ISO27001:2022 - Annex A 5.3 - What’s changed?

What's new with the 2022 version of ISO27001? Let's go through everything you need to know about Annex A 5.3 - Segregation of Duties.

Threats to your organisation’s privacy and security continue to rise, and it is more vital than ever that your organisation implements measures to counter them. ISO27001 lays out the requirements for an effective information security management system (ISMS), and the 2022 version of the standard recategorises the Annex A controls (now grouped into organisational, people, physical and technological themes) and clarifies many of them. Annex A 5.3 is the control for segregation of duties.

What does segregation of duties mean?

Segregation of duties is the practice of dividing tasks and responsibilities among different roles or individuals so that no single person has sole control over a process or system. For example, the person initiating a transaction should not be the person approving it. Distributing tasks in this way reduces the risk of error, fraud and unauthorised access or activity, because any one individual’s actions, whether accidental or deliberate, can only do limited damage before a second person has to be involved.

Making sure that responsibilities are appropriately distributed also ties into other frameworks, such as the NHS Data Security and Protection Toolkit (DSPT), a self-assessment that any organisation wishing to access NHS data or systems must complete. The DSPT has no control dedicated to segregation of duties, but the principle appears in the guidance for several of its controls. For example, the NHS guidance for control 6.1.1 on security incident management states that the lead investigator of an incident should not be the person in charge of the process under investigation.

What is Annex A 5.3?

Annex A 5.3 covers segregation of duties and is an essential step in securing your operations. Under this control, your organisation should establish a structured framework for implementing and overseeing information security in which conflicting duties and areas of responsibility are separated. The objective is to minimise the risk of unauthorised or accidental alteration or misuse of your organisation’s assets by ensuring that no one person has sole responsibility for an entire process. This is harder for small organisations with few staff, but the principle should still be applied wherever feasible; where it cannot be, the ISO27002 guidance points to compensating measures such as monitoring of activities, audit trails and management supervision.

Without a control like this, fraud and errors are more likely to occur, and it is much easier for someone to commit and then conceal a mistake or a deliberately harmful action. The consequences can be severe, from financial loss to reputational damage. Segregating duties, combined with measures that produce an effective audit trail of who did what and when, helps prevent these worst-case scenarios.

So what’s changed?

In the 2013 version of the standard, this control maps directly to A.6.1.2, Segregation of Duties. ISO27002 is the companion standard to ISO27001: it provides implementation guidance for each Annex A control. Comparing the ISO27002 guidance for the 2013 and 2022 versions of the control is the most concrete way to see what has changed.

The basics of the control remain the same; however, the 2022 guidance adds a list of example duties that should be separated for the control to be considered sufficiently implemented:

  • Proposing, authorising, and implementing a change.
  • Requesting, authorising, and implementing access rights.
  • Designing, implementing, and reviewing code.
  • Developing software and administering production systems.
  • Utilising and administering applications.
  • Using applications and administering databases.
  • Designing, auditing, and assuring information security controls.
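The list above, and the initiator-versus-approver example earlier in this post, can both be turned into a check that runs over the role assignments your identity provider exports and over your change log. The script below is an added example for this post; it is not Harpe’s code and not taken from the standard. The duty groups mirror the activities listed above, while the role names, the user-to-role assignments and the change records are constructed sample data, so the labels are hypothetical and would need mapping onto the roles your own systems actually issue.

```python
"""Segregation-of-duties (SoD) checks over role assignments and a change log.

Added example, not part of the original article and not Harpe's code. The duty
groups follow the activities the ISO 27002:2022 guidance for control 5.3 says
should be separated; roles, assignments and change records are constructed.
"""
from collections import defaultdict

# Each group is a set of duties that should not be held by the same person.
# Labels are hypothetical; map them onto the roles your IdP actually issues.
SOD_GROUPS = {
    "change management":   {"propose_change", "authorise_change", "implement_change"},
    "access rights":       {"request_access", "authorise_access", "implement_access"},
    "code":                {"design_code", "implement_code", "review_code"},
    "development vs prod": {"develop_software", "administer_production"},
    "applications":        {"use_application", "administer_application"},
    "databases":           {"use_application", "administer_database"},
    "security controls":   {"design_controls", "audit_controls", "assure_controls"},
}

# Hypothetical roles and the duties each carries (constructed sample data).
ROLE_DUTIES = {
    "developer":       {"implement_code", "develop_software", "propose_change"},
    "code-reviewer":   {"review_code"},
    "change-approver": {"authorise_change"},
    "prod-admin":      {"implement_change", "administer_production", "implement_access"},
    "dba":             {"administer_database"},
    "access-approver": {"authorise_access"},
    "business-user":   {"use_application", "request_access"},
    "secops":          {"design_controls"},
    "auditor":         {"audit_controls"},
}

# Constructed sample assignments: user -> roles held.
ASSIGNMENTS = {
    "alice": {"developer", "code-reviewer"},        # can review her own code
    "bob":   {"developer", "prod-admin"},           # developer with production access
    "carol": {"business-user", "dba"},              # uses and administers the same data
    "dave":  {"change-approver"},                   # no conflict
    "erin":  {"secops", "auditor"},                 # audits controls she designed
    "frank": {"business-user", "access-approver"},  # can approve his own access requests
}

# Constructed change log: who requested, approved and implemented each change.
CHANGE_LOG = [
    {"id": "CHG-1001", "requested_by": "alice", "approved_by": "dave", "implemented_by": "bob"},
    {"id": "CHG-1002", "requested_by": "bob",   "approved_by": "bob",  "implemented_by": "bob"},
    {"id": "CHG-1003", "requested_by": "carol", "approved_by": "dave", "implemented_by": "dave"},
]
CHANGE_STEPS = ("requested_by", "approved_by", "implemented_by")


def find_role_conflicts(assignments, role_duties=ROLE_DUTIES, groups=SOD_GROUPS):
    """Return {user: [(group, sorted conflicting duties), ...]} for every user
    whose combined roles give them two or more duties from one SoD group."""
    conflicts = defaultdict(list)
    for user, roles in sorted(assignments.items()):
        held = set().union(*(role_duties.get(r, set()) for r in roles))
        for group, duties in groups.items():
            overlap = held & duties
            if len(overlap) >= 2:
                conflicts[user].append((group, sorted(overlap)))
    return dict(conflicts)


def find_single_actor_changes(log, steps=CHANGE_STEPS):
    """Return {change id: {person: [steps]}} for every change where one person
    performed two or more of the request / approve / implement steps."""
    flagged = {}
    for record in log:
        by_person = defaultdict(list)
        for step in steps:
            by_person[record[step]].append(step)
        repeats = {p: s for p, s in by_person.items() if len(s) >= 2}
        if repeats:
            flagged[record["id"]] = repeats
    return flagged


if __name__ == "__main__":
    for user, hits in find_role_conflicts(ASSIGNMENTS).items():
        for group, duties in hits:
            print(f"{user}: conflicting '{group}' duties {duties}")
    for change_id, actors in find_single_actor_changes(CHANGE_LOG).items():
        for person, steps in actors.items():
            print(f"{change_id}: {person} performed {steps}")
```

The first check is a static review of entitlements: it unions the duties behind every role a person holds and reports any SoD group where two or more of those duties coincide, which is what an access review for this control needs to surface. The second check is dynamic: it reads the change records themselves, so a conflict shows up even when the roles look clean on paper but one person still ended up both approving and implementing a change. Running both against real exports from your identity provider and change system gives you the evidence an auditor will ask for under 5.3.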

How Harpe can help you implement Annex A 5.3

Our security professionals have developed Harpe, a revolutionary tool to cover all your organisation’s security needs. Harpe is the best tool on the market to make compliance with important standards like Cyber Essentials and ISO27001 quick and hassle-free. Harpe features guidance for implementing ISO27001 to the updated 2022 standard with everything you need. Our in-app checklist takes you through every step to implement a robust and secure ISMS within the new requirements.

Harpe helps you by ensuring your organisation’s responsibilities and duties are recorded and your policies defined, helping you easily meet the requirements of Annex A 5.3 straight out of the box. We also provide you with an audit trail of changes to ensure the right actions are being taken for your asset security.

With constant updates and fast support, there has never been a better time to chase an ISO27001:2022 certification with Harpe.

Image designed by Freepik
