Compliance Frameworks
SAS follows specific third-party and regulatory standards based on customer and industry requirements. These standards are applied according to the engagement and agreement with the customer. SAS does not guarantee adherence to all listed standards for all services.
1 Programs and certifications are under development.
2 See SAS’ current FedRAMP status on the FedRAMP Marketplace.
Please consult with your account representative regarding applicability of scope.
ISO 9001
ISO 9001 is an international standard for quality management systems. Its purpose is to provide a framework that ensures organizations consistently provide products and services that meet customer and regulatory requirements. Key principles of ISO 9001 include customer focus, continuous improvement, relationship management and evidence-based decision making. For more information, see iso.org/standard/62085
ISO 14001
ISO 14001 is an international standard that defines the requirements for an effective Environmental Management System (EMS). Its purpose is to provide a framework for organizations to set up an EMS that integrates environmental considerations into their operations. ISO 14001 certification demonstrates the organization's commitment to effective environmental management. For more information, see iso.org/standard/60857
ISO 27001
ISO/IEC 27001 is an international standard on how to manage information security. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), the aim of which is to help organizations make the information assets they hold more secure. ISO 27001 is a rigorous security framework whose numerous controls span technical, organizational, legal, physical and human resource measures. For more information, see iso.org/standard/27001
ISO 27017
ISO/IEC 27017: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, is a security standard that is part of the ISO/IEC 27000 family of standards. It is an extension of ISO 27001, providing guidelines for information security controls within a cloud computing (cloud services) environment. For more information, see iso.org/standard/43757
ISO 27018
ISO/IEC 27018: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, is a security standard that is part of the ISO/IEC 27000 family of standards. It is an extension of ISO 27001 and was the first international standard focused on privacy in cloud computing services. It helps cloud service providers who process Personally Identifiable Information (PII) to assess risk and implement controls for protecting PII. For more information, see iso.org/standard/76559
Information Technology Security Guidance Publication 33 (ITSG-33)
The Canadian Centre for Cyber Security (CCCS) is Canada’s authoritative source of cyber security expert guidance. The CCCS maintains a Cloud Service Provider Information Technology Security Assessment Process for the CCCS Medium Cloud Security Profile as described in ITSG-33 (IT Security Risk Management: A Lifecycle Approach, Annex 3 – Security Control Catalogue). Meeting the medium cloud security profile is required to host workloads that are classified up to and including Medium categorization, including Protected B data. For more information, see cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#eff
Criminal Justice Information Services Security Policy (CJIS)
Criminal Justice Information (CJI) is processed by multiple agencies including federal, state and local government. Education and awareness are necessary to provide employees, contractors and other persons with the information to protect Criminal Justice Information provided by the Federal Bureau of Investigation. For more information, see fbi.gov/services/cjis/cjis-security-policy-resource-center
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA is a U.S. law designed to protect the privacy and security of individuals' medical information. It sets standards for the electronic exchange, privacy and security of health information and establishes requirements for safeguarding personal health data. Compliance with HIPAA is required for healthcare providers, insurers, and other entities handling Personal Health Information. For more information, visit cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa
Internal Revenue Service (IRS) Publication 1075
In order to receive, store or process Federal tax return and return information (FTI), agencies and other authorized recipients must establish effective controls to ensure the adequate protection of the FTI as defined in Title 26 U.S. Code Section 6103 and described in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide managerial, operational and technical controls. For more information, see irs.gov/pub/irs-pdf/p1075.pdf
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) grants parents specific rights concerning their children's education records. For more information, see studentprivacy.ed.gov/ferpa
The Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a U.S. government program designed to standardize the security assessment, authorization and continuous monitoring processes for cloud services used by federal agencies. Its main goal is to ensure that cloud service providers (CSPs) meet strict security requirements before their services can be used by government agencies.
FedRAMP provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. This helps reduce the risk and cost associated with managing cloud services and ensures that federal data is protected in accordance with federal security requirements. For more information, visit fedramp.gov
FISMA-NIST 800-53 Rev. 5
The Federal Information Security Management Act (FISMA) requires federal agencies, departments and contractors to adequately safeguard information systems and assets. The guidelines for managing government data systems are detailed in the National Institute of Standards and Technology (NIST) Special Publication 800-53. This document serves as a cybersecurity standard and compliance framework that identifies controls based on risk, cost-effectiveness and operational capability. For more information, see csrc.nist.gov/topics/laws-and-regulations/laws/fisma
SOC 1
Service Organization Controls (SOC) reports aim to instill trust and assurance in a service organization’s processes and controls through an evaluation by an independent Certified Public Accountant. A SOC 1 report specifically addresses outsourced services and the internal controls pertinent to financial reporting. For more information, see aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
SOC 2
The AICPA’s SOC program provides internal control reports for service organizations. A SOC 2 report focuses on controls related to security, availability, processing integrity, confidentiality or privacy. A SOC 2 Type 2 report covers a specific period and audits both the design and effectiveness of these controls. For more information, see aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
SOC 3
Service Organizational Control (SOC) reports are intended to address the requirements of users who seek assurance regarding a service organization’s controls over the security, availability and processing integrity of its systems, as well as the confidentiality or privacy of the information these systems manage. Given their nature as general-use reports, SOC 3 reports can be freely shared. For more information, see aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
StateRAMP
StateRAMP offers a standardized approach for state and local governments to ensure contractors have adequate security and data controls. It supports governments, assessors and cloud providers by following the NIST SP 800-53 framework, using a "complete once, use many" strategy to save time and costs. For more information, see stateramp.org
U.S. Food & Drug Administration Electronic Records; Electronic Signatures Rule: 21 CFR Part 11
21 Code of Federal Regulations (CFR) Part 11 is a regulation issued by the United States Food and Drug Administration (FDA). It focuses on electronic records and signatures in open and closed computer systems used in FDA-regulated activities, ensuring their integrity, authenticity, and reliability. For more information, see fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application
Data Privacy Framework Program
The Data Privacy Framework (DPF) program, overseen by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables eligible U.S.-based organizations to self-certify their compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. To participate, organizations must self-certify to the ITA via the Department's DPF program website and publicly commit to adhering to the DPF Principles. Compliance becomes mandatory once an organization self-certifies. For more information, see www.dataprivacyframework.gov
Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that creates a comprehensive information and communication technology (ICT) risk management framework for the financial sector within the EU. More specifically, DORA establishes standards that apply to financial institutions, including banks, insurance companies and investment firms, and their “critical” third-party technology service providers. For more information, see eiopa.europa.eu/digital-operational-resilience-act-dora_en
European Banking Authority (EBA) Guidelines on Outsourcing Arrangements
The European Banking Authority (EBA), an EU financial supervisory authority, sets forth guidelines for outsourcing arrangements, including those related to cloud services. The guidelines clearly define outsourcing and assess the criticality and importance of outsourced activities. For more information, see eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing
General Data Protection Regulation (GDPR)
The European Union (EU) adopted the General Data Protection Regulation (GDPR) 2016/679 in 2016 to replace Directive 95/46/EC. GDPR is the EU's data protection law that regulates how organizations collect and process personal data. It applies to entities that process data of EU citizens and residents, regardless of their location in the world. For more information, see eur-lex.europa.eu
Spanish National Security Framework (ENS)
Esquema Nacional de Seguridad (ENS) is a framework designed to ensure the security of information systems in Spain. It is regulated by Royal Decree 311/2022. The framework defines requirements for information security management, risk assessment, and management controls. For more information, see ens.ccn.cni.es/en/what-is-the-ens
Cyber Essentials Plus
Cyber Essentials is a UK government-backed scheme designed to help organizations protect themselves against common cyber threats. It provides a basic level of cybersecurity and is often used as a foundation for more advanced security measures. An advanced level, called Cyber Essentials Plus, includes additional testing and verification. For more information, see www.ncsc.gov.uk/cyberessentials
UK Government G-Cloud Framework
The UK Government G-Cloud is a procurement vehicle for streamlining cloud-computing procurement by UK public-sector agencies. It enables public entities to purchase cloud services on government-approved contracts via an online Digital Marketplace. For more information, see gov.uk/guidance/g-cloud-suppliers-guide
Australian Prudential Regulation Authority (APRA) CPS 230: Operational Risk Management
APRA Cross-Industry Prudential Standard (CPS) 230 applies to financial services entities and their outsourcing of a 'material business activity'. It aims to ensure that APRA-regulated entities manage operational risks effectively, maintain critical operations during disruptions, and meet compliance obligations. Its effective date is 1 July 2025. For pre-existing contractual arrangements, the standard applies from the next contract renewal date or 1 July 2026, whichever comes first. CPS 230 replaces several existing standards, including CPS 232 Business Continuity Management and CPS 231 Outsourcing. For more information, see www.apra.gov.au
Australian Prudential Regulation Authority (APRA) CPS 231: Outsourcing
APRA Cross-Industry Prudential Standards (CPS) 231 is a prudential standard issued by the Australian Prudential Regulation Authority (APRA). It focuses on the risk management and governance of outsourced service providers by regulated institutions. The standard applies to banks, insurers, and superannuation funds regulated by APRA. For more information, see apra.gov.au
Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234: Information Security
APRA CPS 234 is a prudential standard issued by the Australian Prudential Regulation Authority (APRA). It focuses on information security management. It establishes requirements for APRA-regulated entities to protect their information assets and manage security risks effectively. For more information, see apra.gov.au
Association of Banks in Singapore (ABS) Guidelines
The Association of Banks in Singapore (ABS) has issued the ABS Guidelines on Control Objectives and Procedures for Outsourced Service Providers. The Guidelines contain information security guidance for service providers who deliver services to financial institutions operating in Singapore. A third-party audit against the ABS Guidelines enables an outsourced service provider (OSP) to receive an Outsourced Service Provider Audit Report (OSPAR) attestation. For more information, see abs.org.sg/industry-guidelines/outsourcing