ISO 27001:2022 Annex A 5.3 Segregation of duties

/ By
ISO 27001 Annex A 5.3 Segregation of duties

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.3 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.3 Segregation of Duties

ISO 27001 Annex A 5.3 requires organizations to separate conflicting duties and areas of responsibility to reduce the risk of fraud, error, and the bypassing of security controls. The core principle is that no single person should have enough authority to execute a sensitive process from start to finish without a second person’s involvement. This “Four Eyes” principle creates a system of checks and balances that protects both the organization and its employees.

Core requirements for compliance include:

  • Identification of Conflict: You must analyze your business processes to find where a single person has too much control. Common conflict areas include change management, financial payments, and user access provisioning.
  • Role-Based Access Control (RBAC): Implementing RBAC is the most practical way to enforce segregation. By defining roles with specific, non-overlapping permissions, you ensure that “the person who requests” is technically different from “the person who approves.”
  • Audit Independence: The person responsible for a security control should never be the one to audit it. This is a common failure point for Information Security Managers who try to perform their own internal audits.
  • Regular Access Reviews: You must conduct periodic reviews (ideally monthly) to ensure that roles haven’t drifted and that employees haven’t accumulated “conflicting” permissions over time.
  • Small Business Adaptability: If your team is too small to separate duties physically, you must implement compensating controls like enhanced logging, management oversight, and mandatory risk acceptance in your risk register.

Audit Focus: Auditors will look for “The Self-Approval Trap”:

  1. Change Control: “Show me a recent system change. Who requested it, and who approved it? If they are the same person, you have a non-conformity.”
  2. Access Provisioning: “Can your IT Administrator grant themselves ‘Global Admin’ rights without any secondary notification or approval?”
  3. Independence of Audit: “Who performed the internal audit of the HR process? If it was the HR Manager, that is a conflict of duty.”

Segregation of Duties Matrix (Audit Cheat Sheet):

Role A (The Maker) Role B (The Checker) Conflict? ISO 27001 Rule ISO 27001:2022 Control
Request Purchase Approve Purchase YES One person cannot do both. Annex A 5.3
Write Code Deploy to Prod YES Developers should not have Prod access. Annex A 5.3 / 8.32
Create User Audit Logs YES Admins cannot audit their own actions. Annex A 5.3 / 8.15
Request Access Grant Access YES Self-approval is strictly forbidden. Annex A 5.3 / 5.18

Table of contents

Key Takeaways

  • Segregating duties is a simple way to protect your business from mistakes and fraud. It means no single person has too much control over important tasks.
  • This ISO 27001 rule helps make sure your company’s information is secure. It’s about splitting up jobs so that everything is double-checked.
  • You can implement this by writing down who does what and making sure tasks are shared. Regularly checking on these duties keeps your security strong and helps during an audit.

What is Segregation of Duty?

Segregation of duty is the act of dividing up critical tasks and responsibilities so that no one person has complete control over a process.

What is ISO 27001 Annex A 5.3?

ISO 27001 Annex A 5.3 Segregation of Duties is an ISO 27001 control that requires an organisation to separate and segregate conflicting information security roles and responsibilities.

ISO 27001 Annex A 5.3 requires you to separate key duties. By splitting up tasks, you prevent any single person from having total control over a process. This creates checks and balances for better security.

ISO 27001 Annex A 5.3 Purpose

The purpose of Annex A 5.3 Segregation of Duties is to reduce the risk of fraud, error and bypassing of information security controls.

ISO 27001 Annex A 5.3 Definition

ISO 27001 defines ISO 27001 Segregation of Duty as:

Conflicting duties and conflicting areas of responsibility should be segregated.

ISO 27001:2022 Annex A 5.3 Segregation of Duties

Watch the ISO 27001 Annex A 5.3 Tutorial

In the video ISO 27001 Annex A 5.3 Segregation of Duty Explained show you how to implement it and how to pass the audit.

ISO 27001 Annex A 5.3 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.3 Segregation of Duties. The podcast explores what it is, why it is important and the path to compliance.

A 5.3 Implementation Guidance

You are going to have to

Implement Role Based Access Control

Role based access is one of the most common and practical approaches to implementing segregation of duty. By taking the time to identify the roles that you require and removing conflicts in those roles and then assigning individuals to roles rather that allocating access on a case by case basis will significantly help you to remove conflicts in a consistent way.

Divide Responsibilities

Understanding and documenting your processes and systems will allow you to identify the key roles and responsibilities which can then be allocated to more than one individual and ensure no one person has complete control for a process or system. This is part of role based access control.

Prevent Collusion

The way that teams are structured and where they are located and how they interact can have an impact on introducing the opportunity for collusion. Collusion is the working together to commit fraud or circumvent controls.

Monitor and Review

It may be the case that segregation of duty does not work as intended or requires continual improvement. By implementing logging, monitoring and review on a regular basis allows for the identification and management of when it goes wrong and the ongoing and continual improvements to ensure that it remains effective.

How to Implement Annex A 5.3

The effective implementation of Segregation of Duties (SoD) is a foundational pillar for preventing fraud, reducing human error, and mitigating insider threats. This process involves identifying high-risk workflows and ensuring that no single individual has the authority to initiate, approve, and execute a critical transaction or system change. By following these steps, you will establish a verifiable framework for operational integrity that meets the expectations of ISO 27001 lead auditors.

1. Formalise the Segregation of Duties Policy and Matrix

Establish a documented policy that defines the organisational approach to role separation. This action results in a governance layer that identifies which specific duties are deemed “conflicting” and must never be held by the same individual.

  • Create a Segregation of Duties (SoD) matrix mapping roles against sensitive business and technical processes.
  • Document the “Rules of Engagement” (ROE) for emergency access (break-glass) scenarios where SoD may be temporarily bypassed.
  • Identify critical workflows such as financial payments, software deployment to production, and administrative access management.

2. Provision Role-Based Access Control (RBAC) and IAM Roles

Execute the configuration of your Identity and Access Management (IAM) systems to enforce defined role boundaries. This result-focused step ensures that technical permissions are automatically aligned with the SoD matrix, preventing “privilege creep” as staff change positions.

  • Define distinct IAM roles for “Requestors,” “Approvers,” and “Executors” within your cloud and on-premise infrastructure.
  • Enforce Multi-Factor Authentication (MFA) for all accounts with the authority to approve high-risk changes.
  • Utilise the principle of least privilege to ensure users only possess the technical permissions required for their specific segmented task.

3. Formalise Technical Approval Workflows

Provision automated workflows within your ticketing or CI/CD systems that mandate secondary sign-offs for critical actions. This action ensures that the segregation of duties is technically enforced at the point of execution, rather than relying on manual policy adherence.

  • Configure GitHub or GitLab protected branches to require at least one independent peer review before code is merged.
  • Implement “Four-Eyes” approval protocols within banking and procurement software for all transactions above a defined financial threshold.
  • Set up automated triggers in your IT Service Management (ITSM) tool that block administrators from approving their own change requests.

4. Provision Compensating Controls for Small Teams

Execute alternative oversight mechanisms when the size of the organisation makes full role separation physically impossible. This result-oriented step provides the “equivalent security” required by ISO 27001 auditors to mitigate the risk of concentrated authority.

  • Increase the frequency of independent audit log reviews for individuals holding high-privilege or conflicting roles.
  • Formalise a schedule for a virtual CISO or external third party to perform quarterly spot checks on sensitive transactions.
  • Deploy automated alerting for anomalous activities performed by “Super Users” to ensure rapid detection of policy violations.

5. Execute Periodic Access Reviews and Recertification

Perform a structured audit of user permissions at least twice per year to verify that role separation remains effective. This action results in the identification and remediation of unauthorised access before it can be exploited.

  • Generate “Access Certification” reports to be reviewed and signed off by departmental heads and the CISO.
  • Revoke any legacy permissions identified during the review that create a conflict of interest or an SoD violation.
  • Maintain a log of all access reviews and remediation actions as mandatory evidence for your next ISO 27001 audit.

Approaches to Segregation of Duty

There are many standard approaches with the most common being:

  • Sequential separation: the two signature principle
  • Individual separation: the four eyes principle
  • Spatial separation: the principle of separate actions in separate locations
  • Factorial separation: process completion requires several factors to be true

Segregation of duty in a small organisation

When you work at a new tech company or an early-stage business, your main goals are speed, efficiency, and making a profit. Because of this, you often don’t think about things like segregation of duty.

For example, a small development team might have access to the development, testing, and production environments, and also act as the tech support. This situation presents a clear conflict of interest. A way to fix this is by having different user accounts for different roles. The other way is to accept the risk and manage it via risk management.

How to identify conflict of interest

You can learn how to find conflicts of interest for ISO 27001 by starting with the idea of segregation of duties. This means you should make sure to separate tasks so that no one person has too much control. You need to identify where these conflicts might exist in your own environment.

You can begin by reviewing the roles and responsibilities you have already defined. You should look for potential conflicts, which may be inherent in the standard definitions of certain roles. Once you have identified what those conflicts could be, you can then figure out how to address them.

How to remove conflict of interest

When you want to remove conflicts or separate duties in a company, it’s simple to do if you have many workers. However, it’s much harder in a small business with only a few people.

If you have a small business, you can choose not to follow this rule. The rule might not be a big risk for you, so you don’t have to put it into place. If you decide to do this, you should write it down as a risk and then manage it. This shows you have accepted the risk and are handling it.

How to remove conflict of interest in internal audit

You should know that if you are assuming everything is okay with how duties are separated, there’s a big area where problems can pop up: internal audits. When companies use their own staff to do these audits, it often leads to a conflict of duty.

Imagine if you pick someone to audit an area, but they are also responsible for running that very area. That creates a conflict. This is something you need to fix to make sure your audits are fair and accurate.

Why the information security manager should not do internal audits

You should not do your own internal audits for ISO 27001 if you are also the information security manager. This is because you need to separate your duties. Consultants often have a coworker perform this task for them. You should keep this in mind as it’s something auditors often notice.

Segregation of duties examples

The following are some common real world examples of Segregation of Duty:

Change Control: the change control process usually has several key steps that include the request for change, the approval of the change and the implementation of the change. There would clearly be a conflict of interest if the person requesting was the same person that approved and then actioned the change. In fact it would make the purpose of having a change control process redundant.

Human Resources: there are many processes in HR that require fairness and objectivity. Take the key processes of hiring, performance management and financial rewards such as pay rise reviews and bonus allocation. If the same individual is responsible for all of these key processes then there is a conflict of interest and a lack of impartiality.

Information Technology (IT): as most processes and business operations rely on the use of information technology this presents the biggest risk to information security and the confidentiality, integrity and availability of data. Most fraud occurs via a compromise of IT. Having one individual with total control can lead to changes being made that cannot be caught with tracks being covered via the manipulation or removal of monitoring and logging.

Remove conflict in duties

You are looking to work out where there may be a conflict in duties and to remove that conflict so that one individual cannot exploit it for their own gain.

Let us consider an example.

If a person could request a pay rise, then approve that pay rise and make the payment – would that be a conflict of interest?

The answer if you are struggling, is yes.

A person should not be able to request something, authorise it and then execute it.

Think about it.

In basic terms what would be point in the process?

The person may as well just go to the last step and pay themselves what they want.

Role Based Access

Role based access is a great way to implement segregation of duties. You spend a little time up front to work out what the various roles are that people have on systems. You define the role, paying particular attention to remove any conflicts. It is then just a matter of allocating people to roles. It isn’t just people that can be included in role based access though. You can also use it for service and technical accounts. By considering a role based access approach there is consistency in the way access is implemented rather than doing it per individual and it makes both the management and the review of access rights a lot more straightforward. The management of a change in access rights when a person moves job or role or leaves becomes a breeze.

Access reviews

One of the checks and balances and good governance is to implement access reviews. Access reviews should be conducted regularly. You will define what this means but best practice is every month. The access review will be conducted by the asset owner, be that a system owner or a data owner. They will review the accounts that have access, the level of access and if that is still required and appropriate. Where it isn’t they will address it through continual improvement. In this process you will be looking to ensure that segregation of duties is still in place and effective.

Segregation of Duties Matrix Example

Role A (Maker)Role B (Checker)Conflict?Allowed?
Request PurchaseApprove Purchase❌ YESNO (Same person cannot do both).
Write CodeDeploy to Production❌ YESNO (Devs shouldn’t touch Prod).
Create UserAudit User Logs❌ YESNO (Admins shouldn’t audit themselves).
Request AccessGrant Access❌ YESNO (Self-approval forbidden).

How to pass the ISO 27001 Annex A 5.3 audit

To comply with ISO 27001 Annex A 5.3 Segregation of Duties you are going to implement the ‘how’ to the ‘what’ the control is expecting. You are going to

  • Write your roles and responsibilities to satisfy ISO 20001 Annex A 5.2
  • List out the systems that people use and have a systems inventory
  • For each system define the roles people have within those systems
  • For the roles you define you are going to document what levels of access those roles have
  • Then you are going to allocate those roles to people
  • The allocation, change and removal of roles is going to be documented in your access control process
  • Plan to review access to your systems at least monthly or if significant change occurs
  • Keep records of your review and audit trails of the access control process

What an auditor looks for

The audit is going to check a number of areas. Lets go through them

1. They will check the processes that Annex A 5.3 has defined as needing segregation

The standard has already pre defined processes that it thinks you should have segregation in so either make sure you do or have a compelling reason why you do not that you can justify to the auditor.

  • a) initiating, approving and executing a change;
  • b) requesting, approving and implementing access rights;
  • c) designing, implementing and reviewing code;
  • d) developing software and administering production systems;
  • e) using and administering applications;
  • f) using applications and administering databases;
  • g) designing, auditing and assuring information security controls.

2. They will check conflicting roles

This is obvious but they are going to look for conflicts and they are coming at this with fresh eyes.

3. Documentation

They are going to look at audit trails and all your documentation. They are looking that the roles and responsibilities are defined, that the role based access is defined, that you have a process for access control and they are going to look for evidence of operation ( that you have done it ). They want to see documentation of regular reviews.

Top 3 ISO 27001 Annex A 5.3 Mistakes and How to Fix Them

Based on experience, the top 3 mistakes people make for ISO 27001 annex a 5.3 are

1. You don’t have enough staff to segregate duties

You get stressed because you do not have enough staff to implementation segregation of duty but you do nothing to compensate. It is ok to have conflicts if you cannot avoid it but you should have additional controls in place such as logging and monitoring of activity that IS handled and managed by someone else.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Have access reviews taken place? Do people actually have the level of access that is documented in your role based access document or has someone gone and changed the actual access on the systems.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Applicability of ISO 27001 Annex A 5.3 across different business models.

Business Type Applicability & Interpretation Examples of Control
Small Businesses

Compensating Controls. You likely don’t have enough staff to separate every duty. Compliance allows for “Management Oversight” instead. If one person does everything, the owner must check the logs.

The “Owner Review”: A monthly check where the Director reviews the bank transfer logs or payroll adjustments, acting as the “Second Pair of Eyes.”
External Bookkeeper: Using an external accountant to reconcile the books, separating the “Doer” (internal staff) from the “Checker” (external).
Tech Startups

The “Dev vs. Ops” Divide. The biggest risk is developers pushing malicious code to production. Segregation means the person who writes the code cannot be the only one who approves its deployment.

Pull Request (PR) Rules: Configuring GitHub so that the main branch is protected and requires at least one peer review before merging.
CI/CD Pipelines: Using automated pipelines to deploy code, removing the need for developers to have direct SSH access to production servers.
AI Companies

Data vs. Model Integrity. To prevent “Data Poisoning” or bias, the person selecting the training data should ideally be different from the person evaluating the model’s safety.

Red Teaming Separation: Ensuring the “Red Team” (who attack the model) are organizationally distinct from the “Model Builders,” preventing conflicts of interest.
Access Segmentation: Granting “Read-Only” access to raw datasets for most researchers, reserving “Write/Delete” access for data engineers.
Applicability of ISO 27001 Annex A 5.3 across different business models.

Fast Track ISO 27001 Annex A 5.3 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.3 (Segregation of duties), the requirement is to divide critical tasks and responsibilities among different people to reduce the risk of fraud, error, and bypassing security controls. This is a fundamental organisational control that creates essential “checks and balances.”

Compliance Factor SaaS Compliance Platforms High Table ISO 27001 Toolkit Audit Evidence Example
Policy Ownership Rents access to your SoD rules; if you cancel the subscription, your documented “Maker-Checker” standards and history vanish. Permanent Assets: Fully editable Word/Excel Access Control Policies and SoD Matrix templates you own forever. A localized “Segregation of Duties Matrix” stored on your secure drive defining conflicting roles (e.g., Developer vs. Deployer).
Operational Utility Attempts to “automate” conflicts via dashboards that cannot determine the physical “four-eyes” checks needed for your team. Governance-First: Provides a “Duties Procedures” framework to formalize your existing workflows into an auditor-ready system. A “Role Description” proving that the individual who creates a supplier in the system cannot also approve payments to them.
Cost Efficiency Charges a “Headcount Tax” or “Role Fee” based on the number of users tracked, creating perpetual overhead as you grow. One-Off Fee: A single payment covers your SoD governance for 10 roles or 1,000, with zero recurring costs. Allocating budget to hiring additional security personnel rather than monthly “governance dashboard” subscription fees.
Structural Freedom Mandates rigid reporting formats that often fail to align with lean startup environments or specialized department structures. 100% Agnostic: Procedures adapt to any operating style—from “Maker-Checker” digital workflows to physical “four-eyes” principles. The ability to evolve your organizational chart and departmental responsibilities without reconfiguring a rigid SaaS module.

Summary: For Annex A 5.3, the auditor wants to see that you have identified conflicting roles and documented how they are separated. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.3 FAQ

What is ISO 27001 Annex A 5.3?

ISO 27001 Annex A 5.3 is an organisational control that requires conflicting duties and areas of responsibility to be segregated to reduce the risk of unauthorised or unintentional modification or misuse of organisational assets.

  • Prevents fraud and error by ensuring no single person has end-to-end control over a sensitive process.
  • Minimises the risk of insider threats and malicious activity.
  • Ensures that a system of checks and balances is integrated into business operations.
  • Protects employees from false accusations by providing a transparent audit trail.

Is segregation of duties mandatory for ISO 27001?

Yes, segregation of duties is a mandatory control in ISO 27001:2022 if your risk assessment identifies that a single individual could compromise a critical process without detection.

  • It must be documented in your Statement of Applicability (SoA).
  • Exceptions must be justified and supported by alternative “compensating controls.”
  • Auditors view it as a foundational pillar of a mature Information Security Management System (ISMS).

What are common examples of segregation of duties?

Practical implementation of SoD involves separating the roles of “requesting,” “authorising,” and “executing” within a technical or financial workflow.

  • Software Development: Developers should not have the permission to push code directly to production without a peer review.
  • Access Management: The person who requests access should not be the same person who approves or provisions it.
  • Finance: The person who raises an invoice should not be the person who authorises the payment.
  • Backups: The person responsible for data operations should not be the only person able to delete or modify backup logs.

How can small organisations implement segregation of duties?

When staff numbers are limited, segregation of duties is achieved by implementing “compensating controls” that provide oversight where role separation is not physically possible.

  • Increase the frequency and depth of management reviews and audit log monitoring.
  • Implement automated alerts for high-risk actions or configuration changes.
  • Engage external third parties or virtual CISOs to provide independent verification.
  • Ensure all critical actions require a second “digital signature” or approval via a ticketing system.

What is the difference between Segregation of Duties and Least Privilege?

The primary difference is that Segregation of Duties (SoD) focuses on separating workflow steps between different people, while Least Privilege focuses on restricting a single user’s access to only what is necessary.

  • SoD prevents a single person from completing a whole process alone.
  • Least Privilege (Annex A 8.2) ensures a person cannot access data they don’t need for their job.
  • They are complementary: SoD provides horizontal control, while Least Privilege provides vertical control.

How do auditors verify Annex A 5.3 compliance?

Auditors look for verifiable evidence that duties are split and that no “Super User” can bypass the organisation’s internal controls.

  • Inspection of job descriptions and organisational charts defining split roles.
  • Review of system logs and ticketing history (e.g., Jira, ServiceNow) to prove different people requested and approved changes.
  • Examination of the Statement of Applicability for clearly defined SoD exclusions and compensating controls.
  • Interviews with staff to confirm they understand the boundaries of their specific roles.

Further Reading

How to Implement ISO 27001:2022 Annex A 5.3: Segregation of Duties

The complete guide to ISO/IEC 27002:2022

ISO 27001 Segregation of Duty Beginner’s Guide

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 5.3 Attribute Table

Control typeInformation
security properties		Cybersecurity
concepts		Operational
capabilities		Security domains
PreventiveConfidentialityProtectGovernanceGovernance and Ecosystem
IntegrityIdentity and
access management
Availability
, , , , , , ,
Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor ⚡ 30+ Years Exp 🏢 Ex-GE Leader

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Shopping Basket
Scroll to Top