ISO 27001 Annex A 6.5 is a vital exit management control: it requires the prompt revocation of access rights and the recovery of assets when an employee leaves or changes role. Implemented properly, it eliminates “ghost user” risks and data leakage, and its business benefit is secure offboarding and preserved intellectual property.
ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment: Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.5. This control requires a rigid, technically verified process to revoke access and recover assets immediately upon an employee’s departure or role change, eliminating the “ghost user” risks that automated dashboards frequently ignore.
1. Establish a Mandatory ‘Leaver Trigger’ Workflow
Control Requirement: Ensure security processes are initiated immediately upon notification of termination or change of role. Required Implementation Step: Implement an automated hook between your HR system (e.g., BambooHR, Workday) and your IT Service Management (ITSM) tool. The moment a termination or role-change date is entered in HR, a “Critical Offboarding” ticket must be generated automatically for IT, carrying the contract end time so that revocation can be scheduled against it. Relying on an email from HR to IT is a single point of failure that leads to delayed revocations.
Minimum Requirement: Automated ticket generation for all leavers with timestamped audit trails.
2. Execute Timed Access Revocation
Control Requirement: Remove access rights upon termination, and reduce them upon a change of role. Required Implementation Step: Script the account disablement process. Use PowerShell or Python to disable the Active Directory account, revoke M365/Google Workspace sign-in sessions and refresh tokens, and revoke the leaver’s VPN client certificate, all at a specific time (e.g., 17:00 on the final day). Disabling the account does not end sessions that already hold a valid token, so the session and token revocation is not optional. Do not delete the account immediately; disable it so the audit trail is preserved. For a role change, remove the old role’s group memberships and entitlements rather than layering the new ones on top.
Minimum Requirement: Logs proving account disablement occurred within 60 minutes of the employment contract ending.
3. Recover and Sanitise Physical Assets
Control Requirement: Retrieve all organisational equipment. Required Implementation Step: Maintain a serialised asset register. Physically verify the return of laptops, mobile phones, and security keys (YubiKeys). Upon return, check the serial number against the register and boot the device to verify it hasn’t been swapped, then sanitise it (cryptographic erase or another Purge-level method under NIST SP 800-88) before re-imaging. A returned security key is only half the job: also remove its registration from the identity provider.
Minimum Requirement: A signed “Asset Return Form” reconciled against the hardware inventory.
4. Revoke Physical Access Tokens
Control Requirement: Prevent physical re-entry to the premises. Required Implementation Step: Log into the physical access control system (PACS) and permanently deactivate the leaver’s ID badge/fob. If physical keys were issued, they must be returned or the locks changed. Do not toss the badge in a drawer; destroy it or reformat it immediately.
Minimum Requirement: System logs showing the specific date and time the access card was deactivated.
5. Rotate Shared Credentials
Control Requirement: Mitigate the risk that the leaver retains knowledge of shared secrets. Required Implementation Step: If the leaver was a SysAdmin or Developer with access to shared root passwords, service account keys, API tokens, or “break-glass” credentials, those secrets must be rotated immediately; the same applies to the office Wi-Fi pre-shared key. Use a Secrets Manager to automate this rotation; if you rely on a spreadsheet, assume the leaver has a copy.
Minimum Requirement: Audit logs showing password rotation for shared accounts within 24 hours of a privileged user’s exit.
6. Enforce Post-Employment Confidentiality
Control Requirement: Remind the leaver of their ongoing legal obligations. Required Implementation Step: Conduct a formal Exit Interview where the leaver signs a “Post-Employment Declaration”. This document must explicitly reiterate the NDA, confirming they have returned all data and hold no copies of source code or client lists on personal devices.
Minimum Requirement: A signed declaration acknowledging ongoing confidentiality duties.
7. Securely Transfer Business Data
Control Requirement: Ensure business continuity without compromising privacy. Required Implementation Step: Before wiping the user’s endpoint or cloud drive, have the line manager identify business-critical data. Transfer these specific files to a shared repository. Do not simply grant the manager full access to the leaver’s email inbox; without a documented lawful basis this can breach data protection law (e.g., GDPR).
Minimum Requirement: A documented data handover process that respects privacy boundaries.
8. Cleanse Public-Facing Profiles and Distribution Lists
Control Requirement: Prevent social engineering and communication errors. Required Implementation Step: Remove the leaver from the company website “Team” page and external client distribution lists immediately. Attackers often use the names of recently departed staff (who still appear on the website) to launch social engineering attacks against the finance team.
Minimum Requirement: Verification that the leaver’s profile is removed from public domains and internal email groups.
9. Notify External Partners
Control Requirement: Inform third parties that the individual no longer represents the company. Required Implementation Step: Identify if the leaver was the primary point of contact for key suppliers or clients. Proactively email these partners to state: “X is no longer with the business; please direct future correspondence to Y.” This prevents the leaver from “poaching” clients or authorising fraudulent orders.
Minimum Requirement: Communication records notifying key external stakeholders of the role change.
10. Conduct a Post-Exit Access Audit
Control Requirement: Verify that the offboarding process was successful. Required Implementation Step: Seven days after the exit, a Security Analyst must run a “Ghost User” report. Check AD, SaaS portals, cloud IAM, and VPN logs to ensure zero activity and zero active accounts remain for that identity, and reconcile the timestamps in the ticket, directory, PACS, and secrets manager against the SLAs above. This is the safety net for human error.
Minimum Requirement: A “Clean Sheet” audit report generated one week post-exit confirming no lingering access.
ISO 27001 Annex A 6.5 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Access Revocation | Clicking “Offboard” in the GRC tool. | The GRC tool updates its own list, but did it actually deactivate the user’s AWS IAM access keys and console password, or remove their SSO assignment? Unlikely. The user still has access. |
| Asset Recovery | Marking “Laptop Returned” in a spreadsheet. | Did you power it on? Did you check the serial number? Leavers often return older, broken personal laptops and keep the company Mac. |
| Shared Secrets | Ignoring this because “we have a policy”. | If the leaver knows the Wi-Fi password and it hasn’t changed, they can park outside and access your network. |
| MFA Tokens and Sessions | Disabling the password but leaving MFA registrations and issued sessions in place. | Session and refresh tokens already issued stay valid until they expire, so the user can keep using O365/Slack for weeks without re-authenticating. You must revoke sessions and refresh tokens, and deregister the MFA device. |
| Data Theft | Assuming “they signed the NDA”. | They signed it, but they also downloaded the client database to a USB drive 10 minutes before leaving. Check the DLP logs. |
| Shadow IT | Revoking corporate SSO only. | The leaver created a Trello board with their personal email for “work”. They still own that data. SSO revocation misses this. |
| Legal Closure | No exit interview because “it was an amicable split”. | Amicable splits turn sour. Without a signed exit declaration, your legal standing to reclaim IP is significantly weaker. |
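The safety-net audit of step 10, run against the evidence each earlier step should leave behind, as an added example; it is not the page’s or any vendor’s tooling. It reads constructed exports (directory, SaaS and VPN logs, cloud IAM, PACS, secrets manager, DLP) whose field names, such as `disabled_at`, `accessible_by` and `auth`, are assumptions about your own systems, and returns the findings that block a “clean sheet”. The constructed leaver deliberately trips the “still has IAM keys”, “cached session” and “USB copy before leaving” traps from the failure table above.

```python
"""Post-exit 'ghost user' audit over constructed evidence exports.

Correlates, for one leaver, the evidence each checklist step should leave
behind and returns the findings that would stop a 'clean sheet' report.
All records are constructed sample data; the export field names are
assumptions about the reader's own directory, SaaS, IAM, PACS, secrets
manager and DLP tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x2                 # userAccountControl bit set on a disabled AD account
DISABLE_SLA = timedelta(minutes=60)  # step 2: disabled within 60 min of contract end
ROTATION_SLA = timedelta(hours=24)   # step 5: shared secrets rotated within 24 h
DLP_LOOKBACK = timedelta(hours=24)   # failure table: bulk copies just before leaving
DLP_BYTES = 100 * 1024 * 1024        # assumed threshold: 100 MiB in one DLP event
CACHED = ("cached_token", "refresh_token")  # auth methods meaning "session not revoked"


def ts(text):
    """Parse the ISO 8601 timestamps used in the constructed exports (assumed UTC)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    control: str  # checklist step (or failure-table row) the finding maps to
    detail: str


def audit_leaver(leaver, directory, saas_events, vpn_events, iam_users,
                 pacs_badges, secrets, dlp_events):
    """Return every reason this leaver is not yet a 'clean sheet'."""
    upn, end = leaver["upn"], ts(leaver["employment_end"])
    alias = upn.split("@")[0]  # assumed: cloud IAM user names reuse the UPN local part
    out = []

    # Step 2/9: the directory account must be disabled (not deleted) within the SLA.
    acct = next((a for a in directory if a["upn"] == upn), None)
    if acct is None:
        out.append(Finding("2. Access revocation", "account missing from directory export: "
                           "deleted instead of disabled, so the audit trail is gone"))
    elif not acct["userAccountControl"] & ACCOUNTDISABLE:
        out.append(Finding("2. Access revocation", "directory account is still enabled"))
    else:
        late = ts(acct["disabled_at"]) - end
        if late > DISABLE_SLA:
            out.append(Finding("2. Access revocation",
                               f"disabled {int(late.total_seconds() // 60)} min after contract end (SLA 60)"))

    # Any SaaS/VPN activity after contract end is a ghost-user event; a cached or
    # refresh token after that point is the 'sessions were not revoked' trap.
    for ev in saas_events + vpn_events:
        if ev["user"] == upn and ts(ev["time"]) > end:
            how = "via cached session, sessions were not revoked" if ev["auth"] in CACHED else f"via {ev['auth']}"
            out.append(Finding("2. Access revocation", f"{ev['system']} activity at {ev['time']} {how}"))

    # Failure table, 'Access Revocation' row: GRC says offboarded, cloud IAM still works.
    for u in iam_users:
        if u["user"] == alias and (u["access_keys_active"] or u["console_password"]):
            out.append(Finding("2. Access revocation", f"IAM user {alias} still has "
                               f"{u['access_keys_active']} active key(s), console password "
                               f"{'on' if u['console_password'] else 'off'}"))

    # Step 4/15: the badge must show as deactivated in the PACS.
    for b in pacs_badges:
        if b["holder"] == upn and b["active"]:
            out.append(Finding("4. Physical tokens", f"badge {b['badge_id']} still active in PACS"))

    # Step 5/18: every shared secret the leaver could read is rotated, within 24 h.
    for s in secrets:
        if upn in s["accessible_by"]:
            rotated = s.get("rotated_at")
            if rotated is None or ts(rotated) < end:
                out.append(Finding("5. Shared credentials", f"{s['name']} not rotated since exit"))
            elif ts(rotated) - end > ROTATION_SLA:
                out.append(Finding("5. Shared credentials",
                                   f"{s['name']} rotated {ts(rotated) - end} after exit (SLA 24 h)"))

    # Failure table, 'Data Theft' row: bulk copies in the final 24 h need review.
    for d in dlp_events:
        if d["user"] == upn and end - DLP_LOOKBACK <= ts(d["time"]) <= end and d["bytes"] >= DLP_BYTES:
            out.append(Finding("6. Confidentiality / DLP",
                               f"{d['action']} of {d['bytes'] // 2**20} MiB at {d['time']}, review before closure"))
    return out


# Constructed sample exports for one leaver (not real data).
LEAVER = {"upn": "j.doe@example.com", "employment_end": "2024-03-29T17:00"}
DIRECTORY = [{"upn": "j.doe@example.com", "userAccountControl": 514, "disabled_at": "2024-03-29T17:20"},
             {"upn": "a.smith@example.com", "userAccountControl": 512, "disabled_at": None}]
SAAS_EVENTS = [{"time": "2024-03-29T16:50", "user": "j.doe@example.com", "system": "Slack", "auth": "sso"},
               {"time": "2024-03-30T09:12", "user": "j.doe@example.com", "system": "M365", "auth": "cached_token"},
               {"time": "2024-03-30T09:15", "user": "a.smith@example.com", "system": "M365", "auth": "sso"}]
VPN_EVENTS = [{"time": "2024-03-29T17:05", "user": "j.doe@example.com", "system": "VPN", "auth": "client_cert"}]
IAM_USERS = [{"user": "j.doe", "access_keys_active": 1, "console_password": False}]
PACS_BADGES = [{"badge_id": "B-1042", "holder": "j.doe@example.com", "active": False, "deactivated_at": "2024-03-29T17:30"}]
SECRETS = [{"name": "prod-db-root", "accessible_by": ["j.doe@example.com", "a.smith@example.com"], "rotated_at": "2024-03-31T10:00"},
           {"name": "office-wifi-psk", "accessible_by": ["j.doe@example.com"], "rotated_at": "2024-03-29T18:00"}]
DLP_EVENTS = [{"time": "2024-03-29T16:48", "user": "j.doe@example.com", "action": "usb_copy", "bytes": 450_000_000}]


def run_sample():
    """Run the audit over the constructed exports; five findings are expected."""
    return audit_leaver(LEAVER, DIRECTORY, SAAS_EVENTS, VPN_EVENTS, IAM_USERS, PACS_BADGES, SECRETS, DLP_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.control}] {f.detail}")
```

On the sample data the directory disable lands 20 minutes after contract end, inside the SLA, yet the VPN still accepted the leaver’s client certificate at 17:05 and an M365 cached token was used the next morning: the account was disabled but nothing was revoked, which is exactly the gap the “Clean Sheet” report has to surface. The audit reports a missing directory entry as a finding rather than a pass, because an account that was deleted instead of disabled has also lost the evidence the auditor will ask for.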