If the client is just going to use policy manager, all of the other stuff will need to be included as will. I would suggest a separate machine for the CCS VM because of the heavy processor usage that the scanning will be doing. I would suggest at least a minimal recommendation of a single server for the CCS Core and a single SQL Server to hold the databases. The Core server would need to include the following: CCS Directory Server, CCS Application Server, CCS Web Portal, CCS Manager and I would think that 8 cores and 16 GB with 500 GB of disk space should be sufficient to runn all of these processes. In addition I would recommend a similar machine to run SQL on with at least 8 cores and 16 GB of RAM with at least 500 GB of disk space. This should leave enough room to grow. Without knowing the specifics of the client environment, I can only make assumptions. If they decided they wanted to use some of the other capabilities of CCS like standards manager, etc, then they could deploy other managers and potentiallly remove the manager from the main core server to help share the load.
Hope this helps