The CyberTrust Program Overview

The CyberTrust Program is designed to ensure that all of SABIC's third parties comply with its cybersecurity requirements, as specified in the Third Party CyberTrust Cybersecurity Standard.

Program Scope

Certification under the CyberTrust Program is mandatory for both new and existing suppliers who fall under specific classifications, as detailed in the table below. Furthermore, any supplier with access to SABIC data is required to undergo this certification process.

| Type of Service | Code | Description |
|---|---|---|
| General Requirement | GR | Suppliers with access to SABIC data to deliver their services or products. |
| Network Connectivity | NC | Suppliers who require access to the SABIC network in order to deliver the service, such as Internet service providers, telecom operators, network infrastructure providers, system-to-system integration, VPN access, site-to-site, etc. Note: Accessing the SABIC Supplier Portal (SAP Ariba) is not considered. |
| Cloud Computing Services (IaaS, PaaS, SaaS & FaaS) | CCS | Suppliers providing cloud computing services that store/host/process SABIC data: Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Function as a service (FaaS). |
| Outsourcing and Managed Services | OMS | Suppliers providing outsourcing and/or managed services on behalf of SABIC, such as companies managing IT infrastructure, data center services, and managed security services, etc. |
| Consultancy Services | CS | Suppliers providing consultancy services with access to SABIC’s classified data, such as consultants involved in strategic projects, financial planning, or any other engagement handling confidential data. |
| Software Management | SM | Suppliers providing software development, maintenance and/or packaged solutions/licensed software, such as software development, maintenance services, software licenses, commercial off-the-shelf (COTS) software, websites, etc. |
| OT/ICS products and services | OT | Suppliers providing Operational Technology (OT) products and/or services, including providers of industrial control systems, SCADA systems, PLCs and other OT solutions and/or services. |

How to get certified?

Assessment Process:

  • Suppliers are required to conduct a self-assessment based on their classification, defining the scope and necessary cybersecurity controls outlined in the SABIC CyberTrust Standard.
  • Suppliers need to refer to the SABIC CyberTrust Guidelines to understand the control requirements.
  • Suppliers should select one of the CyberTrust authorized audit firms from the list published on the SABIC supplier portal.
  • Suppliers shall sign a contract with the audit firm prior to control validation by the audit firm.
  • Suppliers shall submit the CyberTrust Self-Assessment Report to the audit firm before the audit firm conducts the assessment validation.
  • The audit firm will verify the submitted documents and generate the CyberTrust Audit Summary Report.
  • Suppliers must achieve 100% compliance with all applicable SABIC CyberTrust requirements to attain certification.
  • If full compliance is not achieved, the audit firm will provide a non-compliance report with recommendations for achieving compliance.
  • Suppliers should implement the necessary controls and submit an updated report for re-validation.
  • Suppliers should submit the CyberTrust Certificate and Audit Summary Report to SABIC.

Certificate Validity and Renewal:

Certificates are valid for two years from the issue date. However, if the engagement involves a cybersecurity classification not covered in the current valid certificate, an additional certificate must be obtained and submitted.

List of Authorized Audit Firms and contact information: CyberTrust Authorized Audit Firms List

Downloads:
  • SABIC CyberTrust Standard
  • SABIC CyberTrust Guidelines
  • SABIC CyberTrust Supplier Manual
  • SABIC CyberTrust Report Template

Frequently Asked Questions:

  • What is the objective of the SABIC CyberTrust Program?
    The program aims to certify suppliers’ compliance with the SABIC CyberTrust Standard to protect against cybersecurity threats and strengthen their cybersecurity posture.

  • What is the validity of the SABIC CyberTrust Certificate, and when should it be renewed?
    Certificates are valid for two years from the issue date and must be renewed before expiry.

  • I’m not included in any of the specific categories. Do I need to obtain the certification?
    If you are not included in the specific categories but have access to SABIC data, obtaining the SABIC CyberTrust certificate for General Requirements is mandatory. Otherwise, it is voluntary, as a way to demonstrate commitment to cybersecurity.

  • Do I need to obtain a new certificate each time I bid for a new contract?
    If the scope of the engagement aligns with the existing certification classification, it is not required to obtain a new certificate. However, if the engagement falls outside the current certification classification, it is necessary to obtain certification for the additional controls relevant to the identified classification.

  • Which audit firm should be chosen to conduct the assessment?
    You can choose any audit firm from the list of authorized audit firms. You need to sign a contract with the authorized audit firm prior to assessment verification.

  • How do I submit the certificate once obtained from the audit firm?
    You need to submit the SABIC CyberTrust Certificate along with the SABIC CyberTrust Report to CyberTrust@sabic.com.