Segregation of Duties
Ensure no one person can perform conflicting duties alone to prevent misuse.
Plain language
Segregation of duties means dividing tasks and responsibilities among different people to prevent any one person from having too much control or power. This matters because if one person can approve and execute their own actions, there's a higher risk of mistakes or even fraud, like someone paying fake invoices to themselves or approving their own access changes.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Conflicting duties and conflicting areas of responsibility shall be segregated.
Why it matters
Without segregation of duties, fraud, unauthorised transactions or data tampering may occur and go undetected due to reduced independent oversight.
Operational notes
Review role/duty assignments for conflicts, enforce dual approval for high-risk actions, and monitor audit logs for signs of unauthorised activity.
Implementation tips
- The IT Manager should identify areas where conflicting duties exist. This involves listing tasks that, if done by one person, could lead to problems, like one person both designing and deploying software changes. Use guidance from ISO 27002:2022 to categorise duties that need separation.
- HR should ensure role descriptions clearly separate conflicting duties. Write job roles so that tasks like 'approving' and 'executing' are done by different people. This can also involve training managers to understand the importance of keeping duties separate.
- The Board should set policies for segregation of duties. Policy should state that conflicting roles must be separated and explain why this is important, referring to the Privacy Act 1988 and other relevant regulations. Review these policies annually.
- Procurement should use checks and balances in the purchasing process. For instance, separate someone requesting an order from someone approving the payment. This ensures that no single person has full control over purchasing decisions.
- IT should implement software tools to monitor role assignments. Use tools that alert managers when one person is assigned conflicting tasks, and that prevent a single account from being granted roles that should not overlap, in line with CPS 234 and the ASD Essential Eight.
Audit / evidence tips
- Ask for the organisation chart and job descriptions.
  Good is when descriptions show clear, separate duties and the organisation chart supports these separations.
- Ask for the records of access rights approvals.
  Good evidence is when approvals have a clear separation between requestor and approver.
- Ask for the latest policy on segregation of duties.
  Good looks like a policy with clear rules about separating duties and mention of relevant standards or laws.
- Ask for a sample of change management logs.
  Good is a clear log showing different names under initiator and approver.
- Ask for the training materials used to educate staff on their roles and responsibilities.
  Good materials explain the risks and real-world examples of why duties must be segregated.
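The monitoring tool described under the implementation tips and the change-log check under the audit tips both reduce to the same two tests: does any one person hold a conflicting pair of roles, and does any record show the same person as requestor/initiator and approver. The following is an added example (not code from this page or any product it cites); the role names, conflict pairs and log entries are constructed sample data, and the conflict matrix is an assumption an organisation would replace with its own.

```python
"""SoD checks over role assignments and approval records (added example; the
role names, conflict pairs and log entries are constructed sample data)."""
from itertools import combinations

# Constructed conflict matrix: pairs of roles one person should not hold together.
# Unordered: holding (a, b) is the same conflict as holding (b, a).
CONFLICTING_ROLES = {
    frozenset({"vendor_setup", "payment_approval"}),    # create payee and pay it
    frozenset({"access_request", "access_approval"}),   # approve own access
    frozenset({"change_developer", "change_deployer"}), # design and deploy changes
}

def role_conflicts(assignments):
    """Return sorted (user, role_a, role_b) for every conflicting pair a user holds.
    assignments: mapping of user -> iterable of role names."""
    hits = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(set(roles)), 2):
            if frozenset({a, b}) in CONFLICTING_ROLES:
                hits.append((user, a, b))
    return sorted(hits)

def self_approvals(records, actor_field, approver_field, id_field="id"):
    """Return ids of records where one person is both actor and approver.
    Works for change logs (initiator/approver) and access-rights approvals
    (requestor/approver). A blank approver is flagged too: no independent check."""
    flagged = []
    for rec in records:
        actor = (rec.get(actor_field) or "").strip().lower()
        approver = (rec.get(approver_field) or "").strip().lower()
        if not approver or actor == approver:
            flagged.append(rec[id_field])
    return flagged

# Constructed sample data.
ASSIGNMENTS = {
    "alice": ["vendor_setup", "payment_approval", "reporting"],
    "bob": ["change_developer"],
    "carol": ["change_developer", "change_deployer"],
}
CHANGE_LOG = [
    {"id": "CHG-1", "initiator": "bob", "approver": "dave"},
    {"id": "CHG-2", "initiator": "carol", "approver": "Carol "},  # case/space variant
    {"id": "CHG-3", "initiator": "bob", "approver": ""},          # never approved
]

if __name__ == "__main__":
    print(role_conflicts(ASSIGNMENTS), self_approvals(CHANGE_LOG, "initiator", "approver"))
```

Run against a real export of the identity system's role assignments and the change or access-approval log, the two functions produce the conflict list and the self-approval list an auditor would expect to see under the evidence tips above.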
Cross-framework mappings
How Annex A 5.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
Supports (3)
| Control | Notes |
|---|---|
| E8-RA-ML1.2 | Annex A 5.3 requires segregation of conflicting duties and responsibilities to reduce misuse, including separating high-risk administrati... |
| E8-RB-ML2.1 | E8-RB-ML2.1 requires separating duties so privileged accounts (other than backup administrators) cannot access other accounts’ backups |
| E8-RA-ML3.1 | Annex A 5.3 requires organisations to segregate conflicting duties and responsibilities so no single person can complete an end-to-end hi... |
ASD ISM
Partially overlaps (5)
| Control | Notes |
|---|---|
| ISM-0047 | Annex A 5.3 requires segregation of conflicting responsibilities to reduce the risk of unauthorised or inappropriate actions going unchecked |
| ISM-0445 | Annex A 5.3 requires segregation of conflicting duties so a person cannot perform incompatible activities without detection or independen... |
| ISM-1705 | Annex A 5.3 requires segregation of duties to prevent a single role from having conflicting capabilities that enable concealment or misuse |
| ISM-1706 | Annex A 5.3 requires segregation of conflicting duties to reduce the risk of misuse and cover-up by a single individual |
| ISM-1958 | Annex A 5.3 requires conflicting duties and responsibilities to be segregated so that no single person can misuse end-to-end capability |
Supports (5)
| Control | Notes |
|---|---|
| ISM-1255 | Annex A 5.3 requires conflicting duties and areas of responsibility to be segregated to prevent misuse of authority |
| ISM-1833 | Annex A 5.3 requires segregation of conflicting duties and areas of responsibility to prevent a single individual from misusing access or... |
| ISM-1835 | Annex A 5.3 requires segregation of conflicting duties so that powerful capabilities are not concentrated in a way that allows self-autho... |
| ISM-2048 | Annex A 5.3 requires segregation of conflicting duties so users cannot combine roles that enable misuse or bypass of oversight |
| ISM-2093 | Annex A 5.3 requires organisations to segregate conflicting responsibilities to reduce opportunities for misuse, fraud or error |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.