ISO 27001:2022 Annex A Control 5.3

Segregation of Duties

Book a demo

teamwork,together,professional,occupation,concept

The purpose of ISO 27001:2022 Annex A 5.3 – segregation of duties in the form of functional separation is to establish a management framework that will be used to initiate and control the implementation and operation of information security within a company.

According to ISO 27001:2022 Annex A control 5.3, previously known as 6.1.2 in ISO 27001:2013, conflicting duties and conflicting areas of responsibility are separated.

An organisation should consider and implement appropriate segregation of duties as part of the risk evaluation and treatment process. While smaller organisations may have difficulty with this, the principle should be applied as much as possible and proper governance and controls put in place for information assets with a higher risk/higher value.

To reduce the likelihood of unauthorised or unintentional modification or misuse of the organisation’s assets, conflicting duties and areas of responsibility need to be segregated.

Conflicting Duties and Areas of Responsibilities Explained

Almost every organisation has a set of policies and procedures that govern its internal operations. These policies and procedures are supposed to be documented, but this is not always the case.

There exists a danger that employees will become confused about their areas of responsibility if the P&Ps are not transparent or well-communicated. This becomes even more problematic when employees have overlapping or conflicting areas of responsibility.

Occasionally, conflicts can arise when employees have responsibilities related to a particular task that are similar or differing. As a result, employees may do the same thing twice or perform different functions that cancel out the efforts of others. This wastes corporate resources and reduces productivity, adversely affecting the company’s bottom line and morale.

This problem can be avoided by ensuring that your organisation does not experience conflicting areas of responsibility and knowing why and what you can do to prevent them. For the most part, this means separating duties so that different people handle different organisational roles.

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

What Is The Purpose of ISO 27001:2022 Annex A 5.3?

In ISO 27001, Control 5.3 Segregation of Duties aims to separate conflicting duties. This reduces the risk of fraud and error and bypasses information security controls.

Annex A Control 5.3 Explained

In accordance with ISO 27001, Annex A Control 5.3 describes the implementation guidelines for segregating organisational tasks and duties.

By delegating sub-tasks to different individuals, this principle creates a system of checks and balances that can reduce the likelihood of errors and fraud occurring.

The control is designed to prevent a single person from being able to commit, conceal, and justify improper actions, thereby reducing the risk of fraud and error. It also prevents a single person from overriding information security controls.

In cases where one employee has all the rights required for the task, fraud and errors are more likely to occur. This is because one person can perform everything without any checks and balances. There is, however, a reduced risk of significant harm or financial loss from an employee when no single person has all the access rights required for a particular task.

What’s Involved and Requirements of Annex A 5.3

In the absence of proper separation of duties and responsibilities, fraud, misuse, unauthorised access, and other security issues may arise.

Additionally, segregation of duties is required to mitigate the risks of collaboration between individuals. These risks are increased when insufficient controls prevent or detect collusion.

As part of ISO 27001:2022, the organisation should determine which duties and responsibilities need to be separated and implement actionable separation controls.

Whenever such controls are not possible, particularly for small organisations with a limited number of employees, activity monitoring, audit trails, and management supervision can be used. Using automated tools, larger organisations can identify and segregate roles to prevent conflicting roles from being assigned.

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022’s Annex A control 5.3 Segregation of Duties is a revised version of ISO 27001:2013’s Annex A control 6.1.2 Segregation of Duties.

Annex A 5.3 ISO 27001:2022 and Annex A 6.1.2 ISO 27001:2013 describe the same basic characteristics of the control “Segregation of duties”. However, the most recent version defines a number of activities that require segregation during implementation.

Among these activities are:

a) initiating, approving and executing a change;

b) requesting, approving and implementing access rights;

c) designing, implementing and reviewing code;

d) developing software and administering production systems;

e) using and administering applications;

f) using applications and administering databases;

g) designing, auditing and assuring information security controls.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Has Ownership of Annex A 5.3?

Several individuals are responsible for the segregation of duties in ISO 27001, beginning with a senior management team member. This individual is responsible for ensuring that the initial risk assessment has taken place.

As a result, other groups of qualified employees should be assigned processes that apply to different parts of the organisation. Order to prevent rogue employees from undermining company security is usually done by assigning tasks to other work units and departmentalising IT-related operations and maintenance activities.

The separation of duties cannot be established correctly without an effective risk management strategy, an appropriate control environment, and an appropriate IT audit programme.

Use ISMS.online to Your Advantage

ISO 27001:2022 only requires you to update your ISMS processes to reflect the improved Annex A controls, and if your team can’t manage this, ISMS.online can.

In addition to DPIA and other related personal data assessments, like LIAs, ISMS.online provides simple, practical frameworks and templates for information security.

With ISMS.online, you can document information security management system procedures and checklists to ensure compliance with ISO 27001, automating the implementation process.

ISMS.online lets you:

  • Create an ISMS that is compatible with ISO 27001 standards.
  • Perform tasks and submit proof indicating they have met the standard’s requirements.
  • Allocate tasks and track progress toward compliance with the law.
  • Get access to a specialised team of advisors to assist you throughout your path towards compliance.

By using our cloud-based platform, you can centrally manage checklists, interact with colleagues, and use a comprehensive set of tools to help your organisation create and maintain an ISMS.

Get in touch today to book a demo.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Say hello to ISO 27001 success

Get 81% of the work done for you and get certified faster with ISMS.online

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.