Annex A · Organisational Control

A.5.3 — Segregation of Duties

Reviewed by: Cenedril Editorial
Tags: A.5.3 · ISO 27001 · ISO 27002 · BSI ORP.1

A system administrator who can create user accounts, assign permissions and delete audit logs holds a combination of privileges that undermines every access control in the organisation. A.5.3 addresses this risk by requiring that conflicting duties and areas of responsibility are separated.

The principle is straightforward: no single person should control all phases of a critical process. Separation creates mutual oversight and reduces the opportunity for both fraud and honest mistakes.

What does the standard require?

  • Identify conflicting duties. The organisation must analyse its processes and determine which tasks, if combined in one person, would create unacceptable risk.
  • Separate conflicting roles. Where feasible, assign conflicting duties to different individuals. No single person should be able to initiate, approve and execute a sensitive transaction end-to-end.
  • Implement compensating controls. Where full separation is impractical (common in smaller organisations), implement monitoring, audit trails or supervisory review to mitigate the residual risk.
  • Enforce separation technically. Access control systems should reflect the duty separation — role-based access control (RBAC) and conflict rules in identity management systems are the primary enforcement mechanisms.

In practice

Start with high-risk processes. Prioritise areas where the damage potential is greatest: financial transactions, privileged system access, software deployment, data deletion. Map each process step and identify where single-person control would be dangerous.

Embed separation in access management. Configure identity and access management systems to enforce mutual exclusion rules. If a developer requests production deployment rights, the system should flag the conflict before the access is granted.

Address the small-team challenge. In organisations with fewer than 20 employees, true role separation is often impossible. Compensating controls become essential: detailed logging, regular log reviews, dual-approval workflows and periodic management spot-checks. Document the rationale for each compensating control.

Review separation annually. Organisational changes — restructuring, hiring, departures — can quietly erode established separations. Include duty segregation as a standing item in access reviews and internal audits.

Typical audit evidence

Auditors typically expect the following evidence for A.5.3:

  • Conflict matrix — documented mapping of incompatible duties
  • Role-based access control configuration — showing mutual exclusion rules in the IAM system
  • Access review reports — confirming that conflicting rights were checked and resolved
  • Compensating control documentation — for cases where full separation is not feasible
  • Emergency access logs — showing that break-glass usage was time-limited and reviewed

KPI

% of critical processes with documented and enforced segregation of duties

This KPI measures how comprehensively the organisation has analysed and addressed duty conflicts. Target: 100% of identified critical processes. A low score indicates blind spots where fraud or error could go undetected.

Supplementary KPIs:

  • Number of duty-segregation conflicts detected during access reviews
  • Percentage of compensating controls with documented effectiveness review
  • Time to resolve newly identified segregation conflicts

BSI IT-Grundschutz

A.5.3 maps to the following BSI requirements:

  • ORP.1.A4 (Segregation of functions) — requires that incompatible tasks are distributed among different roles to prevent abuse and errors.
  • ORP.4.A4 (Separation of administrative roles) — mandates that privileged IT administration roles are separated so that no single administrator can compromise the entire system landscape.

A.5.3 reinforces the integrity of the entire ISMS:

Frequently asked questions

Is segregation of duties always possible in small organisations?

Full separation is often impractical when there are only a few employees. ISO 27002 explicitly acknowledges this and recommends compensating controls -- such as activity monitoring, audit trails and management oversight -- wherever duties cannot be split between different people.

Which duties must be separated?

Any combination where a single person could both initiate and approve a critical action. Typical examples: requesting and granting access rights, developing and deploying code, initiating and authorising payments, performing and reviewing their own work.

How do auditors verify segregation of duties?

Auditors compare role definitions and access rights against a conflict matrix. They look for users who hold permissions that should be mutually exclusive -- for example a developer who also has production deployment rights.
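As an added example (not from this page or from Cenedril), a small Python checker that applies a conflict matrix to role assignments in the two ways described above: an access-review pass that lists users holding mutually exclusive duties, and a pre-grant check that flags the conflict a requested role would introduce before it is granted. The duty, role and user names are constructed for illustration.

```python
# Added example: segregation-of-duties checks against a conflict matrix.
# Role, duty and user names below are constructed, not taken from any real IAM.

# Conflict matrix: pairs of duties that must never sit with one person.
CONFLICT_MATRIX = {
    frozenset({"request_access", "grant_access"}),
    frozenset({"develop_code", "deploy_production"}),
    frozenset({"initiate_payment", "authorise_payment"}),
}

# Role definitions: which duties each IAM role confers (constructed).
ROLE_DUTIES = {
    "employee": {"request_access"},
    "it_admin": {"grant_access"},
    "developer": {"develop_code"},
    "release_manager": {"deploy_production"},
    "finance_clerk": {"initiate_payment"},
    "finance_approver": {"authorise_payment"},
}

def duties_for(roles):
    """Flatten a user's roles into the set of duties they confer."""
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))

def conflicts(duties):
    """Conflict-matrix pairs fully contained in a duty set, sorted for stable output."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICT_MATRIX if pair <= duties)

def review_users(assignments):
    """Access-review pass: users whose combined roles violate the matrix."""
    found = {user: conflicts(duties_for(roles)) for user, roles in assignments.items()}
    return {user: c for user, c in found.items() if c}

def check_request(current_roles, requested_role):
    """Pre-grant check: conflicts that granting requested_role would newly introduce."""
    before = set(conflicts(duties_for(current_roles)))
    after = set(conflicts(duties_for(set(current_roles) | {requested_role})))
    return sorted(after - before)

if __name__ == "__main__":
    # Constructed sample: alice already holds developer and release_manager.
    sample = {"alice": {"developer", "release_manager"}, "bob": {"employee"}}
    print("review findings:", review_users(sample))
    print("bob -> it_admin:", check_request(sample["bob"], "it_admin"))
```

A finding from `review_users` is what an auditor would expect to see resolved or covered by a documented compensating control; a non-empty result from `check_request` is the point at which the request should be blocked or routed for dual approval.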