
ISO 27001 Annex A 6.5 Audit Checklist

In this ultimate how-to-audit guide to ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment Audit Checklist

Auditing ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment is a rigorous evaluation of the procedural safeguards governing personnel transitions. The primary implementation requirement is that security duties are legally formalised and communicated to the individual, so that the business benefit of sustained asset protection and reduced insider-threat risk is achieved.

This technical verification tool is designed for lead auditors to establish the legal and operational continuity of security obligations when personnel exit or move roles. Use this checklist to validate compliance with ISO 27001 Annex A 6.5.

1. Post-Employment Security Obligations Formalised

Verification Criteria: Enforceable legal clauses exist within employment contracts or termination agreements that specify security responsibilities remain in force after the cessation of employment.

Required Evidence: Sampled employment contracts or signed separation agreements containing “survival of obligations” or confidentiality clauses.

Pass/Fail Test: If a contract implies that confidentiality or data protection duties expire on the final day of employment, mark as Non-Compliant.

2. Communication of Ongoing Responsibilities Verified

Verification Criteria: Personnel are formally notified of their continuing security duties during the exit process or when changing roles within the organisation.

Required Evidence: Exit interview records or formal “Post-Employment Responsibility” acknowledgement forms signed by the leaver.

Pass/Fail Test: If the organisation cannot produce evidence of a formal briefing or written notification of post-exit duties, mark as Non-Compliant.

3. Role-Change Security Responsibility Update Confirmed

Verification Criteria: When an individual moves to a new internal role, their previous security responsibilities are formally superseded by the requirements of the new position.

Required Evidence: Internal transfer letters or updated Job Descriptions (JDs) with specific security accountability sections.

Pass/Fail Test: If an individual retains high-level security accountability for a former department after moving to a non-related role, mark as Non-Compliant.
