UnixTime

Research Note

ISO 27001 A.5.3 - Segregation of Duties

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

Conflicting duties and conflicting areas of responsibility must be segregated.

Plain-language meaning

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

Segregation of duties reduces the risk of:

  • fraud;
  • abuse of privilege;
  • unauthorized changes;
  • human error;
  • concealment of mistakes;
  • conflicts of interest;
  • loss of confidentiality, integrity, or availability.

Core idea

A person should not be able to both perform and independently approve, review, or hide the results of their own sensitive activity.

Conflict Why it is risky
Request and approve their own access Excessive or unauthorized privileges
Develop and deploy code to production without review Malicious or faulty code can enter production
Configure security controls and independently audit them Weak controls can be hidden
Create a vendor and approve payment Fraud risk
Administer logs and delete or alter those logs Evidence can be destroyed
Approve and implement a change without review Unauthorized or risky changes may go live
Initiate and approve financial transactions Fraud or error may go undetected
Own a risk and verify control effectiveness alone Weak independent assurance

Memory phrase:

Separate request, approval, execution, and review.

Why segregation matters

Segregation is a traditional business control. It assumes:

  • most people are honest, but controls still matter;
  • honest people can make mistakes;
  • honest people can act differently under pressure or duress;
  • unchecked privileges create temptation and opportunity;
  • negligent behavior can increase when nobody reviews activity.

The Barings Bank case is a classic example of serious control and management failures where one person had too much unchecked authority. The lesson for ISMS work is that critical processes need checks and balances.

How segregation works

Segregation divides a sensitive process across roles.

Example: access management.

Activity Better owner
Request access User’s manager
Approve access System owner or data owner
Implement access IT administrator
Review access Business/system owner
Monitor exceptions Security or compliance team
Remove access IT, triggered by HR or manager

This prevents one person from requesting, approving, implementing, and reviewing their own access.

Common segregation patterns

1. Maker-checker control

One person performs an action and another reviews or approves it.

Example:

  • Admin prepares a firewall rule change.
  • Network manager or security reviewer approves it.
  • Change is implemented.
  • Logs or change records are reviewed afterward.

2. Dual authorization

Two people must approve or perform an action.

Examples:

  • two authorized people approve emergency privileged access;
  • two people approve deletion of critical backups;
  • two signatures required for high-value transactions.

3. Independent review

One person performs work and another independent person reviews records afterward.

Example:

  • Administrator performs privileged activity.
  • Security team reviews privileged activity logs weekly.

4. Role separation

Different responsibilities are assigned to different roles.

Example:

  • Developers write code.
  • DevOps deploys code.
  • CAB or change owner approves high-risk changes.
  • Security reviews critical security changes.

5. Technical enforcement

Systems prevent incompatible access combinations.

Examples:

  • identity governance tool blocks incompatible roles;
  • CI/CD pipeline requires peer approval;
  • privileged activity is sent to immutable logs;
  • system administrators cannot modify SIEM audit logs.

Information security examples

Area Segregation expectation
Access control Request, approval, implementation, and review should not all be performed by one person
Privileged access Admin access should be approved, logged, monitored, and independently reviewed
Change management Developers should not deploy unreviewed changes directly to production
Security monitoring People being monitored should not be able to alter monitoring logs
Audit Auditors should not audit their own work
Incident management Evidence handling should be controlled and reviewed
Backup and recovery Backup administrators should not silently delete or disable backups
Supplier management Vendor owner, procurement, legal, and security should have separate review roles
Risk management Risk owner may own treatment, but independent assurance should validate effectiveness

Small organizations

Small organizations may not have enough staff to fully segregate duties.

That does not mean they can ignore the control.

The practical approach:

  1. identify where segregation is needed;
  2. assess the risk of not segregating;
  3. segregate where practical;
  4. implement compensating controls where segregation is not possible;
  5. document the decision and evidence;
  6. review the exception periodically.

Compensating controls

Compensating control Purpose
Immutable logging Prevents alteration or deletion of activity records
Independent log review Detects suspicious or unauthorized activity
Management review Adds oversight where staffing is limited
External review Uses accountant, consultant, auditor, or MSP reviewer
Alerts for high-risk actions Detects sensitive activity quickly
Periodic access review Identifies excessive or conflicting access
Mandatory vacation Helps reveal hidden fraud or dependency
Rotation of duties Reduces long-term unchecked control
Exception approval Documents why segregation is not possible
Increased monitoring Deters and detects misuse

Key exam point:

Lack of resources is not an excuse to do nothing. It requires risk-based compensating controls.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should check whether the organization has identified conflicting duties and whether critical processes have checks and balances.

For small organizations, auditors should expect at least compensating controls for critical roles.

Audit tests

Audit test Evidence to request What good looks like
Identify conflicting duties SoD matrix, risk assessment, process documentation Key conflicts documented
Segregate critical duties Access workflows, change process, approval records Sensitive tasks require separate approval/review
Control privileged activities PAM records, admin logs, SIEM alerts Admin activity logged and reviewed
Protect logs SIEM settings, retention settings, permissions Users cannot alter their own logs
Use compensating controls Exception records, monitoring evidence Lack of segregation is risk-assessed and monitored
Ensure independent review Review records, reviewer role Reviewer is not the person being reviewed
Check holiday/sickness coverage Backup coverage plans Temporary cover does not break independence
Review critical processes Finance, access, change, supplier, backup High-risk processes have checks and balances

Audit focus areas

Security administration and audit are particularly critical. If the same person administers controls and audits the controls, independence is weak.

Auditors should also examine:

  • access provisioning;
  • privileged access;
  • production change;
  • log administration;
  • backup deletion;
  • incident evidence handling;
  • supplier approval and payment;
  • risk acceptance and control validation.

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control or process operated for real cases.

  • Documented SoD matrix.
  • Incompatible roles identified in access governance.
  • Workflow separates request, approval, implementation, and review.
  • Admin activities are logged to a system admins cannot alter.
  • Independent log reviews are performed and recorded.
  • High-risk transactions require dual approval.
  • Exceptions are risk-assessed, approved, time-bound, and monitored.
  • Internal audit tests missing log entries or unauthorized activity.
  • Holiday coverage does not remove independence.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation, consistency, or effectiveness.

  • “We trust our staff.”
  • One person can create, approve, and review their own access.
  • Admins can delete logs of their own activity.
  • Developers can push directly to production without review.
  • No SoD conflict analysis exists.
  • Small organization uses lack of staff as a reason for no controls.
  • Logs exist but are never reviewed.
  • Reviews are performed by the same person whose activity is reviewed.
  • Temporary holiday cover bypasses independence.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
No SoD matrix Conflicting roles may not be known
Over-permissioned administrators One person can misuse or hide activity
No independent review Errors and misuse may persist undetected
Logs not protected Evidence can be changed or deleted
No exception documentation Management cannot show risk-based decision
Production access not controlled Unauthorized changes can go live
Audit lacks independence Assurance is unreliable

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • SoD applies only to finance — wrong.
  • Small organizations can ignore SoD — wrong.
  • Logging alone is enough — wrong unless logs are tamper-resistant and reviewed.
  • Two people automatically means segregation exists — wrong if independence is weak.
  • SoD eliminates collusion — wrong; it reduces risk but does not eliminate it.
  • One person can have conflicting duties if they are senior — wrong unless risk-assessed and compensated.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.3 reduces the risk of fraud, misuse, error, and concealment by separating conflicting duties. Sensitive processes should separate request, approval, execution, review, and monitoring. Where full segregation is not possible, the organization should use documented compensating controls such as immutable logging, independent review, dual authorization, and periodic management oversight.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Segregation of duties
  • Audit

Note Metadata

Aliases: A.5.3, SoD, Segregation of Duties

Source: 02 Annex A Organizational Controls/A.5.3 Segregation of Duties.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

3

links

01

Implementation artifacts

Templates and working records that help operate the control.

02

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.