Plain-language meaning
Segregation of duties means sensitive work should be split so one person cannot request, approve, perform, and review the same activity without independent control.
For ISO/IEC 27001 study, link this concept back to A.5.3 Segregation of Duties. That control note explains the Annex A requirement, implementation patterns, audit evidence, failures, and exam traps.
Practical use
Use this concept when reviewing access approval, change management, supplier management, financial approval, privileged administration, logging, and internal audit independence.
Exam cue
The exam may test whether a compensating control is acceptable when full segregation is not practical. Small organizations can use documented review, approval, logging, and monitoring, but they cannot simply ignore the conflict.
Related notes
- Iso27001
- Isms
- Fundamentals
- Segregation of duties
Note Metadata
Aliases: SoD
Source: 01 Fundamentals/Segregation of Duties.md