ISO 27001 Annex A 5.3 is about segregation (separation) of duties. This means you divide up tasks and jobs so that no one person has total control over a key process from start to finish. This keeps things safe by adding checks and balances: a second person has to be involved before a sensitive action takes effect.
Why Separate Duties?
The main reason to separate duties is to reduce the chance of fraud, mistakes, and people getting around security rules. If one person has all the power to do something from start to finish, it’s easier for them to hide bad actions or make mistakes that no one else can catch.
How to Do It
- Look for Conflicts: Find jobs where one person could have too much control. For example, a person who asks for a change should not be the same person who approves it.
- Divide Tasks: Break up important jobs and give parts of them to different people.
- Use Role-Based Access: A good way to do this is to give people access to systems based on their job role, not by giving them rights one by one. This helps you manage conflicts in a simple way.
- Monitor When You Can’t Separate: In small companies, you may not have enough people to separate duties. If this happens, you must have other ways to watch what’s happening. This includes looking at audit logs and having managers check on things.
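The steps above can be turned into a simple check you run over your role assignments and audit logs. The following is an added example written for this page, not code from ISO 27001 or from any particular tool. The role names, the list of conflicting role pairs, the users and the audit log entries are all constructed sample data and are not drawn from the page; a real run would load them from your identity system and change-management system.

```python
from collections import defaultdict

# Constructed sample data: which roles each user holds (assumed role names).
ROLE_ASSIGNMENTS = {
    "alice": {"change_requester", "developer"},
    "bob": {"change_approver"},
    "carol": {"change_requester", "change_approver"},  # conflict: requests and approves
    "dave": {"payment_preparer", "payment_releaser"},  # conflict: prepares and releases
}

# Hypothetical policy: pairs of roles one person should never hold together.
CONFLICTING_ROLE_PAIRS = [
    ("change_requester", "change_approver"),
    ("payment_preparer", "payment_releaser"),
]


def find_sod_conflicts(assignments, conflicting_pairs):
    """Step 1 (look for conflicts): return (user, role_a, role_b) for every
    user who holds both roles of a conflicting pair. Role-based access makes
    this a direct lookup instead of reviewing individual permissions."""
    conflicts = []
    for user, roles in sorted(assignments.items()):
        for role_a, role_b in conflicting_pairs:
            if role_a in roles and role_b in roles:
                conflicts.append((user, role_a, role_b))
    return conflicts


# Constructed audit log for the compensating control (step 4): who requested
# and who approved each change. In a small team the roles may overlap, so the
# log is reviewed to catch the case where one person did both on one change.
AUDIT_LOG = [
    {"change_id": "CHG-1", "action": "requested", "actor": "alice"},
    {"change_id": "CHG-1", "action": "approved", "actor": "bob"},
    {"change_id": "CHG-2", "action": "requested", "actor": "carol"},
    {"change_id": "CHG-2", "action": "approved", "actor": "carol"},
    {"change_id": "CHG-3", "action": "requested", "actor": "dave"},
]


def self_approved_changes(log):
    """Return the ids of changes where the requester also approved them.
    Changes with no approval yet are not reported."""
    actors_by_change = defaultdict(dict)
    for entry in log:
        actors_by_change[entry["change_id"]][entry["action"]] = entry["actor"]
    return sorted(
        change_id
        for change_id, actions in actors_by_change.items()
        if "approved" in actions and actions.get("requested") == actions["approved"]
    )


def risk_register_entries(conflicts):
    """Produce one plain-text line per unavoidable conflict so it can be
    recorded in the risk register alongside the monitoring control."""
    return [
        f"{user} holds both {role_a} and {role_b}; compensating control: "
        f"audit log review by a manager"
        for user, role_a, role_b in conflicts
    ]


if __name__ == "__main__":
    for line in risk_register_entries(find_sod_conflicts(ROLE_ASSIGNMENTS, CONFLICTING_ROLE_PAIRS)):
        print(line)
    print("self-approved changes:", self_approved_changes(AUDIT_LOG))
```

The first function is the periodic check an auditor expects to see: it lists every person whose role combination breaks the separation rule. The second is the "monitor when you can't separate" control, applied to the audit log rather than to the role list, so it still catches a self-approved change even when the role overlap had to be accepted and written into the risk register.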
Frequently Asked Questions
If you can’t separate jobs because you have a small team, you must have other ways to check on things. You can use logging, monitoring, and manager checks. You should also write down this risk in your company’s risk register.
An auditor will check that you have found and written down any job conflicts. They will also look for a process for role-based access control. They will want to see that you are managing any conflicts you can’t get rid of.
Yes. Even a one-person company should think about where problems could happen and manage those risks. It is all about being smart about risk.
Here’s a video that explains more about this topic: ISO 27001 Annex A 5.3 Segregation of Duty Explained.