27 July 2018
SAP, the world’s largest vendor of enterprise resource planning software, recently engaged PwC to audit its S/4HANA Cloud service according to the Cloud Computing Compliance Controls Catalogue (BSI C5). The BSI C5 was released by the German Federal Office for Information Security (BSI) in 2016 and sets the baseline for information security for cloud providers in Germany.
The BSI commissioned PwC to develop a Cloud-specific requirements catalogue. The BSI C5 provides a set of guidelines and requirements for Cloud security and, from the BSI's perspective, defines the basis for assessing the level of information security of a specific Cloud service. In this context, the BSI published the BSI Minimum Standard, which specifies that federal agencies and public IT may only use Cloud services for which the provider holds a BSI C5 attestation.
"For public authorities and private companies the BSI C5 has become an important point of reference – both in Germany and internationally. It reflects the German authorities’ stringent requirements for information security", says Michael Hermann, SAP S/4HANA Cloud Security Officer at SAP. It is possible to combine a BSI C5 audit with assessments according to other compliance schemes.
"Numerous customers from all kinds of industries are asking for the C5 attestation to demonstrate the level of information security. That is why we decided to obtain a C5 attestation for SAP S/4HANA Cloud. It reflects the high requirements of the German authorities regarding the level of information security."
BSI C5 contains 114 requirements which support Cloud providers in establishing relevant safeguards in their operational organisation. What sets the BSI C5 apart from existing compliance schemes are the so-called surrounding parameters for transparency. They require Cloud providers to make available certain information about, for example, the location of data centres, the place of jurisdiction or obligations to disclose information, and the investigatory powers of government agencies. Furthermore, a description of the Cloud service needs to be included in the report.
"With SAP, Germany’s largest Cloud provider has achieved a BSI C5 attestation. We are pleased that SAP has relied on PwC’s expertise, which we acquired as the developers of the BSI C5 and as a pioneer of other assurance projects."
For several years, SAP has relied on PwC’s expertise when it comes to auditing its Cloud solutions. Within SAP’s respective compliance programme, PwC performs audits for SAP’s numerous international Cloud solutions according to globally recognised compliance schemes.