When it comes to fraud prevention and error reduction, one of the most effective tools in your security toolkit is the concept of “never letting one person hold all the keys.” In the world of ISO 27001, this is formally known as Segregation of Duties (SoD). If you are moving from the 2013 version of the standard to the 2022 update, you might be wondering if this fundamental principle has changed.
While the logic behind the control remains robust, the 2022 revision brings a new structure and more prescriptive guidance to help you implement it effectively. Let’s break down exactly what changed between the 2013 and 2022 versions for Annex A 5.3.
The Structural Shift: From A.6.1.2 to A.5.3
In the ISO 27001:2013 version, Segregation of Duties was listed as control A.6.1.2. As part of the massive consolidation in the 2022 update, this control has been renumbered to Annex A 5.3. It now sits within the “Organisational” theme, one of the four new categories that replaced the old 14 domains.
According to Hightable.io, this move into the Organisational category underscores that SoD is not just a technical “permissions” issue; it is a management and governance requirement. It’s about how your business is structured to prevent any single individual from being able to commit and then conceal an error or an act of fraud.
What Has Actually Changed in the Requirement?
The core objective of the control is unchanged: to reduce the risk of misuse of assets, fraud, or error. However, the 2022 version provides much clearer examples of where this segregation is most critical. In the 2013 version, the guidance was somewhat high-level. The 2022 update (aligned with the new ISO 27002:2022 guidance) explicitly points to activities that should be separated, such as:
- Change Management: The person who initiates or writes a change should not be the same person who approves it or deploys it to production.
- Access Rights: The person requesting access to a system should not be the one granting that access.
- Security Auditing: The person responsible for a security control should not be the one auditing its effectiveness.
This added detail makes it easier for organisations to identify “toxic combinations” of permissions that could lead to a security breakdown.
Addressing the “Small Team” Challenge
One of the most common questions regarding Annex A 5.3 is: “What if we are too small to have different people for every role?” The 2022 version acknowledges this reality more gracefully than its predecessor.
If your organisation is small and full segregation isn’t possible, the standard now places a stronger emphasis on compensating controls. As noted by Hightable.io, if you can’t separate the duties, you must implement alternative measures like increased logging, independent management reviews, or automated monitoring. The goal is to ensure that even if one person has the power to perform a task, there is a “second set of eyes” (even if digital) watching the activity. The caveat is that the second set of eyes must belong to someone other than the person doing the work: an audit log that only the privileged user reads, or an alert that only they receive, does not compensate for anything.
Implementation: How to Update Your ISMS
If you are transitioning to the 2022 version, you shouldn’t just change the number on your Statement of Applicability (SoA). You should take the opportunity to refine your processes:
- Identify Critical Activities: Map out your business processes (like payroll, system changes, or user provisioning) and identify where a single person has “end-to-end” control.
- Update Your RACI Matrix: Ensure your Responsibility Assignment Matrix clearly shows different people for the “Request” and “Approve” stages of sensitive tasks.
- Automate Where Possible: Use your software tools to enforce these rules. For example, configure your code repository so that a developer cannot merge their own pull request without a peer review, and check that the rule cannot be bypassed by the author approving their own change or by an administrator pushing directly to the protected branch.
- Document Your Exceptions: If you cannot segregate a duty, document why and show what extra monitoring you have put in place to manage the risk.
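The four steps above amount to one procedure: enumerate who holds which entitlements, test those entitlements against a list of toxic combinations and end-to-end process control, and then separate the conflicts you have removed from the ones you have knowingly accepted with a documented compensating control. The script below is an added example written for this page, not code from the standard, from Hightable.io, or from any particular IAM product. The entitlement names, the users, the toxic pairs and the exception register are all constructed for illustration; in practice the entitlement map would be loaded from an export of your identity provider or repository permissions.

```python
"""Segregation-of-duties (SoD) conflict check over an entitlement export.

Added example for this page. All data below is constructed: the entitlement
names mirror the activities the control guidance calls out (initiating versus
approving or deploying a change, requesting versus granting access, owning
versus auditing a control), but the users and assignments are fictional.
"""
from typing import Dict, List, Set, Tuple

# Toxic combinations: holding both entitlements lets one person perform
# and then conceal an error or fraud. Third field is the human-readable reason.
TOXIC_PAIRS: List[Tuple[str, str, str]] = [
    ("change.author", "change.approve", "author approves own change"),
    ("change.author", "change.deploy", "author deploys own change"),
    ("access.request", "access.grant", "requester grants own access"),
    ("control.owner", "control.audit", "owner audits own control"),
]

# Critical processes with their ordered steps; holding every step means
# "end-to-end control" of the process by a single person.
PROCESSES: Dict[str, List[str]] = {
    "change_management": ["change.author", "change.approve", "change.deploy"],
    "user_provisioning": ["access.request", "access.grant"],
}

# Constructed entitlement export: user -> set of entitlements held.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"change.author", "change.approve", "change.deploy"},
    "bob": {"change.author"},
    "carol": {"access.request", "access.grant"},
    "dave": {"control.owner", "control.audit"},
}

# Constructed exception register: (user, entitlement a, entitlement b) ->
# the documented compensating control. Only conflicts listed here are accepted.
EXCEPTIONS: Dict[Tuple[str, str, str], str] = {
    ("carol", "access.request", "access.grant"):
        "self-granted access alerts routed to the security lead; "
        "quarterly independent review of the access log",
}


def find_conflicts(entitlements: Dict[str, Set[str]],
                   toxic_pairs=TOXIC_PAIRS) -> List[Tuple[str, str, str, str]]:
    """Return (user, a, b, reason) for every toxic pair a user holds in full."""
    conflicts = []
    for user, perms in sorted(entitlements.items()):
        for a, b, reason in toxic_pairs:
            if a in perms and b in perms:
                conflicts.append((user, a, b, reason))
    return conflicts


def find_end_to_end(entitlements: Dict[str, Set[str]],
                    processes=PROCESSES) -> List[Tuple[str, str]]:
    """Return (process, user) where one user holds every step of a process."""
    hits = []
    for name, steps in processes.items():
        for user, perms in sorted(entitlements.items()):
            if set(steps) <= perms:
                hits.append((name, user))
    return hits


def classify(conflicts, exceptions=EXCEPTIONS):
    """Split conflicts into those that must be removed and those covered by
    a documented compensating control. Anything not in the register is
    unmitigated, so an undocumented exception is reported, not silently accepted."""
    unmitigated, mitigated = [], []
    for user, a, b, reason in conflicts:
        control = exceptions.get((user, a, b))
        if control:
            mitigated.append((user, a, b, reason, control))
        else:
            unmitigated.append((user, a, b, reason))
    return unmitigated, mitigated


def report(entitlements=ENTITLEMENTS) -> Dict[str, list]:
    """Run the full check and return the findings as a dict for review or export."""
    unmitigated, mitigated = classify(find_conflicts(entitlements))
    return {
        "unmitigated": unmitigated,
        "mitigated": mitigated,
        "end_to_end": find_end_to_end(entitlements),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(f"== {section} ==")
        for row in rows:
            print("  ", " | ".join(row))
```

Run against the constructed data, the check flags alice twice (she can author, approve and deploy changes, and so also holds end-to-end control of change management), dave once (he owns and audits the same control), and places carol's request/grant conflict in the mitigated list because the exception register carries a compensating control for it. The design choice worth noting is that exceptions are keyed per user and per pair and must be written down to count: the script reports every conflict it cannot match to a documented control, which is exactly the evidence an auditor asks for under step four.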

The Bottom Line
The transition from ISO 27001:2013 A.6.1.2 to ISO 27001:2022 Annex A 5.3 represents a shift from a “good idea” to a “structured requirement.” By providing more specific guidance on what to segregate and how to handle smaller teams, the 2022 version makes it easier for you to build a system that is resilient to both accidents and intentional insider threats.
