Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Segregation of information security related duties

Critical
High
Normal
Low

Organisation should have processes for ensuring that conflicting responsibilities are segregated to reduce opportunities for misuse of the organization’s assets.

Care should be taken e.g. in relation to a single person being able to process data without detection. Often also separating the initiation of an event from its authorization is a good practice.

When direct segregation of duties is hard to achieve, the following principles can be utilized:

  • High-level segregation of information security responsibilities
  • Supporting segregation with good monitoring, audit trails and management supervision
Connected other frameworks and requirements:
6.1.2: Segregation of duties
ISO 27001
ID.RA-3: Threat identification
NIST CSF
PR.AC-4: Access permissions and authorizations
NIST CSF
PR.DS-5: Data leak protection
NIST CSF
5.3: Segregation of duties
ISO 27001
No items found.