ISO 27001:2022 Annex A Control 6.5

What Is The Purpose of ISO 27001:2022 Annex A 6.5?

Annex A 6.5 should be implemented upon an employee or contractor’s departure from the organisation, or when a contract ends before its expiration.

This control safeguards the organisation’s information security interests in the event of employment changes or contract terminations.

This Annex A Control safeguards against the possibility of employees taking advantage of their access to confidential information and processes for personal gain or malicious intent, especially following their departure from the organisation or job.

Annex A Control 6.5 Explained

ISO 27001:2022 Annex A 6.5 seeks to safeguard the organisation’s data security interests in the event of changing or ending employment or contracts. This covers employees, contractors, and third parties who gain access to confidential data.

Assess if any persons (including contracted ones) with access to your sensitive personal data are departing your organisation and take measures to guarantee they do not keep and persist in accessing your sensitive personal data after they leave.

If you detect that an individual is departing and there is a chance that confidential personal information could be revealed, then you must take appropriate steps either before they go or as swiftly as possible afterwards to ensure this does not occur.

What Is Involved and How to Meet the Requirements

To meet the criteria of Annex A 6.5, an individual’s employment contract or agreement should specify any information security responsibilities and duties that still stand after the conclusion of the relationship.

Information security responsibilities may be included in other contracts or agreements that last longer than an employee’s period of employment.

Upon leaving a role or changing jobs, the incumbent must ensure their security responsibilities are transferred and all access credentials are deleted and replaced.

For further details of this process, consult the ISO 27001:2022 standard document.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 6.5 is an adaptation of ISO 27001:2013 Annex A 7.3.1 rather than a new Annex A Control.

The fundamentals of these two controls are alike, though there are small discrepancies. For instance, the implementation guidance differs slightly in both versions.

The first part of Annex A 7.3.1 in ISO 27001:2013 directs that organisations must:

Upon termination, it is essential to communicate the necessary information security and legal requirements, as well as any applicable confidentiality agreements and terms and conditions of employment that may run for a specified period following the end of the employee or contractor’s engagement.

The same section Annex A 6.5 of ISO 27001:2022 stipulates that:

The procedure for managing termination or change of employment should specify which information security responsibilities and obligations remain in force after termination or alteration. This may include maintaining confidentiality of information, intellectual property and other knowledge acquired, as well as any other responsibilities stipulated in a confidentiality agreement.

Responsibilities and duties that remain in effect after the termination of an individual’s employment, contract, or agreement should be detailed in their terms and conditions. Additionally, any contracts or agreements that span a defined period beyond the end of the individual’s employment may include information security responsibilities.

Despite the difference in wording, both Annex A Controls have a largely similar structure and purpose in their respective contexts. To make Annex A 6.5 more user-friendly, the language has been simplified, allowing users to better understand its content.

The 2022 version of ISO 27001 includes a statement of purpose and attributes table for each control, aiding users in understanding and implementing them. This is absent in the 2013 edition.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

Who Is in Charge of This Process?

In keeping with the recommendation of ISO 27001:2022 Annex A 6.5, Human Resources usually takes charge of the entire termination process in most organisations, collaborating with the individual’s supervisor to ensure information security as part of the procedures.

Personnel supplied by an external party (for example, a supplier) should be terminated in accordance with the contract established between the organisation and the external party.

What Do These Changes Mean for You?

The ISO 27001:2022 standard has remained largely unchanged, merely updated for improved usability. No organisation currently compliant with ISO 27001:2013 needs to take any extra measures to stay compliant.

To meet the changes in ISO 27001:2022, the organisation will only have to make slight alterations to their existing methods and processes, particularly if aiming to renew certification.

How ISMS.Online Help

Companies can harness ISMS.online to assist with their adherence to ISO 27001:2022. This platform simplifies the process of managing, updating, testing and evaluating their security protocols.

Our cloud-based platform simplifies ISMS management, allowing you to efficiently oversee risk management, policies, plans, procedures and more, all from one single source. The platform is straightforward and its user-friendly interface makes it simple to pick up.

ISMS.online enables your organisation to:

• Document your procedures using a user-friendly web interface, no software installation necessary on your computer or network.
• Automate your danger evaluation technique for greater efficiency.
• Achieving compliance is simple with online reports and checklists.
• Monitor your progress while seeking certification.

If you operate a business requiring adherence to ISO 27001, ISMS.Online provides a comprehensive selection of features to enable you to accomplish this essential task.

Contact us now to arrange a demonstration.