ISO 27002:2022 control 5.3 — Segregation of Duties, formerly known as control 6.1.2 in ISO 27002:2013 defines the system by which conflicting duties and conflicting areas of responsibility are separated.
Every organisation has a set of policies and procedures (P&Ps) that govern its internal workings. P&Ps are supposed to be documented, but often they’re not.
If these P&Ps are not clear or well-communicated, the result is confusion among employees about their areas of responsibilities. This can get even worse when employees have overlapping responsibilities, or conflicting areas of responsibility.
Conflicts can occur when two or more employees have similar or different responsibilities towards a particular task. When this happens, the employees may end up doing the same thing twice, or doing different things that cancel out each other’s efforts. This wastes corporate resources and reduces productivity, which affects both the company’s bottom line and morale.
In order to make sure that your organisation does not suffer from this problem, it is important to understand what conflicting areas of responsibilities are, why they happen and how you can prevent them from occurring in your organisation. For the most part, this means separating duties so that different people handle different roles in the organisation.
Controls are classified according to their attributes. Attributes help you align your control selection with industry standards and language. In control 5.3 these are:
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Governance #Identity and access management | #Governance and Ecosystem |
The purpose of control 5.3 Segregation of Duties in ISO 27002 is to reduce the risk of fraud, error and bypassing of information security controls by ensuring that conflicting duties are separated.
Control 5.3 covers the implementation guidance for segregation tasks and duties in an organisation in line with the framework of ISO 27001.
The principle involves breaking down key tasks into subtasks and assigning them to different people. This creates a system of checks and balances that can reduce the risk of errors or fraud.
The control is designed to prevent a single person from being able to commit, conceal and justify improper actions, thus decreasing the risk of fraud or error. It also prevents a single person from being able to override information security controls.
If one employee has all rights required for a particular task then there is a higher risk of fraud or error since one person can do everything without any checks and balances. However if no single person has all access rights required for a particular task, this reduces the risk that an employee can cause significant harm or financial loss.
Duties and areas of responsibilities that are not segregated could lead to fraud, misuse, inappropriate access and other security incidents.
In addition, segregation of duties is needed to mitigate the risks associated with the potential for collusion between individuals. These risks are increased when there are insufficient controls to prevent or detect collusion.
In order to meet the requirements for control 5.3 in ISO 27002:2022, the organisation should determine which duties and areas of responsibility need to be segregated and actionable segregation controls put in place.
Where such controls are not possible, particularly for small organisations with minimal staff strength, activities monitoring, audit trails and management supervision can be used. For larger organisations, automated tools can be used to identify and segregate roles so that conflicting roles are not assigned to people.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
The control number 5.3 Segregation of Duties in ISO 27002:2022 is not a new control. It is simply an improved version of control 6.1.2 Segregation of duties found in ISO 27002:2013.
The basics of Segregation of duties is the same in both control 5.3 ISO 27002:2022 and control 6.1.2 ISO 27002:2013. However, the new version describes a set of activities that require segregation when implementing this control.
These activities are:
a) initiating, approving and executing a change;
b) requesting, approving and implementing access rights;
c) designing, implementing and reviewing code;
d) developing software and administering production systems;
e) using and administering applications;
f) using applications and administering databases;
g) designing, auditing and assuring information security controls.
There are multiple people who are responsible for segregation of duties in ISO 27002. First, a senior member of the management team should be involved to make sure that the initial risk assessment has been completed.
Then the processes that cover different parts of the organisation should be allocated to different groups of qualified employees. To prevent rogue employees from undermining company security this is usually done by assigning tasks to different work units and departmentalise the IT-related operations and maintenance activities.
Finally, segregation of duties cannot be established correctly without an appropriate IT audit programme, an effective risk-management strategy, as well as by an appropriate control environment.
The new ISO 27002:2022 standard does not require you to do much other than upgrade your ISMS processes to reflect the improved controls. And if your team cannot manage this, ISMS.online can help you.
ISMS.online streamlines the ISO 27002 implementation process by providing a sophisticated cloud-based framework for documenting information security management system procedures and checklists to assure compliance with recognised standards.
When you use ISMS.online, you will be able to:
Thanks to our cloud-based platform, it is now possible to centrally manage your checklists, interact with colleagues, and use a comprehensive set of tools to help your organisation create and operate an ISMS in accordance with worldwide best practices.
Get in touch today to book a demo.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
