Welcome to the second series of “Technology Bytes” of SAP PLM. In this entry, due to growing demand, we continue with the Security topic and bring more exciting news on the ISO/IEC 27001 certification of SAP EPD. As you might have heard, SAP Enterprise Product Development has been successfully certified as compliant with the ISO/IEC 27001 standard.
In an era where data breaches and cyber threats have become increasingly prevalent, organizations across industries are prioritizing the implementation of robust information security management systems. SAP Enterprise Product Development, a leading provider of enterprise software solutions, has recently achieved a significant milestone by obtaining the ISO 27001 Information Security Management System (ISMS) certification. This certification underscores SAP's commitment to safeguarding customer data and ensuring the highest standards of information security.
ISO 27001 certification is not a one-time achievement but rather an ongoing commitment to information security. By implementing a systematic approach to risk management and regularly reviewing and improving security controls, SAP can stay ahead of emerging threats and vulnerabilities, ensuring the ongoing protection of customer data.
Our colleagues and co-authors of this blog, Andreas Heck and Shabna Chelakodan, answered commonly asked questions about ISO certification. Let us get into the details!
Could you please explain what ISO 27001 (Information Security Management Systems) is?
With this achievement, EPD demonstrates credibility and trust, satisfaction and confidence with stakeholders, partners, citizens, and customers. For the certification, EPD followed a holistic risk-based approach to compliance, and a comprehensive and measurable set of information security management practices. This certification expresses our commitment towards SAP customers and guarantees a high level of security and quality for SAP critical solutions and services. For the certified lines of business, the requirements of the international standard ISO 27001:2013 are fulfilled.
Why does ISO matter more than other information security standards? What makes it more important than other standards?
It systematically examines the organization's information security risks, taking account of the threats, vulnerabilities, and impacts.
It designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
It adopts an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
What does it mean for customers? What is the value in it for them? Could customers use this as a competitive advantage?
ISO 27001 is the international standard for managing information security. The focus here is on the security of customers’ data managed with the SAP products. To achieve this, the standard defines a broad spectrum of domains and controls. For example:
Backup and restore is regularly tested to safeguard against loss of customer data.
Network Communication and Security Architecture requirements safeguard the Cloud products in general.
User Access Management defines standards to ensure access to data is restricted.
So, the benefit for the customer is the assurance that information resources stay secure, undamaged, and confidential, together with a reduction of security risk and reduced vulnerability to cyber-attack threats. The centrally managed framework prepares people, process, and technology to face security risks and other threats.
Could you please tell us about the audit process and audit scope? Does SAP EPD obtain the certificates standalone or together with other products? Is it a one-time audit, or do audits happen continuously or frequently?
EPD is not "solitarily" driving the ISO/SOC certification; instead, EPD onboarded to the S/4 central EM ISMS (Enterprise Mgmt. Information Security Mgmt. System). The central EM ISMS includes additional products and Cloud Delivery, and EPD obtained the ISO 27001 certificate as part of this information security management system.
Being compliant is not a one-time effort; you must ensure compliance at any time you want to hold those certificates. So, it is a continuous process. A yearly audit cycle has two parts: one internal audit and one external audit.
The internal audit takes place once a year, normally at the beginning of a year or at the end of the previous year, and always before the yearly external ISO/SOC audit cycle. Before participating in the external audit, newly onboarded services are required to first go through the internal audit. You could treat the internal audit as a “dry run” for the external audit: see the problems of your service from the findings and seek improvement, so that you can better prepare for the external audit. The internal audits are conducted by qualified SAP employees as auditors, while the external ones are conducted by third-party auditors.
The audit scope mainly includes the following domains for EPD: Backup and restore, Business continuity & Disaster Recovery, Change management, Customer system & Tenant decommissioning, Incident management, Malware management, Network communication and security Architecture, Problem management, Secure software development, Security assessments, Security configuration reporting, Security event management, Security patch management, Service & contract management, Supplier management, User & access management.
SAP EPD must provide auditors with detailed evidence that proves that all requirements are being followed in detail. Any deviations are documented and need to be resolved by SAP EPD.
There are so many internal and external security policies and standards. How does ISO relate to our security policies and standards? Do they complement each other?
When SAP EPD started preparing for the first internal ISO audit, we noticed quickly that ISO does not add completely new requirements to the existing quality and security product standards at SAP. The first step was to simply map the new “specific ISO terms” to the SAP terminology. SAP EPD added no new processes to our product development, but mainly new artifacts which match exactly the ISO requirements. With this new documentation we fulfill the requirements for ISO audits.
Internally, the ISO standards help the SAP EPD development team to work even more transparently according to industry standards like ISO.
Is there any adjacent ISO standard that SAP EPD meets together with ISO 27001?
Yes, the certificate states that controls had been covered for an even more comprehensive certification: ISO/IEC 27017:2015 and ISO/IEC 27018:2019.
What further news are customers waiting for, and what comes next?
SAP EPD must maintain and ensure compliance at all times. SAP EPD wants to hold the ISO certificate. Complete recertification happens every 3 years, while annual surveillance audits are needed to maintain validity.
Depending on customer demand, we could invest in achieving the SOC and afterwards C5 certifications.
Obtaining the ISO 27001 certification is a significant accomplishment for SAP Enterprise Product Development. By achieving this certification, SAP demonstrates its unwavering commitment to information security, customer trust, and regulatory compliance. With the ever-evolving threat landscape, ISO 27001 provides a robust framework for SAP to continuously assess risks, implement effective controls, and enhance its overall information security.
In upcoming blogs and with new technology advancements over the releases, we plan to uncover the rest of the questions on the other foundational topics of SAP EPD. Your feedback always matters! Please do ask whatever you’d like to get an answer for, and we’ll pick it up in the next blog.
Till then, please also:
Follow the SAP Enterprise Product Development tag,
Check the SAP Enterprise Product Development topic page,