SAP achieves NIST CSF Tier 3

SAP has recently announced that it has achieved Tier 3 alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

A couple of things that stood out for me:

  • The journey began in 2021 under the guidance of SAP’s Chief Security Officer. According to their blog post, they managed to close the gaps by the end of 2023, which means it took them about two years to reach this milestone.
  • The starting point remains unclear. Given SAP’s existing adherence to many compliance standards, it’s likely that they started at a relatively high level of maturity, but there are no specific details about their initial position.
  • No specifics on the challenges. SAP hasn’t disclosed which areas had the most significant gaps or were the most challenging to address during this process. Perhaps they will reveal it in their planned webinar.
  • Custom self-assessment methodology. SAP hired EY to do the assessment and developed their own self-assessment methodology. They even went further. Here is a direct quote from the site:

“This methodology was reviewed and validated by a global independent audit firm, and the results of the self-assessment were further reviewed and validated by a second, global independent auditor.”

  • Can we get this methodology? According to their brochure, if you are an SAP customer, you can get the assessment methodology from your SAP representative. I wish they just made it public. Also, I am sure you could check with your local EY partner 😉

Additional resources

SAP blog post that provides some background details of their approach:

https://community.sap.com/t5/security-and-compliance-blogs/we-did-it-sap-confirmed-it-is-nist-csf-tier-3/ba-p/13876375

There is an online webinar scheduled for October 9th, 2024, that will cover this topic in more detail:

https://www.sap.com/events/2024-10-09-online-how-sap-is-safeguarding-its-customers.html

You can also find more information in SAP’s official brochure:

https://www.sap.com/documents/2024/08/e49580a9-d27e-0010-bca6-c68f7e60039b.html
