ISO 27001 Annex A 5.3 is about separating duties. This means you divide up tasks and jobs so no one person has total control over a key process. This helps keep things safe by adding checks and balances.
What is Segregation of Duties?
The main reason to separate duties is to reduce the chance of fraud, mistakes, and people getting around security rules. If one person has all the power to do something from start to finish, it’s easier for them to hide bad actions or make mistakes that no one else can catch.
What is ISO 27001 Annex A 5.3?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Segregation of Duties”.
What is the ISO 27001 Annex A 5.3 control objective?
The formal definition and control objective given in the standard are: “Conflicting duties and conflicting areas of responsibility should be segregated.”
What is the purpose of ISO 27001 Annex A 5.3?
The purpose of ISO 27001 Annex A 5.3 is “To reduce the risk of fraud, error and bypassing of information security controls.”
Is ISO 27001 Annex A 5.3 Mandatory?
ISO 27001 Annex A control 5.3 (Segregation of Duties in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.3 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
- Look for Conflicts: Find jobs where one person could have too much control. For example, a person who asks for a change should not be the same person who approves it.
- Divide Tasks: Break up important jobs and give parts of them to different people.
- Use Role-Based Access: A good way to do this is to give people access to systems based on their job role, not by giving them rights one by one. This helps you manage conflicts in a simple way.
- Monitor When You Can’t Separate: In small companies, you may not have enough people to separate duties. If this happens, you must have other ways to watch what’s happening. This includes looking at audit logs and having managers check on things.
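As an added example (not code from the original page), here is a small Python check of the steps above, run over a constructed role-based access model: it flags users who hold conflicting duties through their roles, flags roles that are conflicting by design, and separates conflicts that must be removed from documented exceptions that need a compensating monitoring control. All role, permission and user names are made up.

```python
# Constructed RBAC model: hypothetical roles, permissions and users.
ROLES = {
    "developer":      {"request_change", "deploy_code"},
    "change_manager": {"approve_change"},
    "admin":          {"request_change", "approve_change", "deploy_code"},
}
# Segregation-of-duties rules: no one person should hold both permissions.
CONFLICTS = [
    ("request_change", "approve_change"),  # requester must not approve
    ("approve_change", "deploy_code"),     # approver must not deploy
]
ASSIGNMENTS = {
    "alice": ["developer"],
    "bob":   ["change_manager"],
    "carol": ["developer", "change_manager"],  # conflict via two roles
    "dave":  ["admin"],                        # conflict inside one role
}
# Documented exceptions (separation impossible); each names its compensating control.
EXCEPTIONS = {"dave": "sole admin; manager reviews change audit log monthly"}


def user_permissions(user_roles, roles=ROLES):
    """Flatten a user's roles into the set of permissions they hold."""
    return set().union(*(roles[r] for r in user_roles))


def toxic_roles(roles=ROLES, conflicts=CONFLICTS):
    """Roles that grant both halves of a conflict on their own (bad role design)."""
    return {name for name, perms in roles.items()
            if any(a in perms and b in perms for a, b in conflicts)}


def find_conflicts(assignments=ASSIGNMENTS, roles=ROLES, conflicts=CONFLICTS):
    """Map each user to the conflicting permission pairs they hold across roles."""
    found = {}
    for user, user_roles in assignments.items():
        perms = user_permissions(user_roles, roles)
        hits = [(a, b) for a, b in conflicts if a in perms and b in perms]
        if hits:
            found[user] = hits
    return found


def triage(findings, exceptions=EXCEPTIONS):
    """Split findings into conflicts to remove by re-assigning roles and accepted
    exceptions to monitor; an exception with no named control is not accepted."""
    remove, monitor = {}, {}
    for user, pairs in findings.items():
        control = exceptions.get(user)
        if control:
            monitor[user] = {"conflicts": pairs, "compensating_control": control}
        else:
            remove[user] = pairs
    return remove, monitor
```

The `remove` result is the list of role changes to make, and the `monitor` result is the evidence an auditor would expect for conflicts you cannot eliminate.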
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
- That you have found and written down any job conflicts.
- A process for role-based access control.
- Evidence that you are managing any conflicts you can’t get rid of.
You can learn more about Segregation of Duties and ISO 27001 by watching this video: ISO 27001 Annex A 5.3 Segregation of Duty Explained.