TPC-23 is one of the highest-stakes controls in the SACS-002 standard. It requires that third-party vendors notify Aramco of any cybersecurity incident within 24 hours of detection. That is not 24 business hours -- it is 24 clock hours, including weekends and holidays. Without a documented Incident Response Plan that your team has rehearsed, meeting this deadline under the pressure of an active incident is virtually impossible. This guide explains exactly what your IRP must contain, how escalation procedures must work, and the common failures that cause vendors to lose their CCC certification.
What TPC-23 Requires
TPC-23 mandates that the third party must have a documented Incident Response Plan and must notify Aramco of any cybersecurity incident within 24 hours. The control is not just about having a document -- it is about having a functional process that your team can execute under pressure.
TPC-23: Third Party must maintain a Cybersecurity Incident Response Plan and must notify Saudi Aramco within 24 hours of any confirmed or suspected cybersecurity incident affecting Aramco data, systems, or services.
Auditors evaluate TPC-23 by examining the IRP document, verifying that contact information is current, checking that employees know the escalation procedures, and reviewing records of any past incidents or tabletop exercises.
What Counts as an Incident
The 24-hour notification requirement applies to any event that could affect the confidentiality, integrity, or availability of Aramco data or systems. This includes:
- Confirmed breaches: Unauthorized access to systems containing Aramco data
- Suspected breaches: Indicators of compromise detected but not yet confirmed -- you must still notify within 24 hours
- Malware infections: Ransomware, trojans, or other malicious software on systems that process Aramco data
- Data exposure: Accidental exposure of Aramco data through misconfiguration, email error, or unauthorized sharing
- Denial of service: Attacks or failures that disrupt services provided to Aramco
- Lost or stolen devices: Laptops, mobile phones, or storage media containing Aramco data
- Insider threats: Employees accessing data beyond their authorization or exfiltrating information
- Physical security breaches: Unauthorized access to facilities housing Aramco-related systems
The key principle is: when in doubt, notify. Late notification is a compliance violation. Unnecessary notification is not.
Required IRP Sections
A compliant Incident Response Plan must include the following sections. Auditors will check for each one and verify that the information is current and actionable.
1. Purpose, Scope, and Definitions
Define what the plan covers, who it applies to, and what constitutes a cybersecurity incident. Include clear definitions of incident severity levels so responders can quickly classify events and determine the appropriate response.
2. Incident Severity Classification
Define severity levels that determine response urgency and escalation paths. A typical classification:
| Severity | Description | Internal Response Time | Aramco Notification |
|---|---|---|---|
| Critical | Active breach, ransomware, Aramco data confirmed compromised | Immediate | Within 4 hours |
| High | Suspected breach, malware detected, data exposure suspected | Within 1 hour | Within 12 hours |
| Medium | Failed intrusion attempt, phishing campaign, policy violation | Within 4 hours | Within 24 hours |
| Low | Minor anomaly, single failed login, non-targeted spam | Next business day | Not required unless escalated |
Note that even Medium-severity incidents require Aramco notification within the 24-hour TPC-23 window. Setting internal targets tighter than 24 hours gives your team a buffer.
3. Roles and Responsibilities
Assign specific individuals to incident response roles. Do not use generic titles -- include names, phone numbers, and email addresses. Auditors will verify this information is current.
- Incident Response Lead: The person who coordinates the response. Must be reachable 24/7.
- Technical Lead: The person who performs containment, eradication, and recovery actions.
- Communications Lead: The person responsible for Aramco notification and internal communications.
- Executive Sponsor: Senior management representative who authorizes response actions and resource allocation.
- External Contacts: Aramco CISO contact details, MassiveGRID support line, law enforcement contacts if applicable.
4. Aramco Notification Procedure
This is the most critical section for TPC-23 compliance. Document the exact steps for notifying Aramco:
- Who to contact: The specific Aramco CISO or designated security contact for your vendor relationship. Include primary and backup contacts.
- How to contact: The required communication channel (typically email to a designated address, followed by phone confirmation).
- What to include: Incident description, systems affected, data potentially exposed, timeline of events, containment actions taken, point of contact for follow-up.
- When to notify: Within 24 hours of detection. Document the clock-start trigger (when does the 24-hour window begin?).
- Escalation if contact fails: Backup notification channels if the primary contact is unreachable.
Critical detail: The 24-hour clock starts when the incident is detected, not when it is confirmed. If your monitoring system flags a potential breach at 2:00 AM on Friday, the notification deadline is 2:00 AM Saturday -- regardless of whether your team has fully investigated the alert by then.
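To make the timing rules concrete, here is an added Python example (not from the guide or from MassiveGRID's template) that computes the Aramco notification deadline from the severity matrix in section 2, starting the clock at detection and counting every hour, and checks a drafted notification for the required content; it also serves as the timing check for a tabletop exercise. The field names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Aramco notification deadline per severity, in clock hours from detection,
# taken from the severity table above (None = not required unless escalated).
NOTIFY_HOURS = {"Critical": 4, "High": 12, "Medium": 24, "Low": None}
TPC23_HOURS = 24  # the hard TPC-23 limit that caps every notifiable incident
# Items listed under "What to include" (field names are constructed labels).
REQUIRED_FIELDS = ("description", "systems_affected", "data_exposed",
                   "timeline", "containment_actions", "follow_up_contact")


def ts(iso):  # parse a constructed 'YYYY-MM-DD HH:MM' timestamp as UTC
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def notification_deadline(detected_at, severity, escalated=False):
    """Deadline for notifying Aramco, or None when no notification is due.
    The clock starts at detection, not confirmation, and counts every hour,
    weekends and holidays included."""
    hours = NOTIFY_HOURS[severity]
    if hours is None:
        if not escalated:
            return None
        hours = TPC23_HOURS  # an escalated Low incident falls under the 24h limit
    return detected_at + timedelta(hours=min(hours, TPC23_HOURS))


def check_notification(detected_at, sent_at, severity, fields, escalated=False):
    """Score a drafted or sent notification as a tabletop facilitator or
    auditor would: internal target, TPC-23 window, and completeness."""
    deadline = notification_deadline(detected_at, severity, escalated)
    hard_limit = detected_at + timedelta(hours=TPC23_HOURS)
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    elapsed = round((sent_at - detected_at).total_seconds() / 3600, 2)
    if deadline is None:  # Low and not escalated: nothing is due
        return {"required": False, "compliant": True,
                "hours_from_detection": elapsed, "missing_fields": missing}
    return {"required": True,
            "internal_target_met": sent_at <= deadline,
            "tpc23_met": sent_at <= hard_limit,
            "hours_from_detection": elapsed,
            "missing_fields": missing,
            "compliant": sent_at <= hard_limit and not missing}


if __name__ == "__main__":
    # Constructed scenario from the text: an alert fires at 02:00 on a Friday;
    # the deadline is 02:00 Saturday, and this empty draft goes out 25 hours later.
    detected = ts("2026-03-06 02:00")
    print(check_notification(detected, ts("2026-03-07 03:00"), "High", {}))
```

The `compliant` flag tracks the TPC-23 window only; a missed internal target is reported separately so the tabletop review can tighten the plan before the hard limit is ever at risk.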
5. Response Phases
Document the standard incident response lifecycle with specific actions for each phase:
Identification
How incidents are detected (monitoring alerts, employee reports, third-party notification), initial triage procedures, and severity classification.
Containment
Short-term containment (isolate affected systems, block malicious IPs, disable compromised accounts) and long-term containment (apply temporary fixes while preparing for eradication).
Eradication
Remove the root cause (malware removal, vulnerability patching, credential rotation), verify all traces of the threat are eliminated.
Recovery
Restore affected systems from clean backups, verify system integrity, monitor for recurrence, gradually return to normal operations.
Post-Incident Review
Conduct a lessons-learned review within 5 business days. Document what happened, what worked, what failed, and what changes are needed. Update the IRP based on findings. Provide Aramco with a post-incident report if requested.
6. Evidence Preservation
Document how your team preserves evidence during an incident: log retention, system snapshots, chain-of-custody procedures. This is critical for post-incident analysis and for providing Aramco with detailed reports.
7. Testing and Maintenance
The IRP must be tested at least annually through tabletop exercises or simulated incidents. Document the testing schedule, results, and any plan updates made based on test findings. Auditors will ask for testing records.
The 24-Hour Notification: What Can Go Wrong
The 24-hour notification window is where most vendors fail -- not because they lack an IRP document, but because their process breaks down under real conditions:
- No after-hours coverage: The incident is detected at 11 PM by an automated alert, but nobody checks the alert until 9 AM the next day. Ten hours of the window are already gone before anyone even reads the alert.
- Unclear escalation path: The IT administrator who detects the incident does not know who to call, or the designated contact's phone number is outdated. Hours are lost trying to reach the right person.
- Waiting for confirmation: The team detects a suspected breach but delays notification until they can "confirm" it. By the time they confirm, the 24-hour window has passed. Remember: suspected incidents also trigger the notification requirement.
- No Aramco contact information: The team has an IRP but it does not include the Aramco CISO contact details. Nobody knows who to call or what email to send the notification to.
- Notification template not ready: The team scrambles to write a notification email during the incident. The result is either incomplete (missing required details) or delayed (took too long to draft).
Tabletop Exercise Requirements
SACS-002 expects that you test your IRP at least annually. A tabletop exercise is the standard approach:
- Present a realistic incident scenario (e.g., ransomware detected on a server containing Aramco project files)
- Walk through each phase of the IRP with the response team
- Verify that contact information is current and communication channels work
- Time the Aramco notification process -- can your team draft and send the notification within the 24-hour window?
- Document the exercise: date, participants, scenario, actions taken, gaps identified, plan updates
Auditors will request the tabletop exercise documentation. If you cannot produce evidence of testing, the auditor will flag TPC-23 as non-compliant even if you have a well-written IRP.
IRP Audit Evidence Checklist
| Evidence Item | What to Prepare |
|---|---|
| IRP document | Current version with version number, effective date, last review date, and management approval |
| Contact roster | Up-to-date names, phone numbers, and emails for all IRP roles including Aramco contacts |
| Notification template | Pre-drafted Aramco notification email template with placeholder fields |
| Tabletop exercise records | Date, participants, scenario description, outcomes, and plan updates from the most recent exercise |
| Incident log | If any incidents occurred, documentation of response actions and Aramco notification timestamps |
| Employee awareness | Evidence that employees know how to report incidents (covered in security awareness training per TPC-7) |
| Annual review record | Evidence that the IRP was reviewed and updated within the last 12 months |
How MassiveGRID's Template Accelerates Compliance
Building an IRP that satisfies TPC-23 requires understanding not just the control requirements, but also the practical realities of incident response -- escalation timing, evidence preservation, Aramco-specific notification formats, and testing procedures. Most vendors underestimate the effort required to produce a plan that actually works under pressure.
MassiveGRID's CCC-Compliant Infrastructure Package includes a ready-made IRP template that:
- Covers all 7 required sections with pre-written content mapped to TPC-23 requirements
- Includes a severity classification matrix calibrated to Aramco notification timelines
- Provides a pre-drafted Aramco notification email template with all required fields
- Includes a tabletop exercise scenario and facilitator guide for annual testing
- Has placeholder fields for your company contacts, Aramco contacts, and escalation paths
- Is written in formal policy language accepted by authorized audit firms
The 24/7 monitoring component of the infrastructure package integrates directly with the IRP -- alerts are routed to the designated Incident Response Lead, ensuring the 24-hour clock does not start silently while your team sleeps.
Get the IRP Template as Part of the Full CCC Package
The Incident Response Plan template is one of six governance templates included in the MassiveGRID Aramco CCC-Compliant Infrastructure Package, alongside the Acceptable Use Policy, Data Classification Policy, Risk Assessment Template, Off-boarding Checklist, and Media Sanitization Procedure. Combined with 10 infrastructure components and direct access to authorized audit firm partners, it provides the full path from zero to certified.