ISO 27001:2022 Annex A 6.5 Checklist Guide

By Max Edwards | Updated 15 August 2024

Utilising a checklist for A.6.5 Responsibilities After Termination or Change of Employment ensures systematic management of access revocation, asset return, and confidentiality obligations, thereby mitigating security risks. Achieving compliance enhances organisational security posture, maintaining the integrity of sensitive information even after employment termination.

ISO 27001 A.6.5 Responsibilities After Termination or Change of Employment Checklist

Implementing A.6.5 Responsibilities After Termination or Change of Employment is essential for safeguarding an organisation’s sensitive information and ensuring that former employees do not have residual access to company resources.

This control involves a series of steps that must be meticulously managed to prevent data breaches and unauthorised access.

Challenges can arise at each stage, but with the right tools and strategies, organisations can achieve robust compliance. Leveraging ISMS.online features can significantly streamline this process, making it more efficient and effective.

Why Should You Comply With Annex A.6.5? Key Aspects and Common Challenges

Access Revocation

Objective: Ensure that all access rights to systems, networks, and data are promptly revoked upon the termination or change of employment. This includes disabling user accounts, removing physical access, and retrieving any company-issued devices.

Challenges:

  • Identifying all access points and systems the employee had access to can be complex.
  • Ensuring timely communication between HR and IT departments to deactivate access immediately.
  • Managing access rights for remote workers or those using personal devices.

Solutions:

  • Implement an automated access management system integrated with HR processes to track and revoke access rights promptly.
  • Use a centralised identity and access management (IAM) system to maintain an up-to-date record of user access.
  • Regularly audit access rights and update access control lists to ensure accuracy.

Related ISO 27001 Clauses:

  • Clause 9.2: Internal Audit
  • Clause 7.5: Documented Information

Return of Assets

Objective: Ensure the return of all organisational assets, such as laptops, mobile devices, access cards, documents, and other company property. This helps in preventing unauthorised access and potential data breaches.

Challenges:

  • Tracking all assets assigned to the employee, especially if there is no centralised asset management system.
  • Ensuring employees return assets promptly, particularly in remote or offsite scenarios.
  • Handling the condition and data sanitisation of returned assets.

Solutions:

  • Maintain a detailed asset registry and update it regularly.
  • Use asset tracking tools with check-in/check-out features for better accountability.
  • Implement a clear policy for the return of assets and include this in the exit process.

Related ISO 27001 Clauses:

  • Clause 8.1: Operational Planning and Control
  • Clause 8.2: Risk Assessment

Confidentiality Agreements

Objective: Reinforce any existing confidentiality or non-disclosure agreements that extend beyond the period of employment. Employees should be reminded of their ongoing obligations to protect the organisation’s sensitive information even after leaving the company.

Challenges:

  • Ensuring that employees fully understand their ongoing confidentiality obligations.
  • Keeping track of signed agreements and ensuring they are up-to-date and legally binding.
  • Addressing potential legal disputes regarding confidentiality breaches.

Solutions:

  • Conduct regular training sessions to remind employees of their confidentiality obligations.
  • Use electronic signature tools to maintain and track signed agreements.
  • Engage legal counsel to review and update agreements periodically.

Related ISO 27001 Clauses:

  • Clause 7.3: Awareness
  • Clause 7.4: Communication

Knowledge Transfer

Objective: Facilitate the transfer of knowledge and responsibilities to other employees or new hires. This helps in maintaining business continuity and ensures that critical information and tasks are not lost during the transition.

Challenges:

  • Ensuring a smooth transfer of knowledge without losing critical information.
  • Managing the transition process effectively, especially during sudden or unplanned departures.
  • Ensuring that remaining employees are adequately trained to take over new responsibilities.

Solutions:

  • Develop a structured knowledge transfer plan that includes documentation and training sessions.
  • Use collaborative tools like wikis or internal knowledge bases to store and share information.
  • Schedule overlap periods where outgoing employees work with their replacements.

Related ISO 27001 Clauses:

  • Clause 7.2: Competence
  • Clause 7.5: Documented Information

Exit Interviews

Objective: Conduct exit interviews to discuss any outstanding security concerns and ensure that the departing employee is aware of their continuing responsibilities. This can also provide insights into potential security improvements.

Challenges:

  • Conducting thorough and consistent exit interviews across the organisation.
  • Addressing feedback constructively and implementing necessary improvements.
  • Ensuring that all security concerns are documented and followed up on.

Solutions:

  • Develop a standardised exit interview process and checklist.
  • Assign dedicated personnel to conduct exit interviews and handle feedback.
  • Document feedback and track the implementation of suggested improvements.

Related ISO 27001 Clauses:

  • Clause 9.3: Management Review
  • Clause 10.2: Nonconformity and Corrective Action

Monitoring and Auditing

Objective: Monitor and audit the processes related to termination or change of employment to ensure compliance with security policies. This includes verifying that access has been revoked and assets have been returned.

Challenges:

  • Keeping accurate records of all termination-related activities for audit purposes.
  • Conducting regular audits to identify gaps or non-compliance issues.
  • Ensuring that corrective actions are implemented and tracked.

Solutions:

  • Implement a robust record-keeping system to track all termination activities.
  • Schedule regular audits and use audit management tools to streamline the process.
  • Develop a system for tracking and following up on corrective actions.

Related ISO 27001 Clauses:

  • Clause 9.2: Internal Audit
  • Clause 10.2: Nonconformity and Corrective Action

ISMS.online Features for Demonstrating Compliance with A.6.5

ISMS.online offers several features that can be instrumental in demonstrating compliance with A.6.5:

User Management

  • Access Control: Manage and revoke access rights effectively through detailed user access logs and role-based access controls.
  • Identity Management: Ensure the comprehensive management of user identities, including the prompt deactivation of accounts and removal of privileges.

Asset Management

  • Asset Registry: Track and manage organisational assets assigned to employees, ensuring they are returned upon termination or change of employment.
  • Labelling System: Facilitate the tracking and retrieval of assets through systematic labelling and categorisation.

Policy Management

  • Policy Templates: Implement and communicate confidentiality agreements and other relevant policies clearly to ensure understanding and compliance.
  • Document Control: Maintain and update confidentiality agreements, ensuring they are signed and acknowledged by all employees.

Incident Management

  • Incident Tracker: Log and manage any incidents related to termination or change of employment, ensuring a structured and documented approach to addressing security concerns.
  • Workflow: Streamline the exit process with predefined workflows that ensure all necessary steps, such as access revocation and asset return, are completed.

Audit Management

  • Audit Templates: Regularly audit termination processes using customisable templates to ensure adherence to policies and identify areas for improvement.
  • Corrective Actions: Document and implement corrective actions derived from exit interviews or audits, enhancing the overall process.

Communication

  • Notification System: Automate notifications to relevant departments when an employee’s status changes, ensuring timely action for access revocation and asset return.
  • Collaboration Tools: Facilitate communication between HR, IT, and other relevant departments to ensure seamless execution of termination procedures.

Detailed Annex A.6.5 Compliance Checklist

To ensure compliance with A.6.5, the following checklist can be used:

Access Revocation

  • Identify all systems and applications the employee had access to.
  • Revoke physical access (e.g., building entry cards).
  • Deactivate user accounts on all systems.
  • Remove access to remote work tools and VPNs.
  • Retrieve all company-issued devices.

Return of Assets

  • Verify the list of assets assigned to the employee.
  • Ensure the return of all physical assets (e.g., laptops, mobile devices).
  • Check the condition of returned assets.
  • Perform data sanitisation on returned devices.
  • Update asset management records.

Confidentiality Agreements

  • Review the confidentiality agreement signed by the employee.
  • Remind the employee of their ongoing confidentiality obligations.
  • Ensure legal counsel reviews the agreement for any updates.
  • Document the acknowledgment of confidentiality terms post-termination.

Knowledge Transfer

  • Identify key responsibilities and knowledge areas held by the departing employee.
  • Arrange knowledge transfer sessions with other employees or new hires.
  • Document critical processes and tasks.
  • Ensure new personnel are trained to take over responsibilities.
  • Monitor the transition to ensure continuity.

Exit Interviews

  • Schedule exit interviews with all departing employees.
  • Discuss any outstanding security concerns.
  • Gather feedback on the termination process.
  • Document all points discussed during the interview.
  • Implement necessary improvements based on feedback.

Monitoring and Auditing

  • Maintain records of all termination-related activities.
  • Conduct regular audits of the termination process.
  • Verify that access has been revoked and assets have been returned.
  • Identify and address any gaps or non-compliance issues.
  • Implement and track corrective actions.
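The "verify that access has been revoked and assets have been returned" audit step above can be run as a reconciliation of the HR leaver list against IAM and the asset register. The script below is an added example, not ISMS.online code; the three exports and their field names (`id`, `left`, `owner`, `enabled`, `returned`) are constructed sample data and assumed schemas.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample exports; the field names are assumptions, not any product's schema.
HR_LEAVERS = [  # employee id and termination / role-change date
    {"id": "e101", "name": "A. Leaver", "left": date(2024, 8, 1)},
    {"id": "e102", "name": "B. Mover", "left": date(2024, 8, 9)},
]
IAM_ACCOUNTS = [  # one row per account per system, with the IAM enabled flag
    {"owner": "e101", "system": "vpn", "enabled": True},
    {"owner": "e101", "system": "hr-portal", "enabled": False},
    {"owner": "e102", "system": "git", "enabled": False},
]
ASSET_REGISTER = [  # checked-out assets; returned is None while still outstanding
    {"tag": "LT-0042", "owner": "e101", "returned": None},
    {"tag": "BADGE-7", "owner": "e102", "returned": date(2024, 8, 9)},
]
NDA_ACKS = {"e102"}  # ids with a post-termination confidentiality acknowledgement on file
AUDIT_DATE = date(2024, 8, 15)


@dataclass(frozen=True)
class Finding:
    employee: str
    check: str    # which A.6.5 checklist area the nonconformity belongs to
    detail: str


def audit_leavers(leavers, accounts, assets, nda_acks, today, grace_days=1):
    """Return A.6.5 nonconformities: residual access, outstanding assets, missing NDA ack.

    Residual access is flagged immediately (revocation must be prompt); an unreturned
    asset is flagged once the return grace period after the leaving date has passed.
    """
    findings = []
    for p in leavers:
        overdue = today - p["left"] > timedelta(days=grace_days)
        for a in accounts:
            if a["owner"] == p["id"] and a["enabled"]:
                findings.append(Finding(p["id"], "access-revocation",
                                        f"{a['system']} account still enabled"))
        for asset in assets:
            if asset["owner"] == p["id"] and asset["returned"] is None and overdue:
                findings.append(Finding(p["id"], "return-of-assets",
                                        f"{asset['tag']} not returned"))
        if p["id"] not in nda_acks:
            findings.append(Finding(p["id"], "confidentiality",
                                    "no post-termination acknowledgement on file"))
    return findings


if __name__ == "__main__":
    for f in audit_leavers(HR_LEAVERS, IAM_ACCOUNTS, ASSET_REGISTER, NDA_ACKS, AUDIT_DATE):
        print(f"{f.employee}: [{f.check}] {f.detail}")
```

Each finding maps to a checklist area, so the output can be logged directly as a nonconformity record for the corrective-action tracking step.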

Additional Best Practices for Annex A.6.5

  • Document Everything: Ensure all processes, decisions, and actions are well-documented. This helps in auditing and demonstrating compliance.
  • Regular Training: Provide regular training to HR and IT staff on the importance and procedures for handling terminations and changes in employment.
  • Continuous Improvement: Use feedback from exit interviews and audits to continuously improve the termination process.
  • Legal Compliance: Ensure all actions comply with local labour laws and regulations regarding termination and employment changes.

By effectively leveraging these ISMS.online features and addressing the common challenges faced during implementation, organisations can ensure comprehensive compliance with the A.6.5 control, minimising risks associated with employee terminations or role changes and maintaining robust information security.

How ISMS.online Helps With A.6.5

Implementing robust information security measures is critical in today’s digital landscape. Ensuring compliance with ISO 27001:2022, particularly with controls like A.6.5 Responsibilities After Termination or Change of Employment, can be challenging but is essential for protecting your organisation’s sensitive information.

ISMS.online provides a comprehensive platform with the tools and features necessary to streamline this process and ensure thorough compliance.

Ready to elevate your information security and compliance strategies?

Contact ISMS.online today to learn how our platform can support your organisation’s needs. Book a demo now and experience firsthand how ISMS.online can simplify and enhance your compliance efforts.