Guest
Implementation of the function segregation matrix in a small company
I need a tip: what is the best way to formalize a function segregation matrix in a small company?
Expert
Rhand Leal
Aug 18, 2020
First, it is important to note that ISO 27001 does not prescribe how to document responsibilities in an ISMS, so organizations are free to document them in the way that best fits their needs.
Considering that, there are two common ways:
- you can document the segregated functions directly in the document where they are used (e.g., documenting the responsibilities to create and test backups in the Backup Policy). In this approach, users have easy access to the information, but it is more complicated to have a systemic view.
- you can create a single function segregation matrix, documenting all the segregated functions you have. In this approach, it is easier to have a general view of functions, but users may find it difficult to use the documents when needed.
These articles will provide you with further explanation about documenting responsibilities and segregation of functions:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/