• Segregation of duties in ISO 27001
Saku Tuominen

Saku Tuominen

Author works as information security and privacy specialist at Mint Security. He brings two decades of professional experience to the table.

Segregation of duties in ISO 27001 refers to — in addition to Annex A control 6.1.2 — all practices where information and/or privileges required to carry out a certain process are broken into fragments. The fragments are then distributed among multiple persons or roles in such a way that a single person alone cannot perform or fully control that particular process. The point of segregation is especially to reduce risk associated with unintentional or intentional misuse of the organisation’s assets.

Principles

Segregation of duties can be implemented by applying certain principles. The applied principle depends on the task qualification, expected outcome and various conditions that may affect performance.

There are four principles.

1. Sequential separation

Applies when a function or task is divided into several steps, performed by different people.

Example: requesting and granting privileges and permissions

3. Spatial separation

Applied when various steps of a function are performed in multiple locations.

2. Individual separation

Applied when the function must be approved by two persons before it can be implemented. The possibility of collusion should be taken into account.

Example: accepting and paying purchase invoices

4. Factorial separation

Applies when several factors affect the performance of a function.

Example: multi-factor authentication

Applying the principles

These principles can additionally be applied e.g. on business unit or organizational level. There is no absolute requirement to divide tasks between natural persons only; on an upper level, teams or companies (e.g. within a concern) can be included as well.

Per ISO 27002 guidance it should be taken care of at all times that “no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization.”

If segregation cannot be applied, compensating controls must be put in place to prevent abuse – such as sufficiently accurate audit logging with integrity verification.

How it is done in practice

The first step is to identify important functions and dangerous work combinations. All those, in which an individual could by acting alone cause significant harm to the organization. The functions are then divided into phases and identified who is responsible for which phase.

Overlapping responsibilities and conflicts of interest over the stages of a certain activity must be identified. Such conflicts should be avoided. In addition, it must be checked whether a particular person has full control over a process or its execution.

The segregation of duties is documented, applying the principles mentioned earlier. Responsibilities will be communicated to those involved in performing the work and appropriate training provided to perform the tasks.

Consistency and support functions

Access rights and authorizations should support the implementation of segregation of duties. This means that in addition to not being allowed to perform certain steps, a person should not be able to do so. It is therefore necessary to ensure that granted access rights are not overly extensive.

The produced documentation must be consistent with other ISMS documentation. Particular attention should be paid on everything that is recorded about security roles and responsibilities. In addition, risk assessment also influences segregation of duties; its timeliness and accuracy should be strictly taken care of.

Saku Tuominen

Saku Tuominen

Author works as information security and privacy specialist at Mint Security. He brings two decades of professional experience to the table.

contact us

Please do contact us. We most likely respond faster than you thought,