Requirement
Requirement lens
This control covers what must continue after a person leaves or changes role, and what must be removed, returned, or communicated during that change.
“Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.”
Plain-language meaning
When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duties, such as confidentiality, may continue after the relationship ends.
A role change should be treated as ending one role and starting another. Keeping old access after a transfer is a common access-control and segregation-of-duties failure.
Why this matters
Termination and role changes create high-risk moments. Former personnel may retain access to systems, buildings, devices, customer information, HR records, shared mailboxes, repositories, or supplier portals. Movers may accumulate access from old and new roles, breaking least privilege and segregation of duties.
If continuing obligations are unclear, the organization may struggle to enforce confidentiality, return of information, or legal duties after employment or contract end.
Implementation guidance
Implementer focus
Build this into joiner-mover-leaver workflows. Treat access removal, asset return, notification, and continuing duties as one coordinated process.
1. Define termination and role-change procedures
The procedure should cover:
- voluntary resignation;
- involuntary termination;
- contract end;
- contractor or third-party user offboarding;
- internal transfer;
- promotion or demotion;
- temporary assignment ending;
- emergency or high-risk termination.
The process should define owners, timing, notification routes, evidence records, and escalation paths.
2. Remove logical and physical access
Access removal should include:
- user accounts and privileged accounts;
- VPN and remote access;
- SaaS and cloud applications;
- email and collaboration tools;
- shared mailboxes and groups;
- physical access cards, keys, badges, and visitor permissions;
- supplier or customer portals;
- administrator credentials and shared secrets where applicable.
Urgency should match risk. A high-risk termination may require immediate access suspension before or during the termination meeting.
3. Return or remove assets and information
Assets and information should be returned or securely removed according to policy.
Examples:
- laptops, phones, removable media, badges, keys, tokens;
- paper records, notebooks, customer documents;
- software licences and subscriptions;
- organization data on personal or third-party devices where policy permits recovery or deletion;
- customer-owned information and equipment.
This links to A.5.11 Return of Assets.
4. Communicate changes to all involved parties
Relevant parties need timely notification, such as:
- HR;
- line manager;
- IT and access administrators;
- facilities or physical security;
- security team;
- legal or compliance;
- procurement/vendor management;
- customer or supplier contacts where appropriate;
- payroll or finance where applicable.
Notification records should be retained. If nobody can prove the notification happened, the control is weak.
5. Enforce continuing responsibilities
Responsibilities that may continue after termination or role change include:
- confidentiality;
- non-disclosure;
- return or destruction of information;
- intellectual property obligations;
- privacy and data protection obligations;
- non-use of organization/customer information;
- incident or legal cooperation where contractually valid.
These responsibilities should be included in contracts or agreements and communicated again during exit or role change.
Audit guidance
Auditor focus
Test leavers and movers. Movers are often where hidden access accumulation and segregation failures appear.
Auditors should verify that termination and role-change procedures exist, responsibilities are assigned, and actions are executed with evidence.
Audit testing should include:
- termination and role-change procedures;
- sampled leaver and mover records;
- notification records to IT, HR, managers, facilities, and other parties;
- access removal evidence for logical and physical access;
- asset return evidence;
- urgent termination handling criteria;
- retained responsibilities in contracts or confidentiality agreements;
- evidence that role changes remove old-role access and assets;
- interviews with HR, IT, managers, facilities, and security.
The auditor should compare termination/change dates with actual access removal timestamps. Late removal is a control failure even if the account was eventually disabled.
Evidence examples
Evidence quality
Strong evidence links the termination or role-change event to notifications, access removal, asset return, continuing duties, and closure.
| Evidence | What it proves |
|---|---|
| Leaver/mover procedure | Process is documented |
| Leaver or mover checklist | Actions are tracked |
| HR termination/change record | Trigger event is recorded |
| IT access removal logs | Logical access was removed |
| Physical access revocation record | Building access was removed |
| Asset return record | Organization/customer assets were returned |
| Notification record | Relevant parties were informed |
| Contract or NDA clause | Continuing duties are defined |
| Exit acknowledgement | Continuing duties were communicated |
| Urgent termination procedure | High-risk cases are handled quickly |
Strong evidence
- Procedure covers termination and role change, not only leavers.
- Responsibilities and owners are assigned.
- Notifications are recorded and timely.
- Logical and physical access removal is completed according to urgency.
- Old-role access is removed during internal transfers.
- Assets and information are returned or securely erased.
- Continuing confidentiality and legal duties are defined in contracts and communicated.
- High-risk terminations have a faster access-removal path.
Weak evidence
- Leaver process exists but no mover process.
- Access is removed days or weeks after termination.
- Physical access is forgotten.
- Managers notify IT informally with no record.
- Contractors are offboarded outside the process.
- Old-role access remains after transfer.
- Continuing responsibilities are assumed but not documented.
- Asset return is tracked only for laptops, not information or customer assets.
Common failures
Implementation watchouts
The most common failure is treating role change as harmless. It often creates excessive access and segregation-of-duties problems.
| Failure | Why it matters |
|---|---|
| Movers keep old access | Least privilege and SoD fail silently |
| No urgent termination path | High-risk leavers may retain access too long |
| Physical access ignored | Building or records access remains active |
| Contractor offboarding omitted | Third-party users retain organization access |
| No notification record | The organization cannot prove the process ran |
| Continuing duties not in contracts | Confidentiality and legal obligations are harder to enforce |
| Asset return too narrow | Information copies and customer assets remain uncontrolled |
Exam traps
Exam focus
A.6.5 applies to termination and change of employment. Role change is not a minor HR event; it is both the end of one role and the start of another.
| Trap | Correct interpretation |
|---|---|
| This is only about leavers | It also covers role changes, contractors, and third-party users where relevant |
| Access removal is enough | Asset return, notifications, continuing duties, and communication also matter |
| Role change only adds new access | Old-role access should be removed unless still justified |
| Confidentiality ends when employment ends | Some duties can continue after termination where legally valid and agreed |
| All leavers follow the same timeline | High-risk terminations may require urgent access removal |
| Physical access is separate | Logical and physical access rights are both relevant |
Related controls and concepts
- A.6 People Controls MOC
- A.6.2 Terms and Conditions of Employment
- A.6.6 Confidentiality or Non-Disclosure Agreements
- A.5.11 Return of Assets
- A.5.15 Access Control
- A.5.18 Access Rights
- A.5.34 Privacy and Protection of PII
- Segregation of Duties
- Confidentiality Agreement Register
- Leaver and Role Change Security Checklist
- Post-Employment Security Responsibilities Register
- A.6.5 Audit Evidence Pack
- A.6.5 Audit Checklist
KB-ready summary
- A.6.5 requires security responsibilities and duties that remain after termination or role change to be defined, enforced, and communicated.
- Termination and role-change procedures should remove old logical and physical access.
- Assets and information should be returned or securely removed.
- Relevant parties must be notified and notification records retained.
- Role changes should be treated as ending one role and beginning another.
- Continuing confidentiality, legal, privacy, and IP duties should be contractually defined and communicated.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- People controls
- Termination
- Role change
- Leavers
- Audit
Note Metadata
Aliases: A.6.5, Responsibilities After Termination or Change of Employment, Termination or Change of Employment
Source: 03 Annex A People Controls/A.6.5 Responsibilities After Termination or Change of Employment.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.3 - Segregation of Duties
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.4 - Disciplinary Process
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.6.7 - Remote Working
- A.6 People Controls MOC
- ISO 27001 A.7.2 - Physical Entry
- A.6.5 Audit Evidence Pack
- AQ-ISO27001-A.6.5 Responsibilities After Termination or Change of Employment
- A.6 People Controls Implementation Guide
- A.6 People Controls Audit Guide
- ISO27001-A.6.5 Responsibilities After Termination or Change of Employment
- A.6 People Controls Implementation Audit Risk Mapping
- EXAM-018 - Disciplinary, Termination, and Confidentiality
- ISO 27002 Annex A Control Interpretation Map
- A.6.5 Audit Checklist
- Confidentiality Agreement Register
- Leaver and Role Change Security Checklist
- Post-Employment Security Responsibilities Register
- Secure Area Access Register
- Annex A Controls MOC