ISO 27001 Annex A 5.3 Segregation of Duties

What is ISO 27001 Annex A 5.3 Segregation of Duties in ISO 27001?

Annex A 5.3 requires that conflicting duties be separated to reduce the risk of fraud and error. Organisations must document these divisions within the internal tools they already use, such as SharePoint and Jira. The control ensures that no single person has end-to-end control over a sensitive process. Integrated document systems provide verifiable proof of these functional splits.

Auditor’s Eye: The Shortcut Trap

SaaS compliance platforms often manage permissions through a central dashboard. This creates a “Black Box” effect. Auditors cannot see the real-world operational workflows. We prefer seeing segregation rules in your native Confluence wiki. We check your Jira workflow transitions to confirm independent approvals. Generic platform ticks do not prove management oversight. They often hide risky overlaps in duties. Evidence must exist where the work happens.

Feature           | ISO 27001:2013 Reference      | ISO 27001:2022 Reference
Control Name      | A.6.1.2 Segregation of duties | Annex A 5.3 Segregation of duties
Primary Objective | Prevent fraud and error.      | Prevent unauthorised access or modification.
Logic             | Manual separation.            | System-enforced workflows.

How to Implement ISO 27001 Annex A 5.3 Segregation of Duties (Step-by-Step)

Organisations must reduce the risk of accidental or deliberate system misuse. Separate the initiation of an action from its approval. Use your existing SharePoint permissions and Jira workflows to enforce these splits. This approach makes security a cultural habit. Follow these steps for an integrated system.

Step 1: Identify Conflicting Functions

Map out sensitive business processes. Document these in a matrix on Confluence. Identify steps where a single person could cause significant harm. This provides a clear baseline for the auditor.

Step 2: Assign Independent Roles

Define roles that must remain separate. Record these in SharePoint job descriptions. Ensure that the person who requests a payment cannot approve it. Clearly state these boundaries to all personnel.

Step 3: Enforce through Jira Workflows

Use Jira to automate the split. Configure transition rules that require a second user to approve code or changes. This provides an auditable log of independent oversight and proves the process is active every day.
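As an added example that is not part of the original page, this Python script turns the three steps above into a repeatable check: a conflict matrix (Step 1), a constructed permission export scanned for users holding both sides of a conflict (Step 2), and a constructed transition log scanned for changes approved by their own reporter (Step 3). The role names, users and issue keys are assumptions, not real data.

```python
# Added example (not the page's own tooling): a periodic segregation-of-duties
# check over a constructed permission export plus a constructed Jira-style
# transition log. Role names, users and issue keys are all made up here.

# Step 1: conflicting functions. Each pair is a split one person must not hold.
CONFLICT_MATRIX = {
    frozenset({"payment_requester", "payment_approver"}),
    frozenset({"developer", "code_approver"}),
    frozenset({"sysadmin", "audit_log_reviewer"}),
}

# Step 2: constructed user -> roles export (what a flattened SharePoint or
# Jira group dump would give you). Not real data.
PERMISSION_EXPORT = {
    "alice": {"developer"},
    "bob": {"code_approver", "audit_log_reviewer"},
    "carol": {"payment_requester", "payment_approver"},
    "dave": {"sysadmin", "audit_log_reviewer"},
}

# Step 3: constructed transition entries. 'approved_by' is None while the
# issue is still waiting for its second-person approval.
TRANSITIONS = [
    {"issue": "CHG-1", "reporter": "alice", "approved_by": "bob"},
    {"issue": "CHG-2", "reporter": "alice", "approved_by": "alice"},
    {"issue": "CHG-3", "reporter": "bob", "approved_by": None},
]

def find_sod_violations(assignments, conflicts=CONFLICT_MATRIX):
    """Map each user holding a conflicting pair to the sorted list of
    those pairs. Users with no conflict are omitted."""
    violations = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= roles]
        if hits:
            violations[user] = sorted(hits)
    return violations

def self_approvals(transitions):
    """Return issue keys whose approver is the same person who raised them,
    i.e. the mandatory peer-review transition was bypassed."""
    return [t["issue"] for t in transitions
            if t["approved_by"] is not None and t["approved_by"] == t["reporter"]]

if __name__ == "__main__":
    for user, pairs in find_sod_violations(PERMISSION_EXPORT).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for issue in self_approvals(TRANSITIONS):
        print(f"Self-approval: {issue}")
```

Running the same check against a fresh export each quarter gives you the signed permission audit the checklist below asks for, with the matrix itself kept in Confluence as the source of truth.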

ISO 27001 Annex A 5.3 Segregation of Duties Audit Evidence Checklist

Auditors require records maintained by people, not generated by a platform, that prove human oversight and intent. They want to see the “why” behind your functional splits. Prepare these items:

  • A matrix on Confluence listing all conflicting responsibilities.
  • Meeting minutes discussing high-risk role assignments.
  • Jira workflow diagrams showing mandatory multi-person approvals.
  • Quarterly SharePoint permission audits signed by management.
  • Internal document versions showing role changes over time.

Relational Mapping

Annex A 5.3 supports A 5.2 Roles and Responsibilities. It links directly to A 8.2 Privileged Access Rights. It also informs A 8.3 Information Access Restriction. Segregation is a fundamental layer of the wider internal control system. It prevents the bypass of technical security gates.

Auditor Interview

Question: How do you prevent a developer from approving their own code?

Answer: We enforce a mandatory peer review transition in Jira.

Question: Where are the segregation rules recorded?

Answer: Our internal wiki hosts the segregation of duties matrix.

Question: How do you monitor access for overlapping duties?

Answer: We review SharePoint user permissions every three months.

Common Non-Conformities

Failure Mode          | Cause                                          | Auditor Finding
Automated Complacency | Relying on a SaaS platform green tick.         | Major NC: No evidence of internal procedural oversight.
Overlapping Access    | Admins have both operational and audit rights. | Major NC: Direct violation of segregation principles.
Informal Approvals    | Approvals occur in chat apps without logging.  | Minor NC: Failure to maintain documented information.

Frequently Asked Questions

How does the organisation define a conflict of interest?

The organisation defines conflicts where one person initiates and completes a sensitive task. We document these risks in a SharePoint list. Senior management reviews this list annually. This ensures the ISMS stays aligned with business goals. It prevents staff from hiding errors or fraud.

Can small teams comply with Annex A 5.3?

Small teams must use compensatory controls. If duties cannot be split, use increased logging, and have management review those logs in SharePoint. Document this decision in your risk treatment plan. This proves that you understand the risk profile and shows a risk-based approach to compliance.

Why use a matrix in Confluence for segregation?

A matrix provides a visual map of role boundaries. Confluence allows all staff to see their specific limits. It links roles to Jira groups. This keeps security integrated with daily operations. It is more effective than an external SaaS dashboard. Staff remain aware of their obligations.

LA CASA DE CERTIFICACIÓN