SAP Compliance Offerings
SAP Compliance Offerings - Explore Certificates, Reports, and Attestations
At SAP, we keep our finger on the pulse of ever-increasing security challenges by building a security foundation based on industry standards and compliance and regulatory requirements. View SAP’s latest security compliance offerings and reports.
ISO/BS Certificates
Find below the available ISO and BS certificates for SAP solutions.
System and Organization Controls (SOC)
SAP offers System and Organization Controls (SOC) reports to provide insights into the design and operating effectiveness of internal control systems implemented within cloud delivery units. For legal reasons, you will need to give further information when requesting some of the SOC reports.
Industry-specific offerings
Industry offerings focused on protecting your primary business interest by sector.
Regional offerings
Regional offerings focusing locally to protect your global cloud business interests.
Other offerings
Other offerings to ensure full protection around your cloud business.
ISO 9001 – Quality Management System
Based on quality management principles, including a strong customer focus and the involvement of top SAP management, with the ultimate goal of continual improvement.
ISO/IEC 27001 – Security Management System
Provides a holistic, risk-based approach to security and a comprehensive and measurable set of information security management practices.
ISO 22301 – Business Continuity Management System
Protects business operations from potential disruption, such as extreme weather, fire, natural disaster, theft, IT outage, and more.
BS 10012 – Personal Information Management System
Includes employee security awareness training, risk assessments, data retention, and disposal.
ISO/IEC 27018 – Code of Practice for Personally Identifiable Information
Guidance for cloud service providers to protect personally identifiable information (PII). Supports ISO/IEC 27001 by recommending information security controls for protecting personal data in the public cloud.
ISO/IEC 27017 – Code of Practice for Cloud Service Information Security
Code of practice for information security controls for cloud services. Supports ISO/IEC 27001 by providing guidance on cloud-specific information security controls.
SOC 1 Reports
Auditors of SAP's customers' financial statements receive information from SAP about controls for cloud solutions that are often relevant to a customer's internal control over financial reporting. This SOC 1 report follows the SSAE 18 and ISAE 3402 standards for auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.
SOC 2 Reports
Customers and prospects are able to gain insights into the control system relevant to security, availability, processing integrity, confidentiality, or privacy of data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA's trust service principles. It includes a detailed description of the design (type I/type II) and effectiveness (type II) of the audited controls.
Bridge Letters
Bridge letters are intended to cover the gap between the end date of the referenced report and the issue date of the bridge letter. Bridge letters provide customers with information as to whether there have been any significant changes to their controls environment that could adversely impact the conclusions reached in the most recently completed SOC examination.
Payment Card Industry Data Security Standard (PCI DSS)
This global data security standard, also known as PCI DSS, is adopted by the payment card brands for all entities that process, store, or transmit cardholder data. It comprises steps that mirror security best practices across the industry.
Good Practice Quality Guidelines and Regulations (GxP)
GxP is a collection of quality guidelines and regulations created to ensure that bio/pharmaceutical products are safe, meet their intended use, and adhere to quality processes during manufacturing, control, storage, and distribution.
Trusted Information Security Assessment Exchange (TISAX)
TISAX enables mutual acceptance of Information Security Assessments in the automotive industry and provides a common assessment and exchange protocol.
Federal Risk and Authorization Management Program (FedRAMP)
For government agencies, the question of security is at the heart of every Information Technology (IT) project. Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Cloud Computing Compliance Controls Catalogue (C5)
C5 has proven itself, due to its neutrality, scope, compactness and testability, as an attestation for a stable foundation for internal auditing and for information security management in regulated industries.
EU Cloud Code of Conduct (EU Cloud CoC)
Endorsed by the European Data Protection Board and approved by the Belgian Data Protection Authority, the EU Cloud CoC allows Cloud Service Providers to demonstrate adherence to GDPR requirements (Article 28 GDPR and its related Articles).
Critical Infrastructure (CI)
SAP serves Critical Infrastructure (CI) providers in many countries across the globe and contributes to their compliance with the respective cybersecurity regulations. Furthermore, SAP itself is a registered CI provider in Germany (KRITIS) and in a growing number of other countries.
Cloud Security Assessment (IRAP-CSA)
The Australian Government Cloud Security Assessment and Authorisation Framework defines a means for an organisation’s cyber security team, cloud architects and business representatives to jointly perform a risk assessment and use SAP Cloud Services securely.
Spain National Security Framework (ENS)
The National Security Framework (ENS) is made up of the basic principles and minimum requirements necessary for adequate protection of the information processed and the services provided by the entities within its scope of application, in order to ensure access, confidentiality, integrity, traceability, authenticity, availability, and conservation of the data, information, and services used by electronic means that they manage in the exercise of their competences.
NIS2, DORA and RCE Frequently Asked Questions (FAQ)
As an informational resource, this document outlines frequently asked questions (FAQ) around NIS2, DORA and RCE and their impact on SAP. This document does not provide legal or professional advice, and SAP may modify any opinion expressed in this FAQ as regulatory and security requirements evolve. Customers are encouraged to seek independent counsel and guidance on these laws in support of their compliance efforts.
Cybersecurity Classified Protection Scheme (CCPS)
The CCPS is China's regional regulatory security certification mandated by Article 21 of the China Cybersecurity Law (CCSL). It is a nationwide security program that standardizes security design, assessment, audit, certification, renewal, and monitoring of every system or network hosted in mainland China. Any organization that owns or operates such a system or network is legally obligated to comply with the CCPS.
Information System Security Management and Assessment Program (ISMAP)
The Information System Security Management and Assessment Program (commonly known as ISMAP) enables governments to assess and register cloud services that meet the government's security requirements. This system is based on the "Basic Framework for the Security Evaluation System for Cloud Services in Government Information Systems" (decided by the Cyber Security Strategy Headquarters on January 30, 2020).
SAP Software Accessibility
The "SAP Accessibility Status Documents" inform users about product-specific accessibility features and describe the testing environment. These documents also report the current status of standards, guidelines, and requirements. They are available as VPAT® US for our US customers and as VPAT® EN 301 549 for our international customers.
Sustainability ISO 14001 and ISO 50001
A multi-site certificate confirms that SAP’s environmental management system is in compliance with the international ISO 14001:2015 standard. The appendix for this certificate includes all certified sites covered by SAP's environmental management system.
Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA) is a not-for-profit organization that develops and promotes security best practices for cloud computing, which provide focus and guidance for SAP deployments.
Ethics and Compliance
SAP is committed to the highest standards of ethical business practices. We strive to undertake business with integrity and to follow both the spirit and the letter of the law in all global markets in which we operate.
IDW PS 880
Attestation according to the standard of the German Institute of Public Auditors (IDW).
Compliance resources
Additional access to documentation
The support portal edition of the SAP Trust Center extends the public offering by granting access to additional information, documents, and other content available only to SAP customers and partners with a valid SAP user ID.
Ethics and compliance at SAP
By doing business the right way, in accordance with our Global Code of Ethics and Business Conduct, SAP can positively impact social and economic development, furthering education, justice, democracy, prosperity, development, and health worldwide.
Security Compliance
Security compliance focuses on ensuring an organization acts in accordance with security requirements based on laws, regulations, industry standards, and the organization’s published policies.
Cloud Delivery Processes
Get insights into our cloud delivery processes and the ways they support critical business operations for cloud services.
Compliance FAQs
Frequently Asked Questions
Since 1998, SAP has held an ISO 9001 certificate. We are also certified according to ISO 27001, ISO 22301, and BS 10012. All locations worldwide work according to one common process framework, including data security and privacy regulations. We regularly check compliance through internal reviews and audits.
BS 10012 specifies a framework for implementing a personal information management system (PIMS) in compliance with the General Data Protection Regulation (GDPR) and mandates the implementation of such a system within corporate security programs. It describes a framework to manage the privacy of personal data and to implement the necessary policies, procedures, and controls to help ensure compliance with the GDPR.
The SOC 1 report covers all live customer systems during the audit cycle. It provides information about controls at a service-organization level that is relevant to the customer's internal control over financial reporting, known as IT general controls.
IT general controls cover:
- IT strategy
- Environment and organization
- Logical and physical access controls
- Program development
- Change management
- Computer operations such as incident management, backup, and monitoring
The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that is relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust services criteria (TSPs).
These additional TSPs are:
- Confidentiality
- Integrity
- Availability
- Privacy
Our current certification portfolio includes BSI C5 (Cloud Computing Compliance Controls Catalogs), CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk), ISO 22301:2021 (Business Continuity Management), ISO/IEC 27001:2013 (Information Security Management System), ISO/IEC 27017:2015 (Code of practice for Cloud service information security), ISO/IEC 27018:2019 (Code of practice for Personally identifiable information in public clouds), ISO 9001:2015 (Quality management systems), PCI-DSS (Payment Card Industry Data Security Standard), SOC1, SOC2 Report (System and Organization Controls Report), and TISAX (Trusted Information Security Assessment Exchange).
Bridge letters are intended to cover the gap between the end date of the referenced report and the issue date of the bridge letter. Bridge letters provide customers with information as to whether there have been any significant changes to their controls environment that could adversely impact the conclusions reached in the most recently completed SOC examination. Bridge letters are available on request on the SAP Trust Center.