Introduction

I am going to show you what ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment is, what’s new, give you ISO 27001 templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker, the ISO 27001 Ninja. Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications, I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.

What is ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment?

ISO 27001 Annex A 6.5 Responsibilities after termination or change of employment is an ISO 27001 control that wants you to ensure that information security responsibilities remain valid even after someone leaves your organisation. It wants these responsibilities to be defined, communicated and enforced, which usually means having a relevant clause in your contracts of employment.

ISO 27001 Annex A 6.5 Purpose

A 6.5 is a preventive control that ensures that you are protecting the organisation even after someone leaves.

ISO 27001 Annex A 6.5 Definition

The ISO 27001 standard defines ISO 27001 Annex A 6.5 as:

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.

ISO 27001 Annex A 6.5 Implementation Guide

You are going to have to ensure that:

  • contracts of employment include clauses for information security
  • those clauses cover what happens after someone leaves the organisation
  • you have engaged with an HR professional
  • you have engaged with a legal professional
  • contracts are in place, signed and legally enforceable

What are examples of the information security responsibilities that remain valid after termination or change of employment?

The information security responsibilities that remain valid after termination or change of employment vary depending on the organisation and the employee’s role. However, some common responsibilities include:

  • Maintaining confidentiality of information
  • Returning all company-owned assets
  • Not disclosing confidential information to unauthorized third parties

How should organisations manage the termination or change of employment of employees who have access to confidential information?

Organisations should take the following steps to manage the termination or change of employment of employees who have access to confidential information:

  • Revoke the employee’s access to all organisation systems, networks, and data.
  • Collect any organisation-owned assets in the employee’s possession.
  • Conduct an exit interview with the employee to discuss any concerns about the employee’s access to confidential information.
  • Review audit logs for any suspicious activity or data breaches that may have occurred during the employee’s tenure.
  • Change passwords and encryption keys that were shared with the employee.
  • Review third-party access to ensure that the employee no longer has access to confidential information.
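Two of the steps above, revoking access and reviewing audit logs, can be checked mechanically once the off-boarding process has run. The following script is an added example, not code from the original article or from the ISO 27001 Ninja; it assumes a constructed leaver list from HR (username and termination timestamp), a constructed directory snapshot of which accounts are still enabled, and a few constructed authentication log lines in a simple key=value format. It flags any leaver account that is still enabled and any authentication event recorded against a leaver after their termination time.

```python
"""Post-termination access check (added example, not from the original article).

Assumptions (all constructed for illustration):
  - HR supplies a leaver list: username -> termination timestamp in UTC.
  - A directory export tells us whether each account is still enabled.
  - Authentication logs are one event per line in the format
    '<ISO8601 UTC> host=<h> user=<u> result=<success|failure> src=<ip>'.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed HR leaver records (not real people).
LEAVERS = {
    "jsmith": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "akhan": datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc),
}

# Constructed directory snapshot: username -> account enabled?
DIRECTORY = {"jsmith": True, "akhan": False, "bjones": True}

# Constructed authentication log lines.
AUTH_LOG = """\
2024-03-01T16:45:10Z host=vpn01 user=jsmith result=success src=10.0.0.5
2024-03-02T08:12:33Z host=vpn01 user=jsmith result=success src=203.0.113.7
2024-03-02T09:00:01Z host=mail01 user=jsmith result=failure src=203.0.113.7
2024-03-03T10:30:00Z host=git01 user=bjones result=success src=10.0.0.9
2024-03-06T07:05:44Z host=git01 user=akhan result=success src=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    timestamp: datetime
    host: str
    user: str
    result: str
    src: str


def parse_line(line):
    """Parse one log line into an AuthEvent, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m["host"], m["user"], m["result"], m["src"])


def accounts_still_enabled(leavers, directory):
    """Leavers whose directory account has not been disabled (access not revoked)."""
    return sorted(u for u in leavers if directory.get(u, False))


def find_post_termination_activity(log_text, leavers):
    """All authentication events by a leaver after that leaver's termination time.

    A 'success' after termination means access was not revoked in time; a
    'failure' still merits review because someone attempted to use the account.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.user not in leavers:
            continue
        if ev.timestamp > leavers[ev.user]:
            findings.append(ev)
    return findings


def summarise(findings):
    """Per-user counts of post-termination successes and failures."""
    summary = {}
    for ev in findings:
        counts = summary.setdefault(ev.user, {"success": 0, "failure": 0})
        counts[ev.result] = counts.get(ev.result, 0) + 1
    return summary


if __name__ == "__main__":
    print("Leaver accounts still enabled:", accounts_still_enabled(LEAVERS, DIRECTORY))
    for ev in find_post_termination_activity(AUTH_LOG, LEAVERS):
        print(f"{ev.timestamp.isoformat()} {ev.user}@{ev.host} {ev.result} from {ev.src}")
    print(summarise(find_post_termination_activity(AUTH_LOG, LEAVERS)))
```

Run as-is, the script reports that jsmith's account is still enabled and that jsmith has a successful VPN login and a failed mail login the day after leaving, and akhan a successful git login after their termination time. In practice the leaver list and directory snapshot would come from the HR system and identity provider respectively, and the check would be run as part of off-boarding sign-off and again on a schedule, since the control requires the responsibilities to be enforced, not merely written down.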

Who is responsible for administering the termination process?

The termination process is usually administered by the organisation’s human resources department. However, in some cases, the process may be administered by the employee’s manager or supervisor.

Transfer Roles and Responsibilities

When someone leaves the organisation, their roles and responsibilities should be effectively handed over to someone else. Getting this wrong and not doing a handover is one of the biggest mistakes we see organisations make, meaning that vital activities get missed or fall by the wayside.

It applies to suppliers and external personnel

The same requirement is placed on suppliers and external personnel and is managed under contract.

ISO 27001 Annex A 6.5 Templates

Having an ISO 27001 template for control 6.5 can help fast track your implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 implementation. Having a topic-specific policy template for information security awareness training and an ISO 27001 communication plan template can really help if you don’t want the entire ISO 27001 toolkit.

How to comply with ISO 27001 Annex A 6.5

To comply with ISO 27001 Annex A 6.5 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

  • Write, sign off, implement and communicate your topic-specific policies on Human Resources
  • Engage legal and HR professionals to draft contracts that include information security clauses and clauses for what happens after an employee leaves the organisation
  • Implement the contracts as part of the on-boarding process
  • Have signed contracts for all employees
  • As part of the off-boarding process, communicate the ongoing information security requirements that are in place

How to pass an audit of ISO 27001 Annex A 6.5

To pass an audit of ISO 27001 Annex A 6.5 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas for compliance with Annex A 6.5. Let’s go through them.

1. That you have contracts that meet the requirements of the clause

They will check your contract template to ensure that it has the appropriate clauses for information security and what happens when the person leaves. If the template meets the standard, they may then ask to see examples of active contracts to check that they follow the template and meet the standard.

2. That you engaged professionals

They may check the validity of the contracts and clauses that you have. This is unlikely, but the auditor has the option of checking that what you have is legally enforceable and not just something that you made up.

3. That people are aware of their responsibilities

The audit is going to check for documented processes and a documented topic-specific policy, and that these have been communicated and people have been trained on what is required of them. They will check that communicating responsibilities is part of the HR off-boarding process.

Top 3 Mistakes People Make for ISO 27001 Annex A 6.5

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.5 are:

1. You have no contracts in place

This is usually in a start-up, a small business or one where people have known each other for a long time. The cost of formal contracts may have been avoided, with a feeling that everyone knows and trusts each other. This can be fine and appropriate, but it does not meet the requirements of the standard. There are laws and regulations that require contracts to protect people and the organisation. Have contracts in place.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents are in relation to on-boarding and off-boarding people? Do they know where the contracts are? Do a pre-audit as close to the audit as you can. Assuming is a recipe for disaster. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months and having documents with no outstanding comments in them are all good practices.

What are the Benefits of ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment?

Other than your ISO 27001 certification requiring it, the following are the top 7 benefits of ISO 27001 Annex A 6.5 Responsibilities after termination or change of employment:

  • You cannot get ISO 27001 certification without it.
  • Reduced risk of data breaches. By ensuring that departing employees do not retain access to confidential information, organisations can significantly reduce their risk of a data breach.
  • Increased employee productivity. When employees are confident that their confidential information is secure, they can be more productive and less likely to make mistakes that could lead to a data breach.
  • Improved compliance with regulations. Many regulations, such as the General Data Protection Regulation (GDPR), require organisations to implement information security measures. By implementing ISO 27001 6.5 Responsibilities after termination or change of employment, organisations can demonstrate compliance with these regulations.
  • Enhanced customer confidence. Customers are increasingly concerned about the security of their personal data. By demonstrating that your organisation is committed to information security, you can build customer confidence and loyalty.
  • Reduced costs. The cost of a data breach can be significant, including the cost of notifying affected individuals, fines and legal fees. By implementing ISO 27001 6.5 Responsibilities after termination or change of employment, organisations can reduce the risk of a data breach and the associated costs.
  • Reputation protection. In the event of a breach, having a responsibilities-after-termination procedure in place will reduce the potential for fines and reduce the PR impact of the event.

Why is responsibilities after termination or change of employment important?

Overall, responsibilities after termination or change of employment are important for a number of reasons. By taking the necessary steps, organisations can help to protect confidential information, comply with regulations, protect their reputation, and protect employees.

Here are some of the reasons why responsibilities after termination or change of employment are important:

  • To protect confidential information. When an employee leaves an organisation, they may still have access to confidential information. This information could be used for malicious purposes, such as selling it to competitors or using it to commit identity theft. By revoking the employee’s access to confidential information and collecting any company-owned assets, organisations can help to protect this information.
  • To comply with regulations. Many regulations, such as the General Data Protection Regulation (GDPR), require organisations to protect the confidentiality of personal data. By implementing appropriate controls after termination or change of employment, organisations can demonstrate compliance with these regulations.
  • To protect the organisation’s reputation. A data breach can damage an organisation’s reputation. By taking steps to protect confidential information after termination or change of employment, organisations can help to reduce the risk of a data breach and the associated damage to their reputation.
  • To protect employees. Employees who are terminated or have their employment changed may be angry or upset. By taking steps to manage these emotions, organisations can help to protect employees from making rash decisions that could harm themselves or others.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster than you ever thought possible.

Matrix of ISO 27001 Controls and Attribute values

  • Control type: Preventive
  • Information security properties: Availability, Confidentiality, Integrity
  • Cybersecurity concepts: Protect
  • Operational capabilities: Human resource security, Asset management
  • Security domains: Governance and ecosystem