Segregation of duties in ISO 27001 refers to — in addition to Annex A control 6.1.2 — all practices where information and/or privileges required to carry out a certain process are broken into fragments. The fragments are then distributed among multiple persons or roles in such a way that a single person alone cannot perform or fully control that particular process. The point of segregation is especially to reduce risk associated with unintentional or intentional misuse of the organisation’s assets.
Segregation of duties can be implemented by applying certain principles. The applied principle depends on the task qualification, expected outcome and various conditions that may affect performance.
There are four principles.
Applying the principles
These principles can additionally be applied e.g. on business unit or organizational level. There is no absolute requirement to divide tasks between natural persons only; on an upper level, teams or companies (e.g. within a concern) can be included as well.
Per ISO 27002 guidance it should be taken care of at all times that “no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization.”
If segregation cannot be applied, compensating controls must be put in place to prevent abuse – such as sufficiently accurate audit logging with integrity verification.
How it is done in practice
The first step is to identify important functions and dangerous work combinations. All those, in which an individual could by acting alone cause significant harm to the organization. The functions are then divided into phases and identified who is responsible for which phase.
Overlapping responsibilities and conflicts of interest over the stages of a certain activity must be identified. Such conflicts should be avoided. In addition, it must be checked whether a particular person has full control over a process or its execution.
The segregation of duties is documented, applying the principles mentioned earlier. Responsibilities will be communicated to those involved in performing the work and appropriate training provided to perform the tasks.
Consistency and support functions
Access rights and authorizations should support the implementation of segregation of duties. This means that in addition to not being allowed to perform certain steps, a person should not be able to do so. It is therefore necessary to ensure that granted access rights are not overly extensive.
The produced documentation must be consistent with other ISMS documentation. Particular attention should be paid on everything that is recorded about security roles and responsibilities. In addition, risk assessment also influences segregation of duties; its timeliness and accuracy should be strictly taken care of.
The average life expectancy of an ISO standard is about five years, at a time. When the hourglass has run out of sand, a voting will take place to decide whether to maintain the ISO standard as-is, revise it or withdraw the standard altogether.
All organizations are unique in their security needs and capabilities, and ISO 27001 does not seek to change that fact. The standard guides the adoption of appropriate processes and practices to improve, clarify, and maintain information security as an integral part of day-to-day operations.