SABIC Cyber Trust Standard: Readiness Assessment

Your Path to KSA Vendor Compliance


Identify and Close Your Compliance Gaps Now

**Waves Telecom & Technology** is your trusted local partner for achieving compliance. This free, confidential assessment helps us quickly identify your organization's compliance gaps across the five core Cybersecurity Domains.

Please answer the following questions honestly to receive a prioritized report on your SABIC Cyber Trust Readiness.

Contact Information

SECTION 1: Cybersecurity Governance & Risk Management (GV.RM)

This section assesses your organization's leadership, policy structure, and risk management processes related to cybersecurity.

**GV.01:** Is there a documented, executive-approved policy specifically addressing the SABIC Cyber Trust Standard requirements?

**GV.02:** Do you have a formally assigned Risk Owner responsible for managing cybersecurity risk related to the SABIC engagement?

**GV.03:** Is a recurring, formal cybersecurity risk assessment performed on all systems and assets connected to or supporting SABIC data?

**GV.04:** Do all employees, including contractors, receive mandatory annual security awareness training that covers data handling and the consequences of non-compliance?

SECTION 2: Cybersecurity Defense (DF.AM, DF.NS, DF.VM)

This section evaluates your technical controls protecting your IT and corporate infrastructure.

**DF.01:** Are all endpoints (servers, laptops, mobile devices) protected by up-to-date antivirus and Endpoint Detection and Response (EDR) solutions?

**DF.02:** Is Multi-Factor Authentication (MFA) mandatory for all remote access and access to critical systems handling SABIC data?

**DF.03:** Do you have a documented Vulnerability Management process that includes patch deployment and monthly security scans of all internet-facing assets?

**DF.04:** Are network security controls (firewalls) formally reviewed and configured to explicitly restrict access only to necessary services and ports (Principle of Least Privilege)?

**DF.05:** Do you regularly test and verify that backups of critical SABIC-related data are complete, secure, and restorable?

SECTION 3: Cybersecurity Resilience (RS.IR, RS.BC)

This section covers your ability to respond to and recover from a cybersecurity incident or disaster.

**RS.01:** Is a formal Incident Response (IR) plan documented, maintained, and **tested** at least annually?

**RS.02:** Does the IR plan include specific procedures for communicating an incident to SABIC, as required by the standard?

**RS.03:** Do you have a Business Continuity (BC) and Disaster Recovery (DR) plan in place to ensure critical business functions resume within defined recovery objectives (RTO/RPO)?

SECTION 4: Third-Party & Supply Chain Management (TP.SM)

This section focuses on the security of any vendors or subcontractors you use to support the SABIC engagement.

**TP.01:** Do you conduct formal cybersecurity due diligence (assessments, reviews) before onboarding any new third-party vendor handling SABIC data?

**TP.02:** Are security clauses requiring NCA alignment and adherence to SABIC standards included in all relevant vendor contracts?

SECTION 5: Industrial Control Systems (ICS) Security (If Applicable)

This section is only relevant if your organization operates or maintains an Industrial Control System (OT) connected to the SABIC ecosystem.

**ICS.01:** Is your ICS network physically and logically separated (network segmentation) from your corporate IT network using industrial firewalls and/or a DMZ?

**ICS.02:** Are all remote access sessions into the ICS environment strictly logged, and do they require Multi-Factor Authentication (MFA)?

**ICS.03:** Are regular backups of PLC/SCADA configurations performed, and is the backup media stored securely offline?

*By submitting this form, you authorize Waves Telecom & Technology to analyze your responses and provide a customized compliance report based on the SABIC Cyber Trust Standard.*
