SAP systems form the backbone of IT infrastructure in many organisations, holding critical business data and processes. In an era of digital transformation and growing threats, security audits of these systems have become not only good practice but often a regulatory requirement. How can you prepare effectively for such an audit and ensure that your SAP systems meet the highest security standards?
Key areas of SAP security
These cover every aspect that affects the protection of data, users and infrastructure. Security in a SAP environment is multi-layered and requires a holistic approach encompassing both technical safeguards and organisational procedures. Ensuring an adequate level of protection requires attention to various factors, such as access control, activity monitoring, system updates, risk management, and compliance with standards and regulations. All these elements must work together to minimise the risk of unauthorised access, data breaches or system failures, while also ensuring compliance with legal and industry requirements. A properly configured SAP environment that addresses these key areas provides a solid foundation for maintaining application security within the organisation.
1. Identity and access management (IAM)
The foundation of SAP security rests on the proper management of user accounts and their permissions. Key principles include:
- Applying the principle of least privilege: each account holds only the authorisations its holder's job actually requires
- Implementing segregation of duties (SoD), so that no single user can both initiate and approve a sensitive process (for example, maintain a vendor master record and release the payment to that vendor)
- Conducting regular reviews of user access, including the removal of dormant accounts and the accounts of leavers
- Using privileged "firefighter" (emergency access) accounts only in exceptional circumstances, with time-limited assignment and fully logged sessions that are reviewed afterwards
Automating permission control with GRC tools such as SAP GRC Access Control enables effective management of this area at organisational scale.
2. Role and authorisation configuration
Properly defining roles (SAP authorisations) is not merely a matter of organisational tidiness, but a fundamental element of security. As part of the audit, the following are verified:
- Critical authorisations and their assignment (for example SAP_ALL, SAP_NEW, and authorisation objects such as S_TABU_DIS, S_DEVELOP and S_RFC with wide-open values)
- Potential conflicts in the segregation of duties, both across the roles assigned to one user and within a single role
- Role content - whether roles contain only the necessary transactions and authorisation values, and whether derived roles stay in line with their master roles
Regular permission reviews are good practice, allowing the removal of unnecessary permissions and accounts.
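The SoD and role-content checks described in sections 1 and 2 come down to one question: which business functions does a user reach through the union of their roles, and do any two of them conflict? The script below is an added example, not code from the original article. The transaction codes are real SAP transactions used for illustration; the conflict ruleset, role names and user assignments are constructed sample data, and a real review would read them from the user master (SU01/SUIM) or a GRC export.

```python
"""Segregation-of-duties check over user -> role -> transaction assignments.

Added example, not code from the original article. The transaction codes
are real SAP transactions used for illustration; the conflict ruleset, role
names and user assignments are constructed sample data.
"""

# Business functions and the transactions that realise them (illustrative).
FUNCTIONS = {
    "maintain_vendor_master": {"XK01", "XK02", "FK01", "FK02"},
    "post_vendor_payment": {"F110", "F-53"},
    "maintain_users": {"SU01", "SU10"},
    "maintain_roles": {"PFCG"},
    "create_purchase_order": {"ME21N", "ME22N"},
    "post_goods_receipt": {"MIGO"},
}

# SoD ruleset: pairs of functions one person must not hold together (assumed).
SOD_RULES = [
    ("maintain_vendor_master", "post_vendor_payment"),
    ("maintain_users", "maintain_roles"),
    ("create_purchase_order", "post_goods_receipt"),
]

# Constructed role definitions: role -> transactions it grants.
ROLES = {
    "Z_AP_CLERK": {"XK01", "XK02", "FB60"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_BASIS_USERADMIN": {"SU01", "SU10", "SU53"},
    "Z_BASIS_ROLEADMIN": {"PFCG", "SUIM"},
    "Z_PURCHASER": {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO", "MB52"},
    "Z_P2P_ALL": {"ME21N", "MIGO"},  # conflicting on its own
}

# Constructed user -> role assignments.
USER_ROLES = {
    "JSMITH": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "ADMIN1": ["Z_BASIS_USERADMIN"],
    "ADMIN2": ["Z_BASIS_USERADMIN", "Z_BASIS_ROLEADMIN"],
    "BUYER1": ["Z_PURCHASER"],
    "STORE1": ["Z_WAREHOUSE"],
}


def roles_granting(function, role_names, roles=ROLES, functions=FUNCTIONS):
    """Roles among role_names that grant at least one transaction of the function."""
    return sorted(r for r in role_names if roles.get(r, set()) & functions[function])


def sod_conflicts(user, user_roles=USER_ROLES, rules=SOD_RULES):
    """SoD rules the user violates, with the roles that grant each side.

    Reporting the contributing roles matters for remediation: the fix is
    usually to remove or split one role, not to delete the user.
    """
    assigned = user_roles.get(user, [])
    found = []
    for func_a, func_b in rules:
        via_a = roles_granting(func_a, assigned)
        via_b = roles_granting(func_b, assigned)
        if via_a and via_b:
            found.append({"rule": (func_a, func_b), "via": (via_a, via_b)})
    return found


def conflicting_roles(roles=ROLES, rules=SOD_RULES, functions=FUNCTIONS):
    """Roles that violate a rule by themselves; assigning them is always a conflict."""
    bad = {}
    for role, tcodes in roles.items():
        hits = [(a, b) for a, b in rules if tcodes & functions[a] and tcodes & functions[b]]
        if hits:
            bad[role] = hits
    return bad


def audit_users(user_roles=USER_ROLES):
    """Map every user with at least one conflict to the list of conflicts."""
    report = {}
    for user in user_roles:
        conflicts = sod_conflicts(user, user_roles)
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    for role, hits in conflicting_roles().items():
        print(f"role {role} is self-conflicting: {hits}")
    for user, conflicts in audit_users().items():
        for c in conflicts:
            print(f"{user}: {c['rule'][0]} via {c['via'][0]} and {c['rule'][1]} via {c['via'][1]}")
```

Checking roles on their own (conflicting_roles) catches the common case where a "convenience" role was built with both halves of a process; such a role produces a conflict for everyone it is ever assigned to, so it is cheaper to fix the role than to chase the users.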
3. Authentication and MFA
Multi-factor authentication (MFA) is becoming standard practice, particularly for administrative and remote access. In SAP systems, MFA can be integrated via:
- SAP Cloud Identity Services - Identity Authentication (IAS)
- Identity solutions provided by cloud vendors or the corporate identity provider (IdP)
Implementing Single Sign-On (SSO) linked to a corporate IdP simplifies identity management and allows organisations to apply centralised password and MFA policies. SSO does not remove the need for a password policy on the SAP side: accounts that keep a local password (service and RFC users, emergency users, users excluded from SSO) still authenticate against the system's own password rules, so those rules must be hardened as well.
4. Monitoring and activity logging
SAP offers several key logging mechanisms:
- Security Audit Log (SAL) - records security-relevant events at system level (successful and failed logons, transaction and report starts, RFC calls, changes to user master records and authorisations). It is switched off by default and must be enabled and given filter profiles (transaction SM19, or RSAU_CONFIG on newer releases); it is read with SM20 or RSAU_READ_LOG
- Read Access Logging (RAL) - tracks read access to sensitive fields, configured per application and field (transaction SRALMANAGER)
Enabling and properly configuring these logs makes it possible to answer questions such as: who accessed personal or financial data, and when? Log data should be reviewed regularly, retention should be long enough to support an investigation, and security alerts should be configured for critical events such as logons with standard accounts (SAP*, DDIC), bursts of failed logons, and the start of critical transactions.
5. SIEM integration and continuous monitoring
Integrating SAP monitoring with SIEM systems is recommended so that the security operations centre (SOC) has a complete picture of incidents, correlated with events from the network, the operating system and the database. The audit examines:
- Whether logging has been enabled and covers all productive clients and instances
- Whether anyone is reviewing the alerts, and how quickly
- Whether an incident response process exists and has been exercised
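The following script is an added example, not code from the original article, showing the kind of detection logic a SOC would run over Security Audit Log events once they are forwarded to a SIEM. The events are constructed sample data in a simplified (time, user, terminal, message ID, detail) form; they are not SAP's native audit-log file format, which you would read with SM20/RSAU_READ_LOG or a SIEM connector. The message IDs are real Security Audit Log event IDs (AU1 logon, AU2 failed logon, AU3 transaction started, AU4 transaction start failed); the thresholds, the allowlist of Basis administrators and the critical-transaction set are assumptions to be tuned per system.

```python
"""Detection rules over Security Audit Log events, as a SIEM or SOC would run them.

Added example, not code from the original article. EVENTS is constructed
sample data in a simplified form, not SAP's native audit-log format.
Thresholds, the admin allowlist and CRITICAL_TCODES are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CRITICAL_TCODES = {"SU01", "SU10", "PFCG", "SE16", "SE16N", "SE38", "SA38", "SM59", "SM49", "SM69", "RZ10"}
STANDARD_PRIVILEGED_USERS = {"SAP*", "DDIC"}
BASIS_ADMINS = {"BASIS01"}  # assumed allowlist for critical transactions
FAILED_LOGON_THRESHOLD, FAILED_LOGON_WINDOW = 5, timedelta(minutes=5)
AUTHZ_FAIL_THRESHOLD, AUTHZ_FAIL_WINDOW = 3, timedelta(minutes=10)


def t(iso):
    return datetime.fromisoformat(iso)


# Constructed sample events: (time, user, terminal, message_id, detail)
EVENTS = [
    (t("2025-03-10T08:00:00"), "JSMITH", "10.0.0.7", "AU2", ""),
    (t("2025-03-10T08:00:20"), "JSMITH", "10.0.0.7", "AU2", ""),
    (t("2025-03-10T08:00:40"), "JSMITH", "10.0.0.7", "AU2", ""),
    (t("2025-03-10T08:01:00"), "JSMITH", "10.0.0.7", "AU2", ""),
    (t("2025-03-10T08:01:20"), "JSMITH", "10.0.0.7", "AU2", ""),  # 5th failure -> alert
    (t("2025-03-10T08:01:40"), "JSMITH", "10.0.0.7", "AU2", ""),
    (t("2025-03-10T08:05:00"), "SAP*", "10.0.0.7", "AU1", ""),
    (t("2025-03-10T08:10:00"), "JDOE", "PC-0042", "AU3", "SE16"),
    (t("2025-03-10T08:12:00"), "BASIS01", "PC-0001", "AU3", "SU01"),  # allowlisted admin
    (t("2025-03-10T08:15:00"), "MKOWAL", "PC-0100", "AU2", ""),
    (t("2025-03-10T08:15:30"), "MKOWAL", "PC-0100", "AU2", ""),  # two failures: below threshold
    (t("2025-03-10T08:20:00"), "JDOE", "PC-0042", "AU4", "SE38"),
    (t("2025-03-10T08:20:20"), "JDOE", "PC-0042", "AU4", "SM59"),
    (t("2025-03-10T08:20:40"), "JDOE", "PC-0042", "AU4", "SU01"),  # 3rd refused start -> alert
]


def _burst(hits, ts, window, threshold):
    """Sliding-window counter per key; True exactly when the count reaches threshold.

    Firing on == rather than >= raises one alert per burst instead of one per event.
    """
    hits.append(ts)
    while ts - hits[0] > window:
        hits.popleft()
    return len(hits) == threshold


def _alert(rule, ts, user, terminal, **extra):
    return {"rule": rule, "time": ts, "user": user, "terminal": terminal, **extra}


def detect(events):
    """Run all rules over the events in time order and return the alerts raised."""
    alerts = []
    failed_logons = defaultdict(deque)
    failed_starts = defaultdict(deque)
    for ts, user, terminal, msg_id, detail in sorted(events, key=lambda e: e[0]):
        if msg_id == "AU2" and _burst(failed_logons[user], ts, FAILED_LOGON_WINDOW, FAILED_LOGON_THRESHOLD):
            alerts.append(_alert("failed_logon_burst", ts, user, terminal, count=FAILED_LOGON_THRESHOLD))
        elif msg_id == "AU1" and user in STANDARD_PRIVILEGED_USERS:
            alerts.append(_alert("standard_user_logon", ts, user, terminal))
        elif msg_id == "AU3" and detail in CRITICAL_TCODES and user not in BASIS_ADMINS:
            alerts.append(_alert("critical_tcode", ts, user, terminal, tcode=detail))
        elif msg_id == "AU4" and _burst(failed_starts[user], ts, AUTHZ_FAIL_WINDOW, AUTHZ_FAIL_THRESHOLD):
            alerts.append(_alert("authorisation_probing", ts, user, terminal, last_tcode=detail))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['time']:%H:%M:%S} {a['rule']:22} user={a['user']} terminal={a['terminal']}")
```

The AU4 rule is worth keeping even though it produces no access: a user whose transaction starts are repeatedly refused is either misprovisioned or probing for authorisations they were not given, and both are findings for the access review.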
6. Penetration testing and vulnerability management
Penetration testing allows weak points in the system to be identified before attackers find them. A SAP system should meet minimum hardening requirements, such as those described in the BSI IT-Grundschutz module for SAP ERP systems (APP.4.2).
Patch management is a key element. SAP publishes Security Notes every month on its Security Patch Day (the second Tuesday of the month), each rated by CVSS score and priority (HotNews, High, Medium, Low). The best practice is to apply HotNews and High priority notes promptly, and to cover the kernel, the database and the host operating system as well as the ABAP stack.
7. System configuration and hardening
A SAP security audit examines, among other things:
- SAP system parameters - the so-called profile parameters (login/*, rsau/*, snc/*, auth/* and the gateway parameters gw/*), compared against a hardening baseline
- Disabling unused functionality, such as unneeded ICF services and RFC destinations with stored credentials
- Database and operating system security
- Network configuration and cryptography, including the gateway and message server access control lists
All communication channels should be encrypted (SNC for SAP GUI and RFC, TLS for HTTP), and password policy should meet corporate standards.
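Profile parameters are where most of the password policy, audit logging and encryption settings listed above are actually enforced, so an audit usually starts by diffing the instance profiles against a baseline. The script below is an added example, not code from the original article. SAP profiles are plain text with one `parameter = value` per line and `#` starting a comment; the parameter names are real NetWeaver AS ABAP profile parameters, but the threshold values are an illustrative baseline (an assumption, not taken from the article or from an official SAP document) and should be replaced with your own policy. Both profile texts are constructed sample input, one with weak settings and one corrected.

```python
"""Check an SAP instance profile against a hardening baseline.

Added example, not code from the original article. Parameter names are real
AS ABAP profile parameters; the baseline values are an illustrative
assumption, and both profile texts are constructed sample input.
"""

# parameter -> (check, expected, why it matters)
#   "eq":      value must equal expected
#   "min":     value must be >= expected
#   "between": value must lie in the inclusive (low, high) range
BASELINE = {
    "login/no_automatic_user_sapstar": ("eq", 1, "prevents logon as SAP* with the default password when its user master record is missing"),
    "login/min_password_lng": ("min", 12, "minimum password length"),
    "login/fails_to_user_lock": ("between", (3, 5), "lock the user after a few failed logons"),
    "login/password_expiration_time": ("between", (1, 90), "0 means passwords never expire"),
    "login/password_downwards_compatibility": ("eq", 0, "0 stops storing weak backward-compatible password hashes"),
    "rsau/enable": ("eq", 1, "Security Audit Log must be switched on"),
    "rdisp/gui_auto_logout": ("between", (1, 1800), "terminate idle SAP GUI sessions; 0 disables the timeout"),
    "snc/enable": ("eq", 1, "SNC encryption for SAP GUI and RFC traffic"),
    "auth/rfc_authority_check": ("min", 1, "0 disables the S_RFC authorization check on incoming RFC calls"),
}

WEAK_PROFILE = """\
# Constructed sample instance profile (weak settings)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
SAPSYSTEM = 00
rdisp/wp_no_dia = 10
login/no_automatic_user_sapstar = 1
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/password_expiration_time = 0   # never expires
rsau/enable = 0
rdisp/gui_auto_logout = 0
snc/enable = 1
auth/rfc_authority_check = 1
"""

HARDENED_PROFILE = """\
# Constructed sample instance profile (corrected settings)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
SAPSYSTEM = 00
rdisp/wp_no_dia = 10
login/no_automatic_user_sapstar = 1
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/password_expiration_time = 90
login/password_downwards_compatibility = 0
rsau/enable = 1
rdisp/gui_auto_logout = 900
snc/enable = 1
auth/rfc_authority_check = 1
"""


def parse_profile(text):
    """Parse `name = value` lines; comments and blank lines are ignored, last occurrence wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def check_profile(params, baseline=BASELINE):
    """Return findings as (parameter, current_value, expected, reason); empty means compliant.

    An absent parameter is reported too: the kernel default then applies,
    and for most of these parameters the default is the weak value.
    """
    findings = []
    for name, (kind, expected, why) in baseline.items():
        if name not in params:
            findings.append((name, None, expected, f"not set, kernel default applies: {why}"))
            continue
        try:
            value = int(params[name])
        except ValueError:
            findings.append((name, params[name], expected, f"non-numeric value: {why}"))
            continue
        if kind == "eq":
            ok = value == expected
        elif kind == "min":
            ok = value >= expected
        else:
            low, high = expected
            ok = low <= value <= high
        if not ok:
            findings.append((name, value, expected, why))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = check_profile(parse_profile(text))
        print(f"{label}: {len(findings)} finding(s)")
        for name, current, expected, why in findings:
            print(f"  {name}: current={current!r} expected={expected!r} ({why})")
```

Run it against the instance profile and the default profile together (a value set only in DEFAULT.PFL is still effective), and treat "not set" findings as seriously as wrong values: the parameters above default to the permissive setting on many releases.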
8. Encryption and data protection
Sensitive data in SAP must be protected both in transit and at rest. The SAP HANA database natively supports strong encryption (AES-256) for data volumes, redo logs and backups; in transit, SNC protects SAP GUI and RFC connections and TLS protects HTTP(S) and database client traffic. Proper cryptographic key management is essential for effective data protection, including replacing the keys a system is installed with, restricting access to the secure store that holds them, and rotating them on a defined schedule.
9. Backup and disaster recovery
Backup and Disaster Recovery (DR) are a critical element of data security. Organisations should:
- Test recovery procedures regularly, including a full restore into an isolated environment rather than only verifying that backup jobs completed
- Maintain up-to-date contingency plans
- Ensure recovery time objectives (RTO) and recovery point objectives (RPO) align with business requirements
- Protect the backups themselves against tampering and ransomware: encrypted, stored offline or in an immutable copy, with access restricted to the backup operators
10. Incident management and continuous improvement
Organisations should have response procedures for incidents affecting SAP systems, including:
- A defined response plan
- Conducting incident exercises (simulations)
- Recording and reporting incidents in line with requirements
Regulatory compliance and SAP security
NIS2
The NIS2 directive (whose obligations apply from 18 October 2024, the deadline for member states to transpose it) imposes a range of cybersecurity obligations, including:
- Implementing appropriate technical and organisational measures
- Risk analysis and security policies
- Incident handling procedures, including reporting significant incidents to the competent authority (an early warning within 24 hours and an incident notification within 72 hours)
- Business continuity plans
- Vulnerability management
- Use of cryptography
- Multi-factor authentication
Penalties for non-compliance may reach up to EUR 10 million or 2% of global annual turnover, whichever is higher, for essential entities.
ISO/IEC 27001
The international information security management standard provides a sound reference point for SAP security. Audits often map SAP controls to ISO 27001 requirements, covering:
- Access control
- Password policies
- Backups
- Business continuity
BSI IT-Grundschutz
The German security standard defines detailed guidelines for SAP systems (the APP.4.2 SAP ERP system module, with APP.4.6 covering ABAP development):
- Physical protection of servers
- Secure configuration
- Regular updates
- Staff training
Organisational aspects of a SAP security audit
The success of an audit depends not only on technical matters, but also on organisational preparation:
- The audit team and cooperation - assigning responsible individuals from various areas
- Audit preparation - precisely defining the scope and plan
- Tools and automation - using automated tools to identify gaps
- Report and post-audit actions - developing a remediation plan with priorities
- Continuous improvement and awareness - treating security as a process, not a one-off task
SNOK as a partner in SAP security audits
SNOK offers comprehensive support in the field of SAP system security. Our team of experts can:
- Prepare your organisation for a SAP security audit
- Conduct an internal pre-audit identifying areas requiring attention
- Independently carry out a full security audit in line with industry best practices and regulatory requirements
- Develop a detailed remediation plan and support its implementation
- Implement continuous SAP security monitoring solutions
With experience in SAP security audits in both on-premises and cloud environments, SNOK delivers a comprehensive approach that addresses not only technical matters, but also organisational and regulatory considerations.
Summary
Preparing for a SAP security audit requires a holistic approach covering technical, formal and organisational aspects. Understanding the key security areas enables better risk management and compliance with regulatory requirements.
Regular audits - both internal and external - are not merely an obligation, but an investment in the security of critical business systems. With proper preparation, a SAP security audit becomes a valuable improvement tool rather than an unwelcome chore.
Contact the SNOK team to find out how we can help your organisation prepare for or conduct a SAP security audit.