Split sensitive tasks so no single person can abuse a process end-to-end.
What it actually means
Separation of duties reduces the risk of fraud or error by ensuring no one person controls an entire sensitive process. For small teams with few people this is hard, so the common compensating control is detective: strong logging and independent review so single-person actions stay visible. Document how you separate duties where you can, and how you compensate where you can't.
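A small way to make the "separate where you can, compensate where you can't" rule checkable is to encode the duty-separation matrix as data and run a script over it. The following is an added example, not part of the original page or any assessor's tooling: the people, duties, conflicting duty pairs and compensating controls are all constructed sample data, and the rule that a compensating control counts only if it names an independent reviewer (someone other than the actor) and a log source is an assumption made for the example.

```python
"""Added example: check a role/duty-separation matrix for people who hold
both halves of a sensitive process, then decide whether each such case is
covered by a documented compensating control (independent review of logs).
All names, duties and controls below are constructed sample data."""
from dataclasses import dataclass

# Constructed sample: the duties each person currently holds.
PEOPLE_DUTIES = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"deploy_prod", "review_deploy"},
    "carol": {"create_vendor"},
    "dave": {"admin_idp", "review_admin_logs"},
}

# Constructed sample: duty pairs that, held by one person, give that person
# end-to-end control of a sensitive process.
CONFLICTING_PAIRS = [
    ("create_vendor", "approve_payment"),
    ("deploy_prod", "review_deploy"),
    ("admin_idp", "review_admin_logs"),
]

# Constructed sample: compensating controls on record, keyed by
# (person, duty). Dave's entry names himself as reviewer, which the check
# below rejects as not independent.
COMPENSATING_CONTROLS = {
    ("bob", "deploy_prod"): {"reviewer": "carol", "log_source": "ci_audit_log"},
    ("dave", "admin_idp"): {"reviewer": "dave", "log_source": "idp_audit_log"},
}


@dataclass
class Finding:
    person: str
    duties: tuple          # the conflicting pair this person holds
    status: str            # "compensated" or "fail"
    reason: str


def find_conflicts(people_duties, pairs):
    """Yield (person, (duty_a, duty_b)) for every conflicting pair one person holds."""
    for person, duties in people_duties.items():
        for a, b in pairs:
            if a in duties and b in duties:
                yield person, (a, b)


def assess(people_duties=PEOPLE_DUTIES, pairs=CONFLICTING_PAIRS,
           controls=COMPENSATING_CONTROLS):
    """Return one Finding per unseparated duty pair, classified by whether a
    valid compensating control (independent reviewer + log source) exists."""
    findings = []
    for person, (a, b) in find_conflicts(people_duties, pairs):
        ctrl = controls.get((person, a)) or controls.get((person, b))
        if ctrl is None:
            findings.append(Finding(person, (a, b), "fail",
                                    "no compensating control documented"))
        elif ctrl.get("reviewer") in (None, person):
            findings.append(Finding(person, (a, b), "fail",
                                    "reviewer is not independent of the actor"))
        elif not ctrl.get("log_source"):
            findings.append(Finding(person, (a, b), "fail",
                                    "no log source for the review"))
        else:
            findings.append(Finding(person, (a, b), "compensated",
                                    f"reviewed by {ctrl['reviewer']} "
                                    f"using {ctrl['log_source']}"))
    return findings


def passes(findings):
    """True only when every unseparated pair has a valid compensating control."""
    return all(f.status == "compensated" for f in findings)


if __name__ == "__main__":
    results = assess()
    for f in results:
        print(f"{f.person}: {f.duties[0]} + {f.duties[1]} -> {f.status} ({f.reason})")
    print("control satisfied:", passes(results))
```

Run as written, it reports Alice as a fail (she can both create a vendor and approve its payment with nothing on record), Bob as compensated (Carol reviews the CI audit log), and Dave as a fail because his only reviewer is himself. Carol holds one half of a pair, which is the separated case and produces no finding. The same structure works for a real matrix exported from an HR system or IdP: the conflict pairs are the policy, and the controls table is the evidence an assessor asks for.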
Pass or fail — an assessor needs a "yes" to each
- Have you identified sensitive functions and separated them across people where feasible?
- Where separation isn't possible, do you compensate with logging and independent review?
What to have ready
- Documented role / duty-separation matrix
- Review logs or oversight evidence for compensating controls
Where teams trip up
- One admin with unchecked control over everything and no review
- Assuming a small team makes the control N/A without any compensating control