Compliance
Get the assurance you need to know that our products and services meet the latest compliance and security standards. We regularly check compliance through external reviews and audits and follow one common framework, including data security and privacy regulations, worldwide.
ISO/BS Certificates
SAP has developed and implemented an integrated framework based on several international standards. This approach provides a consistent, secure service that meets customer and applicable regulatory requirements. We address client satisfaction and continuous, as well as secure operation of our services, through the effective application of the framework, which includes continuous improvement and the prevents nonconformity. All SAP products and services are certified against ISO/BS standards are annually audited by our certification body.
ISO/IEC 9001 Quality Management System
This standard is based on a number?of quality management principles including a strong customer focus, the?motivation and involvement of top management, as well as the process approach?and continual improvement.
ISO/IEC 27001 Security Management System
ISO/IEC 27001 is possibly the best-known standard in the ISO family. It provides holistic, risked-based approach to security and a comprehensive and measurable set of information security management practices.
ISO/IEC 22301 Business Continuity Management System
ISO 22301 is the international standard for business continuity management. It’s designed to protect business operations from potential disruption. This includes extreme weather, fire, flood, natural disaster, theft, IT outage, staff illness, and terror attacks.
BS 10012 Personal Information Management System
This standard covers areas such as employee security awareness training, risk assessments, data retention, and disposal. It establishes policies and procedures and enables the effective management of personal information on individuals.
ISO/IEC 20000 Service Management
ISO/IEC 27018: ISO 27018 Code of practice for personally DATA protection
ISO/IEC?27018 provides guidance for cloud service providers on protecting personally identifiable information (PII). This standard supports ISO/IEC 27001 by?recommending information security controls for protecting personal data in? the?public cloud.
ISO/IEC 27017 Code of practice for Cloud service information security
ISO/IEC?27017 is the code of practice for information security controls for cloud?services. This standard supports ISO/IEC 27001 by providing guidance on?cloud-specific information security controls.
Service Organization Control Reports
SOC 1 Reports
The auditor of our customer’s financial statements receives information about controls for cloud solutions from SAP that may be relevant to a customer’s internal control over financial reporting. The SOC 1 report follows the SSAE 18 and ISAE 3402 standards on auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.
SOC 2 Reports
Customers and prospects are given insights into the control system relevant to security, availability, processing integrity,? confidentiality, or privacy of the data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. The report includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.
SOC 3 Reports
Interested parties get a report on the control system implemented within cloud solutions from SAP that are relevant to security, availability, processing integrity, confidentiality, or privacy. The SOC 3 report is a short-form record that provides no description of controls testing and results. It also summarizes the results of respective SOC 2 audits.
Other Certifications and Attestations
Payment Card Industry Data Security Standard (PCI DSS)
This global data security standard, also known as PCI DSS, is adopted by the payment card brands for all entities that process, store, or transmit cardholder data. It comprises common sense steps that mirror security best practices.
Good Practice Quality Guidelines and Regulations (GxP)
GxP is an acronym referring to the regulation and guidelines?applicable to life sciences organizations that make food and medical products. These requirements? ensure that food and medical products are safe?for consumers.
Cloud Computing Compliance Controls Catalogue (C5)
C5 has proven itself, due to its neutrality, scope, compactness and testability, as an attestation for a stable foundation for internal auditing and for information security management in regulated industries.
Trusted Information Security Assessment Exchange (TISAX)
TISAX enables mutual acceptance of?Information Security Assessments in the automotive industry and provides a?common assessment and exchange mechanism.
Federal Service for Technical and Export Control (FSTEC)
FSTEC enables Russia?license for activities in the field of technical protection of confidential?information.
Cloud Security Alliance (CSA)
CSA is a not-for-profit?organization with a mission to promote the use of best practices for providing?security assurance within Cloud Computing, as well as, provide education on the uses? and security of Cloud Computing.
Product specific information
See how SAP products can help deal with government and industry specific regulations.
