1. Purpose

This is a comprehensive Procedure document for SyWay SAP systems Patch Maintenance, covering both On-Premise and SaaS/Cloud (Public and Private) deployments. This procedure defines the standardized process for planning, assessing, applying, testing, validating and documenting SAP patches (Support Packages, Security Notes, Kernel patches, Hotfixes etc.) across the landscape. The goal is to minimize security risks, ensure system stability and compliance, reduce downtime, and maintain business continuity while adhering to the shared responsibility model in cloud environments.

1.1 Key Objectives

Apply security patches regularly on monthly basis (especially SAP Security Notes released on Patch Day).
Manage functional corrections, support packages, Hotfix Collections (HFC), Kernel updates and other Infrastructure patches.
Coordinate maintenance across SAP Rise Private Cloud Edition (PCE), BTP and SaaS solutions.

2. Scope

Include the scope details in this section. Rise, BTP, SaaS, Azure/AWS

3. Guiding Principles

Prioritize security notes and aim to complete installation across the landscape within the same month
Avoid patching before Major release
Always test in non-production environments first
Use SAP Cloud ALM for unified visibility across hybrid landscape
Maintain uniform patch levels across landscape where possible
Maintain detailed documentation of all changes for future reference (i.e., SOX and GDPR compliance)
Define clear rollback plans in production (backups + transport rollback)
Schedule regular Patch Day reviews with relevant stakeholders
For SaaS, subscribe to product community pages and cloud service status for schedule

4. Roles and Responsibilities

4.1 Shared Responsibility Model

Under RISE with SAP, security responsibilities are divided between SAP Enterprise Cloud Services (ECS) and the customer. That means SAP do not handles all patching automatically

SAP ECS — Infrastructure Layer

Customer — Application Layer

• OS-level security patching (hyperscaler VMs)

• Database (HANA) patching & administration

• Network, compute & storage maintenance

• HotNews/Emergency notes with no manual steps

• JAVA component patches (standard contract)

• System reboots for infrastructure patches

• 24×7 infrastructure monitoring

• Key management for data at rest

• Review & risk-assess all SAP Security Notes

• Request application patches via Service Request

• Provide downtime windows for scheduled patches

• Test all implemented notes in DEV and QAS

• Authorise transport to Production

• User administration, roles & authorisations

• Custom ABAP/code security & SoD management

• RFC access restriction & security configuration

4.2 RACI Matrix

Activity	Syway Platform Team	Syway Platform Lead	Functional Owner	SAP ECS
Review published Security Notes (me.sap.com)	R	C	I	I
Identify relevant notes	R	C	C	C
Note assessment & prioritisation	R	C	C	I
Raise Jira	R	A	I	I
Implement note — application layer	R	C	I	I
Testing	R	C	R	I
Approve & deploy via Active Control	R	A	C	I

R = Responsible | A = Accountable | C = Consulted | I = Informed

5. Patch types and Frequency

Include Security Notes, SPS, Hotfixes, Kernel, Infrastructure OS/DB and component specific (ST-PI, ST-A/PI etc.)

1. Purpose

1.1 Key Objectives

2. Scope

3. Guiding Principles

4. Roles and Responsibilities

4.1 Shared Responsibility Model

4.2 RACI Matrix

5. Patch types and Frequency

6. Schedule

6.1 SAP Rise

6.2 Public Cloud (SaaS)

6.3 Azure/AWS dependent components

7. Compliance & KPIs