ISO 27001 Annex A 6.5 Audit Checklist

Auditing ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment is a rigorous evaluation of the procedural safeguards governing personnel transitions. The primary implementation requirement is that the security duties which continue after employment ends or changes are formally defined, legally enforceable and communicated to the individual; the business benefit is sustained protection of information assets and a reduced insider-threat risk.

ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment Audit Checklist

This technical verification tool is designed for lead auditors to establish the legal and operational continuity of security obligations when personnel exit or move roles. Use this checklist to validate compliance with ISO 27001 Annex A 6.5.

1. Post-Employment Security Obligations Formalised

Verification Criteria: Enforceable legal clauses exist within employment contracts or termination agreements that specify security responsibilities remain in force after the cessation of employment.

Required Evidence: Sampled employment contracts or signed separation agreements containing “survival of obligations” or confidentiality clauses.

Pass/Fail Test: If a contract implies that confidentiality or data protection duties expire on the final day of employment, mark as Non-Compliant.

2. Communication of Ongoing Responsibilities Verified

Verification Criteria: Personnel are formally notified of their continuing security duties during the exit process or when changing roles within the organisation.

Required Evidence: Exit interview records or formal “Post-Employment Responsibility” acknowledgement forms signed by the leaver.

Pass/Fail Test: If the organisation cannot produce evidence of a formal briefing or written notification of post-exit duties, mark as Non-Compliant.

3. Role-Change Security Responsibility Update Confirmed

Verification Criteria: When an individual moves to a new internal role, their previous security responsibilities are formally superseded by the requirements of the new position.

Required Evidence: Internal transfer letters or updated Job Descriptions (JDs) with specific security accountability sections.

Pass/Fail Test: If an individual retains high-level security accountability for a former department after moving to a non-related role, mark as Non-Compliant.

4. Asset Return Verification Records Present

Verification Criteria: A documented record exists confirming the successful return of all physical and logical assets (laptops, tokens, keys) upon termination or change.

Required Evidence: Signed Asset Return Checklist cross-referenced against the Master Asset Register.

Pass/Fail Test: If the asset register shows equipment assigned to a leaver without a corresponding “Returned” log entry, mark as Non-Compliant.

5. Logical Access Revocation Timeliness Validated

Verification Criteria: Access to all information systems and facilities is revoked or modified immediately upon the effective date of termination or role change.

Required Evidence: IAM (Identity and Access Management) logs or Active Directory “Account Disabled” timestamps compared against HR exit dates.

Pass/Fail Test: If a leaver’s account remains active, has successful logins, or still holds valid sessions or API tokens after their official termination date, mark as Non-Compliant.

6. Knowledge Transfer Security Oversight Confirmed

Verification Criteria: The transfer of critical security-related knowledge (e.g. system configurations, cryptographic keys) is performed in a controlled manner that prevents unauthorised disclosure.

Required Evidence: Handover documentation or manager-signed verification of secure knowledge transfer.

Pass/Fail Test: If an admin exits without a recorded handover of privileged access to an authorised successor, including rotation of any shared master credentials, recovery codes or secondary-factor backups they held, mark as Non-Compliant. Passing such secrets on unchanged is itself a finding, not a handover.

7. Contractor and Third-Party Obligation Alignment Verified

Verification Criteria: Termination obligations for contractors and external parties are aligned with internal standards and are contractually enforceable.

Required Evidence: Master Service Agreements (MSAs) or Non-Disclosure Agreements (NDAs) for external parties showing post-contractual survival clauses.

Pass/Fail Test: If third-party contracts lack specific language regarding the return of data or confidentiality after contract completion, mark as Non-Compliant.

8. Physical Access Media Collection Evidence Identified

Verification Criteria: Physical access tokens, ID cards, and keys are physically collected and their associated access rights are deactivated in the control system.

Required Evidence: Physical security system logs showing “Deactivated” status for leavers’ badges or key return logs.

Pass/Fail Test: If a sampled leaver’s badge still shows as “Active” in the building access control system, mark as Non-Compliant.

9. Intellectual Property Ownership Confirmation Validated

Verification Criteria: The organisation reinforces its ownership of intellectual property created during employment to prevent the unauthorised removal of proprietary data.

Required Evidence: “Assignment of IP” clauses in the initial contract supplemented by an Exit Acknowledgement form.

Pass/Fail Test: If the exit process does not include a formal reminder or signed confirmation regarding IP ownership and the prohibition on removing proprietary data, mark as Non-Compliant.

10. Monitoring of Post-Termination Activity Verified

Verification Criteria: Heightened monitoring or DLP (Data Loss Prevention) checks are performed on leavers’ accounts during the notice period, and on any residual account activity after the exit date, to detect unauthorised data movement.

Required Evidence: DLP alert logs or manager review records for the final 30 days of the leaver’s system activity.

Pass/Fail Test: If an individual in a sensitive role has no recorded audit trail of their data activity during their notice period, mark as Non-Compliant.

ISO 27001 Annex A 6.5 SaaS / GRC Platform Failure Checklist

For each control requirement, the entry below gives the “checkbox compliance” trap a SaaS or GRC platform can present and the reality check the auditor should apply.

Control Requirement: Legal Obligations
The “Checkbox Compliance” Trap: Tool confirms a “Contract” exists in the HR folder.
The Reality Check: Auditor must verify the Confidentiality Survival clause. Generic templates often omit post-termination enforceability.

Control Requirement: Access Revocation
The “Checkbox Compliance” Trap: SaaS tool shows “Account Disabled” in the GRC dashboard.
The Reality Check: Verify Cross-System Revocation. Is the user still logged into un-synced SaaS tools or local on-prem legacy databases?

Control Requirement: Asset Recovery
The “Checkbox Compliance” Trap: Tool shows a “Laptop Returned” task marked as complete.
The Reality Check: Demand the Serial Number Match. GRC tasks are often ticked “done” before the hardware is actually inspected for data tampering.

Control Requirement: Role Changes
The “Checkbox Compliance” Trap: Tool assumes “Employment” is a static state until termination.
The Reality Check: Internal movers are the biggest risk. Auditor must see a Permission Reset log when an employee moves from IT to Sales.

Control Requirement: Handover Security
The “Checkbox Compliance” Trap: Platform records that “Handover Notes” were uploaded.
The Reality Check: Inspect the notes for Clear-text Passwords. GRC tools often miss that the handover itself might breach security policies.

Control Requirement: Post-Exit Monitoring
The “Checkbox Compliance” Trap: Tool relies on HR to trigger the exit workflow.
The Reality Check: Verify the Time-Delta. If HR notifies IT 48 hours after the person has left, the GRC “Green Tick” is masking a 48-hour window in which a departed user’s access was still live.

Control Requirement: Contractor Parity
The “Checkbox Compliance” Trap: Tool only monitors staff in the main HR database (e.g. HiBob/Workday).
The Reality Check: Contractors and temporary staff usually bypass HR systems. Demand the manual termination logs for agency workers.
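The reconciliation an auditor performs for checklist item 5 and for the “Time-Delta” and “Cross-System Revocation” rows above can be scripted rather than done by eye. The following Python is an added example, not part of the original checklist or of any GRC product: it takes a constructed HR exit export, a constructed per-user access register and constructed identity-log lines in an assumed `timestamp system event user=…` format, and flags, per leaver, in-scope systems with no disable event, disable events later than an assumed one-hour tolerance after the HR exit time, and successful logins after the exit. All names, hosts and the log layout are made up for the example.

```python
"""Reconcile HR exit dates against identity-system events (added example).

Checks, for every leaver in the HR export: each in-scope system shows an
account_disabled event within max_delta of the HR exit timestamp, and no
login_success follows the exit. Sample data is constructed; the log format
and the one-hour tolerance are assumptions, not a standard.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed HR export: leaver -> effective exit timestamp (UTC).
HR_EXITS = {
    "jdoe": "2024-03-01T17:00:00Z",
    "asmith": "2024-03-04T12:00:00Z",
    "cvendor": "2024-03-05T09:00:00Z",   # agency contractor, also in scope
}

# Constructed access register: systems each leaver held an account on.
ACCESS_REGISTER = {
    "jdoe": {"ad", "crm"},
    "asmith": {"ad", "crm", "legacy-db"},
    "cvendor": {"crm"},
}

# Constructed identity log lines (assumed format: ts system event user=...).
IAM_LOG = """\
2024-03-01T17:05:00Z ad account_disabled user=jdoe
2024-03-01T17:06:00Z crm account_disabled user=jdoe
2024-03-04T12:10:00Z ad account_disabled user=asmith
2024-03-06T12:30:00Z crm account_disabled user=asmith
2024-03-05T08:40:00Z crm login_success user=asmith src=10.0.0.5
2024-03-05T09:02:00Z crm login_success user=cvendor src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<system>\S+) (?P<event>\S+) user=(?P<user>\S+)")


def parse_ts(s: str) -> datetime:
    """Parse the assumed ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Finding:
    user: str
    missing_disable: set = field(default_factory=set)   # systems never disabled
    late_disable: dict = field(default_factory=dict)    # system -> hours past exit
    logins_after_exit: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not (self.missing_disable or self.late_disable or self.logins_after_exit)


def reconcile(hr_exits, register, log_text, max_delta=timedelta(hours=1)):
    """Return {user: Finding} for every leaver listed in the HR export."""
    exits = {u: parse_ts(t) for u, t in hr_exits.items()}
    disabled = {}   # (user, system) -> earliest disable timestamp
    logins = []     # (user, system, ts) for successful logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # skip lines not in the assumed format
        ts = parse_ts(m["ts"])
        key = (m["user"], m["system"])
        if m["event"] == "account_disabled":
            disabled[key] = min(ts, disabled.get(key, ts))
        elif m["event"] == "login_success":
            logins.append((m["user"], m["system"], ts))

    findings = {}
    for user, exit_ts in exits.items():
        f = Finding(user)
        for system in sorted(register.get(user, ())):
            when = disabled.get((user, system))
            if when is None:
                f.missing_disable.add(system)          # cross-system gap
            elif when - exit_ts > max_delta:
                hours = (when - exit_ts) / timedelta(hours=1)
                f.late_disable[system] = round(hours, 1)   # time-delta finding
        f.logins_after_exit = [
            (system, ts.isoformat()) for u, system, ts in logins
            if u == user and ts > exit_ts
        ]
        findings[user] = f
    return findings


if __name__ == "__main__":
    for user, f in reconcile(HR_EXITS, ACCESS_REGISTER, IAM_LOG).items():
        print(user, "Compliant" if f.compliant else "Non-Compliant", f)
```

On the constructed data, jdoe passes, asmith is Non-Compliant on all three counts (a legacy database never disabled, the CRM disabled 48.5 hours late, and a CRM login the day after exit), and the contractor cvendor shows the “Contractor Parity” problem: no disable event at all and a login after the contract end. In a real audit the HR export, access register and log extracts would be pulled from the organisation’s own systems and the tolerance set to the revocation SLA in its policy.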

About the author

Stuart Barker, ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
