Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
Conflicting duties and conflicting areas of responsibility must be segregated.
Plain-language meaning
No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.
Segregation of duties reduces the risk of:
- fraud;
- abuse of privilege;
- unauthorized changes;
- human error;
- concealment of mistakes;
- conflicts of interest;
- loss of confidentiality, integrity, or availability.
Core idea
A person should not be able to both perform and independently approve, review, or hide the results of their own sensitive activity.
| Conflict | Why it is risky |
|---|---|
| Request and approve their own access | Excessive or unauthorized privileges |
| Develop and deploy code to production without review | Malicious or faulty code can enter production |
| Configure security controls and independently audit them | Weak controls can be hidden |
| Create a vendor and approve payment | Fraud risk |
| Administer logs and delete or alter those logs | Evidence can be destroyed |
| Approve and implement a change without review | Unauthorized or risky changes may go live |
| Initiate and approve financial transactions | Fraud or error may go undetected |
| Own a risk and verify control effectiveness alone | Weak independent assurance |
Memory phrase:
Separate request, approval, execution, and review.
Why segregation matters
Segregation is a traditional business control. It assumes:
- most people are honest, but controls still matter;
- honest people can make mistakes;
- honest people can act differently under pressure or duress;
- unchecked privileges create temptation and opportunity;
- negligent behavior can increase when nobody reviews activity.
The Barings Bank case is a classic example of serious control and management failures where one person had too much unchecked authority. The lesson for ISMS work is that critical processes need checks and balances.
How segregation works
Segregation divides a sensitive process across roles.
Example: access management.
| Activity | Better owner |
|---|---|
| Request access | User’s manager |
| Approve access | System owner or data owner |
| Implement access | IT administrator |
| Review access | Business/system owner |
| Monitor exceptions | Security or compliance team |
| Remove access | IT, triggered by HR or manager |
This prevents one person from requesting, approving, implementing, and reviewing their own access.
Common segregation patterns
1. Maker-checker control
One person performs an action and another reviews or approves it.
Example:
- Admin prepares a firewall rule change.
- Network manager or security reviewer approves it.
- Change is implemented.
- Logs or change records are reviewed afterward.
2. Dual authorization
Two people must approve or perform an action.
Examples:
- two authorized people approve emergency privileged access;
- two people approve deletion of critical backups;
- two signatures required for high-value transactions.
3. Independent review
One person performs work and another independent person reviews records afterward.
Example:
- Administrator performs privileged activity.
- Security team reviews privileged activity logs weekly.
4. Role separation
Different responsibilities are assigned to different roles.
Example:
- Developers write code.
- DevOps deploys code.
- CAB or change owner approves high-risk changes.
- Security reviews critical security changes.
5. Technical enforcement
Systems prevent incompatible access combinations.
Examples:
- identity governance tool blocks incompatible roles;
- CI/CD pipeline requires peer approval;
- privileged activity is sent to immutable logs;
- system administrators cannot modify SIEM audit logs.
Information security examples
| Area | Segregation expectation |
|---|---|
| Access control | Request, approval, implementation, and review should not all be performed by one person |
| Privileged access | Admin access should be approved, logged, monitored, and independently reviewed |
| Change management | Developers should not deploy unreviewed changes directly to production |
| Security monitoring | People being monitored should not be able to alter monitoring logs |
| Audit | Auditors should not audit their own work |
| Incident management | Evidence handling should be controlled and reviewed |
| Backup and recovery | Backup administrators should not silently delete or disable backups |
| Supplier management | Vendor owner, procurement, legal, and security should have separate review roles |
| Risk management | Risk owner may own treatment, but independent assurance should validate effectiveness |
Small organizations
Small organizations may not have enough staff to fully segregate duties.
That does not mean they can ignore the control.
The practical approach:
- identify where segregation is needed;
- assess the risk of not segregating;
- segregate where practical;
- implement compensating controls where segregation is not possible;
- document the decision and evidence;
- review the exception periodically.
Compensating controls
| Compensating control | Purpose |
|---|---|
| Immutable logging | Prevents alteration or deletion of activity records |
| Independent log review | Detects suspicious or unauthorized activity |
| Management review | Adds oversight where staffing is limited |
| External review | Uses accountant, consultant, auditor, or MSP reviewer |
| Alerts for high-risk actions | Detects sensitive activity quickly |
| Periodic access review | Identifies excessive or conflicting access |
| Mandatory vacation | Helps reveal hidden fraud or dependency |
| Rotation of duties | Reduces long-term unchecked control |
| Exception approval | Documents why segregation is not possible |
| Increased monitoring | Deters and detects misuse |
Key exam point:
Lack of resources is not an excuse to do nothing. It requires risk-based compensating controls.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should check whether the organization has identified conflicting duties and whether critical processes have checks and balances.
For small organizations, auditors should expect at least compensating controls for critical roles.
Audit tests
| Audit test | Evidence to request | What good looks like |
|---|---|---|
| Identify conflicting duties | SoD matrix, risk assessment, process documentation | Key conflicts documented |
| Segregate critical duties | Access workflows, change process, approval records | Sensitive tasks require separate approval/review |
| Control privileged activities | PAM records, admin logs, SIEM alerts | Admin activity logged and reviewed |
| Protect logs | SIEM settings, retention settings, permissions | Users cannot alter their own logs |
| Use compensating controls | Exception records, monitoring evidence | Lack of segregation is risk-assessed and monitored |
| Ensure independent review | Review records, reviewer role | Reviewer is not the person being reviewed |
| Check holiday/sickness coverage | Backup coverage plans | Temporary cover does not break independence |
| Review critical processes | Finance, access, change, supplier, backup | High-risk processes have checks and balances |
Audit focus areas
Security administration and audit are particularly critical. If the same person administers controls and audits the controls, independence is weak.
Auditors should also examine:
- access provisioning;
- privileged access;
- production change;
- log administration;
- backup deletion;
- incident evidence handling;
- supplier approval and payment;
- risk acceptance and control validation.
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control or process operated for real cases.
- Documented SoD matrix.
- Incompatible roles identified in access governance.
- Workflow separates request, approval, implementation, and review.
- Admin activities are logged to a system admins cannot alter.
- Independent log reviews are performed and recorded.
- High-risk transactions require dual approval.
- Exceptions are risk-assessed, approved, time-bound, and monitored.
- Internal audit tests missing log entries or unauthorized activity.
- Holiday coverage does not remove independence.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation, consistency, or effectiveness.
- “We trust our staff.”
- One person can create, approve, and review their own access.
- Admins can delete logs of their own activity.
- Developers can push directly to production without review.
- No SoD conflict analysis exists.
- Small organization uses lack of staff as a reason for no controls.
- Logs exist but are never reviewed.
- Reviews are performed by the same person whose activity is reviewed.
- Temporary holiday cover bypasses independence.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| No SoD matrix | Conflicting roles may not be known |
| Over-permissioned administrators | One person can misuse or hide activity |
| No independent review | Errors and misuse may persist undetected |
| Logs not protected | Evidence can be changed or deleted |
| No exception documentation | Management cannot show risk-based decision |
| Production access not controlled | Unauthorized changes can go live |
| Audit lacks independence | Assurance is unreliable |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- SoD applies only to finance — wrong.
- Small organizations can ignore SoD — wrong.
- Logging alone is enough — wrong unless logs are tamper-resistant and reviewed.
- Two people automatically means segregation exists — wrong if independence is weak.
- SoD eliminates collusion — wrong; it reduces risk but does not eliminate it.
- One person can have conflicting duties if they are senior — wrong unless risk-assessed and compensated.
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.3 reduces the risk of fraud, misuse, error, and concealment by separating conflicting duties. Sensitive processes should separate request, approval, execution, review, and monitoring. Where full segregation is not possible, the organization should use documented compensating controls such as immutable logging, independent review, dual authorization, and periodic management oversight.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Segregation of duties
- Audit
Note Metadata
Aliases: A.5.3, SoD, Segregation of Duties
Source: 02 Annex A Organizational Controls/A.5.3 Segregation of Duties.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
3
links
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO27001 ISMS KB - Start Here
- Roles and Responsibilities
- Segregation of Duties
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.8 - Information Security in Project Management
- A.5 Organizational Controls MOC
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- A.5.3 Audit Evidence Pack
- AQ-ISO27001-A.5.3 Segregation of Duties
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.3 Segregation of Duties
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- Template - A.5.3 Audit Checklist
- Leaver and Role Change Security Checklist
- Template - Segregation of Duties Matrix
- Template - Segregation of Duties Exception Record
- Annex A Controls MOC
- ISO 27001 Overview