Compliance offerings from SAP
How our compliance offerings support our customers’ business needs
SAP is committed to prioritizing compliance through precise standards and practices that guarantee data integrity, regulatory adherence, and ethical conduct across all of our customers’ operations. Explore how to gain insights into these critical areas.
SAP Compliance Offerings - Explore Certificates, Reports, and Attestations
At SAP, we keep our finger on the pulse of ever-increasing security challenges by building a security foundation based on industry standards, compliance, and regulatory requirements. View our latest security compliance offerings and reports.
ISO 9001 Quality Management System
Based on quality management principles including strong customer focus and involving top SAP management with the ultimate goal of continuous improvement.
ISO/IEC 27001 Security Management System
Provides a holistic, risked-based approach to security and a comprehensive and measurable set of information security management practices.
ISO 22301 Business Continuity Management System
Protects business operations from severe disruption, such as extreme weather, fire, natural disaster, theft, IT outage, and more.
BS 10012 Personal Information Management System
Includes employee security awareness training, risk assessments, data retention, and disposal.
ISO/IEC 27018 Code of Practice for Personally Identifiable information
Guidance for cloud service providers to protect personally identifiable information (PII). Supports ISO/IEC 27001 by recommending information security controls for protecting personal data in the public cloud.
ISO/IEC 27017 Code of Practice for Cloud Service Information Security
Codes of practice for information security controls for cloud services. Supports ISO/IEC 27001 by providing guidance on cloud-specific information security controls.
SOC 1 reports
Auditors of SAP's customer financial statements receive information from SAP about controls for cloud solutions that are often relevant to a customer’s internal control over financial reporting. This SOC 1 report follows the SSAE 18 and ISAE 3402 standards for auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the audited controls.
SOC 2 reports
Customers and potential customers gain insights into the control system relevant to security, availability, processing integrity, confidentiality, or privacy of data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. Includes a detailed description of the design (type I/type II) and effectiveness (type II) of the audited controls.
Bridge letters
Bridge letters are intended to cover the gap between the end date of the referenced report and the issue date of the bridge letter. Bridge letters provide customers with information as to whether there have been any significant changes to their controls environment that could adversely impact the conclusions reached in the most recently completed SOC examination.
Payment Card Industry Data Security Standard (PCI DSS)
This global data security standard, also known as PCI DSS, is adopted by the payment card brands for all entities that process, store, or transmit cardholder data. Comprised of steps that mirror security best practices across the industry.
Good Practice Quality Guidelines and Regulations (GxP)
GxP is a collection of quality guidelines and regulations created to ensure that biopharmaceutical products are safe, meet their intended use, and adhere to quality processes during manufacturing, control, storage, and distribution.
Trusted Information Security Assessment Exchange (TISAX)
TISAX enables mutual acceptance of Information Security Assessments in the automotive industry and provides a common assessment and exchange protocol.
Federal Risk and Authorization Management Program (FedRAMP)
For government agencies, security is at the heart of every IT project. Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Network & Information Directives (NIS2)
NIS2 is the most recent EU directive aimed and harmonizing and improving its cybersecurity framework for Critical Infrastructure (CI) providers. In addition to SAP being a registered CI provider, SAP serves Critical Infrastructure (CI) providers in many countries across the globe and contributes to their compliance with their respective cybersecurity regulations. SAP is a registered CI provider in Germany (KRITIS), subject to German jurisdiction. We are monitoring Germany’s adoption of its draft NIS2 law and will provide further updates as matters evolve.
The Data Operational Resiliency Act DORA (DORA)
Published on or about NIS2’s publication, DORA is the latest cybersecurity law regulating EU financial entities, and ‘ ICT third-party service providers’ who offer cybersecurity services to financial entities, like SAP. These laws provide for financial sector-specific requirements, with a focus on resiliency. To the extent addressed under NIS2, these requirements take precedence (lex specialis). SAP is preparing for DORA’s applicability on 17 January 2025 and update information on DORA as this new regulation evolves.
Cloud Computing Compliance Controls Catalogue (C5)
C5 has proven itself, because of its neutrality, scope, compactness, and testability, as an attestation for a stable foundation for internal auditing and for information security management in regulated industries.
EU Cloud Code of Conduct (EU Cloud CoC)
Endorsed by the European Data Protection Board and approved by the Belgian Data Protection Authority, the EU Cloud CoC allows cloud service providers to demonstrate adherence to GDPR requirements (Article 28 GDPR and its related Articles).
Cloud Security Assessment (IRAP-CSA)
The Australian Government Cloud Security Assessment and Authorization Framework defines a means for an organization’s cybersecurity team, cloud architects, and business representatives to jointly perform a risk assessment and use SAP Cloud Services securely.
Spain National Security Framework (ENS)
The National Security Framework (ENS) is made up of the basic principles and minimum requirements necessary for the adequate protection of the information processed and the services provided by an organization. ENS compliance helps ensure access, confidentiality, integrity, traceability, authenticity, availability and conservation of data and services processed by electronic means.
Cybersecurity Classified Protection Scheme (CCPS)
The CCPS is China’s regional regulatory security certification mandated by article 21 of the China Cybersecurity Law (CCSL). It’s a nationwide security program that standardizes security design, assessment, audit, certification, renewal, and monitoring of every system or network hosted in mainland China. Any organization who owns or operates such a system or network is legally obligated to comply with the CCPS.
Information System Security Management and Assessment Program (ISMAP)
ISMAP is Japan’s information system security management and assessment program that enables governments to assess and register cloud services that meet the government's security requirements. This program is based on the "Basic Framework for the Security Evaluation System for Cloud Services in Government Information Systems".
SAP software accessibility
The "SAP Accessibility Status Documents" inform users about product-specific accessibility features describing the testing environment. These documents also report the current status of standards, guidelines, and requirements. They are available as VPAT US for our US customers, and as VPAT EN 301 549 for our international customers.
Sustainability ISO 14001 and ISO 50001
A multisite certificate confirms that SAP’s environmental management system complies with the international ISO 14001:2015 standard. The appendix for this certificate includes all certified sites covered by SAP's environmental management system. At some sites we have a ISO50001:2018 certification, ensuring we are in line with energy management standards.
Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA), a not-for-profit organization that develops and promotes best security practices for cloud computing and provides focus and guidance for SAP deployments.
Ethics and compliance
SAP is committed to the highest standards of ethical business practices. We strive to undertake business with integrity and follow both the spirit and the letter of the law in all global markets in which we operate.
IDW PS 880
Attestations of SAP software pursuant to the German Institute of Public Auditors (IDW).
Compliance resources
Ethics and compliance at SAP
By doing business the right way, in accordance with our Global Code of Ethics and Business Conduct, SAP positively impacts social and economic development, furthering education, justice, democracy, prosperity, development, and health worldwide.
Cloud delivery processes
Get insights into our cloud delivery processes and the ways they support critical business operations for cloud services.