The basics
ISO 27001 control A.5.3 Segregation of duties requires companies to separate conflicting functions so that a single person is not allowed to perform and control the same activity. This is important to mitigate the risk of fraud, waste, and error.
Documentation
ISO 27001 control A.5.3 Segregation of duties can be documented by separating responsibilities for critical activities:
- in smaller and mid-sized companies – by specifying separate responsibilities through all internal security policies and procedures
- in larger companies – by writing a Policy for Segregation of Duties
It is not mandatory to document segregation of duties, but it is recommended for all companies.
Implementation
In order to comply with control A.5.3 Segregation of duties you might implement the following:
- Technology — the technology to enable segregation of duties could include software (e.g., access control lists and authentication) and hardware (e.g., different devices for performing each duty). Companies of all sizes need to plan the segregation of duties based on risk assessment, and segregation requirements of the company, suppliers, customers, and other interested parties.
- Organization/processes — you should set up a process for defining criteria for segregation of duties, and how to implement them. You can document those processes through several security policies and procedures or through a Policy for Segregation of Duties.
- People — make employees aware of why segregation of duties is needed, and train management staff on how to identify which duties need to be segregated and how to segregate them.
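The technology bullet above mentions access control as the enforcement point. The following is an added example, not part of the original guidance: a small Python check that takes role-to-duty assignments and a conflict matrix (both constructed sample data, not taken from any standard) and reports every user who holds two duties that the policy says must be segregated, plus the role combinations that should never be granted together.

```python
"""Segregation-of-duties (SoD) conflict check over user/role assignments."""
from itertools import combinations

# Constructed sample data (hypothetical roles and duties): which duties each role grants.
ROLE_DUTIES = {
    "developer": {"commit_code"},
    "release_manager": {"approve_release", "deploy_production"},
    "finance_clerk": {"create_payment"},
    "finance_manager": {"approve_payment"},
    "dba": {"modify_database"},
    "auditor": {"review_logs"},
}

# Constructed conflict matrix: pairs of duties one person must never hold at once.
CONFLICTING_DUTIES = {
    frozenset({"commit_code", "deploy_production"}),   # write code and ship it unreviewed
    frozenset({"create_payment", "approve_payment"}),   # raise and approve the same payment
    frozenset({"modify_database", "review_logs"}),      # change data and audit the change
}


def duties_for(roles):
    """Effective duties of a user, i.e. the union of the duties of all their roles."""
    return set().union(*(ROLE_DUTIES.get(role, set()) for role in roles))


def find_sod_conflicts(user_roles):
    """Return {user: [(duty_a, duty_b), ...]} for each user who holds conflicting duties.

    This is the check an auditor would run against the access control lists:
    can any single person perform both halves of a sensitive activity?
    """
    conflicts = {}
    for user, roles in user_roles.items():
        duties = duties_for(roles)
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= duties]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def conflicting_role_pairs():
    """Role pairs whose combined duties violate the matrix; useful when designing
    the Policy for Segregation of Duties so that such pairs are never assigned together."""
    toxic = []
    for role_a, role_b in combinations(sorted(ROLE_DUTIES), 2):
        combined = ROLE_DUTIES[role_a] | ROLE_DUTIES[role_b]
        if any(pair <= combined for pair in CONFLICTING_DUTIES):
            toxic.append((role_a, role_b))
    return toxic
```

Feeding the check an export of actual role assignments turns the audit question into a repeatable control rather than a manual review.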
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.3 Segregation of duties: whether sensitive activities can be performed by a single person.
If such evidence is not found, the auditor must raise a nonconformity.