ISO 27001 A.5.3: Segregation of duties
What This Control Requires
Conflicting duties and conflicting areas of responsibility shall be segregated.
In Plain Language
No single person should have end-to-end control over any critical process. If one individual can both make a change and approve it, you have a fraud risk, an error risk, and an audit finding waiting to happen.

In practice, this means the developer who writes the code should not be the one deploying it to production. The person requesting access should not be the one approving it. The admin managing access rights should not also be the one auditing them. This principle applies across IT operations, financial processes, and anywhere a single point of failure could cause real damage.

Small teams often struggle with this because there simply are not enough people. That is fine - but you must have compensating controls in place. Enhanced monitoring, detailed audit trails, management oversight, or periodic reviews can all fill the gap. The key is documenting where segregation is not possible and showing your auditor that you have thought it through.
How to Implement
Identify your critical business processes and IT operations where a conflict of interest could arise. Map out the process flows and look for spots where one person could abuse their access or authority. Focus on the high-risk areas first: financial transactions, access management, change management, and data handling.

Build a segregation of duties matrix that lists incompatible roles. Common separations include development vs. production operations, access request vs. access approval, transaction initiation vs. transaction authorisation, security admin vs. security audit, and backup operations vs. restoration testing.

Enforce segregation technically wherever you can. Use role-based access control in your systems to block users from holding conflicting roles. Configure your change management and ticketing tools to require a different approver than the requestor. Set up dual-control mechanisms for sensitive operations like cryptographic key management.

For smaller teams where full segregation is not realistic, document your compensating controls. Think mandatory holiday policies, job rotation, detailed activity logging with regular review, management spot-checks, and independent periodic audits. Make sure these controls are proportionate to the risk.

Review access rights and role assignments regularly to ensure segregation holds as people move around. Include segregation of duties checks in your internal audit programme. Train managers to spot and flag potential conflicts when assigning tasks.
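As an added example (not code from AuditFront or from the ISO 27001 standard), the Python below implements three of the technical checks described above: a scan of user role assignments against an incompatible-role matrix, a check that any conflict that cannot be removed is covered by a documented and recently reviewed compensating control, and a change-approval rule that rejects self-approval and enforces a distinct-approver count for dual control. All role names, user names, ticket IDs, the 90-day review window and the sample data are constructed assumptions.

```python
"""Segregation-of-duties (SoD) checks: role-conflict scan, compensating-control
coverage, and requester/approver separation for change requests.
Added example; all names and data below are constructed, not from any real system."""
from dataclasses import dataclass, field
from datetime import date

# The SoD matrix: each inner frozenset is a pair of roles one identity must not hold together.
SOD_MATRIX = frozenset({
    frozenset({"developer", "prod_deployer"}),
    frozenset({"access_requester", "access_approver"}),
    frozenset({"txn_initiator", "txn_authoriser"}),
    frozenset({"security_admin", "security_auditor"}),
    frozenset({"backup_operator", "restore_tester"}),
})


def find_role_conflicts(assignments, matrix=SOD_MATRIX):
    """Map each user to the sorted list of incompatible role pairs they hold at once."""
    conflicts = {}
    for user, roles in assignments.items():
        held = {tuple(sorted(pair)) for pair in matrix if pair <= set(roles)}
        if held:
            conflicts[user] = sorted(held)
    return conflicts


@dataclass
class CompensatingControl:
    """A documented exception for a conflict that cannot be removed (e.g. a two-person team)."""
    user: str
    roles: frozenset
    description: str
    last_reviewed: date


def unmitigated_conflicts(assignments, exceptions, today, max_review_age_days=90, matrix=SOD_MATRIX):
    """Conflicts with no compensating control, or whose control review is older than the window."""
    covered = {(e.user, frozenset(e.roles)) for e in exceptions
               if (today - e.last_reviewed).days <= max_review_age_days}
    result = {}
    for user, pairs in find_role_conflicts(assignments, matrix).items():
        open_pairs = [p for p in pairs if (user, frozenset(p)) not in covered]
        if open_pairs:
            result[user] = open_pairs
    return result


@dataclass
class ChangeRequest:
    ticket: str
    requester: str
    approvers: list = field(default_factory=list)


def check_change_approval(cr, required_approvals=1):
    """Return (ok, reason). Self-approval is rejected outright; dual control needs the
    required number of *distinct* approvers, none of whom is the requester."""
    if cr.requester in cr.approvers:
        return False, f"{cr.ticket}: requester {cr.requester} approved their own change"
    distinct = set(cr.approvers)
    if len(distinct) < required_approvals:
        return False, f"{cr.ticket}: {len(distinct)} independent approver(s), {required_approvals} required"
    return True, f"{cr.ticket}: approved by {sorted(distinct)}"


# Constructed sample data for a small team.
ASSIGNMENTS = {
    "alice": {"developer", "prod_deployer"},                      # dev/prod conflict
    "bob": {"access_requester", "access_approver", "developer"},  # can approve own access
    "carol": {"security_auditor"},                                # no conflict
    "dave": {"backup_operator", "restore_tester"},                # backup/restore conflict
}
EXCEPTIONS = [
    CompensatingControl("alice", frozenset({"developer", "prod_deployer"}),
                        "Two-person team: every production deploy is logged and reviewed weekly",
                        date(2024, 5, 1)),
    CompensatingControl("dave", frozenset({"backup_operator", "restore_tester"}),
                        "Restore tests witnessed by the IT manager", date(2023, 1, 1)),  # stale review
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print("conflicts:", find_role_conflicts(ASSIGNMENTS))
    print("unmitigated:", unmitigated_conflicts(ASSIGNMENTS, EXCEPTIONS, TODAY))
    for cr, n in [(ChangeRequest("CHG-1", "alice", ["alice"]), 1),
                  (ChangeRequest("CHG-2", "alice", ["bob", "bob"]), 2),
                  (ChangeRequest("CHG-3", "alice", ["bob", "carol"]), 2)]:
        print(check_change_approval(cr, n))
```

Run on the sample data, the scan flags alice, bob and dave; alice's conflict is accepted because her compensating control was reviewed within the window, dave's is reported as unmitigated because the review is stale, and bob's is reported because nothing is documented. The approval check also treats a duplicated approver as a single approver, which is the case that lets a "two approvals" rule be silently satisfied by one person.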
Evidence Your Auditor Will Request
- Segregation of duties matrix identifying incompatible roles and functions
- RBAC configuration showing enforcement of role separation in key systems
- Documentation of compensating controls where full segregation is not feasible
- Access review records demonstrating no conflicts in role assignments
- Change management records showing separate requestors and approvers
Common Mistakes
- Developers have direct access to production environments without controls
- Same person requests and approves their own access changes
- No formal analysis of which duties need to be segregated
- Compensating controls are not documented or regularly tested when segregation is impractical
- Admin accounts are shared among multiple personnel, eliminating individual accountability
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.1 | Related |
| SOC 2 | CC5.1 | Related |
| GDPR | Art.32 | Partial overlap |
| NIS2 | Art.21(2)(a) | Related |
Frequently Asked Questions
How do small organizations implement segregation of duties with limited staff?
What are the most critical duties that should be segregated?