How to implement Segregation of Duties in ISO 27001

What is segregation of duties in ISO 27001?

The purpose of segregation of duties in ISO 27001 is to ensure that a single point of compromise does not have significant impacts on the business. The risk being that if a single post is responsible for highly privileged actions and is not monitored or controlled, then compromise of that role could result in disastrous impacts to the organisation. For example, malicious system or network admins managing the network could greatly disrupt or leak highly sensitive data if not controlled and monitored through controls.

To be compliant with this requirement, the organisation must be able to demonstrate that highly privileged role functions and conflicting duties/areas of responsibility are sufficiently segregated. For example, this may be achieved by providing additional layers of authorization for privileged tasks such as issuing or revoking user accounts, or system management functions. A two-man rule might be appropriate in certain circumstances, in others it may be appropriate to provide an extra layer of authorization before a task can be carried out supported by enhanced monitoring of user operations. This provides a defense in depth approach and means that any unauthorized activity can be tracked, monitored and alerted upon.

segregation of duties in iso 27001

How can segregation of duties be achieved for small organisations?

Segregation of duties can be difficult to achieve for smaller organisations with limited staff members, but controls should be put into place as much as possible to reduce the risk of a single point of compromise. You should risk assess the likelihood of a privileged activity causing a major impact to the business and build controls to reduce this likelihood or minimize the impact. For example, alerting privileged activities conducted outside of business hours or only permitting privileged activities from a specific terminal once approved by senior management.

However your organisation aims to achieve compliance with this control, it is imperative that as fewer single individuals can access, modify or cause impact to assets as possible. It is worth considering how much of an impact a single individual could cause given the right motivation, and then designing compensating controls to prevent that. Segregation of duties forms just one of these controls, but is equally as important as other technical controls.

Filed in: A.6.1 Internal Organization Tags: , ,

Get Updates

Recent Posts

Leave a Reply

Submit Comment

© ISO27001 Guide. All rights reserved.