Annex A 5.3 Segregation of duties follows directly on from the previous control, A5.2 Roles and Responsibilities. Identifying roles is a big part of what you need to do here, but it's not the whole story.
Let's take a close look at what segregation of duties is actually asking for.
What does the standard require?
The standard states that "Conflicting duties and conflicting areas of responsibility should be segregated." (A5.3 Segregation of duties)
Why is this required?
According to the standard the purpose of this control is “to reduce the risk of fraud, error and bypassing of information security controls.”
Remember that ISO27001 is a risk-based management system, so this is about reducing the risk of three things:
· Fraud
· Error
· Bypassing of security controls
For example, you don't want the person who develops an application or service to also be the person who tests it. The chance that they miss something in their own work (leading to errors) is a risk that needs to be managed.
You also don't want the person who raises invoices to be the same person who signs them off, because that combination creates a risk of fraud or error.
What the auditor is looking for
As always, don't over-complicate this. In smaller organisations this is difficult because people play multiple roles, so it's important to identify where it is not possible to segregate roles and put those cases on your risk register.
The auditor will check that you have identified any roles which conflict. If there are conflicts you can't do anything about, add them to the risk register, ideally with the compensating controls you apply instead.
The auditor will also be looking for some form of 'Role Based Access Control' (RBAC) process. This ensures that access to systems and services is allocated based on the role someone plays in your organisation, rather than on who asked for it.
Here's how to create one:
1) Create a simple Word or Excel document that outlines the key roles in your organisation (use the information you obtained in "A5.2 Roles and Responsibilities")
2) List the systems and applications each role needs access to
3) Audit your current team against that list and see whether anyone has more access than their role needs
4) Add a quarterly or six-monthly review to check that access still matches roles
For example, your RBAC sheet might look like this:
· Finance Manager
o Accounting Software package
o Admin Rights to All Bank accounts
o Finance Folders on SharePoint
· Finance Support
o Accounting Software package
o Finance Folders on SharePoint
· HR Manager
o HR Admin Rights to HR Software
o HR Folders on SharePoint
o Bank Accounts (for payroll)
· Senior Developer
o Design Specification
o Secure coding review
o Testing
o Quality Assurance
· Developer
o Coding
o Testing
You can use the Word or Excel document you created for every new member of the team, and again when someone moves role or leaves. This ensures access is granted, changed and removed in a structured way rather than accumulating over time.
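Steps 2 to 4 are easy enough by hand for a handful of people, but the same sheet can be checked mechanically, which makes the quarterly review repeatable. The following Python script is an added example, not code from the original article. It encodes a role-to-entitlement sheet modelled on the sample above, a list of conflicting duty pairs taken from the examples earlier on this page (raising versus approving invoices, coding versus testing), and a constructed set of user records holding the access each system actually grants today. It reports access that none of a person's roles justify (step 3), people who hold both halves of a conflict (the risk-register cases), and, as a check on the sheet itself, any single role that has been given both halves of a conflict, which the sample Developer row (Coding plus Testing) triggers. All user names and records are constructed for illustration.

```python
"""Access review against an RBAC sheet, with segregation-of-duties checks.

Added example, not code from the original article. The roles, entitlements,
conflict pairs and user records are constructed for illustration; the
entitlement names follow the article's sample RBAC sheet.
"""

# The RBAC sheet: role -> entitlements that role legitimately needs.
ROLE_ENTITLEMENTS = {
    "Finance Manager": {"Accounting software", "Bank admin (all accounts)",
                        "Finance SharePoint", "Approve invoices"},
    "Finance Support": {"Accounting software", "Finance SharePoint",
                        "Raise invoices"},
    "HR Manager": {"HR software admin", "HR SharePoint", "Bank access (payroll)"},
    "Senior Developer": {"Design specification", "Secure coding review",
                         "Testing", "Quality assurance"},
    "Developer": {"Coding", "Testing"},
}

# Conflicting duties under A5.3: no one person should hold both halves.
SOD_CONFLICTS = [
    ("Raise invoices", "Approve invoices"),    # fraud or error in finance
    ("Coding", "Testing"),                     # developer testing their own work
    ("Coding", "Secure coding review"),        # developer reviewing their own work
]

# Constructed user records: roles assigned in the sheet, plus what the
# systems actually grant today (what an access audit pulls from each system).
USERS = {
    "alice": {"roles": ["Finance Manager"],
              "actual": {"Accounting software", "Bank admin (all accounts)",
                         "Finance SharePoint", "Approve invoices"}},
    "bob":   {"roles": ["Finance Support"],
              "actual": {"Accounting software", "Finance SharePoint",
                         "Raise invoices",
                         "Bank admin (all accounts)"}},   # leftover grant
    "carol": {"roles": ["Finance Support", "Finance Manager"],  # small team, two hats
              "actual": {"Accounting software", "Finance SharePoint",
                         "Raise invoices", "Approve invoices",
                         "Bank admin (all accounts)"}},
    "dave":  {"roles": ["Senior Developer"],
              "actual": {"Design specification", "Secure coding review",
                         "Testing", "Quality assurance",
                         "Coding"}},                      # kept from a previous role
}


def expected_entitlements(roles):
    """Union of what the sheet says the user's roles need."""
    expected = set()
    for role in roles:
        expected |= ROLE_ENTITLEMENTS[role]
    return expected


def excess_access(user):
    """Grants a user holds that none of their roles justify (step 3)."""
    record = USERS[user]
    return record["actual"] - expected_entitlements(record["roles"])


def conflicts_in(entitlements):
    """Conflict pairs that are both present in one set of entitlements."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= entitlements]


def sod_conflicts(user):
    """Conflicts a person actually holds, whether via roles or stray grants."""
    return conflicts_in(USERS[user]["actual"])


def role_conflicts():
    """Conflicts built into the sheet itself: one role given both halves."""
    return {role: conflicts_in(ents)
            for role, ents in ROLE_ENTITLEMENTS.items() if conflicts_in(ents)}


def review():
    """One pass over all users; returns only those with something to action."""
    findings = {}
    for user in USERS:
        excess = excess_access(user)
        conflicts = sod_conflicts(user)
        if excess or conflicts:
            findings[user] = {"excess": sorted(excess), "conflicts": conflicts}
    return findings


if __name__ == "__main__":
    for role, pairs in role_conflicts().items():
        print(f"SHEET: role '{role}' holds both halves of {pairs}")
    for user, finding in review().items():
        for ent in finding["excess"]:
            print(f"{user}: remove '{ent}' (not needed by {USERS[user]['roles']})")
        for left, right in finding["conflicts"]:
            print(f"{user}: SoD conflict '{left}' + '{right}' "
                  "-> segregate, or record on the risk register")
```

Excess access is reported from the actual grants rather than from the sheet, because the sheet only tells you what someone should have; the leftover bank admin right on a support account is exactly the kind of thing the step 3 audit exists to find. Where a conflict cannot be removed (carol holding both finance roles in a small team), the output line is what you copy into the risk register along with the compensating control you choose.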
Q & A for A5.3 Segregation of duties
What’s the biggest mistake people make with this control?
Not having any RBAC process, and not identifying the roles that might present a conflict of interest or could lead to a security incident.
What happens if one person has to perform more than one role?
That's fine, as long as you've identified that this is the case and noted it on the risk register. You may also put in additional controls (for example, a second person approving key transactions) to ensure the risk is reduced and managed effectively.
Should we include this as ‘Applicable’ control?
Yes. Even if you are a sole trader, it is still important to identify where there might be conflicts of interest and where you might therefore need to segregate roles or compensate for the fact that you can't. Remember this is all about risk, and it's about being pragmatic.
Difficulty rating
We rate this a 2 out of 5 difficulty rating. This means that it requires minimal technical skill to satisfy the requirement.
More questions?
Just remember that nothing in ISO27001 sits in isolation, so you should review our ISO27001 FAQ for answers on other aspects of the standard. If you're still unsure how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we'll be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.