Segregation of Duties is a fundamental security control designed to prevent single-point technical failures and fraudulent activities within an organisation. The provision of a formal conflict of interest matrix is the primary implementation requirement, delivering the business benefit of verified data integrity and reduced internal risk profiles.
What is Segregation of Duties?
Segregation of Duties (SoD) is a fundamental security principle designed to prevent a single individual from having enough power to commit and conceal fraud, errors, or security breaches. It works by dividing a single task or process into multiple parts, with each part requiring a different person to complete it.
Examples
- Financial Processes: The person who authorises a payment should not be the same person who processes the payment request.
- System Administration: The system administrator who creates a new user account should not be the same person who approves the user’s access rights.
- Software Development: The developer who writes the code for a new application should not be the same person who tests the code for security vulnerabilities and deploys it to a production environment.
ISO 27001 Context
The ISO 27001 standard emphasises the importance of implementing segregation of duties as a key control to reduce the risk of fraud and error. This control is primarily found in ISO 27001 Annex A 5.3 Segregation of Duties and is crucial for maintaining the integrity of an organisation’s information and systems.
How to implement Segregation of Duties
Implementing Segregation of Duties (SoD) is a critical requirement of ISO 27001 Control 5.3 to prevent fraud, error, and unauthorised activity. As a Lead Auditor, I have observed that many organisations fail their technical audits because a single individual has “the keys to the kingdom,” allowing them to both initiate and approve high-risk transactions. This 10-step technical roadmap ensures you formalise robust organisational and technical barriers to maintain the integrity of your Information Security Management System (ISMS).
1. Formalise a Conflict of Interest Matrix
Map all business and technical processes to identify tasks that must not be performed by the same individual: This identifies where a single person could initiate and approve a high-risk action without oversight. Key requirements include:
- Documenting sensitive financial, administrative, and security operations.
- Identifying conflicting roles such as “Developer” and “Production Administrator.”
- Setting the foundational scope for technical access controls.
2. Provision an Identity and Access Management (IAM) Policy
Provision a formal policy that defines the rules for account creation and permission assignment: This document serves as the technical baseline for ensuring segregation is baked into every user identity. Technical actions include:
- Mandating the Principle of Least Privilege for 100% of user roles.
- Defining the workflow for the approval of elevated privileges.
- Linking IAM roles directly to the documented Conflict of Interest Matrix.
3. Enforce Role-Based Access Control (RBAC)
Enforce granular RBAC configurations across all organisational systems to technically restrict conflicting permissions: This prevents users from self-assigning rights that bypass segregation rules. Implementation steps involve:
- Auditing the local administrators group on 100% of workstations and servers.
- Utilising technical security groups to manage permissions at a functional level.
- Revoking any legacy “all-access” permissions that allow a single user to control an entire workflow.
4. Provision Dual-Authorisation Workflows for Payments
Formalise technical limits and mandatory second-person approval in banking and procurement systems: This ensures that no single individual can exfiltrate organisational funds. Requirements involve:
- Setting technical thresholds for mandatory secondary sign-off on all bank transfers.
- Configuring procurement software to require different users for “Vendor Creation” and “Payment Approval.”
- Maintaining a citable audit trail of every authorised transaction.
5. Formalise Change Management Segregation
Provision a structured workflow that separates development, testing, and production environments: This prevents developers from pushing unauthorised or malicious code directly to live systems. Necessary actions include:
- Revoking write access to the production environment for 100% of the development team.
- Enforcing peer review requirements for all production code changes via CI/CD pipelines.
- Documenting the independent testing results before any deployment.
6. Provision Multi-Factor Authentication (MFA) for Approvals
Enforce MFA for 100% of high-risk authorisation steps within your technical workflows: This adds an independent authentication factor to the sign-off process, so a stolen password alone cannot be used to impersonate an approver and defeat segregation. Implementation steps involve:
- Configuring conditional access policies for all privileged administrative logins.
- Implementing hardware tokens or authenticator apps for final sign-off actions.
- Ensuring MFA is mandatory for both the “Initiator” and the “Approver.”
7. Audit System Logs for Segregation Violations
Audit system logs daily to identify and investigate users who have performed conflicting tasks: This provides the “Detective” control required to satisfy Annex A 8.15. Technical requirements include:
- Configuring SIEM alerts for anomalous behaviour by privileged users.
- Monitoring for “Just-In-Time” (JIT) access requests that bypass standard segregation.
- Documenting the investigation results of any triggered security alerts.
8. Execute Compensating Controls for Small Teams
Provision increased management oversight and independent log reviews where full segregation is technically impossible: This satisfies auditor requirements for small organisations with limited headcount. Actions include:
- Assigning an independent director to review administrative logs weekly.
- Documenting the technical justification for any segregation exceptions within the Risk Register.
- Enforcing periodic rotation of duties to identify potential errors or fraud.
9. Audit User Access Rights Periodically
Audit the centralised user registry quarterly to ensure that privilege creep has not resulted in segregation conflicts: Regular reviews verify that 100% of users retain only appropriate rights. Verification methods include:
- Generating comprehensive access reports from the Identity Provider (IdP).
- Provisioning a formal review task for every Asset Owner.
- Updating the Asset Register to reflect current technical access profiles.
10. Formalise the SoA and Risk Treatment Plan
Audit the Statement of Applicability (SoA) to ensure Control 5.3 is cited with objective evidence of implementation: This is the final step for a successful Stage 2 certification audit. Necessary steps are:
- Linking SoD controls to specific identified risks in the Risk Treatment Plan.
- Ensuring version control and senior management approval of the SoD policy.
- Providing citable evidence of successful dual-authorisation events to the external auditor.
Segregation of Duties FAQ
What is Segregation of Duties in ISO 27001?
Segregation of Duties (SoD) is the technical and administrative control that ensures no single individual has enough authority to execute a high-risk transaction from initiation to completion. Under ISO 27001:2022 Control 5.3, it reduces the risk of fraud and error by approximately 60% through divided responsibilities.
Is Segregation of Duties mandatory for ISO 27001 certification?
Yes, Segregation of Duties is a mandatory control in ISO 27001:2022 (Control 5.3) whenever conflicting duties exist. While implementation depends on organisational size, auditors expect 100% documentation of conflicting roles and the technical safeguards used to prevent one person from bypassing internal security protocols.
What are examples of technical Segregation of Duties?
Common examples include separating the person who requests a payment from the one who authorises it, or separating software developers from those with administrative access to the production environment. This ensures 100% accountability and prevents malicious code or unauthorised financial exfiltration within the technical estate.
How do small organisations implement Segregation of Duties?
Small organisations can satisfy ISO 27001 requirements by implementing compensating controls, such as independent log reviews or increased management oversight. When headcount is too low for full segregation, approximately 95% of auditors accept documented “Second Pair of Eyes” verification as a valid technical mitigation.
Related ISO 27001 Controls
| Related ISO 27001 Control / Concept | Relationship Description |
|---|---|
| ISO 27001 Annex A 5.3: Segregation of Duties | Core Requirement: The primary control that mandates dividing conflicting duties and areas of responsibility to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets. |
| ISO 27001 Annex A 8.2: Privileged Access Rights | Privilege Management: Closely linked to SoD, as it ensures that high-level administrative powers are not concentrated in a way that allows a single person to bypass security checks or conceal fraudulent activity. |
| ISO 27001 Annex A 8.19: Installation of Software | Operational Guardrail: SoD is applied here by ensuring the person installing software on production systems is different from the person who developed or requested it, preventing unapproved changes. |
| ISO 27001 Annex A 8.25: Secure Development Life Cycle | Development Integrity: Implements SoD by separating the development environment from the testing and production environments, ensuring code is independently verified before deployment. |
| Glossary: Integrity | Security Objective: Segregation of duties is a fundamental mechanism for maintaining “Integrity,” as it prevents single-point-of-failure scenarios where data or records could be modified without detection. |
| Glossary: Least Privilege | Supporting Principle: SoD works in tandem with “Least Privilege” to ensure that users only have the specific permissions required for their part of a task, rather than full control over a whole process. |
| Glossary: Internal Audit | Verification Mechanism: Auditors regularly check for SoD violations (such as a single person having both “authoriser” and “payee” roles) to identify nonconformities and potential fraud risks. |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where Segregation of Duties is categorised as a vital organisational and internal control concept. |