ISO27001 Segregation of Duties Audit Procedures

Objectives
- The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals; and
- The information system enforces separation of duties through assigned access authorizations.
Procedures
- Examine the list of divisions of responsibility and separation of duties, or other relevant documents; reviewing for the intended divisions of responsibility and separation of duties determined by the organization as being needed to eliminate conflicts of interest in the responsibilities and duties of individuals.
- Examine an agreed-upon representative sample of relevant job descriptions; studying for evidence that documented job descriptions accurately reflect the intended separation of duties and responsibilities.
- Interview an agreed-upon specific sample of organization personnel responsible for defining appropriate divisions of responsibility and separation of duties; conducting focused discussions for evidence that the divisions of responsibility and separation of duties
- Examine the security plan, information system design documentation, or other relevant documents; reviewing for the automated mechanisms and their configuration settings to be employed by the information system to enforce separation of duties through assigned access authorizations.
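The last procedure asks the auditor to review the automated mechanisms the information system uses to enforce separation of duties through assigned access authorizations. The script below is an added illustration of what such a mechanism looks like in practice; it is not part of this procedure page and not any product's code. It assumes the organization keeps a duty-to-role mapping and a list of duty pairs that must never be held by one person (the "toxic combinations" from the first procedure); every role, duty and user name in it is constructed for the example. It provides both a detective check (report users whose combined roles already conflict) and a preventive check (refuse a role grant that would create a conflict), plus a sanity check that no single role bundles conflicting duties by design, which is the audit finding the job-description review is meant to catch.

```python
"""Separation-of-duties (SoD) check over role assignments.

Added example, not part of the original audit procedure page. Assumes the
organization maintains (1) which duties each role grants and (2) which duty
pairs conflict. All role, duty and user names below are constructed.
"""
from itertools import combinations

# Constructed: duties each role grants. "super_finance" is deliberately
# mis-designed: it bundles two duties the policy says must be separated.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_payment"},
    "super_finance": {"enter_invoice", "approve_payment"},
    "sysadmin": {"admin_prod"},
    "auditor": {"read_logs"},
    "developer": {"commit_code"},
    "release_manager": {"deploy_prod"},
}

# Constructed: duty pairs the organization decided are conflicts of interest.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"admin_prod", "read_logs"}),
    frozenset({"commit_code", "deploy_prod"}),
}

# Constructed: current user -> roles assignments to audit.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},   # can create a vendor and approve its payment
    "dave": {"sysadmin", "auditor"},        # administers the system and audits its logs
    "erin": {"developer"},
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by a set of roles (unknown roles grant nothing)."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def conflicts_in(duties, conflicting=CONFLICTING_DUTIES):
    """Sorted (duty_a, duty_b) pairs within `duties` that the policy forbids together."""
    return [(a, b) for a, b in combinations(sorted(duties), 2)
            if frozenset({a, b}) in conflicting]


def find_conflicts(assignments, role_duties=ROLE_DUTIES, conflicting=CONFLICTING_DUTIES):
    """Detective control: map each user whose combined roles conflict to the offending pairs."""
    report = {}
    for user, roles in assignments.items():
        pairs = conflicts_in(duties_for(roles, role_duties), conflicting)
        if pairs:
            report[user] = pairs
    return report


def conflicts_from_grant(current_roles, new_role,
                         role_duties=ROLE_DUTIES, conflicting=CONFLICTING_DUTIES):
    """Preventive control: the NEW conflicts that granting `new_role` would introduce.

    An empty list means the grant is allowed; a non-empty list is the reason to refuse it.
    """
    before = set(conflicts_in(duties_for(current_roles, role_duties), conflicting))
    after = set(conflicts_in(duties_for(set(current_roles) | {new_role}, role_duties), conflicting))
    return sorted(after - before)


def roles_with_internal_conflict(role_duties=ROLE_DUTIES, conflicting=CONFLICTING_DUTIES):
    """Roles that bundle conflicting duties by design; no assignment of them can be compliant."""
    return sorted(role for role, duties in role_duties.items() if conflicts_in(duties, conflicting))


if __name__ == "__main__":
    for user, pairs in find_conflicts(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    print("Mis-designed roles:", roles_with_internal_conflict())
    print("Grant release_manager to erin:",
          conflicts_from_grant(ASSIGNMENTS["erin"], "release_manager") or "allowed")
```

Run against a real export of role assignments, the detective report is the evidence an auditor compares against the documented divisions of responsibility, while the preventive check is the kind of configured mechanism the security plan and system design documentation should describe.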
| Attachment | Size |
|---|---|
| iso27001-segregation-of-duties-audit-procedures.jpg | 27.67 KB |
| iso27001-segregation-of-duties-audit-procedures.xls | 14 KB |
| iso27001-segregation-of-duties-audit-procedures.pdf | 10.69 KB |