
Four-Eyes Principle


The four-eyes principle requires that critical actions be independently reviewed or approved by at least two people. Common applications include payment approvals, changes to production systems, and the assignment of privileged access rights. In an ISMS, the four-eyes principle is an organizational control that reduces the risk of errors and abuse by individuals. It complements the principle of segregation of duties. Implementation can be technical (e.g., approval workflows) or procedural.