Segregation of Duties - ISO 27001 Annex A Control
ISO 27001 Annex A 5.3
One person doing everything is a control failure waiting to happen.
ISO 27001 Annex A 5.3 - Segregation of Duties
Segregation of duties is one of the oldest internal controls. The principle is that activities which together create a risk - approving and processing a payment, requesting and granting access, writing and approving code - should not be carried out by the same person without independent oversight.
In information security the typical examples are around access control, change management and audit. The person who requests system access should not be the same person who approves it. The person who writes and deploys a configuration change should not be the same person who reviews it. The person who administers the audit logs should not be able to alter their own activity in those logs.
Where strict segregation is not practical because of the size of the organisation or the nature of the role, the control allows for compensating measures. These typically include monitoring of activity, dual approval for high-risk actions, regular review of logs by an independent party, or rotation of duties. The point is that the residual risk is recognised and managed, not ignored.
When I audit segregation of duties I look at three areas in particular. Privileged access - who can grant it, who has it, who reviews it. Change management - who approves, who deploys, who tests. And audit logs - whether the people whose actions are being logged have any way to alter the logs.
In small organisations strict segregation is often impossible. That is fine as long as it is recognised, documented in the risk register, and there are compensating controls in place.
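One way to run the three checks described above over access, change and audit-log records, added here as an example (not part of the page or the alphaZ toolkit); the user names, record ids and the compensating control are constructed, and a conflict with a documented compensating control is reported as accepted risk rather than as a violation:

```python
# Constructed sample data (hypothetical users and ids, not from the page).
ACCESS_REQUESTS = [
    {"id": "AR-1", "requester": "alice", "approver": "bob"},
    {"id": "AR-2", "requester": "carol", "approver": "carol"},
]
CHANGES = [
    {"id": "CH-1", "author": "dave", "reviewer": "erin", "deployer": "dave"},
    {"id": "CH-2", "author": "frank", "reviewer": "frank", "deployer": "grace"},
]
# Accounts able to modify the audit log store, and the accounts whose
# actions those logs record.
LOG_ADMINS = {"heidi"}
LOGGED_SUBJECTS = {"alice", "dave", "heidi"}
# Compensating controls from the risk register, keyed by record id or by
# "audit_log:<account>". Conflicts without an entry are reported as violations.
COMPENSATING = {"CH-2": "dual approval by IT manager before deployment"}

# Role pairs that must not be held by the same person on one record.
CONFLICTS = {
    "access": [("requester", "approver")],
    "change": [("author", "reviewer"), ("deployer", "reviewer")],
}

def _status(key, compensating):
    return "accepted risk: " + compensating[key] if key in compensating else "violation"

def check_records(kind, records, compensating=COMPENSATING):
    """Return (record id, conflict, status) for each role conflict in records."""
    findings = []
    for rec in records:
        for a, b in CONFLICTS[kind]:
            if rec[a] == rec[b]:
                findings.append((rec["id"], f"{a} == {b} ({rec[a]})",
                                 _status(rec["id"], compensating)))
    return findings

def check_audit_logs(admins, subjects, compensating=COMPENSATING):
    """Log administrators must not be able to alter records of their own actions."""
    return [(f"audit_log:{acct}", "log administrator is also a logged subject",
             _status(f"audit_log:{acct}", compensating))
            for acct in sorted(admins & subjects)]

def sod_report():
    return (check_records("access", ACCESS_REQUESTS)
            + check_records("change", CHANGES)
            + check_audit_logs(LOG_ADMINS, LOGGED_SUBJECTS))

if __name__ == "__main__":
    for rec_id, conflict, status in sod_report():
        print(f"{rec_id}: {conflict} -> {status}")
```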
Practical Compliance Guidance
Segregation of duties arrangements are described in the IMS1 manual at section 2.2 alongside the named responsibilities. Where duties cannot be fully segregated, this is recorded with the compensating controls.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| P24 Access Control Policy | Sets out the rules for granting, reviewing and removing access. The segregation principles for access requests, approvals and privileged use sit within this policy. |
Note - all the above files can be downloaded with an alphaZ subscription.
