This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.5.3 segregation of duties
ISO 27001: 2022 Control Description
Conflicting duties and areas of responsibility shall be segregated.
Purpose
To reduce the risk of fraud, errors, and bypassing information security controls.
Guidance on Implementation
The aim of segregating duties and areas of responsibility is to ensure that conflicting tasks are handled by different individuals, preventing any single person from performing conflicting duties alone. The organisation should identify which duties and responsibilities require segregation. Examples of activities that may need segregation include:
a) Initiating, approving, and executing a change;
b) Requesting, approving, and implementing access rights;
c) Designing, implementing, and reviewing code;
d) Developing software and administering production systems;
e) Using and administering applications;
f) Using applications and administering databases;
g) Designing, auditing, and assuring information security controls.
When designing segregation controls, the possibility of collusion should be taken into account. Although small organisations may find it challenging to segregate duties, the principle should be applied as much as possible. If segregation is difficult, other controls, such as monitoring activities, maintaining audit trails, and implementing management supervision, should be considered.
Care is necessary when using role-based access control systems to prevent assigning conflicting roles to individuals. With a large number of roles, organisations should consider using automated tools to identify and resolve conflicts. Roles must be carefully defined and managed to minimise access issues if a role is removed or reassigned.