UnixTime

Research Note

Segregation of Duties

Segregation of duties means sensitive work should be split so one person cannot request, approve, perform, and review the same activity without independent control.

On this page

Plain-language meaning

Segregation of duties means sensitive work should be split so one person cannot request, approve, perform, and review the same activity without independent control.

For ISO/IEC 27001 study, link this concept back to A.5.3 Segregation of Duties. That control note explains the Annex A requirement, implementation patterns, audit evidence, failures, and exam traps.

Practical use

Use this concept when reviewing access approval, change management, supplier management, financial approval, privileged administration, logging, and internal audit independence.

Exam cue

The exam may test whether a compensating control is acceptable when full segregation is not practical. Small organizations can use documented review, approval, logging, and monitoring, but they cannot simply ignore the conflict.

  • Iso27001
  • Isms
  • Fundamentals
  • Segregation of duties

Note Metadata

Aliases: SoD

Source: 01 Fundamentals/Segregation of Duties.md