SAP S/4HANA Cloud, Public Edition Cloud Security Assessment (CSA)

The scope of this 2025-H1 Cloud Security Assessment covers the SAP S/4HANA Cloud, public edition service which is applicable to the SAP commercial offerings.

 

SAP S/4HANA Cloud Public Edition tenants and features are offered via Stock Keeping Unit [SKU] commercial order and assessed in this compliance report.

  • SAP S/4HANA Cloud Public Edition, Finance Base

  • SAP S/4HANA Cloud Public Edition, Finance Premium (as part of 8019461 - SAP Finance Premium)

  • SAP S/4HANA Cloud Public Edition, Supply Chain Base (as part of 8019364 - SAP Supply Chain Base)

  • SAP S/4HANA Cloud Public Edition, Supply Chain Premium (as part of 8019623 - SAP Supply Chain Premium)

  • Core S/4HANA Cloud Public Edition tenant (as part of 8014771 — Core: GROW with S/4HANA Public Edition, base)

  • Core S/4HANA Cloud Public Edition tenant (as part of 8014761 — Core: GROW with S/4HANA Public Edition, premium)

  • Core S/4HANA Cloud Public Edition tenant (as part of 8014782 — Core: GROW with S/4HANA Public Edition, base (CN))

  • Core S/4HANA Cloud Public Edition tenant (as part of 8014822 — Core: GROW with S/4HANA Public Edition, premium (CN))

  • Core S/4HANA Cloud Public Edition tenant (as part of 8010840 — Core: RISE with SAP S/4HANA Cloud and experience management)

  • SAP S/4HANA Cloud, Digital Access

  • CPEA Voucher

  • SAP S/4HANA Cloud for cash management

  • SAP S/4HANA Cloud for receivables management

  • SAP S/4HANA Asset management for resource scheduling

  • SAP S/4HANA Cloud for contract accounting and invoicing

  • SAP S/4HANA Cloud for contract and lease management

  • SAP S/4HANA Cloud for treasury and risk management

  • SAP S/4HANA Cloud for financial asset management

  • SAP S/4HANA Cloud for advanced payment management

  • SAP S/4HANA Cloud for advanced variant configuration, standard version

  • SAP S/4HANA Cloud for advanced variant configuration, professional version

  • SAP S/4HANA Cloud for group reporting

  • SAP Document and Reporting Compliance for S/4HANA Cloud

  • SAP S/4HANA Cloud for product compliance

  • SAP S/4HANA Cloud for upstream contracts management

  • SAP S/4HANA Cloud for upstream oil and gas revenue management

  • SAP S/4HANA Cloud for advanced ATP

  • SAP S/4HANA Cloud for enterprise contract management

  • SAP S/4HANA Cloud for central procurement

  • SAP S/4HANA Cloud for intelligent accounting automation

  • SAP S/4HANA Cloud for EHS environment management

  • SAP S/4HANA Cloud for EHS workplace safety

  • SAP S/4HANA Cloud for retail, fashion, and vertical business

  • SAP S/4HANA Cloud for asset retirement obligations

  • SAP S/4HANA Cloud for field equipment and material logistics planning and executionThis assessment includes Australian deployment on both Microsoft and Amazon hyperscalers, using the Information Security Manual (ISM) controls manual published September 2024.

The scope of a Cloud Security Assessment (CSA) undertaken by an Infosec Registered Assessor Program (IRAP) certified assessor includes the evaluation of the security fundamentals of SAP, and the regional deployment (where applicable) of the Cloud Service offering. The resulting attestation created by the assessor is made available as a Cloud Security Assessment (CSA) Pack to organisation's cyber security team, cloud architects and business representatives to jointly perform a risk assessment and use SAP Cloud Services securely.

 

This CSA Pack includes the Cloud Security Assessment Report (CSAR) and any addendums, the Cloud Controls Matrix(CCM) previously known as a Cloud Security Controls Matrix (CSCM) detailing the individual controls and the responsibilities of SAP subprocessors, SAP and the cloud consumer.

 

This assessment is undertaken in accordance with the Digital Transformation Agency (DTA)’s Secure Cloud Strategy, and Australian Cyber Security Centre (ACSC)’s Cloud Assessment and Authorisation Framework guidelines. For more information see:  https://www.cyber.gov.au/acsc/view-all-content/publications/anatomy-cloud-assessment-and-authorisation.

 

The use of these reports is restricted. A copy of this report is available for all SAP customers, prospects, and partners with a non-disclosure agreement in place.