February 26, 2024

ISO 27001:2022 Annex A Control 5.3: Segregation of Duties

Annex A 5.3 of the 2022 version of the ISO 27001 standard maps to Annex A 6.1.2 of ISO 27001:2013.


In addition to establishing the information security roles for personnel within an organisation, it is necessary to identify the segregation of duties – formalising where each individual’s responsibilities begin and end.

Creating a functional management framework will enable an organisation to effectively control many aspects of information security, including the implementation and day-to-day operation of various functions.

Segregating information security duties will help to avoid any conflict of duty or duplication of effort. Documenting the management framework can also serve to identify any gaps or vulnerabilities, forming part of the risk evaluation and treatment process.

In smaller organisations it may be necessary for personnel to assume mixed roles or have overlapping roles and responsibilities. While this cannot be avoided in all instances, the principle of role segregation should be applied as much as possible to mitigate the risk of fraud and unauthorised access. In these instances, proper governance and controls should focus on information assets with the greatest risk and the highest value.

Understanding conflicting duties and responsibility segregation

The effective running of an organisation requires established processes, procedures and policies to govern internal operations. Documenting these processes and establishing a framework for employee duties is key to best practice and to maintaining business as usual.

Failure to document roles clearly and delineate between responsibilities risks inefficiency, conflicting operational activity and the potential for fraudulent behaviour. By effectively segregating duties, an organisation can help to avoid these types of issue, improving productivity and mitigating risk in the process.

The purpose and requirements of Annex 5.3

In simple terms, Annex A 5.3 addresses how a person can be prevented from committing, concealing or justifying actions that negatively impact the organisation. Segregating roles and responsibilities also prevents a single individual from overriding information security controls unchecked.

Through the effective delegation of tasks, an organisation is able to implement checks and balances that mitigate the risk of errors, fraud or lost productivity.

Just as overlapping responsibilities are problematic, concentrating all responsibilities in one individual is also deemed a significant risk to business as usual.

In order to achieve ISO 27001:2022 compliance, an organisation is required to identify which duties should be separated and document steps to action separation controls. In small organisations where this separation is not practical or feasible, measures should be implemented to monitor activity, ensure management supervision and retain audit trails.

In larger organisations, automated tools can help identify conflicting combinations of roles and enforce separation at the point where access is provisioned.

Who is responsible for Annex A 5.3?

Depending on the size of the organisation, a group of suitably qualified employees should hold responsibility for the effective segregation of duties, starting with a senior management team member who is responsible for conducting the initial risk assessment.

Further tasks are then assigned to the work units and departments that carry out the relevant functions.

An effective risk management strategy is essential to creating a suitable control environment for duties to be segregated.

What’s changed from ISO 27001:2013?

ISO 27001:2022 Annex A control 5.3 Segregation of Duties updates Annex A control 6.1.2 from the ISO 27001:2013 standard. The guidance accompanying the 2022 control lists activities whose stages should be separated when the control is implemented. These include:

  1. Initiating, approving and executing a change
  2. Requesting, approving and implementing access rights
  3. Designing, implementing and reviewing code
  4. Developing software and administering production systems
  5. Using and administering applications
  6. Using applications and administering databases
  7. Designing, auditing and assuring information security controls
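The list above is what an automated segregation-of-duties check needs as input: each item is a group of duties that should not end up with one person, and a conflict exists whenever one identity holds two or more of them. The script below is an added example, not code from the original article or from any product it mentions. It encodes the seven groups, derives each user's effective duties from the roles they hold, and reports conflicts. It also covers the small-organisation case described earlier: a conflict that cannot be avoided is accepted only if an exception with a named compensating control (monitoring, supervision, audit trail) is on record, otherwise it stays a violation. The users, roles and exception register are constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not the article's own code. Users, roles and the exception
register below are constructed to exercise the check.
"""
from dataclasses import dataclass

# Duties in one group must be held by different people. Holding any two of
# them is a conflict (e.g. approving and executing the same change).
SOD_RULES = {
    "change-management": ("change.initiate", "change.approve", "change.execute"),
    "access-management": ("access.request", "access.approve", "access.implement"),
    "code-lifecycle": ("code.design", "code.implement", "code.review"),
    "dev-vs-prod": ("software.develop", "prod.administer"),
    "app-use-vs-admin": ("app.use", "app.administer"),
    "app-use-vs-dba": ("app.use", "db.administer"),
    "control-assurance": ("control.design", "control.audit", "control.assure"),
}

# Constructed role model: roles grant duties, users hold roles.
ROLE_DUTIES = {
    "change-requester": {"change.initiate"},
    "change-approver": {"change.approve"},
    "release-engineer": {"change.execute"},
    "developer": {"software.develop", "code.implement"},
    "code-reviewer": {"code.review"},
    "prod-sysadmin": {"prod.administer"},
    "helpdesk": {"access.request", "access.implement"},
    "analyst": {"app.use"},
}
USER_ROLES = {
    "alice": ["change-requester", "change-approver", "release-engineer"],
    "bob": ["developer", "prod-sysadmin"],
    "carol": ["helpdesk"],
    "dave": ["developer", "code-reviewer"],
    "erin": ["analyst"],
}

# Constructed exception register for a conflict the organisation cannot
# avoid. Key: (user, rule). Value: the compensating control that justifies it.
EXCEPTIONS = {
    ("bob", "dev-vs-prod"):
        "two-person team; production changes logged to a write-once audit "
        "trail and reviewed weekly by the head of engineering",
}


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    duties: tuple            # conflicting duties the user holds, in rule order
    status: str              # "violation" or "accepted"
    compensating_control: str = ""


def effective_duties(user_roles, role_duties):
    """Flatten role membership into the set of duties each user can perform.
    An unknown role raises KeyError rather than being silently ignored."""
    duties = {}
    for user, roles in user_roles.items():
        duties[user] = set()
        for role in roles:
            duties[user] |= role_duties[role]
    return duties


def check_sod(assignments, rules=SOD_RULES, exceptions=None):
    """Return one Finding per (user, rule) where the user holds two or more
    duties from the same rule group. A recorded exception with a
    compensating control turns the finding into "accepted"."""
    exceptions = exceptions or {}
    findings = []
    for user in sorted(assignments):
        held_all = assignments[user]
        for rule, group in rules.items():
            held = tuple(d for d in group if d in held_all)
            if len(held) < 2:
                continue
            control = exceptions.get((user, rule), "")
            status = "accepted" if control else "violation"
            findings.append(Finding(user, rule, held, status, control))
    return findings


def run_report(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, exceptions=EXCEPTIONS):
    """Print a one-line-per-finding report and return the findings."""
    findings = check_sod(effective_duties(user_roles, role_duties), exceptions=exceptions)
    for f in findings:
        line = f"{f.status.upper():9} {f.user:6} {f.rule:18} {' + '.join(f.duties)}"
        if f.compensating_control:
            line += f"  [compensating control: {f.compensating_control}]"
        print(line)
    return findings


if __name__ == "__main__":
    run_report()
```

Run as a script it prints four findings: alice holds the whole change lifecycle, carol can both request and implement access, dave implements and reviews code, and bob's developer-plus-production-admin combination is reported as accepted because a compensating control is on record. Removing the exception turns bob's finding back into a violation, which is the behaviour you want: an exception should have to be written down, with its control, before it disappears from the report.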