Segregation of duties
1. Regarding Segregation of duties I believe some jobs can’t be combined (like the SO can’t be the DPO?)
2. Are there specific combinations that are not done? We have these roles in the company, to divide among 4 people:
Security officer (is also Risk manager & Authorization officer)
Internal auditor (external consultant)
Service manager (is also Change manager & Incident manager)
Security tester (outsourced)
Compliance officer
Solutions Director
DPO
3. Do you also have standard lists of the Responsibilities & Requirements of these roles?
1. Regarding Segregation of duties I believe some jobs can’t be combined (like the SO can’t be the DPO?)
I'm assuming that by SO you mean Security Officer. Considering that, and ISO 27001 and EU GDPR, there are no requirements in these references preventing a single person from being both SO and DPO. Of course, you should also consider other laws, regulations or contracts you have to comply with to define whether these jobs can be performed by a single person.
GDPR requires an independent DPO who needs to relate with the data controller, data subjects and surveillance authorities.
For larger companies it is a good practice to have these two positions separated; for smaller companies, this is not feasible.
GDPR also requires a close look at the size of the company, so that in SMEs, if the circumstances do not create a risk of conflicts, the Security Officer and the DPO can be the same person. Of course, the reasons for such choices, and policies to avoid conflicts, must be set in order to comply with the accountability principle.
2. Are there specific combinations that are not done? We have these roles in the company, to divide among 4 people:
Security officer (is also Risk manager & Authorization officer)
Internal auditor (external consultant)
Service manager (is also Change manager & Incident manager)
Security tester (outsourced)
Compliance officer
Solutions Director
DPO
The most common criteria to be considered for segregation of duties of critical activities are:
- the person who elaborates something does not approve it
- the person who performs a task does not review it
Considering that, for example, the internal auditor/security tester should not be the same person as the service manager. The service manager defines and handles changes/incidents, while the internal auditor/security tester verifies whether these are effective. So, you should verify exactly which activities will be performed by each role to identify potential conflicts of interest.
For further information, see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
3. Do you also have standard lists of the Responsibilities & Requirements of these roles?
ISO 27001 does not prescribe the security officer role, only that relevant information security responsibilities are defined and designated.
Articles 37 to 39 GDPR describe the designation, the position and the tasks of DPO according to the GDPR. Article 39 GDPR lists the tasks of DPO stating that DPO shall ensure:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
- to cooperate with the supervisory authority
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter
These articles will provide you further explanation about responsibilities for information security:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- How an ISO 27001 expert can become a GDPR data protection officer https://advisera.com/27001academy/blog/20/01/20/iso-27001-practitioner-becoming-a-gdpr-data-protection-officer/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- The role of the DPO in light of the General Data Protection Regulation https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
You can also find some useful information on our free training online course The role of DPO according to GDPR: https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/
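The two criteria given in the answer (the person who elaborates something does not approve it; the person who performs a task does not review it) can be checked mechanically once each activity is written down with its "doer" roles and its "checker" roles. The following is an added example, not code from the original Q&A or from Advisera: it generalizes the answer's single example (service manager vs. internal auditor/security tester) into a conflict check over any role-to-person split. The role names are taken from the question; the activity catalogue, which role performs or controls which activity, and the two sample assignments are constructed assumptions for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a role assignment.

Added example (not from the original post). A conflict exists when one
person holds both a role that performs/elaborates an activity and a role
that approves/reviews/audits the same activity.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set


class Activity(NamedTuple):
    name: str
    performed_by: FrozenSet[str]   # roles that elaborate or perform it ("doer")
    controlled_by: FrozenSet[str]  # roles that approve, review or audit it ("checker")


# Constructed catalogue: which role does what is an ASSUMPTION for illustration,
# based on the answer's description (service manager defines and handles
# changes/incidents; internal auditor/security tester verifies them).
ACTIVITIES: List[Activity] = [
    Activity("change management",
             frozenset({"Service manager"}),
             frozenset({"Internal auditor", "Security tester"})),
    Activity("incident handling",
             frozenset({"Service manager"}),
             frozenset({"Internal auditor"})),
    Activity("risk assessment",
             frozenset({"Security officer"}),
             frozenset({"Internal auditor"})),
    Activity("access authorization",
             frozenset({"Security officer"}),
             frozenset({"Internal auditor", "Compliance officer"})),
    Activity("personal data processing",
             frozenset({"Service manager", "Solutions Director"}),
             frozenset({"DPO"})),
]


def find_conflicts(assignment: Dict[str, Set[str]],
                   activities: List[Activity] = ACTIVITIES) -> List[str]:
    """Return one message per (person, activity) where the same person both
    performs and controls that activity. `assignment` maps person -> roles."""
    found = []
    for person, roles in assignment.items():
        for act in activities:
            doing = roles & act.performed_by
            checking = roles & act.controlled_by
            if doing and checking:
                found.append(f"{person}: performs and controls '{act.name}' "
                             f"(via {sorted(doing)} / {sorted(checking)})")
    return found


def uncontrolled_activities(assignment: Dict[str, Set[str]],
                            activities: List[Activity] = ACTIVITIES) -> List[str]:
    """Activities whose checker roles are assigned to nobody: there is no
    segregation at all if the reviewing role is simply vacant."""
    assigned = set().union(*assignment.values()) if assignment else set()
    return [act.name for act in activities if not (act.controlled_by & assigned)]


# Constructed sample: the split the answer warns against (one person is both
# service manager and internal auditor).
BAD_ASSIGNMENT: Dict[str, Set[str]] = {
    "Person A": {"Security officer", "DPO"},
    "Person B": {"Service manager", "Internal auditor"},
    "Person C": {"Security tester", "Compliance officer"},
    "Person D": {"Solutions Director"},
}

# Constructed sample: a split of the same seven roles over four people with no
# doer/checker overlap under the catalogue above.
GOOD_ASSIGNMENT: Dict[str, Set[str]] = {
    "Person A": {"Security officer", "DPO"},
    "Person B": {"Service manager", "Solutions Director"},
    "Person C": {"Internal auditor", "Security tester"},
    "Person D": {"Compliance officer"},
}


if __name__ == "__main__":
    for label, assignment in (("bad", BAD_ASSIGNMENT), ("good", GOOD_ASSIGNMENT)):
        print(f"[{label}] conflicts: {find_conflicts(assignment) or 'none'}")
        print(f"[{label}] uncontrolled: {uncontrolled_activities(assignment) or 'none'}")
```

The catalogue is the part worth maintaining: the check is only as good as the list of activities and of which roles perform versus control each one, which is exactly the verification step the answer recommends. The second function catches the opposite failure, a reviewing role that nobody holds, which matters when auditors or testers are external and their assignment lapses.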
Mar 09, 2020