As a company, you rely on SAP to provide support and services. But how do you know whether SAP is doing a good job on this part?
If an internal or external auditor asks you to show or explain the elements of SAP-delivered support, where do you get the information?
SAP trust center
SAP has a good site to start with for this information: the SAP trust center.
Here you can find:
- Security policies
- Security frameworks
- List of sub-processors employed by SAP to provide services (sub-processors can be at infrastructure level, like AWS, Azure, etc., but also manpower, like Accenture, TCS, etc.)
- Compliance reports like SOC1, SOC2, ISO 27001, ISO 9001, etc. (or go directly to the compliance finder)
Not all reports are public. For some, you must be a customer of the product or service. Some parts require acknowledgement of a non-disclosure agreement before you can get the report.
Security white paper
Another good document is the SAP security white paper.