ISO 27001:2022 Annex A Control 6.5

Explaining Annex A Control 6.5 Responsibilities after termination or change of employment

ISO/IEC 27001 Control 6.5, titled "Responsibilities after termination or change of employment," emphasizes the necessity for organizations to clearly define, enforce, and communicate information security responsibilities that persist even after an individual's employment ends or their role changes. This ensures the organization's information remains protected, mitigating risks associated with departing or transitioning personnel.

Objective of Control 6.5

The objective of this control is to ensure the continuity and protection of your organization’s information assets during and after employment transitions by:

  • Defining specific information security duties that remain valid after employment ends or roles change.
  • Enforcing these responsibilities to prevent unauthorized access or misuse of sensitive information.
  • Communicating these responsibilities clearly to all relevant personnel, external parties, and stakeholders.

Purpose of Control 6.5

The purpose of this control is to protect your organization’s information security interests as part of managing employment changes or terminations. Specifically, it seeks to:

  1. Preserve confidentiality: Protect sensitive information, intellectual property, and other critical assets even after an individual leaves the organization.
  2. Maintain operational integrity: Ensure that security responsibilities are transferred seamlessly during role changes to avoid gaps or disruptions.
  3. Uphold compliance: Meet legal, regulatory, and contractual requirements by enforcing post-employment obligations.
  4. Reduce risks: Prevent data leaks, sabotage, or other security incidents by departing employees or contractors.

Detailed Implementation Guidance

To successfully implement Control 6.5, your organization should adopt the following steps:

1. Define Post-Employment Responsibilities

Clearly outline the information security responsibilities that persist after termination or role changes. These should include:

  • Confidentiality Obligations: Employees and contractors must maintain the confidentiality of sensitive information they accessed during their tenure. This includes trade secrets, customer data, and intellectual property.
  • Non-Disclosure Agreements (NDAs): Ensure that NDAs explicitly state the duration of confidentiality obligations after employment ends.
  • Ownership of Intellectual Property: Specify that intellectual property developed during employment remains the property of your organization.
  • Prohibited Activities: Outline restrictions, such as not sharing company information with competitors or engaging in activities that breach contractual obligations.

2. Enforce Responsibilities Through Contracts

Incorporate information security obligations into employment contracts, confidentiality agreements, and terms of employment. For example:

  • Employment contracts should specify ongoing security responsibilities, such as safeguarding organizational data even after termination.
  • Contracts with external personnel or suppliers should include clauses detailing security responsibilities during and after engagement.
  • Outline legal consequences for non-compliance, including potential litigation or penalties.

3. Create a Comprehensive Termination Process

A structured termination process is crucial for managing security risks. This process should include:

  • Access Revocation: Immediately revoke access to systems, applications, physical locations, and sensitive data upon termination or role change. Use automated tools to streamline the process and prevent delays.
  • Asset Retrieval: Recover company-issued devices, such as laptops, mobile phones, and access cards, to prevent unauthorized use.
  • Exit Interviews: Conduct exit interviews to remind employees of their post-employment obligations and to address any potential concerns.

4. Manage Role Changes Effectively

Role changes should be treated as both the termination of the old role and the initiation of a new one. This ensures continuity and avoids gaps in responsibilities. Steps include:

  • Reviewing and updating access rights to align with the new role.
  • Transferring security responsibilities to other team members during transitions.
  • Communicating the changes to internal teams and relevant stakeholders.
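One way to operationalize the access-revocation step above (step 3) and the "old role ends, new role begins" view of a role change (step 4) is to reconcile what a person currently holds against the entitlement profile of the new role, treating termination as a role with no entitlements at all. This is an added example, not code from the page or from the ISO/IEC 27001 text; the role profiles, the grants and the in-memory directory are constructed sample data standing in for an IAM system of record.

```python
"""Added example: reconcile current access against a new role's entitlements.
Termination is modelled as a change to a role that holds no entitlements, so
one code path serves both offboarding and role changes. All data is constructed."""
from dataclasses import dataclass

# Constructed role profiles: every grant a role is entitled to, nothing more.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "vpn", "badge:hq", "email"},
    "support-agent": {"ticketing:write", "vpn", "badge:hq", "email"},
    "terminated": set(),  # a departure is a role with no entitlements
}

# Constructed system of record: person -> grants currently held.
# "vpn:legacy" is a leftover grant no current role entitles anyone to.
DIRECTORY = {
    "alice": {"erp:read", "vpn", "badge:hq", "email", "vpn:legacy"},
}

@dataclass(frozen=True)
class Plan:
    revoke: frozenset  # grants the new role is not entitled to
    grant: frozenset   # grants the new role needs but the person lacks

def plan_change(current, new_role):
    """Compute what to remove and what to add for the new role."""
    target = ROLE_ENTITLEMENTS[new_role]
    current = set(current)
    return Plan(frozenset(current - target), frozenset(target - current))

def apply_change(person, new_role, directory=DIRECTORY):
    """Revoke before granting, then re-read the directory to verify.
    Returns the audit trail and whether the end state matches the role."""
    plan = plan_change(directory.get(person, set()), new_role)
    audit = []
    for g in sorted(plan.revoke):
        directory[person].discard(g)
        audit.append(("revoked", g))
    for g in sorted(plan.grant):
        directory.setdefault(person, set()).add(g)
        audit.append(("granted", g))
    remaining = directory.get(person, set())
    return audit, remaining == ROLE_ENTITLEMENTS[new_role]

def verify_offboarded(person, directory=DIRECTORY):
    """True only when a terminated person holds no access at all."""
    return not directory.get(person, set())
```

The verification re-reads the directory after the changes rather than trusting the plan, so a revocation that silently failed would show up as an unverified change.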

5. Collaborate with Human Resources (HR)

HR teams play a critical role in managing the termination and role change processes. Ensure HR is involved in:

  • Coordinating the offboarding process.
  • Communicating with the departing employee about their ongoing responsibilities.
  • Maintaining records of signed agreements and NDAs for future reference.

6. Apply to External Personnel

For contractors, suppliers, or other external personnel, ensure that contracts explicitly define post-engagement responsibilities. Collaborate with external parties to enforce these responsibilities and verify compliance.

Relevance to External Personnel

This control applies equally to internal employees and external personnel, such as contractors and suppliers. Contracts with external parties should clearly specify their information security responsibilities both during and after their engagement. This ensures that your organization’s data remains protected, even when external relationships end.

Relevant ISO 27001 Controls

Control 6.5 closely relates to the following controls:

  • Control 5.2 – Information security roles and responsibilities: Ensures clarity in defining roles.
  • Control 6.2 – Terms and conditions of employment: Includes security responsibilities in employment contracts.
  • Control 6.6 – Confidentiality or non-disclosure agreements: Ensures confidentiality post-employment.

Supporting Templates

Your organization can leverage the following templates to streamline the implementation of Control 6.5:

  1. Confidentiality Agreement Template
    Clearly define and enforce confidentiality obligations that remain valid after employment ends.
  2. Access Revocation Checklist Template
    Ensure that all access rights are revoked systematically for departing employees or contractors.
  3. Termination Checklist Template
    Create a step-by-step process for managing employee or contractor offboarding.
  4. Role Transition Plan Template
    Help facilitate transitions during role changes by addressing access rights, responsibilities, and communication.

Final Thoughts

With the implementation of ISO 27001 Control 6.5, your organization can mitigate risks associated with employment transitions, protect sensitive information, and maintain operational continuity. Defining, enforcing, and communicating post-employment responsibilities ensures that your organization is prepared to handle personnel changes securely and confidently.