The scope of this 2023-H2 Cloud Security Assessment covers the SAP S/4HANA Cloud, private edition service which is applicable to the SAP commercial offerings:

• RISE with SAP S/4HANA Cloud, private edition

• RISE with SAP S/4HANA Cloud, private edition, tailored option

• SAP ERP, private cloud edition

• SAP ERP, private cloud edition, tailored option

This assessment includes Australian deployment on both Microsoft and Amazon hyperscalers, using the Information Security Manual (ISM) controls manual published June 2023.

 

The scope of a Cloud Security Assessment (CSA) undertaken by an Infosec Registered Assessor Program (IRAP) certified assessor includes the evaluation of the security fundamentals of SAP, and the regional deployment (where applicable) of the Cloud Service offering. The resulting attestation created by the assessor is made available as a Cloud Security Assessment (CSA) Pack to organisation's cyber security team, cloud architects and business representatives to jointly perform a risk assessment and use SAP Cloud Services securely.

This CSA Pack includes the Cloud Security Assessment Report (CSAR) and any addendums, the Cloud Controls Matrix (CCM) previously known as a Cloud Security Controls Matrix (CSCM) detailing the individual controls and the responsibilities of SAP subprocessors, SAP and the cloud consumer.

 

This assessment is undertaken in accordance with the Digital Transformation Agency (DTA)’s Secure Cloud Strategy, and Australian Cyber Security Centre (ACSC)’s Cloud Assessment and Authorisation Framework guidelines. For more information see: https://www.cyber.gov.au/acsc/view-all-content/publications/anatomy-cloud-assessment-and-authorisation.

 

The use of these reports is restricted. A copy of this report is available for all SAP customers, prospects, and partners with a non-disclosure agreement in place.