
ISO/IEC 27001 Update 2022/2023 – New Requirements for SAP S/4HANA in the Azure Cloud

Image by Tumisu from Pixabay

By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


The cybersecurity landscape has entered a new era with the release of the ISO/IEC 27001:2022 standard—an overhaul that has far-reaching implications for organizations that rely on SAP S/4HANA deployments in Microsoft Azure. For CISOs and security leaders, this transition represents a renewed emphasis on holistic information security management and underscores the importance of adopting a future-proof approach to compliance. Planning for timely compliance adjustments is vital, especially given how quickly the regulatory and threat landscapes evolve. Below, we explore the salient updates of ISO/IEC 27001:2022, their impact on SAP S/4HANA in the Azure cloud, and strategies for ensuring seamless implementation.


⚙️ 1. The Evolving Standard: Structural & Annex A Changes

ISO/IEC 27001:2022 is characterized by a restructured framework that aligns with ISO/IEC 27002:2022. This alignment is most visible in Annex A, where controls have been consolidated, refined, and regrouped to better address contemporary security challenges, particularly cloud services, supply chain security, and control objectives that map naturally onto Zero Trust principles. Key changes include:

  1. Streamlined Control Sets: The 114 controls in 14 domains of the 2013 edition have been merged and reorganized into 93 controls in four themes (Organizational, People, Physical, Technological). Eleven controls are new, including 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 8.9 Configuration management, 8.16 Monitoring activities and 8.28 Secure coding.
  2. Focus on Emerging Threats: The new controls explicitly call for threat intelligence, continuous monitoring, data leakage prevention and secure coding, which in practice means embedding security checks into DevOps and continuous delivery pipelines rather than bolting them on at audit time.
  3. Revised High-Level Structure: The management system clauses (4 to 10) now follow the updated ISO Harmonized Structure used by other ISO management system standards (ISO 9001, ISO 22301), with small but material additions such as clause 6.3 on planning of changes. This eases integration of multiple compliance frameworks into one governance model.

For organizations running SAP S/4HANA, these updates demand a fresh look at governance and operational processes. Workload placement in Azure magnifies the necessity to address new cloud-oriented controls and maintain rigorous oversight of hybrid environments.


☁️ 2. Impact on Running SAP S/4HANA in Microsoft Azure

SAP workloads are mission-critical, handling large volumes of sensitive data and supporting essential business processes. When these workloads run in Microsoft Azure, the shared responsibility model applies: the cloud provider secures the physical infrastructure, hypervisor and core platform services, while the customer remains responsible for everything above that line. For SAP on Azure virtual machines this includes guest operating system hardening and patching, SAP kernel and HANA patching, application-layer security, data protection, and identity management. The ISO/IEC 27001:2022 revisions reinforce several critical considerations:

  • Cloud Configuration Management: Control 8.9 makes a documented, enforced secure configuration baseline an explicit requirement. In Azure, organizations should codify that baseline with Azure Policy (assigned at management group or subscription scope) and infrastructure-as-code templates, so that every SAP S/4HANA instance is provisioned and audited against the same settings. Note that Azure Blueprints has been deprecated by Microsoft; new baselines should be built on Azure Policy together with template specs or deployment stacks rather than Blueprints.
  • Identity & Access Management (IAM): Stricter expectations for privileged access and identity governance (controls 5.15 to 5.18, 8.2 and 8.5) call for integrating Microsoft Entra ID (formerly Azure Active Directory) Conditional Access and multifactor authentication (MFA) with the SAP application layer. The practitioner caveat: Conditional Access only governs logons that are federated through Entra ID (for example SAML single sign-on into SAP Fiori or the SAP web dispatcher). Direct SAP GUI logons with SAP passwords bypass it entirely, so either route them through Secure Network Communications with Kerberos or certificate-based authentication, or disable password logon for dialog users.
  • Data Encryption & Key Management: Control 8.24 spells out requirements for the use and lifecycle of cryptographic keys. Keep keys in Azure Key Vault (or a managed HSM), use customer-managed keys for disk and storage encryption where the risk assessment requires it, enable SAP HANA native data and log volume encryption, and enforce TLS for all SAP network interfaces so that data is encrypted both at rest and in transit.
  • Resilience & Disaster Recovery: Control 5.30 (ICT readiness for business continuity) requires that recovery capabilities are planned, implemented and tested against business continuity objectives. Azure Site Recovery can replicate the SAP application tier to a secondary region, but it is not the right tool for the HANA database layer; use HANA System Replication (or the equivalent database-native replication for AnyDB) for the database and test the combined failover regularly.
  • Supply Chain Security: Running SAP in Azure typically involves many third-party integrations (interfaces, add-ons, managed service providers). Controls 5.19 to 5.23 add explicit requirements for supplier due diligence, contractual security clauses, ICT supply chain management and monitoring of supplier services, which translates into a documented inventory and periodic review of every external service connected to the SAP landscape.
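As an added illustration of the configuration-baseline point above (this is example code written for this page, not Microsoft's built-in policy or SAP's guidance), the following custom Azure Policy definition denies creation or update of any virtual machine tagged `workload=SAP` unless encryption at host is enabled. The tag name, tag value and display name are assumptions for the example; the resource type and the `securityProfile.encryptionAtHost` alias are the real ones that Azure Policy evaluates.

```json
{
  "properties": {
    "displayName": "SAP VMs must have encryption at host enabled (example policy)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Hypothetical example for ISO/IEC 27001:2022 controls 8.9 (configuration management) and 8.24 (use of cryptography). Denies VMs tagged workload=SAP that do not enable encryption at host.",
    "metadata": {
      "category": "Compute",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Deny",
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "metadata": {
          "displayName": "Effect",
          "description": "Start with Audit to measure impact, then switch the assignment to Deny."
        }
      },
      "workloadTagValue": {
        "type": "String",
        "defaultValue": "SAP",
        "metadata": {
          "displayName": "Workload tag value",
          "description": "Assumed tag value that marks SAP VMs in this example."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "tags['workload']",
            "equals": "[parameters('workloadTagValue')]"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

This is the full definition body as the Azure portal's JSON editor or a `Microsoft.Authorization/policyDefinitions` ARM resource expects it; the Azure CLI (`az policy definition create`) takes the `policyRule` and `parameters` objects separately via `--rules` and `--params`. Two checks before assigning it with `Deny`: encryption at host requires the `EncryptionAtHost` feature of the `Microsoft.Compute` provider to be registered on the subscription, and a deny policy only blocks new or updated resources, so existing non-compliant SAP VMs still need a remediation task or a maintenance window to be brought into line.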

🔧 3. Planning for Timely Compliance Adjustments: A Roadmap

Achieving and maintaining compliance with ISO/IEC 27001:2022 in SAP S/4HANA on Azure requires deliberate, strategic planning. CISOs should lead a coordinated effort across IT, security, risk management, and compliance teams:

  1. Gap Analysis: Begin by mapping existing controls to the revised Annex A. Identify which of the newly introduced or updated controls apply to your SAP workloads, and pinpoint areas of partial or non-compliance.
  2. Azure-Specific Controls: Align each relevant ISO control with the corresponding Azure service and configuration. Use the regulatory compliance dashboard in Microsoft Defender for Cloud (the successor to Azure Security Center), which ships an ISO 27001 standard and maps Azure Policy assessments to its controls, as the continuous evidence source rather than a one-off spreadsheet.
  3. Policy & Procedure Updates: With the refined control categories, update your security policies and operational playbooks accordingly. Maintain robust documentation to demonstrate compliance for audits and certifications.
  4. Automation & Continuous Monitoring: Control 8.16 expects monitoring to cover networks, systems and applications, so Azure-level telemetry alone is not enough. Feed SAP security audit log, change documents and RFC/gateway logs into Azure Monitor Log Analytics, and consider the Microsoft Sentinel solution for SAP applications, which collects those SAP logs and provides SAP-specific analytics rules, so that anomalies in the SAP layer (privileged logons, sensitive transaction use, configuration changes) are correlated with cloud-level events.
  5. Training & Awareness: The newly structured standard places increased emphasis on employee and vendor awareness. Regularly train both technical and non-technical stakeholders on compliance obligations and practical security measures in the cloud.

4. Tips for a Seamless Implementation

  • Establish Clear Ownership: Define responsibilities across teams—CISO, SAP Basis administrators, cloud architects, and compliance officers—so that no aspect of the control landscape is overlooked.
  • Leverage Built-In Tools: Utilize Azure-native governance services (Azure Policy, Microsoft Defender for Cloud, etc.) to simplify your control enforcement and monitoring.
  • Adopt Zero Trust Principles: The new standard resonates with Zero Trust security approaches, calling for strict identity verification, minimal privileges, and micro-segmentation—particularly important for SAP workloads where data is highly sensitive.
  • Engage with Auditors Early: If you aim for certification under ISO/IEC 27001:2022, align with your auditors or certification body early in the transition. Note the hard deadline: certificates issued against ISO/IEC 27001:2013 cease to be valid on 31 October 2025, so a transition audit must be scheduled well before then. Proactive engagement will help identify potential pitfalls and expedite the assessment.
  • Continuous Improvement Mindset: Compliance is not a checkbox exercise. Embrace continuous security improvement by regularly reviewing and updating your controls, especially as Azure and SAP technology evolve.

🚀 Concluding Thoughts: Future-Proofing SAP in the Cloud

The ISO/IEC 27001:2022 update underscores the dynamic nature of cybersecurity and the essential role of holistic, proactive security for cloud-based ERP systems like SAP S/4HANA on Azure. The tightened alignment with current security practices and the introduction of cloud-focused controls mean that organizations must not only comply but continuously refine their security posture to stay ahead of emerging threats.

A well-structured, well-implemented Information Security Management System (ISMS) aligned with the new standard positions an organization to protect its critical SAP workloads effectively. Through a comprehensive approach—covering governance, cloud-native controls, and workforce awareness—CISOs can steer their enterprises toward a resilient, future-proof security posture that meets both current compliance mandates and tomorrow’s evolving landscape.


Publication Note & Disclaimer
This article was originally published on LinkedIn on April 6, 2025 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.