ISO 27001 Segregation of Duty
ISO 27001 segregation of duty can be confusing and a challenge for small organisations. In this ISO 27001 article you will learn
- What ISO 27001 Segregation of Duty is
- How to implement it
Table of contents
What is ISO 27001 Segregation of Duty?
ISO 27001 Segregation of Duty is the act of dividing up critical tasks and responsibilities so that no one person has complete control over a process.
Why do ISO 27001 Segregation of Duty
Segregation of duty is a requirement of the ISO 27001 standard and covered in ISO 27001 Annex A 5.3 Segregation of Duties
By putting in place segregation of duty you will:
- Prevent fraud: the single biggest reason to implement segregation of duty is to eliminate the opportunity for fraud and to make it more difficult for a single individual to manipulate a process for personal gain.
- Enhance security: by implementing role based access (RBAC) and dividing roles and responsibilities based on business need and the experience of individuals will protect against unauthorised access and use.
- Reduce errors: by involving more than one person mistakes and inconsistencies can be caught that a single person may not catch or see.
Why ISO 27001 Segregation of Duty is important
Inadequate segregation of duties and responsibilities within an organisation can create significant security vulnerabilities. This lack of separation can increase the risk of fraud, misuse of resources, unauthorised access, and other security incidents.
Furthermore, when individuals can easily collude, the risk of these security breaches increases. Insufficient controls to prevent or detect such collusion exacerbate this problem.
To comply with the requirements outlined in ISO 27001 Segregation of Duty, organisations must:
- Identify critical duties and areas of responsibility that require segregation.
- Implement and maintain effective controls to enforce this segregation.
How to implement Segregation of Duty
Time needed: 1 hour and 30 minutes
How to implement ISO 27001 Segregation of Duty
- Approaches to Segregation of Duty
There are many standard approaches with the most common being:
Sequential separation: the two signature principle
Individual separation: the four eyes principle
Spatial separation: the principle of separate actions in separate locations
Factorial separation: process completion requires several factors to be true - Implement Role Based Access Control
Role based access is one of the most common and practical approaches to implementing segregation of duty. By taking the time to identify the roles that you require and removing conflicts in those roles and then assigning individuals to roles rather that allocating access on a case by case basis will significantly help you to remove conflicts in a consistent way.
- Divide Responsibilities
Understanding and documenting your processes and systems will allow you to identify the key roles and responsibilities which can then be allocated to more than one individual and ensure no one person has complete control for a process or system. This is part of role based access control.
- Prevent Collusion
The way that teams are structured and where they are located and how they interact can have an impact on introducing the opportunity for collusion. Collusion is the working together to commit fraud or circumvent controls.
- Monitor and Review
It may be the case that segregation of duty does not work as intended or requires continual improvement. By implementing logging, monitoring and review on a regular basis allows for the identification and management of when it goes wrong and the ongoing and continual improvements to ensure that it remains effective.
ISO 27001 Segregation of Duty Examples
The following are some common real world examples of Segregation of Duty:
Change Control: the change control process usually has several key steps that include the request for change, the approval of the change and the implementation of the change. There would clearly be a conflict of interest if the person requesting was the same person that approved and then actioned the change. In fact it would make the purpose of having a change control process redundant.
Human Resources: there are many processes in HR that require fairness and objectivity. Take the key processes of hiring, performance management and financial rewards such as pay rise reviews and bonus allocation. If the same individual is responsible for all of these key processes then there is a conflict of interest and a lack of impartiality.
Information Technology (IT): as most processes and business operations rely on the use of information technology this presents the biggest risk to information security and the confidentiality, integrity and availability of data. Most fraud occurs via a compromise of IT. Having one individual with total control can lead to changes being made that cannot be caught with tracks being covered via the manipulation or removal of monitoring and logging.
ISO 27001 Segregation of Duty Templates
ISO 27001 Access Control Policy
The ISO 27001 access control policy enables you to perform segregation of duty and access control management. Built into a powerful ISO 27001 access control policy template that is pre built and ready to go.
ISO 27001 Roles and Responsibilities Template
The ISO 27001 Roles and Responsibilities document enables you to document your information security roles and identify and manage conflicts. Built into a powerful ISO 27001 Roles and Responsibilities template that is pre built and ready to go.
Watch the Tutorial
Watch the ISO 27001 tutorial How to implement ISO 27001 Segregation of Duty
Further Reading
For a detailed guide on how to implement Segregation of Duty, read the implementation guide ISO 27001 Annex A 5.3 Segregation of Duties
