Businessman and businesswoman working on a laptop computer

SAP Compliance Offerings

Explore Certificates, Reports, and Attestations

SAP Compliance Offerings - Explore Certificates, Reports, and Attestations

At SAP, we keep our finger on the pulse of ever-increasing security challenges by building a security foundation based on industry standards and compliance and regulatory requirements. View SAP’s latest security compliance offerings and reports.

ISO 9001 – Quality Management System

Based upon quality management principles including strong customer focus and with the involvement of top SAP management with the ultimate goal of continual improvement.

ISO/IEC 27001 – Security Management System

Provides a holistic, risked-based approach to security and a comprehensive and measurable set of information security management practices. 

ISO 22301 – Business Continuity Management System

Protects business operations from potential disruption, i.e. extreme weather, fire, natural disaster, theft, IT outage, and more.

BS 10012 Personal Information Management System 

Includes employee security awareness training, risk assessments, data retention, and disposal.

ISO/IEC 27018 – Code of Practice for Personally Identifiable information 

Guidance for cloud service providers to protect personally identifiable information (PII). Supports ISO/IEC 27001 by recommending information security controls for protecting personal data in the public cloud. 

ISO/IEC 27017 Code of practice for Cloud service information security

Codes of practice for information security controls for cloud services.Supports ISO/IEC 27001 by providing guidance on cloud-specific information security controls.

To view all ISO/BS Certificates

      SOC 1 Reports

      Auditors of SAP's customer financial statements receives information about controls for cloud solutions from SAP that are often relevant to a customer’s internal control over financial reporting. This SOC 1 report follows the SSAE 18 and ISAE 3402 standards for auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

      Find documents
      SOC 2 Reports

      Customers and prospects are able to gain insights into the control system relevant to security, availability, processing integrity,  confidentiality, or privacy of data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. Includes a detailed description of the design (type I/type II) and effectiveness (type II) of the audited controls.

      Find documents
      Bridge Letters

      Bridge letters are intended to cover the gap between the end date of the referenced report and the issue date of the bridge letter. Bridge letters provide customers with information as to whether there have been any significant changes to their controls environment that could adversely impact the conclusions reached in the most recently completed SOC examination.

      Find documents

      To view all System and Organization Controls (SOC) Reports

      Payment Card Industry Data Security Standard (PCI DSS)

      This global data security standard, also known as PCI DSS, is adopted by the payment card brands for all entities that process, store, or transmit cardholder data. Comprised of steps that mirror security best practices across the industry. 

      Good Practice Quality Guidelines and Regulations (GxP)

      GxP is a collection of quality guidelines and regulations created to ensure that bio/pharmaceutical products are safe, meet their intended use, and adhere to quality processes during manufacturing, control, storage, and distribution.

      Trusted Information Security Assessment Exchange (TISAX)

      TISAX enables mutual acceptance of Information Security Assessments in the automotive industry and provides a common assessment and exchange protocol.

      Federal Risk and Authorization Management Program (FedRAMP)

      For government agencies, the question of security is at the heart of every Information Technology (IT) project. Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

      To view all industry specific compliance offerings

      Cloud Computing Compliance Controls Catalogue (C5)

      C5 has proven itself, due to its neutrality, scope, compactness and testability, as an attestation for a stable foundation for internal auditing and for information security management in regulated industries.

      EU Cloud Code of Conduct (EU Cloud CoC)

      Endorsed by the European Data Protection Board and approved by the Belgian Data Protection Authority, the EU Cloud CoC allows Cloud Service Providers to demonstrate adherence to GDPR requirements (Article 28 GDPR and its related Articles).

      Critical Infrastructure (CI)

      SAP serves Critical Infrastructure (CI) providers in many countries across the globe and contributes to their compliance to the respective cybersecurity regulations. Furthermore, SAP itself is a registered CI provider in Germany (KRITIS), and in a growing number of other countries.

      Cloud Security Assessment (IRAP-CSA)

      The Australian Government Cloud Security Assessment and Authorisation Framework defines a means for an organisation’s cyber security team, cloud architects and business representatives to jointly perform a risk assessment and use SAP Cloud Services securely.

      Spain National Security Framework (ENS)

      The National Security Framework (ENS) is made up of the basic principles and minimum requirements necessary for adequate protection of the information processed and the services provided by the entities within its scope of application, in order to ensure access, confidentiality, integrity, traceability, authenticity, availability and conservation of data, information and services used by electronic means that they manage in the exercise of their competences

      NIS2, DORA and RCE Frequently Asked Questions (FAQ)

      As an informational resource, this document outlines frequently asked questions (FAQ) around NIS2, DORA and RCE and their impact on SAP. This document does not provide legal or professional advice, and SAP may modify any opinion expressed in this FAQ as regulatory and security requirements evolve. Customers are encouraged to seek independent counsel and guidance on these laws in support of their compliance efforts

      Cybersecurity Classified Protection Scheme (CCPS)

      The CCPS is China’s regional regulatory security certification mandated by article 21 of the China Cybersecurity Law (CCSL). It’s a nationwide security program that standardizes security design, assessment, audit, certification, renewal, and monitoring of every system or network hosted in mainland China. Any organization who owns or operates such a system or network is legally obligated to comply with the CCPS.

      Information System Security Management and Assessment Program (ISMAP)

      The Information system Security Management and Assessment Program (commonly known as ISMAP) is an information system security management and assessment program (commonly known as ISMAP) that enables governments to assess and register cloud services that meet the government's security requirements. This system is based on the "Basic Framework for the Security Evaluation System for Cloud Services in Government Information Systems" (decided by the Cyber ​​Security Strategy Headquarters on January 30, 2020).

      To view all regional compliance offerings

      SAP Software Accessibility

      The "SAP Accessibility Status Documents" inform users about product-specific accessibility features describing the testing environment. These documents also report current status of standards, guidelines, and requirements. Available as VPAT® US for our US customers. and as VPAT® EN 301 549 for our international customers.

      Sustainability ISO 14001 and ISO 50001

      A multi-site certificate confirms that SAP’s environmental management system is in compliance with the international ISO 14001:2015 standard. The appendix for this certificate includes all certified sites covered by SAP's environmental management system.

      Cloud Security Alliance (CSA)

      The Cloud Security Alliance (CSA), a not-for-profit organization that develops and promotes best security practices for cloud computing that provides focus and guidance for SAP deployments.

      Ethics and Compliance

      SAP is committed to the highest standards of ethical business practices. We strive to undertake business with integrity and following both the spirit and the letter of the law in all global markets we operate in. 

      IDW PS 880

      Attestation according to the German Institute of Public Auditors (IDW)

      To view all other compliance offerings

      placeholder

      A message to our customers

      Delay in delivery of HY2 2023 SOC reports

      Compliance resources

      placeholder
      Additional access to documentation

      The support portal edition of the SAP Trust Center extends the public offering by granting access to additional information, documents, and other content available only to SAP customers and partners with a valid SAP user ID. Sign in and learn more.

      placeholder
      Ethics and compliance at SAP

      By doing business the right way, in accordance with our Global Code of Ethics and Business Conduct, SAP can positively impact social and economic development, furthering education, justice, democracy, prosperity, development, and health worldwide. 

      placeholder
      Security Compliance

      Security compliance focuses on ensuring an organization acts in accordance with security requirements based on laws, regulations, industry standards, and the organization’s published policies.

      placeholder
      Cloud Delivery Processes

      Get insights into our cloud delivery processes and the ways they support critical business operations for cloud services.

      Compliance FAQs

      Frequently Asked Questions

      Since 1998 SAP has held an ISO 9001 certificate. We are also certified according to ISO 27001, ISO 22301, and BS 10012. All locations worldwide work according to one common process framework, including data security and privacy regulations. We regularly check compliance though internal reviews and audits.

      It specifies a framework for implementing a personal information management system (PIMS) in compliance with the General Data Protection Regulation (GDPR) and mandates the implementation of such a system within corporate security programs. It describes a framework to manage the privacy of personal data and implement necessary policies, procedures, and controls to help ensure compliance with the GDPR.

      The SOC 1 report covers all live customer systems during the audit cycle. It provides information about controls at a service-organization level that is relevant to the customer's internal control over financial reporting, known as IT general controls.

      IT general controls cover:  

      • IT strategy
      • Environment and organization
      • Logical and physical
      • Access controls
      • Program development 
      • Change management
      • Computer operations such as incident management, backup, and monitoring

      The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that is relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust services criteria (TSPs).

      These additional TSPs are:

      • Confidentiality
      • Integrity
      • Availability
      • Privacy

      Our current certification portfolio includes BSI C5 (Cloud Computing Compliance Controls Catalogs), CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk), ISO 22301:2021 (Business Continuity Management), ISO/IEC 27001:2013 (Information Security Management System), ISO/IEC 27017:2015 (Code of practice for Cloud service information security), ISO/IEC 27018:2019 (Code of practice for Personally identifiable information in public clouds), ISO 9001:2015 (Quality management systems), PCI-DSS (Payment Card Industry Data Security Standard), SOC1, SOC2 Report (System and Organization Controls Report), and TISAX (Trusted Information Security Assessment Exchange).

      Bridge letters are intended to cover the gap between the end date of the referenced report and the issue date of the bridge letter. Bridge letters provide customers with information as to whether there have been any significant changes to their controls environment that could adversely impact the conclusions reached in the most recently completed SOC examination. Bridge letters are available on request on the SAP Trust Center.