Episode 24 — A.5.3–5.4 — Segregation of duties; Management responsibilities

A.5.3 addresses segregation of duties (SoD), a foundational control that reduces fraud and error by distributing tasks and authorities among different people. For the exam, understand that SoD applies beyond finance to domains such as privileged system administration, code deployment, and change approvals. Organizations must design processes so that no single individual can both initiate and approve a high-risk action, and so that monitoring detects and documents any justified exceptions. A.5.4 focuses on management responsibilities for information security across the organization, requiring leaders to assign responsibilities, ensure adequate resources, and promote adherence to policies and procedures.
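To make the initiate/approve and build/deploy rule concrete, here is an added example of the kind of access-review check an auditor would expect: it flags users holding a toxic role pair and accepts a conflict only when a recorded, approved, unexpired exception covers it. This is illustration code written for this page, not from the episode or BareMetalCyber; the role names, the toxic-pair table and the sample assignments are constructed.

```python
# Added example, not from the episode: an access-review check that flags users
# holding a toxic role pair and tests whether an exception is approved and
# time-boxed. Role names and sample data are constructed for illustration.
from datetime import date

# Role pairs one person must not hold at once (initiate/approve, build/deploy).
TOXIC_PAIRS = {
    frozenset({"change_requester", "change_approver"}),
    frozenset({"pipeline_build", "pipeline_deploy"}),
}

def find_conflicts(assignments):
    """Return {user: [sorted (role, role) pairs]} for users holding a toxic pair."""
    conflicts = {}
    for user, roles in assignments.items():
        held = set(roles)
        hits = sorted(tuple(sorted(p)) for p in TOXIC_PAIRS if p <= held)
        if hits:
            conflicts[user] = hits
    return conflicts

def exception_valid(exc, pair, today):
    """Valid only if it names this pair, records an approver, and has not expired."""
    return (tuple(sorted(exc["roles"])) == pair
            and bool(exc.get("approved_by"))
            and exc["expires"] >= today)

def review(assignments, exceptions, today):
    """Split conflicts into those covered by a valid exception and open ones."""
    covered, open_ = {}, {}
    for user, pairs in find_conflicts(assignments).items():
        for pair in pairs:
            ok = any(exception_valid(e, pair, today)
                     for e in exceptions.get(user, []))
            (covered if ok else open_).setdefault(user, []).append(pair)
    return covered, open_

# Constructed sample: a small team where one engineer both builds and deploys.
ASSIGNMENTS = {
    "alice": ["change_requester", "change_approver"],
    "bob": ["pipeline_build", "pipeline_deploy"],
    "carol": ["pipeline_build", "change_requester"],
}
EXCEPTIONS = {  # bob's exception is approved; alice's has no approver recorded
    "bob": [{"roles": ["pipeline_build", "pipeline_deploy"],
             "approved_by": "ciso", "expires": date(2099, 1, 1)}],
    "alice": [{"roles": ["change_requester", "change_approver"],
               "approved_by": "", "expires": date(2099, 1, 1)}],
}
```

Running `review(ASSIGNMENTS, EXCEPTIONS, date.today())` reports bob's build/deploy conflict as covered and alice's requester/approver conflict as open, which is the remediation list a small team would take into its compensating-control review.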
Real-world SoD uses role-based access control, workflow approvals, and technical enforcement such as just-in-time privilege, peer review, and separate CI/CD pipelines for build versus deploy. Challenges arise in small teams where strict separation is hard; compensating controls like increased logging, frequent reviews, and independent spot checks become crucial. Management responsibilities surface in setting objectives, removing roadblocks, and modeling compliance behavior. Auditors will look for evidence that conflicts are identified via access reviews, that exceptions are time-boxed and approved, and that management regularly evaluates control health. Candidates should be ready to propose pragmatic SoD patterns for cloud and DevOps environments and to explain how visible management engagement sustains policy compliance and reduces operational risk.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.