In this ultimate how-to implementation guide to ISO 27001 Annex A 5.3 Segregation of Duties, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Segregation of Duties Implementation Checklist
- Create a Segregation of Duties (SoD) Conflict Matrix
- Audit Active Directory Domain Administrator Privileges
- Separate Financial Approval and Payment Execution
- Mandate Peer Review for Source Code Commits
- Restrict Developer Access to Production Environments
- Implement Multi-Stage Change Management Approvals
- Isolate Physical Key Management from Access Authorisation
- Review High-Privilege Third-Party Service Accounts
- Formalise the Employee Onboarding Access Request Process
- Perform Quarterly Governance Access Re-certifications
- ISO 27001 Annex A 5.3 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 5.3 is the operational enforcement of segregation of duties to minimise the risk of internal fraud and error. This control requires organisations to divide critical business functions between multiple individuals, ensuring that no single person has the authority to initiate, approve, and execute high-risk transactions. By establishing these checks and balances, companies protect assets and ensure accountability.
ISO 27001 Segregation of Duties Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.3. This control ensures that conflicting duties are identified and managed to reduce the risk of unauthorised or unintentional modification of organisational assets.
Create a Segregation of Duties (SoD) Conflict Matrix
Control Requirement: Conflicting duties and areas of responsibility must be identified and segregated.
Required Implementation Step: Open a spreadsheet and list all high-risk business processes (e.g., procurement, payroll, system administration). Map these against job roles to identify “conflicts” where one person could perform and conceal a malicious act.
Minimum Requirement: A documented table identifying at least three key areas (Finance, IT, and HR) where duties are split between two different people.
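The spreadsheet matrix above can be checked mechanically once roles and duties are written down. The following is an added example (not part of the toolkit or this guide) that encodes a small conflict matrix for Finance, IT and HR, maps people to roles, and flags anyone holding both halves of a conflicting pair; all duty names, roles and people are constructed sample data.

```python
"""Added example: flag people who hold both sides of a conflicting duty pair."""
from collections import defaultdict

# Conflicting duty pairs per area (constructed sample matrix, not the guide's template).
# Holding both duties of a pair lets one person perform and conceal a malicious act.
CONFLICT_MATRIX = {
    "Finance": [("initiate_payment", "approve_payment"),
                ("create_vendor", "approve_payment")],
    "IT": [("commit_code", "approve_merge"),
           ("request_access", "grant_access")],
    "HR": [("add_employee_payroll", "approve_payroll_run")],
}

# Role -> duties it carries (constructed sample assignments).
ROLE_DUTIES = {
    "AP Clerk": {"initiate_payment", "create_vendor"},
    "Finance Manager": {"approve_payment"},
    "Developer": {"commit_code"},
    "Tech Lead": {"commit_code", "approve_merge"},   # conflicting by design of the role
    "Service Desk": {"request_access", "grant_access"},
    "Payroll Admin": {"add_employee_payroll"},
    "HR Director": {"approve_payroll_run"},
}

# Person -> roles held (constructed). Several roles accumulate duties.
PERSON_ROLES = {
    "alice": ["AP Clerk"],
    "bob": ["Finance Manager", "AP Clerk"],   # can raise and approve the same payment
    "carol": ["Tech Lead"],
    "dave": ["Developer"],
    "erin": ["Service Desk"],
}


def duties_for(roles: list[str]) -> set[str]:
    """Union of duties across every role a person holds."""
    return set().union(*(ROLE_DUTIES[r] for r in roles))


def find_conflicts(person_roles=PERSON_ROLES) -> dict[str, list[tuple[str, str, str]]]:
    """Return {person: [(area, duty_a, duty_b), ...]} for each violated pair."""
    findings = defaultdict(list)
    for person, roles in person_roles.items():
        held = duties_for(roles)
        for area, pairs in CONFLICT_MATRIX.items():
            findings[person].extend((area, a, b) for a, b in pairs if a in held and b in held)
    return {p: f for p, f in findings.items() if f}


def meets_minimum(matrix=CONFLICT_MATRIX) -> bool:
    """Minimum requirement from the checklist: Finance, IT and HR all have documented pairs."""
    return all(matrix.get(area) for area in ("Finance", "IT", "HR"))
```

Run it against a real role export and every flagged person is either a duty to reassign or a documented compensating control to record in the matrix.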
Audit Active Directory Domain Administrator Privileges
Control Requirement: Access to high-level administrative functions must be restricted to prevent a single point of failure or misuse.
Required Implementation Step: Go to your Active Directory or Azure AD management console and export the ‘Domain Admins’ or ‘Global Admins’ group. Remove any users who do not require these rights for their primary daily tasks.
Minimum Requirement: A screenshot of the admin group showing that no more than two named individuals have full system-wide administrative authority.
Separate Financial Approval and Payment Execution
Control Requirement: Responsibility for initiating a transaction must be separate from the responsibility for approving it.
Required Implementation Step: Open your online banking portal or accounting software settings. Verify that the “Maker/Checker” or “Dual Authorisation” feature is active for all outgoing payments and payroll runs.
Minimum Requirement: A redacted bank statement or portal screenshot showing two different user IDs required for a single transaction approval.
Mandate Peer Review for Source Code Commits
Control Requirement: Technical changes must be reviewed by someone other than the person who developed the change.
Required Implementation Step: Navigate to your Git repository settings (GitHub, GitLab, or Bitbucket). Enable “Branch Protection” on your ‘main’ or ‘production’ branches to require a pull request and at least one independent approval before merging.
Minimum Requirement: A sample Pull Request (PR) log showing the developer’s name and a different colleague’s approval name.
Restrict Developer Access to Production Environments
Control Requirement: Development, testing, and operational environments must be separated to reduce the risk of unauthorised changes.