ISO 27001:2022 Annex A Control 6.5

Responsibilities After Termination or Change of Employment

Book a demo

casual,man,,freelance,working,on,laptop,computer,and,clicking,wireless

What Is ISO 27001:2022 Annex A 6.5?

ISO 27001:2022 Annex A 6.5 mandates that organisations specify information security roles and responsibilities that remain effective even if personnel leave or are reassigned. Communicate these duties and responsibilities to the employee and any applicable third party.

Information Duties and Responsibilities Explained

Employees are legally obliged to keep confidential any information that their employer entrusts to them. It is essential for personnel to comprehend the requirements for protecting their employer’s data.

Employers are generally entitled to anticipate their workers to safeguard confidential data and not exploit it for personal profit, e.g. through insider trading or other unlawful activities.

A few examples of Information Security duties and responsibilities include:

  • Ensuring the confidentiality of personal information is of utmost importance.
  • It is essential to maintain a log of how personal data is managed, applied and shared.
  • Ensuring accuracy and dependability of data is paramount. This necessitates collection from reliable sources, secure storage, and secure disposal when no longer needed.
  • Ensure only authorised individuals have access to information.
  • Make use of and divulge personal data lawfully and justly, in agreement with applicable laws.

It’s essential for organisations to be aware of their obligations when managing personal data in order to stay clear of infringing upon any privacy regulations, as the repercussions for both the business and its staff could be dire.

What Is The Purpose of ISO 27001:2022 Annex A 6.5?

Annex A 6.5 should be implemented upon an employee or contractor’s departure from the organisation, or when a contract ends before its expiration.

This control safeguards the organisation’s information security interests in the event of employment changes or contract terminations.

This Annex A Control safeguards against the possibility of employees taking advantage of their access to confidential information and processes for personal gain or malicious intent, especially following their departure from the organisation or job.

Annex A Control 6.5 Explained

ISO 27001:2022 Annex A 6.5 seeks to safeguard the organisation’s data security interests in the event of changing or ending employment or contracts. This covers employees, contractors, and third parties who gain access to confidential data.

Assess if any persons (including contracted ones) with access to your sensitive personal data are departing your organisation and take measures to guarantee they do not keep and persist in accessing your sensitive personal data after they leave.

If you detect that an individual is departing and there is a chance that confidential personal information could be revealed, then you must take appropriate steps either before they go or as swiftly as possible afterwards to ensure this does not occur.

What Is Involved and How to Meet the Requirements

To meet the criteria of Annex A 6.5, an individual’s employment contract or agreement should specify any information security responsibilities and duties that still stand after the conclusion of the relationship.

Information security responsibilities may be included in other contracts or agreements that last longer than an employee’s period of employment.

Upon leaving a role or changing jobs, the incumbent must ensure their security responsibilities are transferred and all access credentials are deleted and replaced.

For further details of this process, consult the ISO 27001:2022 standard document.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 6.5 is an adaptation of ISO 27001:2013 Annex A 7.3.1 rather than a new Annex A Control.

The fundamentals of these two controls are alike, though there are small discrepancies. For instance, the implementation guidance differs slightly in both versions.

The first part of Annex A 7.3.1 in ISO 27001:2013 directs that organisations must:

Upon termination, it is essential to communicate the necessary information security and legal requirements, as well as any applicable confidentiality agreements and terms and conditions of employment that may run for a specified period following the end of the employee or contractor’s engagement.

The same section Annex A 6.5 of ISO 27001:2022 stipulates that:

The procedure for managing termination or change of employment should specify which information security responsibilities and obligations remain in force after termination or alteration. This may include maintaining confidentiality of information, intellectual property and other knowledge acquired, as well as any other responsibilities stipulated in a confidentiality agreement.

Responsibilities and duties that remain in effect after the termination of an individual’s employment, contract, or agreement should be detailed in their terms and conditions. Additionally, any contracts or agreements that span a defined period beyond the end of the individual’s employment may include information security responsibilities.

Despite the difference in wording, both Annex A Controls have a largely similar structure and purpose in their respective contexts. To make Annex A 6.5 more user-friendly, the language has been simplified, allowing users to better understand its content.

The 2022 version of ISO 27001 includes a statement of purpose and attributes table for each control, aiding users in understanding and implementing them. This is absent in the 2013 edition.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of This Process?

In keeping with the recommendation of ISO 27001:2022 Annex A 6.5, Human Resources usually takes charge of the entire termination process in most organisations, collaborating with the individual’s supervisor to ensure information security as part of the procedures.

Personnel supplied by an external party (for example, a supplier) should be terminated in accordance with the contract established between the organisation and the external party.

What Do These Changes Mean for You?

The ISO 27001:2022 standard has remained largely unchanged, merely updated for improved usability. No organisation currently compliant with ISO 27001:2013 needs to take any extra measures to stay compliant.

To meet the changes in ISO 27001:2022, the organisation will only have to make slight alterations to their existing methods and processes, particularly if aiming to renew certification.

How ISMS.Online Help

Companies can harness ISMS.online to assist with their adherence to ISO 27001:2022. This platform simplifies the process of managing, updating, testing and evaluating their security protocols.

Our cloud-based platform simplifies ISMS management, allowing you to efficiently oversee risk management, policies, plans, procedures and more, all from one single source. The platform is straightforward and its user-friendly interface makes it simple to pick up.

ISMS.online enables your organisation to:

  • Document your procedures using a user-friendly web interface, no software installation necessary on your computer or network.
  • Automate your danger evaluation technique for greater efficiency.
  • Achieving compliance is simple with online reports and checklists.
  • Monitor your progress while seeking certification.

If you operate a business requiring adherence to ISO 27001, ISMS.Online provides a comprehensive selection of features to enable you to accomplish this essential task.

Contact us now to arrange a demonstration.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.