ISO27002: 2022 Clause 5.3 Segregation of Duties
In this article I lay bare ISO27001 Annex A 5.3 / ISO27002: 2022 Clause 5.3 Segregation of Duties.
A beginners guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Annex A 5.3
- ISO27002: 2022 Clause 5.3 Segregation of Duties
- What is ISO27001 Annex A 5.3?
- ISO27001 Annex A 5.3 Definition
- ISO27001 Annex A 5.3 Implementation Guide
- ISO27001 Annex A 5.3 Templates
- How to comply with ISO27001 Annex A 5.3
- How to pass an audit of ISO27001 Annex A 5.3
- What will an audit check?
- Top 3 Annex ISO27001 A 5.3 Mistakes People Make
- Why is ISO27001 Annex A 5.3 Important?
- ISO27001 Annex A 5.3 FAQ
- Matrix of controls and attribute values
- See Also
What is ISO27001 Annex A 5.3?
ISO27001 Annex A 5.3 Segregation of Duties is an ISO27002: 2022 control that requires an organisation to separate and segregate conflicting information security roles and responsibilities.
ISO27001 Annex A 5.3 Definition
The ISO27001 standard defines ISO27001 Annex A 5.3 Segregation of Duties as:
Conflicting duties and conflicting areas of responsibility should be segregated.ISO27001 Annex A 5.3
ISO27001 Annex A 5.3 Implementation Guide
You are looking to work out where there may be a conflict in duties and to remove that conflict so that one individual cannot exploit it for their own gain.
Let us consider an example.
If a person could request a pay rise, then approve that pay rise and make the payment – would that be a conflict of interest?
The answer if you are struggling, is yes.
A person should not be able to request something, authorise it and then execute it.
Think about it.
In basic terms what would be point in the process?
The person may as well just go to the last step and pay themselves what they want.
So how do you go about implementing this control? Let us take a look.
You are going to have to
- define your roles and responsibilities as covered in ISO27001 Annex A 5.2 Information Security Roles And Responsibilities
- identify where there are conflicts and remove them
- implement role based access controls
- regularly review the access
The absolute best way to do this is download the ISO27001 Templates Toolkit. It includes bonus materials on role based access control with guides on how to do it and templates to make it happen. If that is outside your reach then the ISO27001 Roles and Responsibilities Template as a stand alone is a good start.
ISO27001 Annex A 5.3 Templates
If you want to write these yourself I totally commend you. And pity you in equal measure. You could save months of effort with these templates that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.
How to comply with ISO27001 Annex A 5.3
To comply with ISO27001 Annex A 5.3 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to
- Write your roles and responsibilities to satisfy ISO20001 Annex A 5.2
- List out the systems that people use and have a systems inventory
- For each system define the roles people have within those systems
- For the roles you define you are going to document what levels of access those roles have
- Then you are going to allocate those roles to people
- The allocation, change and removal of roles is going to be documented in your access control process
- Plan to review access to your systems at least monthly or if significant change occurs
- Keep records of your review and audit trails of the access control process
How to pass an audit of ISO27001 Annex A 5.3
To pass an audit of ISO27001 Annex A 5.3 you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.
What will an audit check?
The audit is going to check a number of areas. Lets go through them
#1 Processes the Annex A 5.3 has defined as needing segregation
The standard has already pre defined processes that it thinks you should have segregation in so either make sure you do or have a compelling reason why you do not that you can justify to the auditor.
- a) initiating, approving and executing a change;
- b) requesting, approving and implementing access rights;
- c) designing, implementing and reviewing code;
- d) developing software and administering production systems;
- e) using and administering applications;
- f) using applications and administering databases;
- g) designing, auditing and assuring information security controls.
#2 Conflicting Roles
This is obvious but they are going to look for conflicts and they are coming at this with fresh eyes.
They are going to look at audit trails and all your documentation. They are looking that the roles and responsibilities are defined, that the role based access is defined, that you have a process for access control and they are going to look for evidence of operation ( that you have done it ). They want to see documentation of regular reviews.
Top 3 Annex ISO27001 A 5.3 Mistakes People Make
The top 3 Mistakes People Make For ISO27001 Annex A 5.3 are
#1 You don’t have enough staff to segregate duties
You get stressed because you do not have enough staff to implementation segregation of duty but you do nothing to compensate. It is ok to have conflicts if you cannot avoid it but you should have additional controls in place such as logging and monitoring of activity that IS handled and managed by someone else.
#2 One or more members of your team haven’t done what they should have done
Prior to the audit check that all members of the team have done what they should have. Have access reviews taken place? Do people actually have the level of access that is documented in your role based access document or has someone gone and changed the actual access on the systems.
#3 Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
Why is ISO27001 Annex A 5.3 Important?
ISO27001 Annex A 5.3 Segregation of Duties is important because if one person can do everything then there is significant risk. That could be financial risk right down to just plain devilment. Staff are not always happy campers. There are well known cases of people committing crimes and because they have access to logs they cover their tracks. Disgruntled employees causing untold harm.
You trust people right now. You think nothing can go wrong. You shouldn’t. And it can.
ISO27001 Annex A 5.3 FAQ
For ISO27001 Annex A 5.3 Segregation of Duties you will need the ISO27001 Access Control Policy: https://hightable.io/product/access-control-policy-template/
An example of segregation of duty would be that the person that submits their company expenses should not be the person that approves the expenses or makes the payment for the expenses. This prevents fraudulent expense claims being submitted and is a check and balance for errors that might occur.
If you cannot implement segregation of duty then you should consider alternate compensating controls for checks and balances. Examples of this would be management oversight, enhanced system monitoring, logging. There are many ways to tackle the problem so do not worry if you are a small team and cannot implement full segregation of duty. Manage it via risk management and alternate compensating controls to reduce the risk.
There are templates for ISO27001 Annex A 5.3 located here: https://hightable.io/iso-27001-toolkit/
ISO27001 Annex A 5.3 Sample PDF: https://hightable.io/iso-27001-toolkit/
Yes. Whilst the ISO27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO27001 Annex A 5.3. Segregating duties and removing conflicts are a fundamental part of any information security defence and control. They are a fundamental part of any information security management system. They are explicitly required for ISO27001.
Yes. You can write the policies for ISO27001 Annex A 5.3 yourself. You will need a copy of the standard and approximately 3 months of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require as well as the policy for role based access control. Alternatively you can download them here: https://hightable.io/iso-27001-toolkit/
ISO27001 templates for ISO27001 Annex A 5.3 are located here: https://hightable.io/iso-27001-toolkit/
ISO27001 Annex A 5.3 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. You are going to identify your systems, define role with the access those roles have and then allocate your people to those roles. Fairly straightforward. We would recommend templates to fast track your implementation.
ISO27001 Annex A 5.3 will take approximately 3 months to complete if you are starting from nothing and doing it yourself. With an ISO27001 Template Toolkit it should take you less than 1 day.
The cost of ISO27001 Annex A 5.3 will depend how you go about it. If you do it yourself it will be free but will take you about 3 months so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO27001 Policy Template toolkit then you are looking at a couple of hundred pounds / dollars.
Matrix of controls and attribute values
- Guaranteed ISO 27001 Certification up to 10x Faster and 30x Cheaper
- The Ultimate ISO 27001 TOOLKIT so you can do it yourself
- ISO 27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)
- 25 Things You Must Know Before Going for ISO 27001 Certification (Number 3 will blow your mind!)
- The Ultimate Reference Guide to ISO 27001 Controls