Nov 11 2012

Separation of Duties and ISO 27001

Category: ISO 27k | DISC @ 11:49 pm
Organization clears your path

Separation of Duties (SoD) is not only an important security principle; control A10.1.3 of ISO 27001 also requires organizations to implement it.

For separation of duties, we do not want to give any individual so much control that they become a security risk without proper checks and balances in place. SoD is used to prevent unauthorized modification of data and to make sure critical data is available when needed by authorized personnel, which includes, but is not limited to, the availability of the services.

SoD has been used very frequently in financial organizations, but the use of the SoD control in other organizations should follow a risk-based approach. If the risk assessment concludes that there is a risk of collusion to commit fraud, and that risk is above the organization's risk threshold, the organization will need to minimize the risk of collusion by implementing the SoD control, usually by splitting a process or job so that it must be completed by more than one individual: one person holds the management authorization to make a decision, and another executes or implements it.

Depending on the risk, there is an urgent need to maintain and monitor this control, which includes, but is not limited to, audit trails. The SoD control needs to be audited on a regular basis by an independent party.
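One way to model the two-person split and the audit trail described above, as an added example that is not from the original post or from any ISO document: a small Python workflow in which a change must be approved by a manager other than the requester and executed by an operator who was neither, plus an independent check over the trail that flags any change where one user performed more than one step. The role names, user names and change-request structure are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

class SoDViolation(Exception):
    """Raised when one person would hold more than one step of a change."""

@dataclass
class ChangeRequest:
    cid: str
    requester: str
    approver: Optional[str] = None
    executor: Optional[str] = None

class Workflow:
    # roles: user -> set of roles (assumed role names: "manager", "operator");
    # trail: append-only audit trail of (change id, step, user) tuples
    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles
        self.trail: List[Tuple[str, str, str]] = []
    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise SoDViolation(f"{user} lacks the {role} role")
    def request(self, cid: str, user: str) -> ChangeRequest:
        self.trail.append((cid, "request", user))
        return ChangeRequest(cid, user)
    def approve(self, cr: ChangeRequest, user: str) -> None:
        # management authorization: a manager who did not raise the request
        self._require(user, "manager")
        if user == cr.requester:
            raise SoDViolation(f"{user} may not approve own request {cr.cid}")
        cr.approver = user
        self.trail.append((cr.cid, "approve", user))
    def execute(self, cr: ChangeRequest, user: str) -> None:
        # implementation: an operator who neither requested nor approved it
        if cr.approver is None:
            raise SoDViolation(f"{cr.cid} has no management approval")
        self._require(user, "operator")
        if user in (cr.requester, cr.approver):
            raise SoDViolation(f"{user} may not both decide and execute {cr.cid}")
        cr.executor = user
        self.trail.append((cr.cid, "execute", user))

def audit_trail(trail: List[Tuple[str, str, str]]) -> List[str]:
    """Independent review: change ids where one user performed more than one step."""
    steps: Dict[str, Dict[str, Set[str]]] = {}
    for cid, step, user in trail:
        steps.setdefault(cid, {}).setdefault(user, set()).add(step)
    return sorted(cid for cid, users in steps.items()
                  if any(len(s) > 1 for s in users.values()))
```

The enforcement in `Workflow` stops a violation before it happens; `audit_trail` is the independent after-the-fact review and should be run over trails collected from systems that do not enforce the split themselves.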

Tags: Information Security Management System, Internal control, ISO/IEC 27001