ISO 27001 in the HRIS Layer: How Workday and SAP Map to Annex A
ISO 27001 Annex A controls feel abstract until you map them to specific HRIS configuration items. Once you do, the test procedure becomes obvious. Here is how A.9, A.12, and A.14 (ISO/IEC 27001:2013 Annex A numbering) translate to Workday, SuccessFactors, and Oracle HCM.
A.9 — Access Control
Maps directly to Workday security groups, integration system security groups (ISSGs), and the integration system user (ISU) model. In SuccessFactors it is Permission Roles, Permission Groups, and role-based permission (RBP) rules. In Oracle it is data roles and the security console role hierarchy. Evidence: quarterly privileged access review attestations plus 'View Members of Security Group' exports.
A.12 — Operations Security
Maps to integration monitoring, alert subscribers, and change management. Evidence: 'View Integration System' showing the alert subscribers, 'Integration Audit' showing how each failure was responded to, and a change ticket for every Preview promotion.
A.14 — System Acquisition, Development & Maintenance
Maps to Preview promotion controls and calculated field validation. Evidence: change records showing the configuration was tested in Preview before production; the 'All Calculated Fields' report filtered to Has Errors = No.
Multi-platform coverage in one scan
Yoetz.ai tags every finding with the matching Annex A control number. Fixing one ISU misconfiguration in Workday simultaneously satisfies A.9.2.3 and the equivalent ISO mapping in SuccessFactors and Oracle.
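The control tagging described above, written out as an added example (not Yoetz.ai's code): three checks run over constructed sample exports, one per Annex A clause discussed here, each returning findings carrying the control reference. Column names, the 90-day attestation window and the review date are assumptions; only A.9.2.3 is given at sub-control level on this page, so the A.12 and A.14 findings stay at clause level.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample exports; column names are assumptions, not real report columns.
SECURITY_GROUP_MEMBERS = [
    {"group": "Security Administrator", "member": "asmith", "privileged": True,
     "last_attested": date(2024, 5, 20)},
    {"group": "ISSG Payroll Outbound", "member": "ISU_Payroll", "privileged": True,
     "last_attested": date(2024, 1, 10)},
    {"group": "HR Partner", "member": "jdoe", "privileged": False,
     "last_attested": date(2023, 11, 2)},
]
INTEGRATION_SYSTEMS = [
    {"name": "INT_Payroll_Outbound", "alert_subscribers": []},
    {"name": "INT_Benefits_Carrier", "alert_subscribers": ["hris-ops@example.com"]},
]
CALCULATED_FIELDS = [
    {"name": "CF_Tenure_Years", "has_errors": False},
    {"name": "CF_Manager_Chain", "has_errors": True},
]
REVIEW_DATE = date(2024, 6, 1)  # assumed date of the scan

@dataclass(frozen=True)
class Finding:
    control: str  # Annex A reference, ISO/IEC 27001:2013 numbering as on the page
    item: str
    detail: str

def check_access_control(members, today, max_age_days=90):
    """A.9.2.3: privileged membership whose attestation is older than a quarter."""
    return [Finding("A.9.2.3", f"{m['group']}/{m['member']}",
                    f"last attested {(today - m['last_attested']).days} days ago")
            for m in members
            if m["privileged"] and (today - m["last_attested"]).days > max_age_days]

def check_operations_security(integrations):
    """A.12: an integration with no alert subscriber has nobody to act on failures."""
    return [Finding("A.12", i["name"], "no alert subscribers")
            for i in integrations if not i["alert_subscribers"]]

def check_dev_maintenance(fields):
    """A.14: calculated fields still carrying errors in the tenant."""
    return [Finding("A.14", f["name"], "Has Errors = Yes")
            for f in fields if f["has_errors"]]

def scan(today=REVIEW_DATE):
    """Run all three checks; every finding carries its Annex A control tag."""
    return (check_access_control(SECURITY_GROUP_MEMBERS, today)
            + check_operations_security(INTEGRATION_SYSTEMS)
            + check_dev_maintenance(CALCULATED_FIELDS))
```

Feeding the same check functions exports from SuccessFactors or Oracle, normalised to these columns, yields findings under the same clause tags, which is the cross-platform mapping the paragraph describes.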