Segregation of Duties
A governance control that divides critical functions and responsibilities among different individuals to prevent any single person from having the ability to authorize, execute, and conceal errors or fraud. Also known as separation of duties (SoD).
Segregation of duties (SoD) is a fundamental internal control principle that reduces the risk of error, fraud, and unauthorized actions by ensuring that no single individual has end-to-end control over a critical process. The concept originates from financial controls but applies broadly to information security. Classic examples include separating the ability to approve purchases from the ability to make payments, ensuring that developers cannot deploy their own code to production without independent review, and requiring that access provisioning requests are approved by someone other than the requester.
ISO 27001 Annex A control A.5.3 specifically requires segregation of duties, stating that conflicting duties and conflicting areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. SOC 2's requirements for logical access controls and change management inherently require appropriate segregation. NIS2's governance requirements for cybersecurity risk management measures benefit from SoD principles in ensuring that security decisions receive appropriate oversight. In technology due diligence, assessors evaluate whether development, testing, and production environments are appropriately separated and whether change management includes independent review and approval.
Implementing SoD in practice requires identifying critical processes and the key functions within them (authorization, execution, custody, recording, reconciliation), designing roles that distribute these functions among different individuals, and implementing technical controls (such as role-based access control) that enforce the segregation. In smaller organizations where personnel constraints make full segregation challenging, compensating controls such as detailed logging, regular management review of activities, and automated monitoring can partially mitigate the risk. SoD conflicts should be documented in the risk register, with compensating controls clearly identified. CI/CD pipelines, version control systems with branch protection rules, and approval workflows in ticketing systems are practical technical implementations of SoD in modern software organizations.
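The conflict analysis described above, as an added example that is not part of the original entry: roles grant the five key functions (authorization, execution, custody, recording, reconciliation) per critical process, and the checker flags any user whose combined roles give them more than one function over the same process, then subtracts conflicts that the risk register already covers with a compensating control. All role names, users and processes are constructed sample data.

```python
"""Detect segregation-of-duties conflicts in role-based access assignments."""

# The five key functions named in the text; a user who holds two or more of
# them over the same critical process has an SoD conflict.
FUNCTIONS = {"authorization", "execution", "custody", "recording", "reconciliation"}

# Constructed sample: each role grants a set of functions per critical process.
ROLES = {
    "purchase_approver": {"procurement": {"authorization"}},
    "ap_clerk": {"procurement": {"execution", "recording"}},  # pays and books
    "developer": {"release": {"execution"}},
    "release_reviewer": {"release": {"authorization"}},
    "iam_requester": {"access_provisioning": {"execution"}},
    "iam_approver": {"access_provisioning": {"authorization"}},
}

# Constructed sample user-to-role assignments (e.g. exported from an IdP).
ASSIGNMENTS = {
    "alice": ["purchase_approver", "ap_clerk"],
    "bob": ["developer", "release_reviewer"],
    "carol": ["developer"],
    "dave": ["iam_requester"],
}

# Constructed risk-register entries: accepted conflicts with a compensating control.
COMPENSATING = {("alice", "procurement"): "monthly management review of payment log"}


def effective_functions(user):
    """Union of functions per process across all of the user's roles."""
    eff = {}
    for role in ASSIGNMENTS.get(user, []):
        for process, funcs in ROLES[role].items():
            eff.setdefault(process, set()).update(funcs)
    return eff


def find_conflicts():
    """Map (user, process) -> sorted list of conflicting functions held together."""
    conflicts = {}
    for user in ASSIGNMENTS:
        for process, funcs in effective_functions(user).items():
            held = sorted(funcs & FUNCTIONS)
            if len(held) > 1:
                conflicts[(user, process)] = held
    return conflicts


def unmitigated_conflicts():
    """Conflicts with no documented compensating control; these need action."""
    return {k: v for k, v in find_conflicts().items() if k not in COMPENSATING}
```

Run against a real export, the same structure lets the unmitigated set be diffed on every review cycle so new conflicts introduced by role changes surface immediately.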
Related terms
Access Control
The set of policies, procedures, and technical mechanisms that govern who can access which information assets, systems, and resources. Access control ensures that only authorized individuals can view, modify, or interact with sensitive data and systems.
Change Management
A structured process for evaluating, approving, implementing, and documenting changes to information systems, infrastructure, and processes in a controlled manner that minimizes the risk of unintended disruptions or security vulnerabilities.
Risk Assessment
A structured process for identifying, analyzing, and evaluating information security risks. Risk assessments determine the likelihood and potential impact of threats to an organization's information assets, guiding decisions about which controls to implement.
Role-Based Access Control
An authorization model that assigns permissions to users based on their organizational roles rather than individual identities. RBAC simplifies access management by grouping permissions into roles such as administrator, editor, or viewer, and assigning users to the appropriate roles.