In this ultimate how-to guide to implementing ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Establish a Mandatory ‘Leaver Trigger’ Workflow
- 2. Execute Timed Access Revocation
- 3. Recover and Sanitise Physical Assets
- 4. Revoke Physical Access Tokens
- 5. Rotate Shared Credentials
- 6. Enforce Post-Employment Confidentiality
- 7. Securely Transfer Business Data
- 8. Cleanse Public Facings and Distribution Lists
- 9. Notify External Partners
- 10. Conduct a Post-Exit Access Audit
- ISO 27001 Annex A 6.5 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 6.5 is a vital exit management protocol requiring the immediate revocation of access rights and recovery of assets upon an employee’s departure or role change. This control eliminates “ghost user” risks and data leakage, providing the business benefit of secure offboarding and preserved intellectual property.
ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 6.5. This control requires a rigid, technically verified process to revoke access and recover assets immediately upon an employee’s departure or role change, eliminating the “ghost user” risks that automated dashboards frequently ignore.
1. Establish a Mandatory ‘Leaver Trigger’ Workflow
Control Requirement: Ensure security processes are initiated immediately upon notification of termination.
Required Implementation Step: Implement an automated hook between your HR system (e.g., BambooHR, Workday) and your IT Service Management (ITSM) tool. The moment a termination date is entered in HR, a “Critical Offboarding” ticket must automatically generate for IT. Relying on an email from HR to IT is a single point of failure that leads to delayed revocations.
Minimum Requirement: Automated ticket generation for all leavers with timestamped audit trails.
2. Execute Timed Access Revocation
Control Requirement: Remove access rights upon termination.
Required Implementation Step: Script the account disablement process. Use PowerShell or Python to simultaneously disable the Active Directory account, revoke M365/Google Workspace sessions, and invalidate active VPN certificates at a specific time (e.g., 17:00 on the final day). Do not delete the account immediately; disable it to retain audit logs.
Minimum Requirement: Logs proving account disablement occurred within 60 minutes of the employment contract ending.
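Steps 1 and 2 together describe one flow: an HR leaver event raises a timestamped ticket, the ticket carries a fixed revocation time, and a script disables (never deletes) the account at that time and records evidence that it happened within the 60-minute window. The following Python is an added example, not code from the original article; the HR event, ticket store and identity store are simulated in memory so it runs offline, and the ticket id scheme and the three `revoke`-style functions are assumptions standing in for your directory and SaaS admin API calls (for example `Disable-ADAccount` in PowerShell).

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# Minimum requirement from the checklist: disablement must be logged within
# 60 minutes of the employment contract ending.
REVOCATION_SLA = timedelta(minutes=60)


@dataclass
class LeaverEvent:
    """Termination record as it would arrive from the HR system (constructed sample)."""
    employee_id: str
    username: str
    final_day: date
    received_at: datetime


@dataclass
class OffboardingTicket:
    """The 'Critical Offboarding' ticket the ITSM tool raises automatically."""
    ticket_id: str
    username: str
    created_at: datetime
    revoke_at: datetime
    priority: str = "Critical"
    audit_log: List[Tuple[datetime, str]] = field(default_factory=list)
    completed_at: Optional[datetime] = None

    def log(self, when: datetime, message: str) -> None:
        """Every step is timestamped so the ticket doubles as the audit trail."""
        self.audit_log.append((when, message))


def create_offboarding_ticket(event: LeaverEvent, cutoff: time = time(17, 0),
                              tz: timezone = timezone.utc) -> OffboardingTicket:
    """HR -> ITSM hook: each leaver event yields a ticket with no human relay in between."""
    revoke_at = datetime.combine(event.final_day, cutoff, tzinfo=tz)
    ticket = OffboardingTicket(
        ticket_id=f"OFF-{event.employee_id}",  # hypothetical ticket id scheme
        username=event.username,
        created_at=event.received_at,
        revoke_at=revoke_at,
    )
    ticket.log(event.received_at, f"ticket raised from HR termination event for {event.username}")
    return ticket


# Simulated identity store. Accounts are disabled, never deleted, so their
# history survives for audit. Real code would call directory / SaaS APIs here.
ACCOUNTS: dict = {}


def disable_directory_account(username: str) -> str:
    ACCOUNTS.setdefault(username, {})["enabled"] = False
    return "directory account disabled (not deleted)"


def revoke_cloud_sessions(username: str) -> str:
    ACCOUNTS.setdefault(username, {})["active_sessions"] = 0
    return "cloud sessions and refresh tokens revoked"


def invalidate_vpn_certificate(username: str) -> str:
    ACCOUNTS.setdefault(username, {})["vpn_cert_revoked"] = True
    return "VPN client certificate added to revocation list"


# The three actions the checklist names, run as one batch at the cutoff.
REVOCATION_ACTIONS: List[Callable[[str], str]] = [
    disable_directory_account,
    revoke_cloud_sessions,
    invalidate_vpn_certificate,
]


def run_timed_revocation(ticket: OffboardingTicket, now: datetime) -> bool:
    """Run every revocation action once the cutoff has passed, logging each result."""
    if now < ticket.revoke_at:
        ticket.log(now, "revocation not yet due; no action taken")
        return False
    for action in REVOCATION_ACTIONS:
        ticket.log(now, f"{action.__name__}: {action(ticket.username)}")
    ticket.completed_at = now
    ticket.log(now, "all revocation actions completed")
    return True


def revocation_within_sla(ticket: OffboardingTicket) -> bool:
    """Evidence check for the auditor: completed within 60 minutes of contract end."""
    if ticket.completed_at is None:
        return False
    return timedelta(0) <= ticket.completed_at - ticket.revoke_at <= REVOCATION_SLA


if __name__ == "__main__":
    utc = timezone.utc
    ev = LeaverEvent("1042", "jdoe", date(2024, 3, 29), datetime(2024, 3, 20, 9, 0, tzinfo=utc))
    tk = create_offboarding_ticket(ev)
    run_timed_revocation(tk, datetime(2024, 3, 29, 17, 10, tzinfo=utc))
    for when, msg in tk.audit_log:
        print(when.isoformat(), msg)
    print("within SLA:", revocation_within_sla(tk))
```

The scheduler that calls `run_timed_revocation` at the cutoff is whatever your ITSM or job runner provides; what matters for the control is that the ticket is created by the HR event itself and that the log shows the completion timestamp sitting inside the window, which is what `revocation_within_sla` checks.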
3. Recover and Sanitise Physical Assets
Control Requirement: Retrieve all organisational equipment.
Required Implementation Step: Maintain a serialised asset register. Physically verify the return of laptops, mobile phones, and security keys (YubiKeys). Upon return, immediately boot the device to verify it hasn’t been swapped, then execute a cryptographic wipe (e.g., NIST 800-88 Purge) before re-imaging.
Minimum Requirement: A signed “Asset Return Form” reconciled against the hardware inventory.
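Reconciling the Asset Return Form against the register is where the edge cases live: an asset that never comes back, a device whose label serial does not match the serial it reports when powered on (the swap the step tells you to check for), a device that will not power on, and a returned device that has not yet been purged. The Python below is an added example, not code from the original article; the register rows and hand-back records are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Asset:
    """One row of the serialised asset register (constructed sample data)."""
    serial: str
    kind: str
    assigned_to: str


@dataclass
class ReturnedDevice:
    """What the technician records at hand-back."""
    label_serial: str                 # serial on the chassis or asset tag
    reported_serial: Optional[str]    # serial the device reports when powered on; None if it will not power on
    purged: bool = False              # cryptographic erase (NIST 800-88 Purge) done before re-imaging


@dataclass
class ReturnReport:
    """Reconciliation result backing the signed Asset Return Form."""
    leaver: str
    returned: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)
    swap_suspected: List[str] = field(default_factory=list)
    not_powering_on: List[str] = field(default_factory=list)
    purge_pending: List[str] = field(default_factory=list)
    unexpected: List[str] = field(default_factory=list)

    def ready_to_sign(self) -> bool:
        """Sign-off only when every expected asset is back, verified and purged."""
        return not (self.missing or self.swap_suspected
                    or self.not_powering_on or self.purge_pending)


def reconcile_returns(register: List[Asset], leaver: str,
                      handed_back: List[ReturnedDevice]) -> ReturnReport:
    """Compare what the leaver handed back against what the register says they hold."""
    expected = {a.serial for a in register if a.assigned_to == leaver}
    report = ReturnReport(leaver=leaver)
    seen = set()
    for dev in handed_back:
        seen.add(dev.label_serial)
        if dev.label_serial not in expected:
            # Not on this leaver's register entry: investigate before accepting it.
            report.unexpected.append(dev.label_serial)
            continue
        if dev.reported_serial is None:
            report.not_powering_on.append(dev.label_serial)
            continue
        if dev.reported_serial != dev.label_serial:
            # Label says one device, firmware says another: possible swap.
            report.swap_suspected.append(dev.label_serial)
            continue
        report.returned.append(dev.label_serial)
        if not dev.purged:
            report.purge_pending.append(dev.label_serial)
    report.missing.extend(sorted(expected - seen))
    return report


if __name__ == "__main__":
    register = [Asset("LT-1001", "laptop", "jdoe"), Asset("PH-2002", "phone", "jdoe"),
                Asset("YK-3003", "security key", "jdoe"), Asset("LT-9999", "laptop", "asmith")]
    handed_back = [ReturnedDevice("LT-1001", "LT-1001", purged=True),
                   ReturnedDevice("PH-2002", "PH-2002", purged=False),
                   ReturnedDevice("LT-5555", "LT-5555", purged=False)]
    print(reconcile_returns(register, "jdoe", handed_back))
```

The register is the source of truth for what should come back; the hand-back list is evidence of what did. Only a report where `ready_to_sign()` is true should be attached to the signed form, and anything in the other buckets stays open on the offboarding ticket.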