Understanding Compliance with Certifications

Objective

After completing this lesson, you will be able to gain insights into the compliance certifications relevant to SAP Infrastructure as a Service.

Compliance Certifications Relevant to SAP Infrastructure as a Service

SAP Infrastructure as a Service complies with several laws and regulations, standards, and internally defined process management. Standards include critical aspects such as information security and financial reporting. It is necessary that our customers follow the same standards. Certifications that SAP Infrastructure as a Service currently has include PCI DSS, CCPS, ISO 27001, ISO 22301, SOC 1 Type 2, SOC 2 Type 2, SWIFT, SOX, C5:2020 Type 2 Attestation, and KRITIS.

Note

Certifications change with some frequency, with new certifications or updated versions of current certifications. Note that this list was current as of March 2024.

To get a better insight on all of the certifications obtained by SAP Infrastructure as a Service, visit SAP Trust Center.

Certifications and Descriptions

PCI DSS
The Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) inspects the company’s credit-card processing system. SAP Infrastructure as a Service does not directly store, process, or transmit cardholder data; however, SAP Infrastructure as a Service hosts other SAP lines of businesses that may store, process, or transmit cardholder data. Examples of the services assessed include load balancing, DNS, audit, metrics, monitoring, block storage, object storage, metal, VMs, and so on.
SWIFT – Banking/Financial Certification
The SWIFT certification is the permission, granted by the banking/financial certification body SWIFT, to run SWIFT Financial Network applications and messages in SAP Infrastructure as a Service data centers; it was obtained from SWIFT in 2020 after fulfilling SWIFT's security and operational requirements.
ISO 27001
ISO 27001 was created by the International Organization for Standardization to describe how to manage information security in a company. ISO 27001 provides a checklist of standards for policies and procedures relevant to data usage and management. Holding this certification means that best practices are followed for data management, such as documentation of procedures, onboarding/off-boarding procedures, and the types of encryption used for the system (such as RSA).
ISO 22301
ISO 22301:2020 was created by the International Organization for Standardization to specify the requirements of a management system that protects against disruptive incidents, reduces their likelihood, and ensures that the business recovers from them.
Cloud Computing Compliance Controls Catalogue (C5:2020) Type 2 Attestation
C5 (Cloud Computing Compliance Controls Catalogue) is intended primarily for professional cloud service providers. C5 is a catalogue that sets a baseline security level for cloud services. The report includes SAP Infrastructure as a Service because of the live customer systems hosted in SAP SE’s data centers across the world.
KRITIS
Since SAP Infrastructure as a Service is part of SAP's overall infrastructure, and since SAP is considered critical infrastructure, SAP Infrastructure as a Service is KRITIS certified. KRITIS (Kritische Infrastrukturen, "critical infrastructure") refers to organizations or institutions that are essential to public welfare, where a failure or impairment would affect more than 500,000 people, as defined by the Act on the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).
SOC 1 Type 2
The System and Organization Controls (SOC) Number 1 is a report on controls at a service organization that are relevant to user entities' internal control over financial reporting. SOC 1 Type 2 is an audit conducted over a period of time to determine the operating effectiveness of those controls.
SOC 2 Type 2
The System and Organization Controls (SOC) Number 2 is a report specifically designed for entities such as data centers. It focuses on a business's non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. SOC 2 Type 2 indicates that the controls exist and that they are fully functioning over the audited period.
SOX
The Sarbanes-Oxley Act of 2002 (SOX) is legislation passed by the US Congress to protect shareholders and the public from accounting errors and fraudulent practices in the enterprise.
CCPS
The Cybersecurity Classified Protection Scheme (CCPS) certificate is mandated by the China Cyber Security Law. CCPS is a local security certification that applies to all systems, platforms, infrastructure, and websites hosted or registered within the borders of mainland China.