ISO 27001:2022 Annex A 6.5 Responsibilities after termination or change of employment


In this guide, I will show you exactly how to implement ISO 27001 Annex A 6.5 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment

ISO 27001 Annex A 6.5 requires organizations to define, communicate, and enforce information security responsibilities that remain valid after an employee or contractor leaves the organization or changes their role. The goal is to ensure that “Confidentiality” doesn’t end when the contract does. Whether a person is retiring, being terminated, or just switching departments, their access must be revoked, assets returned, and their ongoing duty to protect sensitive data reaffirmed.

Core requirements for compliance include:

  • Contractual Post-Termination Clauses: Employment contracts must include legally enforceable clauses that bind the individual to confidentiality even after they leave. This is often validated by HR and Legal professionals.
  • Immediate Revocation of Access: For leavers, access to all systems, physical sites, and networks must be cut immediately. A common audit failure is leaving an email account active for “auto-replies.”
  • Asset Retrieval: All company-owned hardware (laptops, phones, ID badges, keys) must be returned. This should be tracked against an asset register to ensure nothing is missed.
  • The “Mover” Management: When an employee changes roles, you must revoke their old access before granting the new access. This prevents “Privilege Creep,” where users accumulate excessive rights over time.
  • Exit Interviews: A formal exit process should include a reminder of their ongoing legal and security obligations regarding non-disclosure and intellectual property.

Audit Focus: Auditors will look for “The JML Paper Trail”:

  1. Contract Review: “Show me the confidentiality clause in your standard employment contract. Does it specify that it remains in effect after termination?”
  2. Timeliness of Revocation: “Show me the record for the last person who left. What time did they leave, and what time was their system access disabled?”
  3. Movers Audit: “Show me an employee who changed roles last year. Can you prove their old permissions were removed?”

Joiners Movers Leavers (JML) Workflow (Audit Prep):

Scenario             | Critical Security Action                          | Common Audit Failure
Leaver (Termination) | Revoke ALL access immediately; return all assets. | Leaving an account active for “handover” purposes.
Mover (Change Role)  | Revoke OLD access + Grant NEW access.             | Privilege Creep: Keeping old rights “just in case.”
Joiner (New Hire)    | Grant minimal access (Least Privilege).           | Copying access from a “similar user” (it’s lazy and risky).
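As an added example (not code from the original page or from the High Table toolkit), the Python below reconciles constructed HR leaver, mover and joiner records against an access register and an asset register and reports the findings the three audit questions above are aimed at. The role baselines, record shapes and the 4-hour revocation target are assumptions, not figures from the standard.

```python
# Added example: reconcile HR joiner/mover/leaver (JML) events with an access
# register and an asset register. All data shapes and baselines are constructed.
from datetime import datetime, timedelta

# Constructed least-privilege baselines: the entitlements each role needs.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "email"},
    "finance-manager": {"erp-read", "erp-approve", "email"},
    "developer": {"git", "ci", "email"},
}
# Assumed local target for "immediate" revocation; the standard gives no number.
MAX_REVOCATION_DELAY = timedelta(hours=4)


def audit_jml(events, access_register, asset_register):
    """Return (person, finding) tuples. events: HR records with person, type
    (joiner|mover|leaver), at, role/new_role; access_register: person ->
    {enabled, disabled_at, entitlements}; asset_register: person -> [(tag, returned)]."""
    findings = []
    for ev in events:
        who = ev["person"]
        acc = access_register.get(who, {"enabled": False, "disabled_at": None, "entitlements": set()})
        if ev["type"] == "leaver":
            # Auditor asks: when did they leave, and when was access disabled?
            if acc["enabled"]:
                findings.append((who, "account still enabled after leaving"))
            elif acc["disabled_at"] is None:
                findings.append((who, "no timestamped revocation record"))
            else:
                delay = datetime.fromisoformat(acc["disabled_at"]) - datetime.fromisoformat(ev["at"])
                if delay > MAX_REVOCATION_DELAY:
                    findings.append((who, f"access revoked {delay.total_seconds() / 3600:.1f}h after leaving"))
            # Asset retrieval is tracked against the asset register, item by item.
            for tag, returned in asset_register.get(who, []):
                if not returned:
                    findings.append((who, f"asset not returned: {tag}"))
        elif ev["type"] == "mover":
            # Privilege creep: anything beyond the new role's baseline is old access.
            kept = acc["entitlements"] - ROLE_BASELINE[ev["new_role"]]
            if kept:
                findings.append((who, f"old-role access kept: {sorted(kept)}"))
        elif ev["type"] == "joiner":
            # Least privilege: a joiner holds no more than the role baseline.
            excess = acc["entitlements"] - ROLE_BASELINE[ev["role"]]
            if excess:
                findings.append((who, f"exceeds least privilege: {sorted(excess)}"))
    return findings


def demo_findings():
    """Constructed sample: two leavers, a mover and a joiner, one JML failure mode each."""
    events = [
        {"person": "alice", "type": "leaver", "at": "2024-03-01T17:00:00"},
        {"person": "bob", "type": "leaver", "at": "2024-03-04T12:00:00"},
        {"person": "carol", "type": "mover", "new_role": "finance-manager"},
        {"person": "dave", "type": "joiner", "role": "finance-analyst"},
    ]
    access = {
        "alice": {"enabled": True, "disabled_at": None, "entitlements": {"email"}},  # kept for "auto-reply"
        "bob": {"enabled": False, "disabled_at": "2024-03-06T09:00:00", "entitlements": set()},  # 45h late
        "carol": {"enabled": True, "disabled_at": None,  # developer rights never revoked
                  "entitlements": {"git", "ci", "email", "erp-read", "erp-approve"}},
        "dave": {"enabled": True, "disabled_at": None,  # copied from a "similar user"
                 "entitlements": {"erp-read", "erp-approve", "email"}},
    }
    assets = {"alice": [("LAP-0421", True), ("BADGE-0421", False)], "bob": [("LAP-0398", True)]}
    return audit_jml(events, access, assets)
```

Run `demo_findings()` to see one finding per failure mode; a clean JML record produces an empty list, which is the evidence the auditor is looking for.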

What is ISO 27001 Annex A 6.5?

ISO 27001 Annex A 6.5 is about the information security responsibilities people keep after they leave the organisation or change role, and about having a process to manage them.

ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment is an ISO 27001 control that wants you to ensure that information security responsibilities remain valid even after someone leaves your organisation. It wants this to be defined, communicated and enforced, which usually means having a relevant clause in your contracts of employment.

It is usually a contractual requirement placed on employees that covers what is expected of them when they leave the organisation or change role.

ISO 27001 Annex A 6.5 Purpose

The purpose of ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment is to ensure that you are protecting the organisation even after someone leaves.

ISO 27001 Annex A 6.5 Definition

ISO 27001 defines ISO 27001 Responsibilities After Termination Or Change Of Employment as:

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.


Watch the ISO 27001 Annex A 6.5 Tutorial

In the video ISO 27001 Disciplinary Process Explained – ISO27001:2022 Annex A 6.4 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 6.5 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 6.5 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment. The podcast explores what it is, why it is important and the path to compliance.

How to implement ISO 27001 Annex A 6.5

General Guidance

You are going to have to ensure that:

  • contracts of employment include clauses for information security
  • that those clauses cover what happens after someone leaves the organisation
  • you have engaged with a HR professional
  • you have engaged with a legal professional
  • contracts are in place and signed and legally enforceable

Examples of the information security responsibilities that remain valid after termination or change of employment

The information security responsibilities that remain valid after termination or change of employment vary depending on the organisation and the employee’s role. However, some common responsibilities include:

  • Maintaining confidentiality of information
  • Returning all company-owned assets
  • Not disclosing confidential information to unauthorised third parties

How to manage the termination or change of employment of employees who have access to confidential information?

Organisations should take the following steps to manage the termination or change of employment of employees who have access to confidential information:

  • Revoke the employee’s access to all organisation systems, networks, and data.
  • Collect any organisation-owned assets in the employee’s possession.
  • Conduct an exit interview with the employee to discuss any concerns about the employee’s access to confidential information.
  • Review audit logs for any suspicious activity or data breaches that may have occurred during the employee’s tenure.
  • Change passwords and encryption keys that were shared with the employee.
  • Review third-party access to ensure that the employee no longer has access to confidential information.

Who is responsible for administering the termination process?

The termination process is usually administered by the organisation’s human resources department. However, in some cases, the process may be administered by the employee’s manager or supervisor.

Transferring Roles and Responsibilities

When someone leaves the organisation, their roles and responsibilities should be effectively handed over to someone else. Getting this wrong and not doing a handover is one of the biggest mistakes we see organisations make, meaning that vital activities get missed or fall by the wayside.

It applies to suppliers and external personnel

The same requirement is placed on suppliers and external personnel and is managed under contract.

Joiners Movers Leavers (JML) Workflow Table

Scenario             | Action Required                                   | Common Mistake
Leaver (Termination) | Revoke ALL access immediately. Return all assets. | Leaving email active for “auto-reply.”
Mover (Change Role)  | Revoke OLD access + Grant NEW access.             | Accumulating rights (Privilege Creep).
Joiner (New Hire)    | Grant minimal access (Least Privilege).           | Copying access from a “similar user.”

How to comply

To comply with ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment you are going to implement the ‘how’ that delivers the ‘what’ the control expects. In short, you are going to:

  • Write, sign off, implement and communicate your topic specific policies on Human Resources
  • Engage legal and HR professionals to draft contracts that include information security clauses and clauses for what happens after an employee leaves the organisation
  • Implement the contracts as part of the on-boarding process
  • Have signed contracts for all employees
  • As part of the off boarding process communicate the ongoing information security requirements that are in place

How to pass the audit of ISO 27001 Annex A 6.5

To pass an audit of ISO 27001 Annex A 6.5 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas for compliance with Annex A 6.5 Responsibilities After Termination Or Change Of Employment. Let's go through them.

1. That you have contracts that meet the requirements of the clause

They will check your contract template to ensure that it has the appropriate clauses for information security and for what happens when the person leaves. If the template meets the standard, they may then ask to see examples of active contracts to check that they follow the template and meet the standard.

2. That you engaged professionals

They may check the validity of the contracts and clauses that you have. This is a low likelihood, but there is the potential for them to check that what you have is legally enforceable and not just something that you made up.

3. That people are aware of their responsibilities

The audit is going to check for documented processes and documented topic-specific policy, and that these have been communicated and people have been trained on what is required of them. They will check that communicating responsibility is part of the HR off-boarding process.

Top 3 ISO 27001 Annex A 6.5 mistakes and how to avoid them

In my experience, the top 3 mistakes people make for ISO 27001 Responsibilities After Termination Or Change Of Employment are:

1. You have no contracts in place

This is usually in a start-up, a small business or one where people have known each other for a long time. The cost of formal contracts may have been avoided because of a feeling that everyone knows and trusts each other. This can be fine and appropriate, but it does not meet the requirements of the standard. There are laws and regulations that require contracts to protect people and the organisation. Have contracts in place.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the process documents are in relation to on boarding and off boarding people? Do they know where the contracts are? Do a pre audit as close to the audit as you can. Assuming is a recipe for disaster. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover comments are all good practices.

Fast Track ISO 27001 Annex A 6.5 Compliance with the ISO 27001 Toolkit

Own Your ISMS, Don’t Rent It

Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit

For ISO 27001 Annex A 6.6 (Confidentiality or non-disclosure agreements), the requirement is to ensure that confidentiality or non-disclosure requirements are identified, reviewed, and documented. This applies to employees, contractors, and third-party partners.

While SaaS compliance platforms often try to sell you “automated NDA trackers” or complex contract management modules, they cannot actually draft a legally binding agreement that fits your specific business context; they are merely a place to host your records. The High Table ISO 27001 Toolkit is the logical choice because it provides the legal governance framework you need, allowing you to manage NDAs effectively without a recurring subscription fee.

1. Ownership: You Own Your Legal Templates Forever

SaaS platforms act as a middleman for your legal evidence. If you host your NDAs and confidentiality clauses inside their proprietary system, you are essentially renting your own legal protection.

  • The Toolkit Advantage: You receive the Confidentiality and Non-Disclosure Agreement (NDA) Templates and Confidentiality Policy in standard Word/Excel formats. These files are yours forever. You maintain permanent ownership of your legal standards, ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for the Tools You Already Have

Annex A 6.6 is about having and reviewing agreements. You don’t need a complex new software interface to manage what an existing e-signature tool (like DocuSign or HelloSign) or a simple shared folder already does perfectly.

  • The Toolkit Advantage: Your team already knows how to get a document signed. What they need is the governance layer to prove to an auditor that these agreements are identified and reviewed at least annually. The Toolkit provides the pre-written policies and checklists that formalize your existing contract workflow into an auditor-ready framework, without forcing your team to learn a new software platform.

3. Cost: A One-Off Fee vs. The “Contract Volume” Tax

Many compliance SaaS platforms charge based on the number of “vendors” or “signed agreements” you track. For a control that must be applied to every single employee and third party, these monthly costs can scale aggressively.

  • The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you have 5 signed NDAs or 500, the cost of your Confidentiality Documentation remains the same. You save your budget for actual legal counsel or business growth rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Legal Strategy

SaaS tools often mandate that agreements must follow their specific metadata or review workflows. If your legal team wants to use their own specialized language or a different review cycle, the SaaS tool can become a barrier to compliance.

  • The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic and fully editable. You can tailor the Confidentiality Procedures to match exactly how your legal and HR teams operate. You maintain total freedom to evolve your legal strategy without being constrained by the technical limitations of a rented SaaS platform.

Summary: For Annex A 6.6, the auditor wants to see that you have a formal process for identifying confidentiality requirements and proof that agreements are in place (e.g., signed NDAs and employee contracts). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 6.5 FAQ

Will I need the help of a HR professional for ISO 27001 Responsibilities After Termination Or Change Of Employment?

Yes. You will need the help of a HR professional and a legal professional.

How hard is ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment?

ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment is not hard to implement. This is a standard HR process that is conducted in all organisations.

What are the Benefits of ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment?

Other than your ISO 27001 certification requiring it, the following are the top 7 benefits of ISO 27001 Annex A 6.5 Responsibilities after termination or change of employment:

  • You cannot get ISO 27001 certification without it.
  • Reduced risk of data breaches. By ensuring that departing employees do not retain access to confidential information, organisations can significantly reduce their risk of a data breach.
  • Increased employee productivity. When employees are confident that their confidential information is secure, they can be more productive and less likely to make mistakes that could lead to a data breach.
  • Improved compliance with regulations. Many regulations, such as the General Data Protection Regulation (GDPR), require organisations to implement information security measures. By implementing ISO 27001 6.5 Responsibilities after termination or change of employment, organisations can demonstrate compliance with these regulations.
  • Enhanced customer confidence. Customers are increasingly concerned about the security of their personal data. By demonstrating that your organisation is committed to information security, you can build customer confidence and loyalty.
  • Reduced costs. The cost of a data breach can be significant, including the cost of notifying affected individuals, fines, and legal fees. By implementing ISO 27001 6.5 Responsibilities after termination or change of employment, organisations can reduce the risk of a data breach and the associated costs.
  • Reputation protection. In the event of a breach, having a responsibilities-after-termination procedure in place will reduce the potential for fines and reduce the PR impact of the event.

Why are responsibilities after termination or change of employment important?

Overall, responsibilities after termination or change of employment are important for a number of reasons. By taking the necessary steps, organisations can help to protect confidential information, comply with regulations, protect their reputation, and protect employees.

Here are some of the reasons why responsibilities after termination or change of employment are important:

  • To protect confidential information. When an employee leaves an organisation, they may still have access to confidential information. This information could be used for malicious purposes, such as selling it to competitors or using it to commit identity theft. By revoking the employee’s access to confidential information and collecting any company-owned assets, organisations can help to protect this information.
  • To comply with regulations. Many regulations, such as the General Data Protection Regulation (GDPR), require organisations to protect the confidentiality of personal data. By implementing appropriate controls after termination or change of employment, organisations can demonstrate compliance with these regulations.
  • To protect the organisation’s reputation. A data breach can damage an organisation’s reputation. By taking steps to protect confidential information after termination or change of employment, organisations can help to reduce the risk of a data breach and the associated damage to their reputation.
  • To protect employees. Employees who are terminated or have their employment changed may be angry or upset. By taking steps to manage these emotions, organisations can help to protect employees from making rash decisions that could harm themselves or others.

ISO 27001 Clause 7.4 Communication

ISO 27001 Annex A 6.2 Terms and Conditions of Employment

ISO 27001 Annex A 5.2 Roles and Responsibilities

ISO 27001 Annex A 5.4 Management Responsibilities

Further Reading

ISO 27001 Information Security Roles and Responsibilities Template

ISO 27001 Annex A 6.5 Attribute Table

Control type | Information security properties          | Cybersecurity concepts | Operational capabilities                  | Security domains
Preventive   | Availability, Confidentiality, Integrity | Protect                | Human resource security, Asset Management | Governance and ecosystem

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director