ISO27001 – Control 5.3 – Segregation of Duties


Conflicting duties and conflicting areas of responsibility should be segregated.

What this means

The purpose of this control is to ensure appropriate segregation of duties is in place to reduce the risks of fraudulent activities, human errors, and intentional bypassing of security controls that could compromise an organisation’s information assets.

In any organisation, there are certain roles and responsibilities that should never be combined under a single individual. This is because concentrating too many roles or privileges to one person can create a situation ripe for abuse or mistakes that can lead to data breaches, financial losses, and other damaging incidents.

The ISO 27001 standard provides guidance on the types of duties that typically require segregation, such as:

  • Initiating, approving, and executing changes to systems or infrastructure
  • Requesting, approving, and implementing user access rights
  • Developing software code and administering production systems
  • Using applications and managing the underlying databases
  • Designing security controls and auditing/assuring those controls

The key principle is to separate duties in a way that prevents a single person from having excessive power to carry out risky activities without oversight. By splitting up responsibilities, you create a system of checks and balances.

For example, the person who places an order for supplies, should not be the person making payment. This way someone is not able to order excessive, irrelevant or personal supplies and just pay for them. It’s a means of reducing the risk of fraud.

The person who develops a new software application should not be the same person administering the production servers that application runs on. Otherwise, that individual could potentially introduce malicious code without detection. As another example, user access setups should require separate individuals to request, approve, and implement new access privileges to minimise privilege creep.

The ISO 27001 standard acknowledges that smaller organisations may find it very challenging to fully segregate all conflicting duties due to limited staffing. In those cases, compensating controls such as monitoring, audit trails, and managerial supervision become critical.

Effective segregation of duties is a vital fraud prevention measure for protecting information security. While it requires careful design and maintenance, it is an essential safeguard that no organisation can afford to neglect.

If you want to talk about information security in your organisation then please book a free call here or email us here