
Segregation of Duties (SoD)

Frameworks: SOC 2, ISO 27001, SOX, PCI DSS

Splitting critical tasks across multiple individuals so that no single person can commit fraud, or introduce an error, without independent detection.

Segregation of Duties requires that no single individual hold sufficient access to execute, authorise, and conceal a sensitive action (e.g. deploy code AND write to production data AND modify the audit logs that would record it). Compensating controls (logging with independent review, dual approval) are accepted where headcount makes strict SoD impractical, provided the review is performed by someone other than the person holding the combined access and is evidenced.

Why it matters
SoD violations are a recurring source of SOX ITGC findings. The most common gap: a developer who holds both production-deploy and production-database write access, so one person can change code and data with no independent check.
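The check auditors perform is mechanical: expand each user's roles into effective permissions, then test them against a matrix of toxic combinations (deploy + prod DB write, deploy + audit-log modify, deploy + approve own deploy). The script below is an added example, not ComplianceIQ's tooling; the RBAC export, permission names and the evidenced compensating control are constructed for illustration.

```python
"""Toxic-combination (SoD) check over an RBAC export.

Added example with constructed data; not part of the original page.
"""

# Constructed RBAC export: role -> permissions, user -> roles.
ROLE_PERMS = {
    "developer":   {"repo:write", "prod:deploy"},
    "dba":         {"prod:db:write"},
    "sre":         {"prod:deploy", "audit:log:modify"},
    "release-mgr": {"prod:deploy:approve"},
}
USER_ROLES = {
    "alice": {"developer", "dba"},          # deploy + prod DB write
    "bob":   {"developer"},                 # deploy only: no conflict
    "carol": {"sre"},                       # deploy + can alter audit logs
    "dave":  {"developer", "release-mgr"},  # executes and approves own deploy
}

# SoD matrix: permission sets that no single identity may hold together.
TOXIC_COMBINATIONS = [
    frozenset({"prod:deploy", "prod:db:write"}),
    frozenset({"prod:deploy", "audit:log:modify"}),
    frozenset({"prod:deploy", "prod:deploy:approve"}),
]

# Evidenced compensating controls, keyed by (user, combination).
# Assumption for the example: alice's conflict is covered by dual approval
# on deploys plus a weekly DB change-log review by someone else.
COMPENSATING = {
    ("alice", frozenset({"prod:deploy", "prod:db:write"})):
        "dual approval on deploy; DB change log reviewed weekly by security",
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Union of permissions granted through every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def find_sod_conflicts(user_roles=USER_ROLES, role_perms=ROLE_PERMS,
                       toxic=TOXIC_COMBINATIONS, compensating=COMPENSATING):
    """Return one finding per (user, toxic combination) the user fully holds.

    Each finding records which roles contributed each offending permission,
    which is what an auditor asks for next, and any evidenced compensating
    control so it can be reported as mitigated rather than open.
    """
    findings = []
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_perms)
        for combo in toxic:
            if combo <= perms:
                via = {
                    p: sorted(r for r in user_roles[user]
                              if p in role_perms.get(r, ()))
                    for p in combo
                }
                findings.append({
                    "user": user,
                    "combination": sorted(combo),
                    "via_roles": via,
                    "compensating_control": compensating.get((user, combo)),
                })
    return findings


def uncompensated(findings):
    """Findings with no evidenced compensating control: the open violations."""
    return [f for f in findings if f["compensating_control"] is None]


if __name__ == "__main__":
    for f in find_sod_conflicts():
        status = "MITIGATED" if f["compensating_control"] else "VIOLATION"
        print(f"{status}: {f['user']} holds {f['combination']} via {f['via_roles']}")
```

Run against a real export, the same logic flags the developer-plus-DBA pattern above; the point of keying compensating controls by (user, combination) rather than by user is that a control evidenced for one conflict does not silently cover a different one the same person acquires later.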

Related terms

Least Privilege (Principle of)
Users and services receive only the minimum access required to perform their function.
RBAC (Role-Based Access Control)
Access control model granting permissions to roles, and assigning users to roles.
IT General Controls (ITGC)
Pervasive IT controls supporting reliable processing — access, change management, operations, development.

Does your program actually cover Segregation of Duties (SoD)?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
