A.5.2 / A.5.3 / AC-5 / AC-6 ISO/IEC 27001:2022 Annex A ISO 27001

A.5.2 / A.5.3 — Are IS roles, responsibilities and segregation of duties defined and assigned?

Description

What this control does

This control requires organizations to formally define, document, and assign information security roles and responsibilities across all relevant personnel, including both internal staff and external parties. It mandates implementing segregation of duties (SoD) to prevent any single individual from controlling critical security functions end-to-end—such as one person both requesting and approving access, or developing and deploying code without review. The control ensures accountability is clear, conflicts of interest are minimized, and no single point of failure exists in security-critical processes. Role definitions must cover operational security tasks, incident response, asset management, and governance oversight.

Control objective

What auditing this proves

Demonstrate that information security roles and responsibilities are formally defined, documented, communicated to personnel, and that segregation of duties is enforced to prevent unauthorized actions and reduce fraud or error risk.

Associated risks

Risks this control addresses

  • Insider threat: a single employee with combined privileges executes unauthorized changes, data exfiltration, or sabotage without detection
  • Fraud or embezzlement: lack of separation allows one person to initiate, approve, and conceal financial or access transactions
  • Accidental misconfiguration or deletion: inadequate role boundaries result in unintentional destructive actions by overprivileged users
  • Accountability gaps: when security incidents occur, unclear ownership delays response and hinders forensic investigation
  • Privilege creep: roles accumulate excessive permissions over time without review, violating least privilege and enabling lateral movement by attackers
  • External party risk: third-party contractors or vendors operate without documented security responsibilities, leading to unmanaged access or data handling
  • Regulatory non-compliance: failure to demonstrate SoD and role accountability results in audit findings, fines, or sanctions under GDPR, SOX, PCI DSS, or HIPAA

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's information security policy, RACI matrix, role definition documents, job descriptions, and organizational charts that describe IS roles and responsibilities.
  2. Review documentation to verify that security-specific roles (e.g., CISO, Security Operations Manager, Data Protection Officer, Incident Response Lead, Access Administrator) are explicitly defined with assigned personnel.
  3. Interview a sample of role holders to confirm they understand their assigned security responsibilities and can articulate their duties.
  4. Identify critical security processes (e.g., access provisioning, firewall rule changes, patch deployment, backup restoration, privileged account management) and map the personnel involved in each step.
  5. Examine whether segregation of duties is enforced by verifying that no single individual can both initiate and approve high-risk transactions; review access control matrices, approval workflows, and system role assignments.
  6. Select a sample of recent security-relevant transactions (e.g., user access requests, system changes, privileged account usage) and trace the requestor, approver, and executor to confirm they are different individuals.
  7. Review HR records and onboarding/offboarding procedures to verify that security roles are assigned upon hiring and revoked or reassigned upon termination or role change.
  8. Test technical controls supporting SoD, such as application-layer workflow approvals, ticketing system audit logs, and identity governance platforms, to confirm they enforce role separation and log all actions.
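A minimal version of the step 5 and step 6 checks, as an added example rather than code from the page or from any identity governance product; the ticket fields, role names and the toxic role pairs are assumptions chosen to match the control's own examples (request vs. approve, develop vs. deploy):

```python
from dataclasses import dataclass

# Role pairs one identity must never hold together (assumed toxic combinations).
TOXIC_ROLE_PAIRS = {
    frozenset({"access_requester", "access_approver"}),
    frozenset({"developer", "prod_deployer"}),
    frozenset({"firewall_change_requester", "firewall_change_approver"}),
}

@dataclass(frozen=True)
class Transaction:
    ticket: str
    requestor: str
    approver: str
    executor: str

def transaction_violations(transactions):
    """Step 6 check: requestor, approver and executor must be three different people.
    Returns (ticket, person, steps-held) for every person who held more than one step."""
    findings = []
    for t in transactions:
        by_person = {}
        for step, person in (("requestor", t.requestor), ("approver", t.approver), ("executor", t.executor)):
            by_person.setdefault(person, []).append(step)
        for person, steps in by_person.items():
            if len(steps) > 1:
                findings.append((t.ticket, person, "+".join(steps)))
    return findings

def role_conflicts(assignments):
    """Step 5 check: flag identities whose RBAC assignments contain a toxic role pair."""
    findings = []
    for person, roles in assignments.items():
        for pair in TOXIC_ROLE_PAIRS:
            if pair <= set(roles):
                findings.append((person, tuple(sorted(pair))))
    return sorted(findings)

# Constructed sample tickets and RBAC assignments (not real data).
SAMPLE_TRANSACTIONS = [
    Transaction("CHG-1001", "alice", "bob", "carol"),    # clean: three distinct actors
    Transaction("CHG-1002", "dave", "dave", "erin"),     # self-approval
    Transaction("CHG-1003", "frank", "grace", "frank"),  # requestor also executes
]
SAMPLE_ASSIGNMENTS = {
    "alice": ["access_requester"], "bob": ["access_approver"],
    "dave": ["firewall_change_requester", "firewall_change_approver"],
    "heidi": ["developer", "prod_deployer", "reader"],
}
```

Run against exported ticketing and IAM data, the two functions give the auditor the sampled-transaction and role-matrix findings that steps 5 and 6 ask for; an empty result from both is the pass condition.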

Evidence required

Collect organizational charts, RACI matrices, formal role descriptions, signed acknowledgment forms from role holders, access control matrices, change management tickets showing multi-person approval chains, identity and access management system reports displaying role-based access control (RBAC) configurations, audit logs of privileged actions with actor identities, and HR records linking employees to their assigned security responsibilities. Include screenshots of workflow configurations in ticketing or ITSM systems that enforce segregation of duties through mandatory multi-step approvals.

Pass criteria

All information security roles are formally documented with assigned personnel, role holders demonstrate understanding of their responsibilities, and segregation of duties is technically and procedurally enforced across all sampled critical processes, with no single individual able to complete high-risk transactions unilaterally.