ISO 27001:2022 A 6.5 Responsibilities after termination or change of employment

by Pretesh Biswas


This control covers the need for organisations to define the information security duties and responsibilities that remain valid after personnel stop work or move to a new department, and to communicate them to the employee and to any other relevant party. To prevent unauthorized access to sensitive information, access must be revoked immediately upon the termination or separation of an employee who holds such access, and any organizational assets held by the employee must be returned. The aim is to protect the organization’s interests as part of the process of changing or terminating employment. Under this control, an employee whose employment has been terminated remains legally bound to maintain information security. Employees should sign a Return of Property form under which they return all company property. This is not only about exit and termination; it is also about confidentiality. The organization must advise the departing employee that they no longer have access to information assets and that the information they obtained must be kept confidential.

A 6.5 Responsibilities after termination or change of employment

Control:

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.

Purpose

To protect the organization’s interests as part of the process of changing or terminating employment or contracts.

ISO 27002 Implementation Guidelines:

The process for managing termination or change of employment should define which information security responsibilities and duties remain valid after termination or change. This can include confidentiality of information, intellectual property and other knowledge obtained, as well as responsibilities contained within any other confidentiality agreement. Responsibilities and duties still valid after termination of employment or contract should be contained in the individual’s terms and conditions of employment, contract or agreement. Other contracts or agreements that continue for a defined period after the end of the individual’s employment can also contain information security responsibilities. Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment. Information security roles and responsibilities held by any individual who leaves or changes job roles should be identified and transferred to another individual. A process should be established for communicating the changes and the operating procedures to personnel, other interested parties and relevant contact persons (e.g. customers and suppliers). The process for the termination or change of employment should also be applied to external personnel (i.e. suppliers) when their engagement, contract or job with the organization ends, or when their job within the organization changes.

Other information

In many organizations, the human resources function is generally responsible for the overall termination process and works together with the supervising manager of the person transitioning to manage the information security aspects of the relevant procedures. In the case of personnel provided through an external party (e.g. through a supplier), this termination process is undertaken by the external party in accordance with the contract between the organization and the external party.

TERMINATION OR CHANGE OF EMPLOYMENT

This control should be implemented when an employee or contractor leaves the organisation, or when a contract is terminated before it expires. The purpose of this control is to protect the organisation’s information security interests as part of the process of changing or terminating employment or contracts. It also protects against the risk that employees who have access to sensitive information and processes misuse their position for personal gain or malicious intent, particularly after they have left the organisation or job role. The control applies to employees, contractors and third parties who have access to your sensitive information. Implementing the control means assessing whether any individuals (including those employed by a third party) who have access to your sensitive personal data are leaving your organisation, and whether steps are needed to ensure that they do not retain or continue to access that data after their departure. If you find that someone is leaving and there is a risk that sensitive personal data may be disclosed, you must take reasonable steps before they leave, or as soon as possible after they have left, so that this does not happen. In order to meet the requirements of control 6.5, the terms and conditions of an individual’s employment, contract or agreement should specify any information security responsibilities and duties that remain in effect after the end of the relationship. Information security duties may also be included in other contracts or agreements that extend beyond the end of an employee’s employment.

The objective is to ensure that employees, contractors and third-party users exit the organization, or change employment responsibilities within the organization, in an orderly manner. Responsibilities for performing employment termination or change of employment should be clearly defined and assigned. The organization must implement and maintain a procedure, or set of procedures, to effectively manage departing employees and the withdrawal of assigned responsibilities from employees, contractors and other third-party users. The procedure must also cover the withdrawal of assigned responsibilities resulting from a change in employment status for employees, contractors and other third-party users. The organization should ensure that important knowledge or operational skills have been transferred to other resources prior to the departure of the employee and/or contractor. Control includes:

  • changes of responsibilities and duties within the organization are processed as a termination (of the old position) and re-hire (to the new position), using standard controls for those processes unless otherwise indicated;
  • other employees, contractors, and third parties are appropriately informed of a person’s changed status; and
  • any post-employment responsibilities are specified in the terms and conditions of employment, or in a contractor’s or third party’s contract.

Return of assets

All employees, contractors and third parties should return all of the organization’s assets in their possession upon termination of the employment relationship or contract. Assets include all instances of information, data, documents, etc. The organization must establish procedures and processes to transfer Official Information held on personal (home office or BYO) devices, such as home computers and mobile devices, to agency-owned information assets. Such procedures shall include a provision for the secure erasure of all Official Information (other than PUBLIC) that is stored on the personal device. Assets must be sanitized and secured, and those assets no longer required must be safely disposed of. Control includes:

  • formalization of the process for return (e.g., checklists against inventory);
  • inclusion in this requirement of the organization’s hardware, software and data of any kind; and
  • where the employee, contractor or third party use personal equipment, secure erasure of software and data belonging to the organization.

Removal of access rights

Access rights to information and information systems should be removed upon termination of the employment or contractual relationship. The organization must have an established and logged procedure for the withdrawal and/or modification of access rights for departing employees, contractors, and third-party users. Control includes:

  • changes of employment or contractual status include removal of all rights associated with prior roles and duties, and creation of rights appropriate to the new roles and duties; and
  • removal or reduction of access rights prior to the termination, where risks indicate this step to be appropriate (e.g., where termination is initiated by the organization, or the access rights involved highly sensitive information or facilities).
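The two bullets above (revoke all rights on termination; treat a role change as termination plus re-hire) can be checked mechanically by reconciling the HR leaver/mover feed against the account directory. The following is an added example, not code from the article: the HR feed, account list, role-to-group entitlements and run date are all constructed, and `find_stale_access` / `run_check` are hypothetical names.

```python
# Added example: reconcile a constructed HR feed against a constructed account
# directory to find access that control A 6.5 says should already be gone.
from datetime import date

# Constructed HR feed: status is "active", "terminated" or "moved" (role change)
HR_FEED = [
    {"user": "asmith", "status": "terminated", "effective": date(2024, 3, 1), "role": "finance"},
    {"user": "bjones", "status": "moved", "effective": date(2024, 3, 5), "role": "support"},
    {"user": "cwong", "status": "active", "effective": date(2023, 1, 9), "role": "engineering"},
    {"user": "vendor01", "status": "terminated", "effective": date(2024, 2, 20), "role": "contractor"},
]

# Constructed account directory: enabled flag plus current group memberships
ACCOUNTS = {
    "asmith": {"enabled": True, "groups": {"finance-ro", "vpn"}},
    "bjones": {"enabled": True, "groups": {"finance-rw", "support", "vpn"}},
    "cwong": {"enabled": True, "groups": {"engineering", "vpn"}},
    "vendor01": {"enabled": False, "groups": {"contractor", "vpn"}},
}

# Groups each role is entitled to; anything else held by a mover is a leftover
ROLE_GROUPS = {"finance": {"finance-rw", "finance-ro", "vpn"},
               "support": {"support", "vpn"},
               "engineering": {"engineering", "vpn"},
               "contractor": {"contractor", "vpn"}}
TODAY = date(2024, 3, 10)  # constructed run date for the check

def find_stale_access(hr_feed, accounts, role_groups, today):
    """Return (user, finding) pairs: leavers still enabled or still in groups,
    and movers (termination + re-hire) still holding prior-role groups."""
    findings = []
    for person in hr_feed:
        acct = accounts.get(person["user"])
        if acct is None or person["effective"] > today:
            continue  # unknown account, or change not yet effective
        if person["status"] == "terminated":
            if acct["enabled"]:
                findings.append((person["user"], "leaver account still enabled"))
            if acct["groups"]:
                findings.append((person["user"], "leaver still holds groups: "
                                 + ", ".join(sorted(acct["groups"]))))
        elif person["status"] == "moved":
            leftover = acct["groups"] - role_groups[person["role"]]
            if leftover:
                findings.append((person["user"], "mover retains prior-role groups: "
                                 + ", ".join(sorted(leftover))))
    return findings

def run_check():
    return find_stale_access(HR_FEED, ACCOUNTS, ROLE_GROUPS, TODAY)
```

Note that a disabled leaver account that still carries group memberships is reported too: disabling alone leaves rights in place if the account is ever re-enabled.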


If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

One thought on “ISO 27001:2022 A 6.5 Responsibilities after termination or change of employment”

  1. I am most captivated when you explained that management must instruct employees, contractors, and third-party users to implement security controls in conformity with specified policies and procedures of the company. My friend mentioned that their organization wants to improve its security policies to be certified for ISO 27001. I think that’s possible with the help of an ISO 27001 consulting firm to ensure they are guided.
