Table of contents
- ISO 27001 Segregation of Duty
- What is ISO 27001 Segregation of Duty?
- Purpose
- Definition
- ISO 27001 Segregation of Duty Explained
- Why is ISO 27001 Segregation of Duty important?
- ISO 27001 Segregation of Duty Examples
- ISO 27001 Segregation of Duty Templates
- Watch the Tutorial
- How to implement Segregation of Duty
- ISO 27001 Requirement for Segregation of Duty
ISO 27001 Segregation of Duty
In this ISO 27001 ultimate guide to ISO 27001 Segregation of Duty you will learn
- What ISO 27001 Segregation of Duty is
- How to implement Segregation of Duty for ISO 27001
I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Segregation of Duty.
What is ISO 27001 Segregation of Duty?
ISO 27001 Segregation of Duty is the act of dividing up critical tasks and responsibilities so that no one person has complete control over a process.
By doing this you can:
- Prevent fraud: the single biggest reason to implement segregation of duty is to eliminate the opportunity for fraud and to make it more difficult for a single individual to manipulate a process for personal gain.
- Enhance security: by implementing role based access (RBAC) and dividing roles and responsibilities based on business need and the experience of individuals will protect against unauthorised access and use.
- Reduce errors: by involving more than one person mistakes and inconsistencies can be caught that a single person may not catch or see.
ISO 27001 Segregation of Duties, through functional separation, aims to:
- Reduce the risk of fraud and errors: By preventing a single individual from having excessive control over critical processes.
- Enhance information security: By establishing checks and balances within the organisation.
This control is crucial for implementing and maintaining an effective Information Security Management System (ISMS) within a company.
Purpose
The purpose of ISO 27001 Segregation of Duty is to reduce the risk of fraud, error and bypassing of information security controls.
Definition
The ISO 27001 standard defines ISO 27001 Segregation of Duty as:
Conflicting duties and conflicting areas of responsibility should be segregated.
ISO 27001:2022 Annex A 5.3 Segregation of Duties
ISO 27001 Segregation of Duty Explained
Most organisations rely on a set of policies and procedures to guide their internal operations. While these are crucial, their effectiveness hinges on proper documentation and clear communication.
When policies and procedures are unclear or poorly disseminated, employees can become confused about their roles and responsibilities. This confusion is further exacerbated when responsibilities overlap or conflict.
These conflicting responsibilities can lead to:
- Redundant efforts: Employees may unknowingly duplicate work, wasting valuable time and resources.
- Conflicting actions: Different individuals may undertake actions that counteract each other, hindering progress and productivity.
- Reduced morale: Confusion and frustration among employees can negatively impact team morale and overall company performance.
To prevent these issues, organisations must proactively identify and address potential conflicts in responsibilities. This often involves implementing clear segregation of duties, ensuring that different individuals handle distinct organisational roles.
Why is ISO 27001 Segregation of Duty important?
Inadequate segregation of duties and responsibilities within an organisation can create significant security vulnerabilities. This lack of separation can increase the risk of fraud, misuse of resources, unauthorised access, and other security incidents.
Furthermore, when individuals can easily collude, the risk of these security breaches increases. Insufficient controls to prevent or detect such collusion exacerbate this problem.
To comply with the requirements outlined in ISO 27001 Segregation of Duty, organisations must:
- Identify critical duties and areas of responsibility that require segregation.
- Implement and maintain effective controls to enforce this segregation.
ISO 27001 Segregation of Duty Examples
The following are some common real world examples of Segregation of Duty:
Change Control: the change control process usually has several key steps that include the request for change, the approval of the change and the implementation of the change. There would clearly be a conflict of interest if the person requesting was the same person that approved and then actioned the change. In fact it would make the purpose of having a change control process redundant.
Human Resources: there are many processes in HR that require fairness and objectivity. Take the key processes of hiring, performance management and financial rewards such as pay rise reviews and bonus allocation. If the same individual is responsible for all of these key processes then there is a conflict of interest and a lack of impartiality.
Information Technology (IT): as most processes and business operations rely on the use of information technology this presents the biggest risk to information security and the confidentiality, integrity and availability of data. Most fraud occurs via a compromise of IT. Having one individual with total control can lead to changes being made that cannot be caught with tracks being covered via the manipulation or removal of monitoring and logging.
ISO 27001 Segregation of Duty Templates
ISO 27001 Access Control Policy
The ISO 27001 access control policy enables you to perform segregation of duty and access control management. Built into a powerful ISO 27001 access control policy template that is pre built and ready to go.
ISO 27001 Roles and Responsibilities Template
The ISO 27001 Roles and Responsibilities document enables you to document your information security roles and identify and manage conflicts. Built into a powerful ISO 27001 Roles and Responsibilities template that is pre built and ready to go.
Watch the Tutorial
Watch the ISO 27001 tutorial How to implement ISO 27001 Segregation of Duty
How to implement Segregation of Duty
Approaches to Segregation of Duty
There are many standard approaches with the most common being:
- Sequential separation: the two signature principle
- Individual separation: the four eyes principle
- Spatial separation: the principle of separate actions in separate locations
- Factorial separation: process completion requires several factors to be true
Implement Role Based Access Control
Role based access is one of the most common and practical approaches to implementing segregation of duty. By taking the time to identify the roles that you require and removing conflicts in those roles and then assigning individuals to roles rather that allocating access on a case by case basis will significantly help you to remove conflicts in a consistent way.
Divide Responsibilities
Understanding and documenting your processes and systems will allow you to identify the key roles and responsibilities which can then be allocated to more than one individual and ensure no one person has complete control for a process or system. This is part of role based access control.
Prevent Collusion
The way that teams are structured and where they are located and how they interact can have an impact on introducing the opportunity for collusion. Collusion is the working together to commit fraud or circumvent controls.
Monitor and Review
It may be the case that segregation of duty does not work as intended or requires continual improvement. By implementing logging, monitoring and review on a regular basis allows for the identification and management of when it goes wrong and the ongoing and continual improvements to ensure that it remains effective.
Further Reading
For a detailed guide on how to implement Segregation of Duty, read the implementation guide ISO 27001 Annex A 5.3 Segregation of Duties
ISO 27001 Requirement for Segregation of Duty
The ISO 27001 standard specifically addresses Segregation of Duty in ISO 27001 Annex A 5.3 Segregation of Duties