RISE Journey · 01

Planning SAP RISE

The security decisions you make before you sign the RISE contract are the hardest to change later. Most cost blowouts and audit gaps trace back to assumptions made in the planning phase — before any security specialist was in the room.

One week. We deliver a customised SAP Roles and Responsibilities accelerator and a MoSCoW-prioritised product security assessment — so you go into your RISE journey with full visibility, no surprises, and vendor scope that actually holds.

What this looks like in practice

Removed $340K of unnecessary vendor scope before RFP release.

For a recent SAP RISE evaluation, sapcyberx conducted a pre-contract security review and identified security capabilities already included in the customer's RISE subscription that had been scoped as separate line items in the vendor RFP. The customer removed those items from scope before RFP release — saving significant implementation and support cost, and ensuring the security architecture was informed before vendor commitments were locked.

Illustrative, based on typical engagement outcomes. Results vary by RISE contract scope and existing vendor commitments.

  • 1 week to full security clarity
  • $340K of unnecessary vendor scope removed
  • 0 surprises post-contract signature

What's worth understanding before you sign

Shared Responsibility

SAP secures the hyperscaler, base OS and platform patching under RISE. You retain full responsibility for application configuration, identity and access, custom code, integrations, Cloud Connector, and AI workloads — including Joule. This boundary is contractual. Most organisations discover it late.

What RISE includes vs what you still own

RISE includes significant security capability — WAF, security groups, Squid proxy, FWaaS, log services, backup immutability and Web Dispatcher. Many organisations scope and budget for these separately. We map exactly what your RISE subscription covers before your vendor RFP goes out.

Where organisations overspend in Year 1

The most common traps: paying for third-party tools that duplicate RISE ECS capabilities, over-scoping identity projects before the architecture is locked, and including remediation work in the SI scope that falls under SAP ECS responsibility. We identify and remove these before commitments are made.

OUR ACCELERATOR

The SAP Roles & Responsibilities document.
Customised to your enterprise.

Every RISE engagement needs clarity on who owns what. Our SAP R&R accelerator is a pre-built, structured document we customise to your exact RISE landscape and enterprise context. It maps every security control to one of three owners: SAP ECS, your internal team, or your implementation and support vendor.

SAP ECS owns

  • Hyperscaler infrastructure
  • Base OS and patching
  • Platform WAF and FWaaS
  • Log service infrastructure
  • Backup immutability

You own

  • Application security configuration
  • Identity and access management
  • Custom code and ABAP
  • Integration and Cloud Connector
  • AI workloads and Joule

Vendor scope (SI/support)

  • Role design and build
  • Security configuration during implementation
  • Ongoing GRC and IAM support
  • Incident response process
  • Security testing sign-off

Delivered as a structured document in Week 1. Used directly in your vendor RFP and contract negotiations. No surprises.

SAP BOM SECURITY ASSESSMENT

Which SAP products do you really need?
Prioritised before you commit.

We assess your target-state SAP product list and apply a MoSCoW security prioritisation — so your investment goes to the right products, in the right sequence, with no security gaps in your go-live architecture.

MUST HAVE

Critical — secure before go-live

  • S/4HANA core security configuration
  • IAS/IPS identity architecture
  • RFC Gateway hardening
  • SAP NDA and pen test rights in MSA
  • Shared responsibility model documented
  • SIEM log export rights confirmed

SHOULD HAVE

Important — first 90 days

  • BTP security baseline
  • Cloud Connector hardening
  • Role design framework and SoD approach
  • GRC tooling decision
  • SuccessFactors and Ariba integration security
  • Fiori catalogue and OData review

COULD HAVE

Valuable — post go-live

  • AI workload and Joule security review
  • Third-party integration pen test
  • SOC integration and alert tuning
  • ISO 27001 and IRAP alignment mapping
  • Custom code static analysis programme
  • Executive security dashboard

WON'T HAVE THIS PHASE

Deferred — future roadmap

  • Full GRC automation
  • Custom SIEM detection rules
  • DLP implementation
  • Full third-party vendor risk programme
  • Continuous pen testing programme

MoSCoW assessment is specific to your SAP Bill of Materials and target-state architecture. Not a generic checklist — built for your landscape.

What you have at the end of Week 1

SAP R&R Document

Customised roles and responsibilities map — SAP ECS, your team, and your vendor. Ready for RFP and contract use.

MoSCoW Product Security Assessment

Security prioritisation across your specific SAP BOM. Must-have controls before go-live clearly identified.

Vendor Scope Recommendations

Line-item guidance on what to include — and what to remove — from your SI and support vendor RFP.

12-Month Security Roadmap

Sequenced security investment plan. Right capabilities, right phase, no duplication of RISE-included controls.

Top-10 Risk Register

Consolidated risk view mapped to ISM, Essential Eight and NIST. Boardroom-ready.

Executive Briefing

One-page summary for CIO, CISO and programme sponsor. No technical jargon. Decision-ready.

Request a quote

Most engagements start within two weeks of first call. Fixed scope after scoping call.
