
Segregation of Duties (ISO 27001 Annex A 5.3)

  • tzuri.teshuba
  • Jun 30
  • 2 min read

The lifecycle of a request generally involves four key roles: the beneficiary, the submitter, the approver(s) and the executor (implementer) of the request. For example, an employee may request a raise for himself. It would be very risky for that same person to also be the sole approver of the request and then perform the actual salary update. Operating in this manner invites fraud and insider threats, because a single person can push a change through with nobody else ever looking at it.


To avoid such conflicts of interest, these roles should be fulfilled by different people. This provides a system of checks and balances in which a request has to withstand independent scrutiny before it is implemented. This is called Segregation of Duties and is one of the key ISO 27001 controls (Annex A 5.3). The control requires that “Conflicting duties and conflicting areas of responsibility should be segregated”. It is just as relevant in information security as it is in finance: the concept applies to every request for software, hardware, data, vendors, contractors and system access in your business.


Beyond keeping these roles in separate hands, your business may need more than one person to approve or implement a request. For example, when onboarding new software, IT should investigate the security of the product while the legal department reviews the terms of service. Each approval covers a different concern, so neither can substitute for the other, and one person holding both roles should not be able to satisfy both approvals alone.
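The following is an added example, not code from the original post or from AxoTrax, of how a request workflow can enforce the rules of the two paragraphs above mechanically rather than by convention: the submitter and the beneficiary can never approve; each required approver role must be signed off by a different person, even when one account holds several of the roles; and whoever implements the change must not have requested or approved it. Every decision, including refused attempts, is appended to an audit trail. The user directory, the role names and the salary scenario are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    IMPLEMENTED = "implemented"


class SoDViolation(Exception):
    """One identity would hold two conflicting roles on the same request."""


@dataclass
class Request:
    kind: str                  # e.g. "salary-change", "software-onboarding"
    beneficiary: str
    submitter: str
    required_roles: frozenset  # approver roles that must each sign off
    approvals: dict = field(default_factory=dict)  # role -> approver user id
    state: State = State.SUBMITTED
    audit: list = field(default_factory=list)      # append-only paper trail

    def log(self, actor, action):
        self.audit.append((actor, action))


class Workflow:
    """Request lifecycle that refuses conflicting role assignments."""

    def __init__(self, directory):
        # directory: user id -> set of roles held (hypothetical, see run_scenario)
        self.directory = directory

    def submit(self, kind, beneficiary, submitter, required_roles):
        req = Request(kind, beneficiary, submitter, frozenset(required_roles))
        req.log(submitter, f"submitted {kind} for {beneficiary}")
        return req

    def approve(self, req, approver, role):
        if req.state is not State.SUBMITTED:
            raise ValueError(f"request is {req.state.value}, not awaiting approval")
        if role not in req.required_roles:
            raise ValueError(f"role {role!r} is not required for this request")
        if role not in self.directory.get(approver, set()):
            raise PermissionError(f"{approver} does not hold role {role!r}")
        # Rule 1: neither the submitter nor the beneficiary approves the request.
        if approver in (req.submitter, req.beneficiary):
            raise SoDViolation(f"{approver} submitted or benefits from this request")
        # Rule 2: each required role is signed off by a distinct person, even if one account holds several.
        if approver in req.approvals.values():
            raise SoDViolation(f"{approver} already approved in another role")
        if role in req.approvals:
            raise ValueError(f"role {role!r} already approved by {req.approvals[role]}")
        req.approvals[role] = approver
        req.log(approver, f"approved as {role}")
        if req.required_roles <= set(req.approvals):
            req.state = State.APPROVED
            req.log("system", "all required approvals collected")

    def implement(self, req, executor):
        if req.state is not State.APPROVED:
            raise ValueError(f"request is {req.state.value}, not ready to implement")
        # Rule 3: whoever carries out the change neither requested nor approved it.
        involved = {req.submitter, req.beneficiary, *req.approvals.values()}
        if executor in involved:
            raise SoDViolation(f"{executor} requested, benefits from, or approved this")
        req.state = State.IMPLEMENTED
        req.log(executor, f"implemented {req.kind}")


def run_scenario():
    """Walk the page's salary example through the workflow; return (request, refused actors)."""
    # Constructed sample directory: bob holds both required approver roles.
    directory = {
        "alice": {"manager"},
        "bob": {"manager", "hr"},
        "carol": {"hr"},
        "dave": {"payroll"},
    }
    wf = Workflow(directory)
    req = wf.submit("salary-change", beneficiary="alice", submitter="alice",
                    required_roles={"manager", "hr"})
    attempts = [
        ("alice", lambda: wf.approve(req, "alice", "manager")),  # self-approval
        ("bob", lambda: wf.approve(req, "bob", "manager")),      # allowed
        ("bob", lambda: wf.approve(req, "bob", "hr")),           # same person, second role
        ("carol", lambda: wf.approve(req, "carol", "hr")),       # allowed, completes approvals
        ("bob", lambda: wf.implement(req, "bob")),               # an approver may not implement
        ("dave", lambda: wf.implement(req, "dave")),             # allowed
    ]
    rejected = []
    for actor, attempt in attempts:
        try:
            attempt()
        except SoDViolation as err:
            rejected.append(actor)
            req.log(actor, f"rejected: {err}")  # refused attempts are evidence too
    return req, rejected
```

Calling run_scenario() ends with the request implemented by dave, with alice's self-approval, bob's second approval and bob's implementation attempt all refused and recorded. The point of the three rules being checked in code rather than in a procedure document is that the control cannot be bypassed by a user who simply happens to hold several roles, and the audit list is what an auditor later uses to verify that the control actually operated.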


Such controls will certainly add friction to your operations and lengthen the time until requests are approved and implemented. Using an automation tool for your controls and processes greatly reduces this friction. With AxoTrax, you can customize and automate the request lifecycle for each type of request according to your business needs. There are out-of-the-box defaults that make a good starting point, but the control stays in your hands: the software does not impose its own opinion of how you should operate. Full paper trails are recorded, so that when an audit comes you can show not only that the control was designed, but that it actually operated on every request.

