What the auditor wants to verify
Audit objective
Verify that termination and role-change responsibilities are defined, communicated, enforced, and evidenced.
The auditor wants proof that old access and assets are removed, relevant parties are notified, and continuing duties are communicated after termination or role change.
Evidence to request
| Evidence | Purpose |
|---|---|
| Leaver/mover procedure | Shows the process is documented |
| Leaver and role-change checklist | Shows actions are tracked |
| HR termination or transfer record | Shows the trigger event |
| Notification records | Shows relevant parties were informed |
| Logical access removal logs | Shows accounts and permissions were removed |
| Physical access revocation records | Shows building or facility access was removed |
| Asset return records | Shows equipment and information were returned |
| Contract/NDA continuing obligation clauses | Shows post-employment duties are defined |
| Exit acknowledgement | Shows duties were communicated |
| Urgent termination procedure | Shows high-risk cases have faster handling |
Strong evidence
Strong evidence test
Compare event date, notification date, access removal timestamps, asset return date, and closure date.
- Procedure covers both termination and role change.
- Owners are assigned for HR, IT, facilities, security, and managers.
- Notifications are timely and recorded.
- Logical and physical access is removed according to urgency.
- Old-role access is removed for movers.
- Assets and information are returned or securely removed.
- Continuing confidentiality/legal duties are included in agreements and communicated.
- High-risk termination cases have expedited access removal.
Weak evidence
Weak evidence warning
Weak evidence often shows eventual cleanup, not timely control operation.
- Access removed late.
- Leavers handled but movers ignored.
- Physical access not checked.
- Contractor offboarding outside process.
- Asset return limited to laptops.
- No notification record.
- Continuing duties assumed but not documented.
Sample interview questions
Ask HR or managers
- How are leavers and role changes communicated to IT, facilities, and security?
- What is the process for high-risk termination?
- How are continuing duties communicated at exit or role change?
Ask IT or facilities
- How do you know when to remove access?
- How quickly are accounts, badges, keys, and privileged access removed?
- How do you confirm old-role access is removed for movers?
Ask legal or procurement
- Are continuing confidentiality duties in contracts?
- How are contractor terminations handled?
Common nonconformities
- No role-change process.
- Late logical or physical access removal.
- Old-role access retained after transfer.
- No notification records.
- Contractor offboarding omitted.
- Continuing duties not contractually defined.
- High-risk termination handled with normal timing.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A6 5
Note Metadata
Aliases: A.6.5 Evidence
Source: 04 Audit Evidence Packs/A.6.5 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- Audit Evidence MOC
- AQ-ISO27001-A.6.5 Responsibilities After Termination or Change of Employment
- A.6 People Controls Audit Guide
- ISO27001-A.6.5 Responsibilities After Termination or Change of Employment
- A.6.5 Audit Checklist
- Leaver and Role Change Security Checklist
- Post-Employment Security Responsibilities Register
- Audit Evidence Index