Addressing Segregation of Duties in ISO 27001

This post continues the series covering Annex A of ISO 27001. Annex A is what truly differentiates ISO 27001 from other ISO standards. The third control in Annex A covers the segregation of duties. This post defines what that phrase means and identifies ways to meet the objective in your organization. Remember, the first and most important step in ISO 27001 compliance is to download the official documentation.

Segregation of Duties: Definition

Segregating duties appears in risk management plans across many industries. The general idea is to ensure that no single person or department carries all responsibility for securing data or key processes (including sensitive data such as CUI in the case of CMMC), so that each person involved in protecting data or policies has the opportunity to check the work of others. This reduces the risk of accidental errors as well as of intentional attempts to interfere with information security.

Two Methods for Segregating Duties

How does an organization ensure the segregation of duties in the context of ISO 27001? Here are a couple of ideas.

  1. Break a single process into multiple steps, with a different person or department responsible for completing each of the steps.

  2. Create a multi-person approval process. For example, once the team has completed all of the steps tied to a process, the end result or report travels to two separate people for review and approval. Two reviewers again facilitate cross-checking and adding levels of security.
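The two methods above can be checked mechanically against a process record. The following is an added example (not from the original post or from the ISO standard) that models a process as a list of step/actor pairs and flags any actor who performed more than one step, any approver who also worked on the process, and any process with fewer than two independent approvers. The process steps and names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Action:
    step: str    # a process step name, or "approve" for the review/approval stage
    actor: str   # the identity that carried out the step


def sod_violations(actions, required_approvers=2):
    """Check one process record against both segregation methods.

    Method 1: no single identity performs more than one step.
    Method 2: at least `required_approvers` distinct approvers, none of whom
    performed a step in the same process.
    Returns a list of violation messages; an empty list means the record passes.
    """
    violations = []
    steps_by_actor = {}
    approvers = set()
    for a in actions:
        if a.step == "approve":
            approvers.add(a.actor)
        else:
            steps_by_actor.setdefault(a.actor, []).append(a.step)
    for actor, steps in steps_by_actor.items():
        if len(steps) > 1:
            violations.append(f"{actor} performed multiple steps: {', '.join(steps)}")
    for actor in sorted(approvers):
        if actor in steps_by_actor:
            violations.append(f"{actor} approved a process they also worked on")
    independent = approvers - set(steps_by_actor)
    if len(independent) < required_approvers:
        violations.append(
            f"only {len(independent)} independent approver(s); {required_approvers} required")
    return violations


# Constructed sample: an access-provisioning process with separate request,
# build and test steps, followed by two-person approval.
COMPLIANT = [
    Action("request", "alice"), Action("build", "bob"), Action("test", "carol"),
    Action("approve", "dave"), Action("approve", "erin"),
]
# Same process, but bob both builds and tests, and alice approves her own
# request, leaving dave as the only independent approver.
NON_COMPLIANT = [
    Action("request", "alice"), Action("build", "bob"), Action("test", "bob"),
    Action("approve", "alice"), Action("approve", "dave"),
]

if __name__ == "__main__":
    for label, rec in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, sod_violations(rec) or "passes")
```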

Plan and Document

Segregating duties for information security does not equate to drawing department names or individual names out of a hat. Part of the process is to determine whose skills best match the required activities. A responsibility matrix not only clarifies these roles but also reminds all team members to document who oversees what and how each process needs to work.

My Company is Too Small to Divide Tasks

Small companies may find the segregation of duties difficult because there are fewer people. There may not even be separate departments. If this is the case in your organization, strive to break down tasks to the best of your ability. For example, having management supervise a process helps ensure that the review and the approval are carried out by two different people. The standard asks you to adhere to this principle to the best of your ability.

What Questions Do You Have About ISO 27001?

If ISO 27001 compliance now sits on a front burner for your company, contact us today to schedule a meeting. We can discuss your company’s specific concerns and also serve as your ISO 27001 accredited auditor.