SAP Knowledge Base Article - Public

2681625 - How to Get SOC1, SOC2 or ISO 27001 Reports for Audits


You require a SOC 1, SOC 2 or ISO 27001 report for audit purposes and want to know how/where to request it.


  • SAP Business ByDesign
  • SAP Cloud for Customer


SAP has developed and implemented an integrated framework based on several international standards. This approach provides a consistent, secure service that meets customer and applicable regulatory requirements. We address client satisfaction and continuous, as well as secure operation of our services, through the effective application of the framework, which includes continuous improvement and the prevents nonconformity. All cloud units certified against ISO/BS standards are annually audited by our certification body.

ISO 27001 is possibly the best-known standard in the ISO family. It provides holistic, risked-based approach to security and a comprehensive and measurable set of information security management practices.

SOC 1 Report: The auditor of our customer’s financial statements receives information about controls for cloud solutions from SAP that may be relevant to a customer’s internal control over financial reporting. The SOC 1 report follows the SSAE 16 and ISAE 3402 standards on auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

SOC 2 Report: Customers and prospects are given insights into the control system relevant to security, availability, processing integrity,  confidentiality, or privacy of the data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. The report includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

You can find these reports in the SAP Cloud Trust Center. If the reports are not available in the compliance center, then you can request the report by accessing the link Request for SOC report.

See Also

Once you have requested the report, it takes around 2-3 weeks for the report to be sent to the requestor. We recommend, based on your audit schedule, that you kindly request the SOC or ISO reports in advance to avoid any delays/incidents.

You can also view more details in our SAP Cloud Trust Center.


SOC1, SOC2, ISO27001, Audit reports , KBA , soc reports , soc report , soc , SRD-CC-CI-CCS , ByD Service Control Center , How To


SAP Business ByDesign all versions ; SAP Cloud for Customer add-ins all versions ; SAP Cloud for Customer core applications all versions