ISO 27001 Segregation of Duty Ultimate Guide

Home / ISO 27001 Tutorials / ISO 27001 Segregation of Duty Ultimate Guide

ISO 27001 Segregation of Duty

In this ISO 27001 ultimate guide to ISO 27001 Segregation of Duty you will learn

  • What ISO 27001 Segregation of Duty is
  • How to implement Segregation of Duty for ISO 27001

I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Segregation of Duty. 

What is ISO 27001 Segregation of Duty?

ISO 27001 Segregation of Duty is the act of dividing up critical tasks and responsibilities so that no one person has complete control over a process.

By doing this you can:

  • Prevent fraud: the single biggest reason to implement segregation of duty is to eliminate the opportunity for fraud and to make it more difficult for a single individual to manipulate a process for personal gain.
  • Enhance security: by implementing role based access (RBAC) and dividing roles and responsibilities based on business need and the experience of individuals will protect against unauthorised access and use.
  • Reduce errors: by involving more than one person mistakes and inconsistencies can be caught that a single person may not catch or see.

ISO 27001 Segregation of Duties, through functional separation, aims to:

  • Reduce the risk of fraud and errors: By preventing a single individual from having excessive control over critical processes.
  • Enhance information security: By establishing checks and balances within the organisation.

This control is crucial for implementing and maintaining an effective Information Security Management System (ISMS) within a company.

Purpose

The purpose of ISO 27001 Segregation of Duty is to reduce the risk of fraud, error and bypassing of information security controls.

Definition

The ISO 27001 standard defines ISO 27001 Segregation of Duty as:

Conflicting duties and conflicting areas of responsibility should be segregated.

ISO 27001:2022 Annex A 5.3 Segregation of Duties

ISO 27001 Toolkit

ISO 27001 Segregation of Duty Explained

Most organisations rely on a set of policies and procedures to guide their internal operations. While these are crucial, their effectiveness hinges on proper documentation and clear communication.

When policies and procedures are unclear or poorly disseminated, employees can become confused about their roles and responsibilities. This confusion is further exacerbated when responsibilities overlap or conflict.

These conflicting responsibilities can lead to:

  • Redundant efforts: Employees may unknowingly duplicate work, wasting valuable time and resources.
  • Conflicting actions: Different individuals may undertake actions that counteract each other, hindering progress and productivity.
  • Reduced morale: Confusion and frustration among employees can negatively impact team morale and overall company performance.

To prevent these issues, organisations must proactively identify and address potential conflicts in responsibilities. This often involves implementing clear segregation of duties, ensuring that different individuals handle distinct organisational roles.

Why is ISO 27001 Segregation of Duty important?

Inadequate segregation of duties and responsibilities within an organisation can create significant security vulnerabilities. This lack of separation can increase the risk of fraud, misuse of resources, unauthorised access, and other security incidents.

Furthermore, when individuals can easily collude, the risk of these security breaches increases. Insufficient controls to prevent or detect such collusion exacerbate this problem.

To comply with the requirements outlined in ISO 27001 Segregation of Duty, organisations must:

  • Identify critical duties and areas of responsibility that require segregation.
  • Implement and maintain effective controls to enforce this segregation.

ISO 27001 Segregation of Duty Examples

The following are some common real world examples of Segregation of Duty:

Change Control: the change control process usually has several key steps that include the request for change, the approval of the change and the implementation of the change. There would clearly be a conflict of interest if the person requesting was the same person that approved and then actioned the change. In fact it would make the purpose of having a change control process redundant.

Human Resources: there are many processes in HR that require fairness and objectivity. Take the key processes of hiring, performance management and financial rewards such as pay rise reviews and bonus allocation. If the same individual is responsible for all of these key processes then there is a conflict of interest and a lack of impartiality.

Information Technology (IT): as most processes and business operations rely on the use of information technology this presents the biggest risk to information security and the confidentiality, integrity and availability of data. Most fraud occurs via a compromise of IT. Having one individual with total control can lead to changes being made that cannot be caught with tracks being covered via the manipulation or removal of monitoring and logging.

ISO 27001 Segregation of Duty Templates

ISO 27001 Access Control Policy

The ISO 27001 access control policy enables you to perform segregation of duty and access control management. Built into a powerful ISO 27001 access control policy template that is pre built and ready to go.

ISO 27001 Access Control Policy Template

ISO 27001 Roles and Responsibilities Template

The ISO 27001 Roles and Responsibilities document enables you to document your information security roles and identify and manage conflicts. Built into a powerful ISO 27001 Roles and Responsibilities template that is pre built and ready to go.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

Watch the Tutorial

Watch the ISO 27001 tutorial How to implement ISO 27001 Segregation of Duty

How to implement Segregation of Duty

Approaches to Segregation of Duty

There are many standard approaches with the most common being:

  • Sequential separation: the two signature principle
  • Individual separation: the four eyes principle
  • Spatial separation: the principle of separate actions in separate locations
  • Factorial separation: process completion requires several factors to be true

Implement Role Based Access Control

Role based access is one of the most common and practical approaches to implementing segregation of duty. By taking the time to identify the roles that you require and removing conflicts in those roles and then assigning individuals to roles rather that allocating access on a case by case basis will significantly help you to remove conflicts in a consistent way.

Divide Responsibilities

Understanding and documenting your processes and systems will allow you to identify the key roles and responsibilities which can then be allocated to more than one individual and ensure no one person has complete control for a process or system. This is part of role based access control.

Prevent Collusion

The way that teams are structured and where they are located and how they interact can have an impact on introducing the opportunity for collusion. Collusion is the working together to commit fraud or circumvent controls.

Monitor and Review

It may be the case that segregation of duty does not work as intended or requires continual improvement. By implementing logging, monitoring and review on a regular basis allows for the identification and management of when it goes wrong and the ongoing and continual improvements to ensure that it remains effective.

Further Reading

For a detailed guide on how to implement Segregation of Duty, read the implementation guide ISO 27001 Annex A 5.3 Segregation of Duties

ISO 27001 Requirement for Segregation of Duty

The ISO 27001 standard specifically addresses Segregation of Duty in ISO 27001 Annex A 5.3 Segregation of Duties

Share to...