The scope of this report covers the SAP Concur Cloud Security Assessment (CSA) Pack for 2024 deployed in Australia using the Information Security Manual (ISM) controls manual published March 2024.

 

The scope of a Cloud Security Assessment (CSA) undertaken by an Infosec Registered Assessor Program (IRAP) certified assessor includes the evaluation of the security fundamentals of SAP, and the regional deployment (where applicable) of the Cloud Service offering.

 

The resulting attestation created by the assessor is made available as a Cloud Security Assessment (CSA) Pack to organization's cyber security team, cloud architects and business representatives to jointly perform a risk assessment and use SAP Cloud Services securely.

 

This CSA Pack will include the Cloud Security Assessment Report (CSAR) and any addendums, the Cloud Security Controls Matrix (CSCM) detailing the individual controls and the responsibilities of SAP and the cloud consumer. A SAP Cloud Service CSA Pack can be provided to SAP Customers, Prospects and Partners who are subject to a Non-Disclosure Agreement (NDA) with SAP.

 

This assessment is undertaken in accordance with the Digital Transformation Agency (DTA)’s Secure Cloud Strategy, and Australian Cyber Security Centre (ACSC)’s Anatomy of a Cloud Assessment and Authorisation guidelines.

 

For more information see: https://www.cyber.gov.au/acsc/view-all-content/publications/anatomy-cloud-assessment-and-authorisation