UnixTime

Research Note

ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment

When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duti...

On this page

Requirement

Requirement lens

This control covers what must continue after a person leaves or changes role, and what must be removed, returned, or communicated during that change.

“Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.”

Plain-language meaning

When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duties, such as confidentiality, may continue after the relationship ends.

A role change should be treated as ending one role and starting another. Keeping old access after a transfer is a common access-control and segregation-of-duties failure.

Why this matters

Termination and role changes create high-risk moments. Former personnel may retain access to systems, buildings, devices, customer information, HR records, shared mailboxes, repositories, or supplier portals. Movers may accumulate access from old and new roles, breaking least privilege and segregation of duties.

If continuing obligations are unclear, the organization may struggle to enforce confidentiality, return of information, or legal duties after employment or contract end.

Implementation guidance

Implementer focus

Build this into joiner-mover-leaver workflows. Treat access removal, asset return, notification, and continuing duties as one coordinated process.

1. Define termination and role-change procedures

The procedure should cover:

  • voluntary resignation;
  • involuntary termination;
  • contract end;
  • contractor or third-party user offboarding;
  • internal transfer;
  • promotion or demotion;
  • temporary assignment ending;
  • emergency or high-risk termination.

The process should define owners, timing, notification routes, evidence records, and escalation paths.

2. Remove logical and physical access

Access removal should include:

  • user accounts and privileged accounts;
  • VPN and remote access;
  • SaaS and cloud applications;
  • email and collaboration tools;
  • shared mailboxes and groups;
  • physical access cards, keys, badges, and visitor permissions;
  • supplier or customer portals;
  • administrator credentials and shared secrets where applicable.

Urgency should match risk. A high-risk termination may require immediate access suspension before or during the termination meeting.

3. Return or remove assets and information

Assets and information should be returned or securely removed according to policy.

Examples:

  • laptops, phones, removable media, badges, keys, tokens;
  • paper records, notebooks, customer documents;
  • software licences and subscriptions;
  • organization data on personal or third-party devices where policy permits recovery or deletion;
  • customer-owned information and equipment.

This links to A.5.11 Return of Assets.

4. Communicate changes to all involved parties

Relevant parties need timely notification, such as:

  • HR;
  • line manager;
  • IT and access administrators;
  • facilities or physical security;
  • security team;
  • legal or compliance;
  • procurement/vendor management;
  • customer or supplier contacts where appropriate;
  • payroll or finance where applicable.

Notification records should be retained. If nobody can prove the notification happened, the control is weak.

5. Enforce continuing responsibilities

Responsibilities that may continue after termination or role change include:

  • confidentiality;
  • non-disclosure;
  • return or destruction of information;
  • intellectual property obligations;
  • privacy and data protection obligations;
  • non-use of organization/customer information;
  • incident or legal cooperation where contractually valid.

These responsibilities should be included in contracts or agreements and communicated again during exit or role change.

Audit guidance

Auditor focus

Test leavers and movers. Movers are often where hidden access accumulation and segregation failures appear.

Auditors should verify that termination and role-change procedures exist, responsibilities are assigned, and actions are executed with evidence.

Audit testing should include:

  • termination and role-change procedures;
  • sampled leaver and mover records;
  • notification records to IT, HR, managers, facilities, and other parties;
  • access removal evidence for logical and physical access;
  • asset return evidence;
  • urgent termination handling criteria;
  • retained responsibilities in contracts or confidentiality agreements;
  • evidence that role changes remove old-role access and assets;
  • interviews with HR, IT, managers, facilities, and security.

The auditor should compare termination/change dates with actual access removal timestamps. Late removal is a control failure even if the account was eventually disabled.

Evidence examples

Evidence quality

Strong evidence links the termination or role-change event to notifications, access removal, asset return, continuing duties, and closure.

Evidence What it proves
Leaver/mover procedure Process is documented
Leaver or mover checklist Actions are tracked
HR termination/change record Trigger event is recorded
IT access removal logs Logical access was removed
Physical access revocation record Building access was removed
Asset return record Organization/customer assets were returned
Notification record Relevant parties were informed
Contract or NDA clause Continuing duties are defined
Exit acknowledgement Continuing duties were communicated
Urgent termination procedure High-risk cases are handled quickly

Strong evidence

  • Procedure covers termination and role change, not only leavers.
  • Responsibilities and owners are assigned.
  • Notifications are recorded and timely.
  • Logical and physical access removal is completed according to urgency.
  • Old-role access is removed during internal transfers.
  • Assets and information are returned or securely erased.
  • Continuing confidentiality and legal duties are defined in contracts and communicated.
  • High-risk terminations have a faster access-removal path.

Weak evidence

  • Leaver process exists but no mover process.
  • Access is removed days or weeks after termination.
  • Physical access is forgotten.
  • Managers notify IT informally with no record.
  • Contractors are offboarded outside the process.
  • Old-role access remains after transfer.
  • Continuing responsibilities are assumed but not documented.
  • Asset return is tracked only for laptops, not information or customer assets.

Common failures

Implementation watchouts

The most common failure is treating role change as harmless. It often creates excessive access and segregation-of-duties problems.

Failure Why it matters
Movers keep old access Least privilege and SoD fail silently
No urgent termination path High-risk leavers may retain access too long
Physical access ignored Building or records access remains active
Contractor offboarding omitted Third-party users retain organization access
No notification record The organization cannot prove the process ran
Continuing duties not in contracts Confidentiality and legal obligations are harder to enforce
Asset return too narrow Information copies and customer assets remain uncontrolled

Exam traps

Exam focus

A.6.5 applies to termination and change of employment. Role change is not a minor HR event; it is both the end of one role and the start of another.

Trap Correct interpretation
This is only about leavers It also covers role changes, contractors, and third-party users where relevant
Access removal is enough Asset return, notifications, continuing duties, and communication also matter
Role change only adds new access Old-role access should be removed unless still justified
Confidentiality ends when employment ends Some duties can continue after termination where legally valid and agreed
All leavers follow the same timeline High-risk terminations may require urgent access removal
Physical access is separate Logical and physical access rights are both relevant

KB-ready summary

  • A.6.5 requires security responsibilities and duties that remain after termination or role change to be defined, enforced, and communicated.
  • Termination and role-change procedures should remove old logical and physical access.
  • Assets and information should be returned or securely removed.
  • Relevant parties must be notified and notification records retained.
  • Role changes should be treated as ending one role and beginning another.
  • Continuing confidentiality, legal, privacy, and IP duties should be contractually defined and communicated.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • People controls
  • Termination
  • Role change
  • Leavers
  • Audit

Note Metadata

Aliases: A.6.5, Responsibilities After Termination or Change of Employment, Termination or Change of Employment

Source: 03 Annex A People Controls/A.6.5 Responsibilities After Termination or Change of Employment.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.