Skip to Content


Get the assurance you need to know that our cloud offerings meet the latest compliance and security standards. We regularly check compliance through external reviews and audits and follow one common framework, including data security and privacy regulations, worldwide.

ISO/BS Certificates

SAP has developed and implemented an integrated framework based on several international standards. This approach provides a consistent, secure service that meets customer and applicable regulatory requirements. We address client satisfaction and continuous, as well as secure operation of our services, through the effective application of the framework, which includes continuous improvement and the prevents nonconformity. All cloud units certified against ISO/BS standards are annually audited by our certification body.
Previous Next

ISO/IEC 9001 Quality Management System

This standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, as well as the process approach and continuous improvement.

ISO/IEC 27001 Security Management System

ISO/IEC 27001 is possibly the best-known standard in the ISO family. It provides holistic, risked-based approach to security and a comprehensive and measurable set of information security management practices.

icon representing the world on its axis

ISO/IEC 22301 Business Continuity Management System

ISO 22301 is the international standard for business continuity management. It’s designed to protect business operations from potential disruption. This includes extreme weather, fire, flood, natural disaster, theft, IT outage, staff illness, and terror attacks.

icon representing a satellite

BS 10012 Personal Information Management System

This standard covers areas such as employee security awareness training, risk assessments, data retention, and disposal. It establishes policies and procedures and enables the effective management of personal information on individuals.

icon representing a magnifying glass for searching

ISO/IEC 20000 Service Management

This standard covers a system management approach to service management and provides measurable quality guidance for the best-practice framework IT Infrastructure Library (ITIL). It also includes elements from other frameworks such as Control Objectives for Information and Related Technologies (COBIT).

Service Organization Control Reports

SAP offers Service Organization Control (SOC) reports to provide assurance and detailed insight into the design and operating effectiveness of internal control systems implemented within cloud delivery units. SOC reports are industry independent and well-known. Cloud solutions from SAP are audited by our external auditor at least once a year.
Previous Next
Document representing certificates for cloud products

SOC 1 Reports

The auditor of our customer’s financial statements receives information about controls for cloud solutions from SAP that may be relevant to a customer’s internal control over financial reporting. The SOC 1 report follows the SSAE 16 and ISAE 3402 standards on auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

A file folder representing a place to hold SOC certificates

SOC 2 Reports

Customers and prospects are given insights into the control system relevant to security, availability, processing integrity,  confidentiality, or privacy of the data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. The report includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

An image of a policy

SOC 3 Reports

Interested parties get a report on the control system implemented within cloud solutions from SAP that are relevant to security, availability, processing integrity, confidentiality, or privacy. The SOC 3 report is a short-form record that provides no description of controls testing and results. It also summarizes the results of respective SOC 2 audits.

Other Certifications and Attestations

Besides ISO standards and SOC reports, selected cloud solutions from SAP provide additional certifications and attestations.
Previous Next
Image of credit card

Payment Card Industry Data Security Standard

This global data security standard, also known as PCI DSS, is adopted by the payment card brands for all entities that process, store, or transmit cardholder data. It comprises common sense steps that mirror security best practices.

Previous Next
A laptop representing a device using cloud solutions

Regional Compliance Requirements

Dedicated cloud solutions from SAP support regional compliance requirements such as FISMA or IRAP. This approach enables services for public sector entities and companies that are required to comply with specific regional regulations.
Back to top