Emre Acarer

SAP PLM Technology Bytes: ISO Information Security Management System Certification of SAP Enterprise Product Development


Welcome to the second entry in the “Technology Bytes” series of SAP PLM. In this entry, due to growing demand, we continue with the security topic and share another exciting piece of news: the ISO/IEC 27001 certification of SAP EPD. As you might have heard, SAP Enterprise Product Development has been successfully certified as compliant with the ISO/IEC 27001 standard.

In an era where data breaches and cyber threats have become increasingly prevalent, organizations across industries are prioritizing the implementation of robust information security management systems. SAP Enterprise Product Development, a leading provider of enterprise software solutions, has recently achieved a significant milestone by obtaining the ISO 27001 Information Security Management System (ISMS) certification. This certification underscores SAP’s commitment to safeguarding customer data and ensuring the highest standards of information security.

ISO 27001 certification is not a one-time achievement but rather an ongoing commitment to information security. By implementing a systematic approach to risk management and regularly reviewing and improving security controls, SAP can stay ahead of emerging threats and vulnerabilities, ensuring the ongoing protection of customer data.

Our colleagues and co-authors of this blog, Andreas Heck and Shabna Chelakodan, answered commonly asked questions about the ISO certification. Let us get into the details!

Could you please explain what ISO 27001 (Information Security Management Systems) is?

With this achievement EPD demonstrates credibility and trust, and builds satisfaction and confidence with stakeholders, partners, citizens, and customers. For the certification EPD followed a holistic risk-based approach to compliance, and a comprehensive and measurable set of information security management practices. This certification expresses our commitment towards SAP customers and guarantees a high level of security and quality for SAP critical solutions and services. For the certified lines of business, the requirements of the international standard ISO 27001:2013 are fulfilled.

Why does ISO matter more than other information security standards? What makes it more important than other standards?

  • It systematically examines the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts.
  • It designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
  • It adopts an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

What does it mean for customers? What is the value in it for them? Could customers use this as a competitive advantage?

ISO 27001 is the international standard for managing information security. The focus here is on the security of customers’ data managed with the SAP products. To achieve this, the standard defines a broad spectrum of domains and controls. For example:

  • Backup and restore is regularly tested to safeguard against loss of customer data.
  • Network Communication and Security Architecture requirements safeguard the Cloud products in general.
  • User Access Management defines standards to ensure access to data is restricted.

So, the benefit for the customer is the assurance that information resources stay secure, undamaged, and confidential, together with a reduction of security risk and reduced vulnerability to cyber-attack threats. The centrally managed framework prepares people, processes, and technology to face security risks and other threats.

Could you please tell us about the audit process and audit scope? Does SAP EPD obtain the certificates standalone or together with other products? Is it a one-time audit, or does auditing happen continuously?

EPD is not “solitarily” driving the ISO/SOC certification; instead, EPD onboarded to the S/4 central EM ISMS (Enterprise Mgmt. Information Security Mgmt. System). The central EM ISMS includes additional products and Cloud Delivery, and EPD obtained the ISO 27001 certificate as part of this information security management system.

Being compliant is not a one-time effort – you must ensure compliance at all times if you want to hold those certificates. So, it is a continuous process. A yearly audit cycle has two parts – one internal audit and one external audit.

The internal audit takes place once a year, normally at the beginning of a year or at the end of the previous year, and always before the yearly external ISO/SOC audit cycle. Before participating in the external audit, newly onboarded services are required to first go through the internal audit. You can treat the internal audit as a “dry run” for the external audit: see the problems of your service from the findings and seek improvement, so that you are better prepared for the external audit. The internal audits are conducted by qualified SAP employees acting as auditors, while the external ones are conducted by third-party auditors.

The audit scope mainly includes the following domains for EPD:

  • Backup and restore
  • Business continuity & Disaster Recovery
  • Change management
  • Customer system & Tenant decommissioning
  • Incident management
  • Malware management
  • Network communication and security architecture
  • Problem management
  • Secure software development
  • Security assessments
  • Security configuration reporting
  • Security event management
  • Security patch management
  • Service & contract management
  • Supplier management
  • User & access management

SAP EPD must provide auditors with detailed evidence that proves that all requirements are being followed in detail. Any deviations are documented and need to be resolved by SAP EPD.

There are so many internal and external security policies and standards. How does ISO relate to our security policies and standards? Do they complement each other?

When SAP EPD started preparing for the first internal ISO audit, we quickly noticed that ISO does not add completely new requirements to the existing product quality and security standards at SAP. The first step was to simply map the new “specific ISO terms” to the SAP terminology. SAP EPD added no new processes to our product development, but mainly new artifacts which match the ISO requirements exactly. With this new documentation we fulfill the requirements for ISO audits.

Internally, the ISO standards help the SAP EPD development team to work even more transparently, in line with industry standards like ISO.

Is there any adjacent ISO standard that SAP EPD meets together with ISO 27001?

Yes, the certificate states that controls have been covered for an even more comprehensive certification: ISO/IEC 27017:2015 and ISO/IEC 27018:2019.

What further news can customers expect, and what comes next?

SAP EPD must maintain and ensure compliance at all times, as SAP EPD wants to keep holding the ISO certificate. Complete recertification happens every 3 years, while annual surveillance audits are needed to maintain validity.

Depending on customer demand, we could invest in achieving the SOC and afterwards the C5 certifications.


Obtaining the ISO 27001 certification is a significant accomplishment for SAP Enterprise Product Development. By achieving this certification, SAP demonstrates its unwavering commitment to information security, customer trust, and regulatory compliance. With the ever-evolving threat landscape, ISO 27001 provides a robust framework for SAP to continuously assess risks, implement effective controls, and enhance its overall information.

In upcoming blogs, and with new technology advancements over the releases, we plan to uncover the rest of the questions on the other foundational topics of SAP EPD. Your feedback always matters! Please do ask whatever you’d like to get an answer for, and we’ll pick it up in the next blog.

Till then, please also:

  • Follow the SAP Enterprise Product Development tag,
  • Check the SAP Enterprise Product Development topic page,
  • post and answer questions about SAP Enterprise Product Development,
  • and read other posts on SAP Enterprise Product Development.


About Authors:

Shabna Chelakodan is EPD ISO lead focusing on ISO/SOC certification for EPD.

Andreas Heck is part of Private Cloud PLM focusing on PLM in S/4HANA Cloud and On-Premise.

Emre Acarer is part of the PLM Cloud Acceleration team focusing on portfolio management for PLM solutions at SAP.


      horthen green

      As I know, ISO/IEC 27001 is a globally recognized standard for information security management. It provides a framework for establishing, implementing, maintaining, and continually improving an ISMS within an organization. The standard aims to ensure the confidentiality, integrity, and availability of information assets, which are critical aspects of protecting sensitive information. For SAP Enterprise Product Development, obtaining the ISO/IEC 27001 certification demonstrates the organization's commitment to information security and its ability to safeguard customer data and intellectual property. It signifies that the company has undergone a comprehensive evaluation of its information security risks and implemented appropriate controls to mitigate these risks effectively.


      The ISO/IEC 27001 certification is not specific to SAP PLM (Product Lifecycle Management) technology but is a general standard applicable to any organization seeking to enhance its information security practices. If you are looking for more detailed and specific information about SAP's certification process or SAP's Enterprise Product Development with respect to ISO/IEC 27001, I recommend referring to official SAP documentation, contacting SAP support, or accessing the relevant technology bytes or articles from official SAP sources.

      Yash Agrawal

      SAP Enterprise Management System ISO 27001 Certificate (SAP Enterprise Product Development ISO/IEC 27001) -