Missing or inadequate cybersecurity training is one of the top five audit findings in Aramco CCC assessments. TPC-7 of the SACS-002 standard mandates that every third-party vendor provide annual cybersecurity training to all employees who handle Aramco-related work. Yet most vendors either skip training entirely, deliver a one-time onboarding presentation, or cannot produce the completion records auditors require. This guide explains exactly what TPC-7 requires, how to structure a training program that satisfies your auditor, and what evidence you need to collect.
What TPC-7 Requires
TPC-7 falls under the PROTECT function of the SACS-002 framework, specifically in the Awareness and Training (AT) domain. The control states that the third party must provide cybersecurity training that addresses acceptable use and good computing practices to all employees.
TPC-7: Third Party must provide cybersecurity training that addresses acceptable use policies and good computing practices. Training must be conducted annually, and completion records must be maintained for audit purposes.
While the standard's wording is concise, the audit evidence requirements behind it are substantial. Authorized audit firms interpret TPC-7 as requiring:
- Annual training delivery to all employees (not just IT staff)
- Coverage of specific topics: phishing, password security, social engineering, data handling, and acceptable use
- Documented completion records with employee names, dates, and training content covered
- Evidence that training was actually completed (not just scheduled)
- A mechanism to handle new hires who join between annual training cycles
Required Training Topics
The SACS-002 standard, combined with the Cybersecurity Controls Requirements Guideline, expects training programs to cover several core areas. Auditors will check that your training materials address each of these topics.
1. Phishing Awareness
Phishing remains the primary attack vector for supply chain compromises. Your training must teach employees to identify phishing emails, suspicious links, and social engineering attempts. Practical examples are essential -- employees should see real-world phishing templates and learn the telltale signs: urgency language, mismatched sender addresses, suspicious attachments, and requests for credentials.
2. Password Security and Hygiene
Training must reinforce the SACS-002 password requirements from TPC-2: minimum 8 characters with special characters, no password reuse across the last 12 passwords, 90-day rotation, and the importance of never sharing credentials. Employees should understand why these rules exist and how compromised passwords lead to breaches.
3. Social Engineering Defense
Beyond email phishing, training should cover phone-based social engineering (vishing), physical tailgating, pretexting, and impersonation attacks. Employees handling Aramco data are high-value targets, and attackers may attempt to extract information through seemingly innocent conversations.
4. Data Protection and Classification
Employees must understand data handling requirements: what constitutes Aramco confidential data, how to classify information, acceptable storage locations, sharing restrictions, and the consequences of unauthorized disclosure. TPC-9 prohibits sharing Aramco data via unauthorized channels -- training must make employees aware of what channels are and are not authorized.
5. Acceptable Use Policy (AUP)
TPC-1 requires a documented Cybersecurity Acceptable Use Policy. TPC-7 requires that training cover this policy. Employees must acknowledge that they have read, understood, and agreed to the AUP. This acknowledgment must be documented and available for audit.
6. Incident Reporting
TPC-23 requires 24-hour incident notification to Aramco. Employees are the first line of detection. Training should teach employees how to recognize potential security incidents and the internal procedure for reporting them immediately -- not after waiting to see if the problem resolves itself.
Training Frequency and Scheduling
SACS-002 requires a minimum of annual training. However, best practices and auditor expectations go further:
| Frequency | Activity | Purpose |
|---|---|---|
| Annual | Full cybersecurity training program | Satisfies TPC-7 minimum requirement |
| Quarterly | Phishing simulation campaigns | Tests real-world awareness; identifies employees needing remedial training |
| On hire | New employee onboarding training | Ensures new hires are trained before accessing Aramco-related systems |
| On policy change | Policy update briefing | Ensures employees are aware of new or changed security requirements |
| Post-incident | Targeted remedial training | Addresses specific gaps identified during security incidents |
Role-Specific Training Requirements
Not all employees face the same risks. A well-structured training program includes role-specific modules in addition to the general awareness content.
General Staff
All employees receive the core training: phishing awareness, password hygiene, data handling, AUP acknowledgment, and incident reporting. This is the baseline that satisfies TPC-7 for the majority of your workforce.
IT Administrators
IT staff with privileged access need additional training on: secure system administration, privileged access management, patch management procedures, log monitoring, incident response procedures, and secure configuration standards. Their access level means a compromise of their credentials has far greater impact.
Executives and Management
Executives are high-value targets for business email compromise (BEC) and whale phishing attacks. Their training should include executive-specific social engineering scenarios, authorization procedures for financial transactions, and their role in the incident response chain. They also need to understand their governance responsibilities under TPC-1.
Audit Evidence Requirements
Having a training program is not enough -- you must prove it exists and that people completed it. Auditors will request the following evidence:
| Evidence Item | What Auditors Expect |
|---|---|
| Training materials | The actual content used: slides, videos, interactive modules, or training platform screenshots |
| Training schedule | Annual training calendar showing planned and completed sessions |
| Completion records | Per-employee list showing: name, date completed, modules completed, score (if applicable) |
| Completion certificates | Individual certificates with employee name, date, and training content summary |
| AUP acknowledgments | Signed (digital or physical) acknowledgment that each employee has read and accepted the AUP |
| Phishing simulation results | Campaign reports showing click rates, reporting rates, and remedial actions taken |
| Non-completion escalation | Evidence of follow-up actions for employees who did not complete training by deadline |
Common TPC-7 Audit Failures
Understanding why other vendors fail this control helps you avoid the same mistakes:
- No training at all: The most common failure. The vendor simply never conducted formal cybersecurity training and cannot produce any evidence.
- Training conducted but no records: The vendor held a meeting or presentation but did not track attendance. Without completion records, the auditor cannot verify the control.
- Training materials do not cover required topics: A generic IT orientation that covers how to use the printer and reset your password does not satisfy TPC-7. The content must specifically address cybersecurity threats.
- No new hire training process: Annual training was conducted in January, but three employees hired in June never received training. The auditor will check hire dates against completion dates.
- No AUP acknowledgment: Training was completed but employees were never asked to acknowledge the Acceptable Use Policy. TPC-1 and TPC-7 work together -- the auditor checks for both.
- Stale training content: The training slides reference Windows XP or threats from 2015. Auditors expect training to reflect the current threat landscape and the specific SACS-002 requirements.
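The checks behind the evidence table and the failure list above, as an added example in Python (not MassiveGRID's code and not part of the original guide): it runs over constructed roster and LMS completion records and flags what an auditor would flag under TPC-7: no annual training since the hire date, training older than 365 days, and no AUP acknowledgment. The module ids, the 7-day onboarding window and the employee records are assumptions.

```python
from datetime import date, timedelta

ANNUAL = "annual-awareness"       # LMS module ids are hypothetical
AUP = "aup-acknowledgment"

# Constructed sample data: hypothetical employees, not real records.
ROSTER = [
    {"id": "E001", "hired": date(2023, 4, 3)},
    {"id": "E002", "hired": date(2024, 6, 10)},   # joined after the January cycle, never trained
    {"id": "E003", "hired": date(2022, 9, 1)},
    {"id": "E004", "hired": date(2024, 11, 18)},  # hired this week, still inside onboarding window
]
COMPLETIONS = [
    {"id": "E001", "module": ANNUAL, "date": date(2024, 1, 15)},
    {"id": "E001", "module": AUP,    "date": date(2024, 1, 15)},
    {"id": "E003", "module": ANNUAL, "date": date(2023, 1, 20)},  # more than a year old
    {"id": "E003", "module": AUP,    "date": date(2024, 1, 20)},
]

def latest(completions, emp_id, module):
    """Most recent completion date of `module` for `emp_id`, or None if none recorded."""
    dates = [c["date"] for c in completions if c["id"] == emp_id and c["module"] == module]
    return max(dates) if dates else None

def tpc7_gaps(roster, completions, as_of, onboarding_days=7):
    """Map employee id -> findings an auditor would raise under TPC-7.
    Employees still inside the onboarding window are not yet due and are skipped."""
    gaps = {}
    cutoff = as_of - timedelta(days=365)  # "annual" = completed within the last year
    for emp in roster:
        if as_of - emp["hired"] <= timedelta(days=onboarding_days):
            continue
        findings = []
        annual = latest(completions, emp["id"], ANNUAL)
        if annual is None or annual < emp["hired"]:
            findings.append("no annual training on record since hire date")
        elif annual < cutoff:
            findings.append(f"annual training stale (last completed {annual})")
        if latest(completions, emp["id"], AUP) is None:
            findings.append("no AUP acknowledgment on record")
        if findings:
            gaps[emp["id"]] = findings
    return gaps

def completion_rate(roster, completions, as_of, onboarding_days=7):
    """Share of employees past onboarding whose annual training is current (the 100% target)."""
    cutoff = as_of - timedelta(days=365)
    due = [e for e in roster if as_of - e["hired"] > timedelta(days=onboarding_days)]
    current = [e for e in due if (d := latest(completions, e["id"], ANNUAL)) and d >= max(cutoff, e["hired"])]
    return len(current) / len(due) if due else 1.0
```

Run `tpc7_gaps(ROSTER, COMPLETIONS, date.today())` before the audit and the output is the list of employees you need to chase; exported LMS records can replace the constructed lists unchanged as long as they carry the same three fields.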
Phishing Simulations: Testing What Employees Learned
While SACS-002 does not explicitly mandate phishing simulations, they are a best practice that auditors increasingly expect to see. A phishing simulation program demonstrates that your organization does not just teach security awareness -- it tests and measures it.
An effective phishing simulation program includes:
- Quarterly campaigns: At minimum four simulations per year using different phishing templates
- Varied difficulty levels: From obvious spam to sophisticated spear-phishing that mimics real Aramco communications
- Click tracking: Record which employees clicked on the simulated phishing link
- Reporting metrics: Track how many employees correctly reported the simulation to IT/security
- Immediate feedback: Employees who click receive instant educational feedback explaining what they missed
- Remedial training: Repeat offenders are enrolled in additional focused training
- Trend reporting: Month-over-month and quarter-over-quarter improvement metrics
How MassiveGRID's Training Component Works
Building a training program from scratch -- sourcing content, setting up a learning management system, configuring phishing simulations, designing completion tracking, and generating audit reports -- is a significant undertaking. Most Aramco vendors do not have an internal training department or the tools to deliver and track cybersecurity education at scale.
MassiveGRID's Security Awareness Training component, included in the CCC-Compliant Infrastructure Package, provides:
- Pre-built training modules: SACS-002-aligned content covering all required topics: phishing, passwords, social engineering, data protection, AUP, and incident reporting
- Learning management system (LMS): Web-based platform accessible from any device. Employees complete modules at their own pace with progress saved automatically
- Automated phishing simulations: Quarterly campaigns with customizable templates, click tracking, and immediate educational feedback
- Completion tracking: Real-time dashboard showing which employees have completed training, who is overdue, and aggregate completion rates
- Certificate generation: Timestamped completion certificates generated automatically for each employee -- ready for auditor review
- AUP acknowledgment workflow: Digital signature workflow for Acceptable Use Policy with timestamped records
- Role-specific training paths: Pre-configured tracks for general staff, IT administrators, and executives
- New hire onboarding: Automated enrollment triggers when new users are added to the system
- Audit report exports: One-click export of all training evidence in formats accepted by authorized audit firms
- Multi-language support: Training available in English and Arabic for organizations with diverse workforces
Building Your Training Calendar
Here is a recommended annual training calendar that satisfies TPC-7 and demonstrates a mature security awareness program:
| Month | Activity | Duration |
|---|---|---|
| January | Annual full cybersecurity training (all required modules) | 60-90 minutes |
| March | Q1 phishing simulation campaign | Ongoing (1-2 weeks) |
| June | Q2 phishing simulation + mid-year refresher (focused topic) | 15-30 minutes + simulation |
| September | Q3 phishing simulation campaign | Ongoing (1-2 weeks) |
| November | Q4 phishing simulation + AUP re-acknowledgment | 15 minutes + simulation |
| Ongoing | New hire onboarding training (within first week of employment) | 60-90 minutes |
Training Effectiveness Metrics
A mature training program measures its own effectiveness. Track these metrics to demonstrate continuous improvement to your auditor:
- Training completion rate: Target 100% within 30 days of annual training launch
- Phishing click rate: Baseline measurement in Q1, with target reduction of 50%+ by Q4
- Phishing report rate: Percentage of employees who correctly reported the simulation (higher is better)
- Time to complete: Average time employees spend on training (too fast may indicate clicking through without reading)
- Assessment scores: If training includes knowledge checks, track average scores and failure rates
- Repeat offender rate: Percentage of employees who click on multiple simulation campaigns
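The phishing-simulation metrics listed above, computed as an added Python example (not MassiveGRID's code and not from the original guide) over constructed quarterly campaign results: per-campaign click and report rates, the Q1-to-Q4 click-rate reduction against the 50% target, and the repeat offender rate that drives remedial enrollment. The 10-person workforce and the employee ids are assumptions.

```python
from collections import Counter

# Constructed quarterly phishing-simulation results (hypothetical employee ids).
# Every campaign targeted the same 10-person workforce.
HEADCOUNT = 10
CAMPAIGNS = [
    {"quarter": "Q1", "clicked": {"E002", "E003", "E005", "E007"}, "reported": {"E001", "E004"}},
    {"quarter": "Q2", "clicked": {"E003", "E005", "E008"},         "reported": {"E001", "E004", "E006"}},
    {"quarter": "Q3", "clicked": {"E003", "E009"},                 "reported": {"E001", "E002", "E004", "E006"}},
    {"quarter": "Q4", "clicked": {"E003"},                         "reported": {"E001", "E002", "E004", "E005", "E006"}},
]

def campaign_rates(campaigns, headcount):
    """Per-campaign click rate and report rate as fractions of the targeted workforce."""
    return [{"quarter": c["quarter"],
             "click_rate": len(c["clicked"]) / headcount,
             "report_rate": len(c["reported"]) / headcount} for c in campaigns]

def repeat_offenders(campaigns, min_clicks=2):
    """Employees who clicked in at least `min_clicks` campaigns: candidates for remedial training."""
    clicks = Counter(emp for c in campaigns for emp in c["clicked"])
    return sorted(emp for emp, n in clicks.items() if n >= min_clicks)

def effectiveness_summary(campaigns, headcount, target_reduction=0.5):
    """Year-end summary for the auditor: Q1 baseline vs latest campaign and the reduction target."""
    rates = campaign_rates(campaigns, headcount)
    baseline, latest = rates[0]["click_rate"], rates[-1]["click_rate"]
    reduction = 1 - latest / baseline if baseline else 0.0   # no baseline clicks: nothing to reduce
    offenders = repeat_offenders(campaigns)
    return {
        "baseline_click_rate": baseline,
        "latest_click_rate": latest,
        "click_rate_reduction": reduction,
        "target_met": reduction >= target_reduction,
        "repeat_offenders": offenders,
        "repeat_offender_rate": len(offenders) / headcount,
    }
```

The report rate rising while the click rate falls (E002 clicks in Q1 and reports in Q3 and Q4) is the trend an auditor reads as training that actually changed behaviour.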
Pro tip: Present these metrics to your auditor proactively. A vendor that tracks training effectiveness demonstrates a mature security culture, not just checkbox compliance. This creates a favorable impression during the assessment.
Get Training as Part of the Full CCC Package
Security awareness training is one of ten components in the MassiveGRID Aramco CCC-Compliant Infrastructure Package. Together with email hosting, encrypted file hosting, firewall, VPN, monitoring, patch management, backup/DR, and identity and access management, it provides everything you need to satisfy the infrastructure and operational controls of SACS-002.