
The Ultimate Guide to ISO 27001:2022 Annex A 5.3 Segregation of Duties

Last updated Sep 20, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Segregation of Duty

Segregation of duty is the act of dividing up critical tasks and responsibilities so that no one person has complete control over a process.

Key Takeaways

  • Protect Your Business: Segregating duties is a simple way to protect your business from mistakes and fraud. It means no single person has too much control over important tasks.
  • Smart Security Rule: This ISO 27001 rule helps make sure your company’s information is secure. It’s about splitting up jobs so that everything is double-checked.
  • Easy to Do: You can implement this by writing down who does what and making sure tasks are shared. Regularly checking on these duties keeps your security strong and helps during an audit.

What is ISO 27001 Annex A 5.3?

ISO 27001 Annex A 5.3 Segregation of Duties is an ISO 27001 control that requires an organisation to separate and segregate conflicting information security roles and responsibilities.

Purpose

The purpose of Annex A 5.3 Segregation of Duties is to reduce the risk of fraud, error and bypassing of information security controls.

Definition

ISO 27001 defines Segregation of Duties as:

Conflicting duties and conflicting areas of responsibility should be segregated.

ISO 27001:2022 Annex A 5.3 Segregation of Duties

How to Implement Annex A 5.3

You are going to have to:

Implement Role Based Access Control

Role based access is one of the most common and practical approaches to implementing segregation of duty. Take the time to identify the roles that you require, remove conflicts within and between those roles, and then assign individuals to roles rather than allocating access on a case by case basis. This will help you to remove conflicts in a consistent way.

Divide Responsibilities

Understanding and documenting your processes and systems will allow you to identify the key roles and responsibilities, which can then be allocated to more than one individual to ensure that no one person has complete control of a process or system. This is part of role based access control.

Prevent Collusion

The way that teams are structured, where they are located and how they interact can all have an impact on the opportunity for collusion. Collusion is two or more people working together to commit fraud or circumvent controls.

Monitor and Review

It may be the case that segregation of duty does not work as intended or requires continual improvement. Implementing logging, monitoring and review on a regular basis allows you to identify and manage the cases where it goes wrong, and to make the ongoing improvements needed to ensure that it remains effective.

Approaches to Segregation of Duty

There are many standard approaches with the most common being:

  • Sequential separation: the two signature principle
  • Individual separation: the four eyes principle
  • Spatial separation: the principle of separate actions in separate locations
  • Factorial separation: process completion requires several factors to be true

Segregation of duty in a small organisation

When you work at a new tech company or an early-stage business, your main goals are speed, efficiency, and making a profit. Because of this, you often don’t think about things like segregation of duty.

For example, a small development team might have access to the development, testing, and production environments, and also act as the tech support. This situation presents a clear conflict of interest. A way to fix this is by having different user accounts for different roles. The other way is to accept the risk and manage it via risk management.

How to identify conflict of interest

You can learn how to find conflicts of interest for ISO 27001 by starting with the idea of segregation of duties. This means you should make sure to separate tasks so that no one person has too much control. You need to identify where these conflicts might exist in your own environment.

You can begin by reviewing the roles and responsibilities you have already defined. You should look for potential conflicts, which may be inherent in the standard definitions of certain roles. Once you have identified what those conflicts could be, you can then figure out how to address them.

How to remove conflict of interest

When you want to remove conflicts or separate duties in a company, it’s simple to do if you have many workers. However, it’s much harder in a small business with only a few people.

If you have a small business, you can choose not to follow this rule. The rule might not be a big risk for you, so you don’t have to put it into place. If you decide to do this, you should write it down as a risk and then manage it. This shows you have accepted the risk and are handling it.

How to remove conflict of interest in internal audit

You should know that if you are assuming everything is okay with how duties are separated, there’s a big area where problems can pop up: internal audits. When companies use their own staff to do these audits, it often leads to a conflict of duty.

Imagine if you pick someone to audit an area, but they are also responsible for running that very area. That creates a conflict. This is something you need to fix to make sure your audits are fair and accurate.

Why the information security manager should not do internal audits

You should not do your own internal audits for ISO 27001 if you are also the information security manager. This is because you need to separate your duties. Consultants often have a coworker perform this task for them. You should keep this in mind as it’s something auditors often notice.

Segregation of duties examples

The following are some common real world examples of Segregation of Duty:

Change Control: the change control process usually has several key steps that include the request for change, the approval of the change and the implementation of the change. There would clearly be a conflict of interest if the person requesting was the same person that approved and then actioned the change. In fact it would make the purpose of having a change control process redundant.

Human Resources: there are many processes in HR that require fairness and objectivity. Take the key processes of hiring, performance management and financial rewards such as pay rise reviews and bonus allocation. If the same individual is responsible for all of these key processes then there is a conflict of interest and a lack of impartiality.

Information Technology (IT): as most processes and business operations rely on information technology, IT presents the biggest risk to information security and to the confidentiality, integrity and availability of data. Most fraud occurs via a compromise of IT. Having one individual with total control can lead to changes being made that cannot be caught, because that individual can cover their tracks by manipulating or removing monitoring and logging.

Remove conflict in duties

You are looking to work out where there may be a conflict in duties and to remove that conflict so that one individual cannot exploit it for their own gain.

Let us consider an example.

If a person could request a pay rise, then approve that pay rise and make the payment – would that be a conflict of interest?

The answer if you are struggling, is yes.

A person should not be able to request something, authorise it and then execute it.

Think about it.

In basic terms, what would be the point of the process?

The person may as well just go to the last step and pay themselves what they want.

Role Based Access

Role based access is a great way to implement segregation of duties. You spend a little time up front to work out what the various roles are that people have on systems. You define the role, paying particular attention to remove any conflicts. It is then just a matter of allocating people to roles. It isn’t just people that can be included in role based access though. You can also use it for service and technical accounts. By considering a role based access approach there is consistency in the way access is implemented rather than doing it per individual and it makes both the management and the review of access rights a lot more straightforward. The management of a change in access rights when a person moves job or role or leaves becomes a breeze.

Access reviews

One of the checks and balances and good governance is to implement access reviews. Access reviews should be conducted regularly. You will define what this means but best practice is every month. The access review will be conducted by the asset owner, be that a system owner or a data owner. They will review the accounts that have access, the level of access and if that is still required and appropriate. Where it isn’t they will address it through continual improvement. In this process you will be looking to ensure that segregation of duties is still in place and effective.

ISO 27001 Annex A 5.3 Explained: A Complete Guide

In the video ISO 27001 Annex A 5.3 Segregation of Duty Explained, I show you how to implement it and how to pass the audit.

ISO 27001 Templates

The absolute best way to do this is download the ISO 27001 Toolkit. It includes bonus materials on role based access control with guides on how to do it and templates to make it happen. If that is outside your reach then the ISO 27001 Roles and Responsibilities Template as a stand alone is a good start.

How to pass the ISO 27001 Annex A 5.3 audit

To comply with ISO 27001 Annex A 5.3 Segregation of Duties you are going to implement the ‘how’ to the ‘what’ the control is expecting. You are going to:

  • Write your roles and responsibilities to satisfy ISO 27001 Annex A 5.2
  • List out the systems that people use and have a systems inventory
  • For each system define the roles people have within those systems
  • For the roles you define you are going to document what levels of access those roles have
  • Then you are going to allocate those roles to people
  • The allocation, change and removal of roles is going to be documented in your access control process
  • Plan to review access to your systems at least monthly or if significant change occurs
  • Keep records of your review and audit trails of the access control process

What an auditor looks for

The audit is going to check a number of areas. Let's go through them.

1. They will check the processes that Annex A 5.3 has defined as needing segregation

The standard has already predefined the processes in which it expects segregation, so either make sure you have it or have a compelling reason, which you can justify to the auditor, why you do not.

  • a) initiating, approving and executing a change;
  • b) requesting, approving and implementing access rights;
  • c) designing, implementing and reviewing code;
  • d) developing software and administering production systems;
  • e) using and administering applications;
  • f) using applications and administering databases;
  • g) designing, auditing and assuring information security controls.
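As an added example (not code from the article or its toolkit), the following Python script encodes the seven duty groups above as conflicting pairs, maps constructed role names to duties, and reports every person whose combined roles give them two duties from the same group. The role names, duty names and sample assignments are assumptions made up for the example.

```python
"""Segregation-of-duties conflict check over a role-based access model.

Added example, not from the article or its toolkit. Duty and role names
and the sample assignments are constructed for illustration.
"""
from itertools import combinations

# The duty groups Annex A 5.3 says should be separated; any two duties in
# one group must not be held by the same person.
SEPARATED_DUTIES = [
    ("change:initiate", "change:approve", "change:execute"),
    ("access:request", "access:approve", "access:implement"),
    ("code:design", "code:implement", "code:review"),
    ("software:develop", "production:administer"),
    ("application:use", "application:administer"),
    ("application:use", "database:administer"),
    ("controls:design", "controls:audit", "controls:assure"),
]

# Constructed role definitions: role -> duties the role grants.
ROLES = {
    "developer": {"code:implement", "software:develop"},
    "code_reviewer": {"code:review"},
    "change_requester": {"change:initiate"},
    "change_approver": {"change:approve"},
    "prod_admin": {"change:execute", "production:administer"},
    "isms_manager": {"controls:design"},
    "internal_auditor": {"controls:audit"},
}

def conflict_pairs():
    """Expand the duty groups into the set of unordered conflicting pairs."""
    pairs = set()
    for group in SEPARATED_DUTIES:
        for a, b in combinations(group, 2):
            pairs.add(frozenset((a, b)))
    return pairs

def duties_for(person_roles, roles=ROLES):
    """Union of the duties granted by every role assigned to one person."""
    return set().union(*(roles[role] for role in person_roles))

def find_sod_conflicts(assignments, roles=ROLES):
    """Return {person: sorted [(duty_a, duty_b), ...]} for each conflicting pair held.

    assignments maps person -> list of role names; people with no conflict
    are omitted, so an empty dict means the assignments pass the check.
    """
    pairs = conflict_pairs()
    report = {}
    for person, person_roles in assignments.items():
        held = duties_for(person_roles, roles)
        hits = sorted(tuple(sorted(p)) for p in pairs if p <= held)
        if hits:
            report[person] = hits
    return report

# Constructed sample: a small team where some people hold too much.
SAMPLE_ASSIGNMENTS = {
    "alice": ["developer", "change_requester"],       # develops and raises changes: fine
    "bob": ["developer", "prod_admin"],               # develops and administers production
    "carol": ["change_requester", "change_approver"], # initiates and approves changes
    "erin": ["isms_manager", "internal_auditor"],     # designs controls and audits them
}

if __name__ == "__main__":
    for person, hits in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for duty_a, duty_b in hits:
            print(f"{person}: holds both {duty_a} and {duty_b}")
```

Run it against an export of your real role assignments before an access review; anyone it reports either needs a role change or a documented risk acceptance with compensating controls.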

2. They will check conflicting roles

This is obvious but they are going to look for conflicts and they are coming at this with fresh eyes.

3. Documentation

They are going to look at audit trails and all your documentation. They are looking to see that the roles and responsibilities are defined, that the role based access is defined, that you have a process for access control, and they are going to look for evidence of operation (that you have actually done it). They want to see documentation of regular reviews.

Top 3 ISO 27001 Annex A 5.3 Mistakes and How to Fix Them

Based on experience, the top 3 mistakes people make for ISO 27001 Annex A 5.3 are:

1. You don’t have enough staff to segregate duties

You get stressed because you do not have enough staff to implement segregation of duty, but you do nothing to compensate. It is ok to have conflicts if you cannot avoid them, but you should have additional controls in place, such as logging and monitoring of activity that IS handled and managed by someone else.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have. Have access reviews taken place? Do people actually have the level of access that is documented in your role based access document, or has someone gone and changed the actual access on the systems?

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months and having documents that contain no stray comments are all good practices.

How can an ISO 27001 Toolkit help with ISO 27001 Annex A 5.3?

The ISO 27001 toolkit provides the templates and training for ISO 27001 Annex A 5.3 and specifically role based access templates. The role based access templates allow you to define roles, remove conflicts of interest and allocate people to those roles.


ISO 27001:2022 Annex A 5.3 Segregation of Duties FAQ

What policies do I need for ISO 27001 Segregation of Duties?

For ISO 27001 Segregation of Duties you will need the ISO 27001 Access Control Policy.

Why is Segregation of Duties important?

ISO 27001 Segregation of Duties is important because if one person can do everything then there is significant risk. That could be financial risk right down to just plain devilment. Staff are not always happy campers. There are well known cases of people committing crimes and, because they have access to logs, covering their tracks, and of disgruntled employees causing untold harm. You trust people right now. You think nothing can go wrong. You shouldn’t. And it can.

What is an example of segregation of duty?

An example of segregation of duty would be that the person that submits their company expenses should not be the person that approves the expenses or makes the payment for the expenses. This prevents fraudulent expense claims being submitted and is a check and balance for errors that might occur.

We cannot implement segregation of duty, we are too small?

If you cannot implement segregation of duty then you should consider alternate compensating controls for checks and balances. Examples of this would be management oversight, enhanced system monitoring, logging. There are many ways to tackle the problem so do not worry if you are a small team and cannot implement full segregation of duty. Manage it via risk management and alternate compensating controls to reduce the risk.

Are there free templates for ISO 27001 Segregation of Duties?

There are templates for ISO 27001 Segregation of Duties located in the ISO 27001 Toolkit.

Do I have to satisfy ISO 27001 Segregation of Duties for ISO 27001 Certification?

Yes. Whilst the ISO 27001 Annex A clauses are for consideration to be included in your ISO 27001 Statement of Applicability there is no reason we can think of that would allow you to exclude ISO 27001 Annex A 5.3 Segregation of Duties. Segregating duties and removing conflicts are a fundamental part of any information security defence and control. They are a fundamental part of any information security management system. They are explicitly required for ISO 27001.

Can I write policies for ISO 27001 Segregation of Duties myself?

Yes. You can write the policies for ISO 27001 Segregation of Duties yourself. You will need a copy of the standard and approximately 3 months of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require as well as the policy for role based access control. Alternatively you can download them in the ISO 27001 Toolkit.

Where can I get templates for ISO 27001 Segregation of Duties?

ISO 27001 templates for Segregation of Duties are located in the ISO 27001 Toolkit.

How hard is ISO 27001 Segregation of Duties?

ISO 27001 Segregation of Duties is not particularly hard. It can take a lot of time if you are doing it yourself, but it is not technically very hard. You are going to identify your systems, define roles with the access those roles have and then allocate your people to those roles. Fairly straightforward. We would recommend templates to fast track your implementation.

How long will ISO 27001 Segregation of Duties take me?

ISO 27001 Segregation of Duties will take approximately 3 months to complete if you are starting from nothing and doing it yourself. With an ISO 27001 Toolkit it should take you less than 1 day.

How much will ISO 27001 Segregation of Duties cost?

The cost of ISO 27001 Segregation of Duties will depend how you go about it. If you do it yourself it will be free but will take you about 3 months so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download the ISO 27001 Toolkit then you are looking at a couple of hundred pounds / dollars.

Further Reading

The complete guide to ISO/IEC 27002:2022

ISO 27001 Segregation of Duty Beginner’s Guide

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 5.3 Attribute Table

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: Governance, Identity and access management
Security domains: Governance and Ecosystem

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.