KPMG SAP cyber and data security

Protect your SAP environment with an approach tailored to your risk appetite and the cyber threats your organization faces.

Mick McGarry

Principal, Advisory, GRC Technology, KPMG US

+1 214-840-8249

Eric Bloesch

Partner, Tech Assurance - Audit, KPMG US

+1 267-256-8311

Engel Schmidt

Senior Director, Security & Controls Solutions, KPMG US

+1 713 319 2000

Due to the increased threat of cyber attack, existing security and governance strategies are simply no longer adequate to protect the interconnected SAP landscape. Organizations must change their approach to securing the SAP landscape and adopt a holistic SAP security and governance strategy that protects the entire SAP technology stack. This requires the ability to proactively identify SAP cyber security threats and implement a security and governance strategy to address evolving risk.

The target security operations model 

The growing potential and high risk of ERP breaches have companies searching for the most effective way to safeguard their assets across all businesses and functions as they transition to S/4HANA. The solution starts with a strong cyber security framework, including leading practices and technologies that enable organizations to continuously detect and monitor their core business systems long past implementation.

Report and enhance

Meaningful reporting increases the visibility and insights into system threats and vulnerabilities, the effectiveness of the security operations program over time, and opportunities for enhancement to continuously improve and build resilience.


Security governance

An effective SAP cyber governance strategy identifies the cybersecurity risks within the SAP ecosystem and prioritizes them based on business objectives, vulnerability magnitude, and regulatory requirements. Risk mitigation requirements are then based on the findings and analysis.


People, process, and technology

Driven by the security governance strategy, develop a target operating model (TOM) for managing SAP cyber security that aligns process, people and technology to determine how a risk is managed, prioritized, and responded to. Note that the process, people and technology may also influence the governance strategy.


Assess, defend, comply, and control

Advanced technologies increase efficiency and effectiveness by: 

  • assessing, identifying and prioritizing application threats and vulnerabilities
  • integrating continuous monitoring of threats to defend the SAP ecosystem in real time
  • automating compliance reporting and the audit process to comply with regulatory requirements
  • controlling operational risks associated with SAP maintenance through fortification and the identification of system and code misconfigurations and vulnerabilities.

Risk remediation

Upon identification of threats and vulnerabilities, risks are triaged based on relevancy and impact, followed by activities to remediate, mitigate and/or respond.



KPMG has advised companies how to design and implement effective application security for more than two decades, including helping them implement leading practice processes and tools to manage SAP security risks.

We help clients identify risks and implement leading practices and solutions to secure their SAP landscape. Our approach incorporates cyber security process design and technology adoption into your modern ERP project to enable a leading practice SAP security target operating model. Tools and benchmarks are leveraged to implement proper SAP S/4HANA security controls based on a cyber security framework established by the National Institute of Standards and Technology (NIST).

Whatever your approach to SAP S/4HANA transformation—starting from scratch or migrating legacy, deploying on-premises or in the cloud—we can help. Working with Onapsis, we can help with vulnerability management, threat monitoring, application security testing, and compliance automation solutions that help prepare legacy applications and code for migration and accelerate development of new HANA and Fiori apps. Using these tools from the start of your project ensures applications and data are protected throughout the project and helps prevent project delays due to security, compliance, or quality issues.

Read our documents to learn more.

Learn how KPMG and Onapsis work together

SAP cyber and data security
KPMG and Onapsis work side by side with organizations throughout their migration to SAP S/4HANA to help ensure a secure and efficient outcome.

Learn about our 4-step assessment

KPMG SAP cyber security
Our four-step SAP cyber security assessment can provide an in-depth review of your SAP landscape and your ability to protect your most important information assets against cyber attack.