SAP Knowledge Base Article - Public

2681625 - How to get SOC1, SOC2 or ISO 27001 reports for Audits

Symptom

You want to request a SOC 1, SOC 2, or ISO 27001 report for audit purposes.

Environment

SAP Business ByDesign, SAP Hybris Cloud for Customer

Cause

SAP has developed and implemented an integrated framework based on several international standards. This approach provides a consistent, secure service that meets customer and applicable regulatory requirements. We address client satisfaction and the continuous, secure operation of our services through the effective application of the framework, which includes continuous improvement and the prevention of nonconformity. All cloud units certified against ISO/BS standards are audited annually by our certification body.

ISO 27001 is possibly the best-known standard in the ISO family. It provides a holistic, risk-based approach to security and a comprehensive and measurable set of information security management practices.

SOC 1 Report: The auditor of our customer’s financial statements receives information about controls for cloud solutions from SAP that may be relevant to a customer’s internal control over financial reporting. The SOC 1 report follows the SSAE 16 and ISAE 3402 standards on auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

SOC 2 Report: Customers and prospects are given insights into the control system relevant to security, availability, processing integrity, confidentiality, or privacy of the data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. The report includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

 

Resolution

You can find these reports in the SAP Cloud Trust Center. If the reports are not available in the compliance center, you can request the report via the link Request for SOC report.

Please note: Once you have requested the report, it takes around 2-3 weeks for the report to be sent to the requestor.

See Also

Based on your audit schedule, we recommend requesting the SOC or ISO reports in advance to avoid any delays or incidents.

You can also visit the SAP Cloud Trust Center for more details.

Keywords

SOC1, SOC2, ISO27001, Audit reports, KBA, SRD-CC-CC, Control Centre, How To

Product

SAP Business ByDesign all versions; SAP Cloud for Customer all versions