In this guide, I will show you exactly how to implement ISO 27001 Annex A 6.5 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment
ISO 27001 Annex A 6.5 requires organizations to define, communicate, and enforce information security responsibilities that remain valid after an employee or contractor leaves the organization or changes their role. The goal is to ensure that “Confidentiality” doesn’t end when the contract does. Whether a person is retiring, being terminated, or just switching departments, their access must be revoked, assets returned, and their ongoing duty to protect sensitive data reaffirmed.
Core requirements for compliance include:
- Contractual Post-Termination Clauses: Employment contracts must include legally enforceable clauses that bind the individual to confidentiality even after they leave. This is often validated by HR and Legal professionals.
- Immediate Revocation of Access: For leavers, access to all systems, physical sites, and networks must be cut immediately. A common audit failure is leaving an email account active for “auto-replies.”
- Asset Retrieval: All company-owned hardware (laptops, phones, ID badges, keys) must be returned. This should be tracked against an asset register to ensure nothing is missed.
- The “Mover” Management: When an employee changes roles, you must revoke their old access before granting the new access. This prevents “Privilege Creep,” where users accumulate excessive rights over time.
- Exit Interviews: A formal exit process should include a reminder of their ongoing legal and security obligations regarding non-disclosure and intellectual property.
Audit Focus: Auditors will look for “The JML Paper Trail”:
- Contract Review: “Show me the confidentiality clause in your standard employment contract. Does it specify that it remains in effect after termination?”
- Timeliness of Revocation: “Show me the record for the last person who left. What time did they leave, and what time was their system access disabled?”
- Movers Audit: “Show me an employee who changed roles last year. Can you prove their old permissions were removed?”
Joiners Movers Leavers (JML) Workflow (Audit Prep):
| Employment Scenario | Critical Security Action | Common Audit Failure | ISO 27001:2022 Control |
|---|---|---|---|
| Leaver (Termination) | Revoke ALL access immediately; return all assets. | Leaving an account active for “handover” purposes. | 6.5 (Termination responsibilities) |
| Mover (Change Role) | Revoke OLD access + Grant NEW access. | Privilege Creep: Keeping old rights “just in case.” | 5.18 (Access rights) |
| Joiner (New Hire) | Grant minimal access (Least Privilege). | Copying access from a “similar user” (it’s lazy and risky). | 5.18 (Access rights) |
Table of contents
- What is ISO 27001 Annex A 6.5?
- Watch the ISO 27001 Annex A 6.5 Tutorial
- ISO 27001 Annex A 6.5 Explainer Video
- ISO 27001 Annex A 6.5 Podcast
- ISO 27001 Annex A 6.5 Implementation Guidance
- How to implement ISO 27001 Annex A 6.5
- Joiners Movers Leavers (JML) Workflow Table
- How to comply
- How to pass the audit of ISO 27001 Annex A 6.5
- What the auditor will check
- Top 3 ISO 27001 Annex A 6.5 mistakes and how to avoid them
- Applicability of ISO 27001 Annex A 6.5 across different business models
- Fast Track ISO 27001 Annex A 6.5 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 6.5 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Annex A 6.5 Attribute Table
What is ISO 27001 Annex A 6.5?
ISO 27001 Annex A 6.5 is about the information security responsibilities that people keep after they leave the organisation or change role, and about having a process to manage them.
ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment is an ISO 27001 control that wants you to ensure that information security responsibilities remain valid even after someone leaves your organisation. It wants this to be defined, communicated and enforced. Which usually means having a relevant clause in your contracts of employment.
It is usually a contractual requirement placed on employees that covers what is expected of them when they leave the organisation or change role.
ISO 27001 Annex A 6.5 Purpose
The purpose of ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment is to ensure that you are protecting the organisation even after someone leaves.
ISO 27001 Annex A 6.5 Definition
ISO 27001 defines ISO 27001 Responsibilities After Termination Or Change Of Employment as:
Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.
ISO 27001:2022 Annex A 6.5 Responsibilities after termination or change of employment
Watch the ISO 27001 Annex A 6.5 Tutorial
In the video ISO 27001 Disciplinary Process Explained – ISO27001:2022 Annex A 6.4 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 6.5 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 6.5 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 6.5 Implementation Guidance
General Guidance
You are going to have to ensure that:
- contracts of employment include clauses for information security
- that those clauses cover what happens after someone leaves the organisation
- you have engaged with a HR professional
- you have engaged with a legal professional
- contracts are in place and signed and legally enforceable
Examples of the information security responsibilities that remain valid after termination or change of employment
The information security responsibilities that remain valid after termination or change of employment vary depending on the organisation and the employee’s role. However, some common responsibilities include:
- Maintaining confidentiality of information
- Returning all company-owned assets
- Not disclosing confidential information to unauthorised third parties
How to manage the termination or change of employment of employees who have access to confidential information?
Organisations should take the following steps to manage the termination or change of employment of employees who have access to confidential information:
- Revoke the employee’s access to all organisation systems, networks, and data.
- Collect any organisation-owned assets in the employee’s possession.
- Conduct an exit interview with the employee to discuss any concerns about the employee’s access to confidential information.
- Review audit logs for any suspicious activity or data breaches that may have occurred during the employee’s tenure.
- Change passwords and encryption keys that were shared with the employee.
- Review third-party access to ensure that the employee no longer has access to confidential information.
Who is responsible for administering the termination process?
The termination process is usually administered by the organisation’s human resources department. However, in some cases, the process may be administered by the employee’s manager or supervisor.
Transferring Roles and Responsibilities
When someone leaves the organisation, their roles and responsibilities should be effectively handed over to someone else. Getting this wrong and not doing a handover is one of the biggest mistakes we see organisations make, meaning that vital activities get missed or fall by the wayside.
It applies to suppliers and external personnel
The same requirement is placed on suppliers and external personnel and is managed under contract.
How to implement ISO 27001 Annex A 6.5
Implementing ISO 27001 Annex A 6.5 requires a systematic approach to ensuring that security obligations remain enforceable and access is terminated when an individual leaves the organisation or changes roles. By following this technical workflow, organisations can prevent “privilege creep”, mitigate the risk of data exfiltration by former personnel, and maintain a robust audit trail for Information Security Management System (ISMS) compliance.
1. Formalise Post-Termination Responsibilities within Contracts
Establish the legal foundation for security obligations by ensuring all employment contracts and third-party agreements include enforceable surviving clauses.
- Incorporate non-disclosure agreement (NDA) clauses that explicitly remain in force after the termination of the business relationship.
- Define the specific legal and regulatory consequences for unauthorised disclosure of intellectual property or sensitive data.
- Formalise the requirement for personnel to acknowledge these responsibilities during their initial onboarding induction.
2. Revoke Logical and Physical Access Rights Immediately
Ensure that all access to organisational systems and facilities is withdrawn at the exact moment of termination to prevent unauthorised entry.
- Utilise an Identity and Access Management (IAM) system to disable Active Directory accounts, VPN access, and Multi-Factor Authentication (MFA) tokens in real-time.
- Revoke logical access to all cloud-based Software as a Service (SaaS) applications and internal databases.
- Collect physical ID badges, security fobs, and keys to ensure the individual can no longer bypass physical perimeters.
3. Retrieve and Decommission Organisational Assets
Recover all hardware and data storage devices provided to the individual to protect data at rest and maintain asset integrity.
- Collect company laptops, mobile phones, and encrypted external drives, verifying their serial numbers against the central Asset Register.
- Perform a secure wipe or decommissioning of hardware if it is to be reissued to a new user, ensuring no residual data remains.
- Update the Asset Register to reflect the change in status from “In Use” to “Returned” or “Stock”.
4. Conduct Mandatory Security Exit Interviews
Hold a formalised meeting to remind the departing individual of their ongoing legal duties and to document the return of all resources.
- Provide a written summary of the specific surviving confidentiality and non-disclosure obligations.
- Require the individual to sign a formal Register of Entrants (ROE) or leaver’s declaration confirming they have returned all proprietary information.
- Document the exit interview as primary audit evidence to demonstrate the control is operating effectively.
5. Realign Access Rights for Internal Role Changes
Modify permissions whenever an employee transitions to a new role within the organisation to enforce the principle of least privilege.
- Revoke access rights associated with the previous role that are no longer required for the new position to prevent privilege creep.
- Provision new access based on the “Need-to-Know” principle and current business requirements.
- Update the IAM roles and internal department registers to ensure the user’s digital identity reflects their current status.
Joiners Movers Leavers (JML) Workflow Table
| Scenario | Action Required | Common Mistake |
|---|---|---|
| Leaver (Termination) | Revoke ALL access immediately. Return all assets. | Leaving email active for “auto-reply.” |
| Mover (Change Role) | Revoke OLD access + Grant NEW access. | Accumulating rights (Privilege Creep). |
| Joiner (New Hire) | Grant minimal access (Least Privilege). | Copying access from a “similar user.” |
How to comply
To comply with ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:
- Write, sign off, implement and communicate your topic specific policies on Human Resources
- Engage legal and HR professionals to draft contracts that include information security clauses and clauses for what happens after an employee leaves the organisation
- Implement the contracts as part of the on-boarding process
- Have signed contracts for all employees
- As part of the off boarding process communicate the ongoing information security requirements that are in place
How to pass the audit of ISO 27001 Annex A 6.5
To pass an audit of ISO 27001 Annex A 6.5 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas for compliance with Annex A 6.5 Responsibilities After Termination Or Change Of Employment. Let’s go through them.
1. That you have contracts that meet the requirements of the clause
They will check your contract template to ensure that it has the appropriate clauses for information security and what happens when the person leaves. If the template meets the standard, they may ask to see examples of active contracts to check that they follow the template and meet the standard.
2. That you engaged professionals
They may check the validity of the contracts and clauses that you have. This is a low-likelihood check, but there is the potential for them to verify that what you have is legally enforceable and not just something that you made up.
3. That people are aware of their responsibilities
The audit is going to check for documented processes, documented topic specific policy and these have been communicated and people have been trained on what is required of them. They will check that communicating responsibility is part of the HR off boarding process.
Top 3 ISO 27001 Annex A 6.5 mistakes and how to avoid them
In my experience, the top 3 mistakes people make for ISO 27001 Responsibilities After Termination Or Change Of Employment are:
1. You have no contracts in place
This is usually a start-up, a small business or one where people have known each other for a long time. The cost of formal contracts may have been avoided, with a feeling that everyone knows and trusts each other. This can be fine and appropriate for the business, but it does not meet the requirements of the standard. There are laws and regulations that require contracts to protect people and the organisation. Have contracts in place.
2. One or more members of your team haven’t done what they should have done
Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents are in relation to onboarding and offboarding people? Do they know where the contracts are? Do a pre-audit as close to the audit as you can. Assuming is a recipe for disaster. Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no stray comments left in them are all good practices.
Applicability of ISO 27001 Annex A 6.5 across different business models
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Focuses on ensuring that former staff and contractors don’t retain access to company data or physical keys. The goal is to provide a clean break and ensure that confidentiality obligations are legally binding even after the relationship ends. | |
| Tech Startups | Critical for managing high-trust access to proprietary source code and customer databases. Compliance involves automating the Joiners-Movers-Leavers (JML) process to prevent “orphan accounts” and privilege creep. | |
| AI Companies | Vital for protecting unique model IP and sensitive training data. Focus is on preventing data exfiltration by departing researchers and ensuring research-specific assets are recovered. | |
Fast Track ISO 27001 Annex A 6.5 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 6.6 (Confidentiality or non-disclosure agreements), the requirement is to ensure that confidentiality or non-disclosure requirements are identified, reviewed, and documented. This applies to employees, contractors, and third-party partners.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Methodology Ownership | Rents access to rigid project workflows; if you cancel, your documented security-by-design standards vanish. | Permanent Assets: Fully editable Word/Excel Project Security Policies and templates you own forever. | A localized “Project Security Policy” defining mandatory Risk Assessments for all new business initiatives. |
| Workflow Integration | Forces you to manage projects inside their proprietary “compliance task” modules rather than your actual tools. | Governance-First: Seamlessly integrates into the tools you already use like Jira, Trello, or Asana. | A completed Project Security Checklist integrated as a mandatory “Definition of Done” in your sprint cycle. |
| Cost Structure | Charges a “Project Growth Tax” based on the number of active projects or “integrated” workspaces tracked. | One-Off Fee: A single payment covers your project governance for 5 small tasks or 500 enterprise projects. | Allocating budget to actual project resources and security testing rather than a monthly paperwork dashboard. |
| Operational Freedom | Mandates specific project structures that often conflict with Agile, Waterfall, or hybrid delivery models. | 100% Agnostic: Procedures adapt to any delivery method—DevOps, Prince2, or Kanban—without technical limits. | The ability to evolve your delivery methodology without needing to reconfigure a rigid SaaS compliance module. |
Summary: For Annex A 6.6, the auditor wants to see that you have a formal process for identifying confidentiality requirements and proof that agreements are in place (e.g., signed NDAs and employee contracts). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 6.5 FAQ
What is ISO 27001 Annex A 6.5?
ISO 27001 Annex A 6.5 is a security control that mandates organisations define and communicate information security responsibilities that remain valid after an individual’s employment or contract ends.
- It ensures that confidentiality and non-disclosure obligations survive termination.
- It requires a formalised process for the return of organisational assets.
- It covers both permanent employees and third-party contractors.
- It aims to prevent data leakage and unauthorised access by former personnel.
Are confidentiality obligations mandatory after leaving a company?
Yes, ISO 27001 requires that confidentiality and non-disclosure agreements (NDAs) contain clauses that survive the termination of the employment or contract.
- Employees must be reminded of these “surviving obligations” during an exit interview.
- Obligations typically cover trade secrets, client data, and internal IP.
- Breaching these post-employment duties can result in legal action.
- Organisations must maintain evidence that the individual was reminded of these duties.
How quickly must access be revoked after termination?
Access rights to all information systems and physical facilities must be revoked immediately upon the termination of employment or the end of a contract.
- Logical access (emails, VPNs, SaaS) should be disabled in real-time.
- Physical access (badges, keys) must be collected on or before the final working day.
- Automated IAM (Identity and Access Management) workflows are recommended to prevent “orphan accounts.”
- The revocation must be documented in a leaver’s checklist for audit purposes.
What assets must be returned during the offboarding process?
All organisational assets, including physical hardware and proprietary information, must be returned to the company before the departure is finalised.
- Physical Hardware: Laptops, mobile phones, tablets, and encrypted USB drives.
- Access Tokens: Security fobs, ID badges, and physical keys.
- Information Assets: Printed documents, manuals, and customer lists.
- Company credit cards and fuel cards.
Does Annex A 6.5 apply to internal role changes?
Yes, the control applies to changes in employment, meaning access rights must be adjusted when an employee moves to a new internal department.
- Access rights that are no longer required for the new role must be revoked.
- New “Need-to-Know” requirements must be established for the new position.
- This prevents “privilege creep,” where staff accumulate excessive permissions over time.
- The internal transfer should trigger an asset and access review.
How do you prove compliance for Annex A 6.5 during an audit?
Auditors seek a verifiable trail of evidence showing that offboarding procedures were followed consistently for all recent leavers.
- Signed leaver checklists showing the date access was revoked and assets returned.
- Evidence of exit interviews where security responsibilities were discussed.
- Comparison of HR termination dates against system log-off/disablement timestamps.
- Contracts or NDAs showing enforceable post-termination confidentiality clauses.
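The leaver and mover checks described in the implementation steps and the JML workflow table above, and the comparison of HR termination dates against disablement timestamps that this FAQ answer calls for, as an added Python example (not code from the original page or from High Table): it runs a constructed HR leaver/mover export against a constructed IAM export and reports orphan accounts, revocations later than an assumed one-hour threshold, and entitlements a mover kept from their old role. The data, field names, role baseline and threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy threshold: how long after the HR effective time an
# account may remain enabled before it counts as a late revocation.
MAX_REVOCATION_LAG = timedelta(hours=1)

# Constructed HR export (hypothetical format): one row per leaver or mover.
HR_EVENTS = [
    {"user": "alice", "event": "leaver", "effective": "2024-03-01T17:00:00"},
    {"user": "bob", "event": "leaver", "effective": "2024-03-04T12:00:00"},
    {"user": "carol", "event": "mover", "effective": "2024-02-15T09:00:00",
     "old_role": "helpdesk", "new_role": "developer"},
]

# Constructed IAM export: account state plus the entitlements still held.
IAM_ACCOUNTS = {
    "alice": {"enabled": False, "disabled_at": "2024-03-01T17:20:00",
              "entitlements": set()},
    "bob": {"enabled": True, "disabled_at": None,
            "entitlements": {"vpn", "email", "finance-share"}},
    "carol": {"enabled": True, "disabled_at": None,
              "entitlements": {"ticketing-admin", "git-write", "vpn"}},
}

# Constructed role baseline: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing-admin", "vpn"},
    "developer": {"git-write", "vpn"},
}

def audit_leaver(event, account, as_of):
    """Leaver check: orphan account, or disabled later than the threshold."""
    if account is None:
        return []  # nothing provisioned, nothing to revoke
    effective = datetime.fromisoformat(event["effective"])
    if account["enabled"] or account["disabled_at"] is None:
        lag = datetime.fromisoformat(as_of) - effective
        return [f"{event['user']}: account still enabled {lag} after "
                f"termination (orphan account)"]
    lag = datetime.fromisoformat(account["disabled_at"]) - effective
    if lag > MAX_REVOCATION_LAG:
        return [f"{event['user']}: access disabled {lag} after termination, "
                f"exceeds {MAX_REVOCATION_LAG}"]
    return []

def audit_mover(event, account, role_map):
    """Mover check: entitlements the new role does not justify."""
    if account is None:
        return []
    excess = account["entitlements"] - role_map.get(event["new_role"], set())
    if excess:
        return [f"{event['user']}: retains {sorted(excess)} from old role "
                f"{event['old_role']} (privilege creep)"]
    return []

def run_jml_audit(events, accounts, role_map, as_of):
    # Findings keyed by user; an empty dict means the paper trail is clean.
    report = {}
    for ev in events:
        acct = accounts.get(ev["user"])
        if ev["event"] == "leaver":
            found = audit_leaver(ev, acct, as_of)
        else:
            found = audit_mover(ev, acct, role_map)
        if found:
            report[ev["user"]] = found
    return report

if __name__ == "__main__":
    for items in run_jml_audit(HR_EVENTS, IAM_ACCOUNTS, ROLE_ENTITLEMENTS,
                               "2024-03-10T09:00:00").values():
        print("\n".join(items))
```

With the constructed data, alice is clean (disabled 20 minutes after leaving), bob is flagged as an orphan account, and carol is flagged for the helpdesk entitlement she kept after moving to development.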
Related ISO 27001 Controls
ISO 27001 Clause 7.4 Communication
ISO 27001 Annex A 6.2 Terms and Conditions of Employment
ISO 27001 Annex A 5.2 Roles and Responsibilities
ISO 27001 Annex A 5.4 Management Responsibilities
Further Reading
ISO 27001 Information Security Roles and Responsibilities Template
ISO 27001 Annex A 6.5 Attribute Table
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability, Confidentiality, Integrity | Protect | Human resource security, Asset management | Governance and ecosystem |