Segregation of Duties
Plain English Translation
Segregation of duties (SoD) is the concept of dividing critical business tasks among different people to ensure no single individual has the power to execute a high-risk action entirely on their own. By separating conflicting duties—such as requesting a payment and authorizing it—organizations drastically reduce the risk of fraud, theft, and unintentional errors. In ISO 27001:2022, this organizational control ensures that checks and balances are built into your processes, requiring collaboration for sensitive operations.
Technical Implementation
Required Actions (startup)
- Identify the most critical risks (e.g., bank access, prod deployment).
- Implement compensating controls like mandatory code reviews and CEO sign-off on payments if staffing is limited.
- Ensure no single engineer has unmonitored root access to all systems.
Required Actions (scaleup)
- Formalize Role-Based Access Control (RBAC) to enforce boundaries.
- Create a Segregation of Duties (SoD) matrix identifying conflicting roles.
- Separate access to development, testing, and production environments.
Required Actions (enterprise)
- Automate SoD enforcement within Identity and Access Management (IAM) systems.
- Conduct regular internal audits of user access rights against the SoD matrix.
- Implement automated provisioning that flags SoD violations before access is granted.
Segregation of duties (SoD) is an organizational control (A.5.3) requiring that conflicting responsibilities are separated to reduce the risk of fraud or error. It ensures that no single person can initiate, approve, and execute a critical process (like a financial transaction or code deployment) without oversight.
Start by identifying conflicting duties in your processes (e.g., development vs. deployment). Create an SoD matrix mapping these conflicts. Use Role-Based Access Control (RBAC) to technically enforce these separations. Where headcount is limited, implement compensating controls like detailed activity logging and independent management reviews. In practice, teams often use a system of record to assign owners, schedule access reviews, and store evidence; WatchDog Security's Compliance Center can map A.5.3 to tasks and collect artifacts like RBAC screenshots, access-review records, and log review sign-offs.
Common examples include: requesting vs. approving payments; developing code vs. deploying code to production; managing user access vs. auditing user access logs; and initiating a purchase order vs. authorizing the receipt of goods.
Small organizations often cannot have different people for every task. In these cases, use 'compensating controls'. This includes robust logging of all privileged activities, mandatory peer reviews for code or configuration changes, and regular retrospective reviews of sensitive actions by management or an external party. Document the exception, rationale, and review frequency so auditors can see the control is still operating; WatchDog Security's Risk Register can capture these SoD exceptions with owners and treatment plans, while WatchDog Security's Compliance Center can link them to A.5.3 evidence.
Effective compensating controls include: Enabling immutable audit logs for all critical actions; requiring multi-party authorization (e.g., dual-sign-off) for high-risk tasks; conducting frequent managerial reviews of access logs; and using automated alerts for anomalous activities. WatchDog Security's Compliance Center can help structure these as recurring review tasks and store log-review attestations and approvals as audit-ready evidence.
Provide an Access Control Policy that mandates SoD. Show your RBAC configuration or an SoD matrix that defines conflicting roles. Provide organization charts showing reporting lines. Crucially, show evidence of access reviews and audit logs demonstrating that these rules are actually enforced in practice. Using WatchDog Security's Compliance Center, you can centralize the SoD matrix, access-review outcomes, and log-review attestations as evidence items, and share auditor-ready exports via WatchDog Security's Secure File Sharing when needed.
In ISO 27001:2022, A.5.3 is the control for 'Segregation of duties', focusing on splitting conflicting tasks. Clause 6.1.2 refers to the 'Information security risk assessment' process itself. (Note: In the older 2013 version, A.6.1.2 was the code for Segregation of Duties, but this has moved to A.5.3 in the 2022 revision).
Role-Based Access Control (RBAC) allows you to define specific permissions for roles (e.g., 'Developer', 'Admin') rather than individuals. By ensuring that the 'Developer' role does not have the permissions of the 'Admin' role, and preventing one user from holding both roles simultaneously, RBAC technically enforces the segregation defined in your policy. Tools like WatchDog Security's Asset Inventory can support this by mapping identities and privileged roles across cloud and SaaS so conflicting assignments are easier to detect during access reviews.
SoD often degrades over time as users accumulate permissions through job changes and emergency access. Keep an explicit SoD matrix, run scheduled access reviews against it, and track remediation until completion; WatchDog Security's Compliance Center can assign owners, collect review evidence, and highlight gaps when SoD checks are missed.
Treat SoD exceptions as time-bound risk decisions: define scope, duration, approvals, added monitoring, and a post-event review so the exception does not become permanent. WatchDog Security's Risk Register can document the exception with owner, risk score, treatment steps, and sign-off evidence tied back to A.5.3.
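The mechanics described above (an SoD matrix of conflicting roles, RBAC that stops one identity from holding both sides of a conflict, a provisioning gate that flags a violation before access is granted, a scheduled review of current assignments against the matrix, and time-bound exceptions that must not become permanent) combined in one added Python example. This is illustrative code written for this page, not a WatchDog Security product feature or API; the role names, the conflict pairs, the user assignments, and the exception record are all constructed sample data.

```python
"""Segregation-of-duties checks against a role conflict matrix (illustrative, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed SoD matrix: each entry is a pair of roles that one identity must never
# hold at the same time. The pairs mirror the conflicts listed on the page.
SOD_CONFLICTS = frozenset({
    frozenset({"payment_requester", "payment_approver"}),
    frozenset({"developer", "prod_deployer"}),
    frozenset({"access_admin", "access_auditor"}),
    frozenset({"purchase_initiator", "goods_receipt_approver"}),
})


@dataclass(frozen=True)
class SodException:
    """A documented, time-bound exception: who may hold which conflicting pair, until when, and who owns it."""
    user: str
    roles: frozenset
    expires: date
    owner: str


@dataclass(frozen=True)
class Finding:
    """One conflicting role pair held by a user, plus the exception covering it (if still valid)."""
    user: str
    roles: tuple
    exception: Optional[SodException]


def review_assignments(assignments, exceptions=(), today=None):
    """Access review: list every conflicting pair each user currently holds.

    An exception covers a finding only if it names the same user and pair and has not expired,
    so an exception that silently outlives its approved duration shows up as an open finding again.
    """
    today = today or date.today()
    findings = []
    for user in sorted(assignments):
        roles = assignments[user]
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                cover = next((e for e in exceptions
                              if e.user == user and e.roles == pair and e.expires >= today), None)
                findings.append(Finding(user, tuple(sorted(pair)), cover))
    return findings


def open_findings(findings):
    """Findings with no valid exception: these need remediation (or a new, approved exception)."""
    return [f for f in findings if f.exception is None]


def provisioning_check(assignments, user, new_role):
    """Pre-grant gate: refuse a role that would complete a conflicting pair for this user."""
    current = assignments.get(user, set())
    for pair in SOD_CONFLICTS:
        if new_role in pair:
            (other,) = pair - {new_role}
            if other in current:
                return False, f"{user}: granting '{new_role}' conflicts with held role '{other}'"
    return True, "no SoD conflict"


def grant_role(assignments, user, new_role):
    """Grant only if the provisioning check passes; the conflict is flagged before access exists."""
    allowed, reason = provisioning_check(assignments, user, new_role)
    if not allowed:
        raise PermissionError(reason)
    assignments.setdefault(user, set()).add(new_role)
    return reason


# Constructed sample data: current role assignments and one approved, time-bound exception.
ASSIGNMENTS = {
    "alice": {"developer", "prod_deployer"},
    "bob": {"payment_requester"},
    "carol": {"payment_requester", "payment_approver", "access_auditor"},
}
EXCEPTIONS = [
    SodException("carol", frozenset({"payment_requester", "payment_approver"}),
                 expires=date(2026, 3, 31), owner="CFO"),
]

if __name__ == "__main__":
    for f in review_assignments(ASSIGNMENTS, EXCEPTIONS, today=date(2026, 2, 17)):
        status = f"covered by exception owned by {f.exception.owner}" if f.exception else "OPEN"
        print(f"{f.user}: {f.roles[0]} + {f.roles[1]} -> {status}")
    print(provisioning_check(ASSIGNMENTS, "bob", "payment_approver"))
```

Run as a script, the review reports alice's developer/deployer conflict as open and carol's payment conflict as covered until the exception expires; re-running the same review with a later date surfaces carol's conflict again, which is the "post-event review" behaviour the text asks for. The provisioning check is the piece to wire into the joiner/mover workflow so the violation is refused at grant time rather than discovered at the next review.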
Third-party admin access can create hidden SoD conflicts (e.g., a vendor both changes configurations and validates the change). Start by documenting which vendors have privileged access, what systems they touch, and who internally approves and reviews their actions. WatchDog Security's Vendor Risk Management can track vendor access and review cadence, while WatchDog Security's Asset Inventory can help map external identities and privileged roles across cloud and SaaS to support periodic access reviews.
SoD breaks down when identity and permission sprawl makes it hard to see who can do what across systems. Automating configuration checks helps you detect risky permission patterns (like overly broad roles or shared administrative access) and prioritize remediation before audits. WatchDog Security's Posture Management can surface misconfiguration signals and provide remediation guidance that supports access reviews and SoD enforcement.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |