ICS network segmentation and hardening
  • Advanced threat hunting and red team exercises
  • Onsite assessment with live system testing
  • Timeline: 6–14 months typically

Core Control Pillars

The SABIC Cyber Trust Standard evaluates vendors across nine core control pillars, each containing multiple sub-controls with specific evidence requirements. Compliance across all applicable pillars is mandatory for certification at any trust level.

1. Security Governance: Cybersecurity policy, CISO appointment, executive accountability, and risk management framework.
2. Network Security: Firewalls, IDS/IPS, network segmentation, encrypted communications, and DMZ architecture.
3. Identity & Access Management: MFA, privileged access management, zero-trust principles, and role-based access control.
4. Security Monitoring & Response: SIEM deployment, 24/7 SOC monitoring, incident response plan, and breach notification within SABIC SLAs.
5. Endpoint & Asset Security: EDR/AV deployment, asset inventory, patch management, USB controls, and device hardening standards.
6. Data Protection: Data classification, encryption at rest and in transit, DLP solutions, and data residency compliance.
7. Cloud & Third-Party Risk: Cloud security configuration, sub-vendor assessments, and SABIC-approved cloud platform usage policies.
8. Security Awareness & Training: Mandatory annual training, phishing simulation programmes, role-specific training, and documented completion records.
9. Vulnerability & Pentest: Regular vulnerability scans, periodic penetration testing, risk-rated remediation timelines, and evidence packages.

Does Your Organisation Need Cyber Trust?

Any organisation that engages commercially or technically with SABIC falls within the programme's scope. Use the table below to understand your applicable trust level based on your engagement profile:

| Vendor Engagement Profile | Required Level | Typical Timeline |
| --- | --- | --- |
| Email/portal interaction — low-sensitivity data exchange | Level 1 | 1–3 months |
| IT software/services with direct network or system access | Level 2 | 3–8 months |
| Managed IT services or cloud services for SABIC workloads | Level 2 | 3–8 months |
| Engineering firms handling SABIC process/design data | Level 2 | 3–8 months |
| OT/ICS/SCADA system vendors or integrators | Level 3 | 6–14 months |
| Critical infrastructure providers or plant-level integrators | Level 3 | 6–14 months |

How to Get Cyber Trust Certified

Achieving SABIC Cyber Trust certification is a structured, evidence-driven process. Partnering with an experienced compliance team like CyberOps from the start dramatically reduces audit risk, accelerates timelines, and increases your first-attempt success rate.

7-Step Cyber Trust Certification Journey

Step 1: Determine Your Trust Level (Week 1)
Work with your SABIC procurement contact or the SABIC Cyber Trust portal to formally identify which of the three trust levels applies to your organisation. This is determined by the nature, depth, and criticality of your integration with SABIC's systems and data. Misidentifying your level wastes significant time and resources.

Step 2: Comprehensive GAP Assessment (Week 2–5)
Conduct a thorough internal GAP analysis measuring your current security posture against every control within your applicable trust level. Each control must be rated as Compliant, Partially Compliant, or Non-Compliant, with supporting evidence. This assessment forms the foundation of your entire remediation programme.

Step 3: Risk-Based Remediation Planning (Week 5–7)
Transform your GAP findings into a structured remediation plan with clear task owners, priorities, technical specifications, and timelines. Prioritise critical and high-risk gaps first — especially those in identity management, network security, and incident response, which are the most common audit failure points in Cyber Trust assessments.

Step 4: Technical Controls Implementation (Month 1–5)
Execute technical remediation across all nine pillars. Key implementations include: deploying MFA across all privileged accounts, configuring SIEM with SABIC-relevant detection rules, deploying EDR on all in-scope endpoints, enforcing network segmentation, enabling DLP, and establishing encrypted backup processes. Every implementation must generate documentary evidence.

Step 5: Vulnerability Assessment & Penetration Testing (Month 4–6)
The SABIC Cyber Trust Standard requires documented evidence of recent vulnerability assessments and penetration tests against all in-scope systems. For Level 3, this extends to OT/ICS environments. All findings must be remediated within defined SLA windows, and the remediation evidence must be formally documented and ready for auditor review.

Step 6: Evidence Pack Compilation & Mock Audit (Month 5–7)
Assemble your complete evidence pack, organised by the nine control pillars. This includes configuration screenshots, policy documents, training completion certificates, audit logs, scan reports, penetration test summaries, and remediation records. Before submitting to the official assessor, conduct a full internal mock audit to identify and close any remaining gaps.

Step 7: Official Audit, Certification & Continuous Maintenance (Month 7–14 + Annual)
The approved assessor conducts the formal Cyber Trust audit — reviewing your evidence pack, interviewing key staff, and performing technical testing where required. Successful completion results in your Cyber Trust certificate, valid for 12 months. Plan your annual renewal cycle 60–90 days before expiry to maintain uninterrupted contract eligibility with SABIC.

The Real Cost of Non-Compliance

For any vendor doing business with SABIC, the consequences of failing to achieve or maintain Cyber Trust certification extend far beyond the certification programme itself. SABIC treats cybersecurity compliance as a contractual obligation — not an optional best practice.

⚠ Contract Suspension & Vendor Deregistration

Vendors who fail to obtain or maintain a valid Cyber Trust certificate face immediate contract suspension and potential removal from SABIC's global approved vendor register. Reinstatement requires a full re-audit cycle, which can take 3–14 months depending on trust level. For vendors deriving significant revenue from SABIC contracts, this represents a critical business continuity risk that can trigger cascading financial, reputational, and operational consequences.


Beyond direct contract risk, a non-compliant vendor that suffers a security incident affecting SABIC's systems, data, or operations faces significant legal and financial liability. Given SABIC's global reach and its ownership by Saudi Aramco, cybersecurity incidents at the vendor level can have diplomatic and regulatory ramifications extending well beyond Saudi Arabia.

Why CyberOps for SABIC Cyber Trust?

CyberOps has a dedicated SABIC Cyber Trust practice with deep expertise across all three trust levels — from foundational Level 1 assessments to the most complex Level 3 OT/ICS engagements. Our team has supported vendors across multiple industries including petrochemicals, engineering, IT services, logistics, and construction in achieving their Cyber Trust certification on the first attempt.

Our full-service offering covers every phase of the journey: trust level determination, comprehensive GAP assessment against all nine pillars, technical remediation delivery, policy and procedure development, vulnerability assessment and penetration testing, evidence pack compilation, mock audit facilitation, approved assessor coordination, and post-certification continuous monitoring.
