Annex A · People Control

A.6.5 — Responsibilities After Termination or Change of Employment

5 min read · Reviewed by: Cenedril Editorial
Tags: A.6.5 · ISO 27001 · ISO 27002 · BSI ORP.2

A system administrator resigns and leaves the company on a Friday. On Monday morning, IT discovers that the admin’s VPN account is still active, the SSH keys have not been revoked and the person still has root access to three production servers. The NDA was signed years ago, but nobody reminded the departing employee of their ongoing confidentiality obligations. A.6.5 addresses both sides of this problem: revoking access and reinforcing post-employment duties.

The control requires organizations to define and enforce the information-security responsibilities that persist after a person leaves or changes roles — and to manage the transition in a way that protects the organization’s interests.

What does the standard require?

The control text itself is short: information-security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties. In practice that breaks down into the following areas, covering both termination and role change. Note that asset return and access rights are formally their own controls (A.5.11 and A.5.18); A.6.5 is where the exit process triggers them:

  • Continuing obligations. Confidentiality and non-disclosure duties must survive the end of the employment relationship. These obligations should be defined in the original contract (A.6.2) and reinforced during the exit process.
  • Access revocation. All physical and logical access rights must be reviewed and removed when a person leaves, at the latest on the last working day; for involuntary departures, at the moment the person is notified, so that no window for retaliation remains. For role changes, rights must be adjusted to match the new position rather than accumulated on top of the old ones.
  • Asset return. The departing person must return all organizational assets — devices, badges, keys, tokens, documents.
  • Knowledge transfer. Security-relevant responsibilities must be formally handed over to a successor or interim owner.
  • Stakeholder notification. Relevant parties — customers, suppliers, partners — should be informed of the change when they had a direct relationship with the departing person.

In practice

Automate what you can. Link the HR exit process to identity management. When HR triggers a departure, the IAM system should automatically disable the directory account, revoke VPN access and flag outstanding access for manual review. The manual-review step matters: local accounts, SSH keys in authorized_keys, API tokens and shared secrets the person knew are rarely under IAM control. Those need an explicit inventory check, and shared credentials need rotation, not just deactivation of the person's own account.

Conduct an exit interview with a security component. During the exit interview, remind the departing employee of their ongoing NDA obligations, collect a signed acknowledgement and verify asset return.

Handle role changes as mini-offboardings. When someone moves to a different department, treat it as a partial offboarding: revoke old access, provision new access, brief the person on changed responsibilities. Many organizations skip this step, leading to privilege creep.

Set calendar reminders for NDA expiry. If your NDAs have a defined duration (e.g. two years post-employment), set a reminder so that you can assess whether an extension or renewal is needed before the obligation lapses.

Typical audit evidence

Auditors typically expect the following evidence for A.6.5:

  • Offboarding checklist — the standardized process document (link to HR Security Policy in the Starter Kit)
  • Completed checklists — signed offboarding forms for recent departures
  • Access-revocation logs — timestamps showing when accounts were disabled
  • Asset-return records — signed confirmation that devices and materials were returned
  • NDA acknowledgement — signed confirmation that the departing person was reminded of their continuing obligations
  • Role-change documentation — evidence that access was adjusted when someone changed positions

KPI

% of departing employees with documented post-employment obligation acknowledgement

Measured as a percentage: how many of your recent departures (last 12 months) have a completed offboarding checklist with a signed NDA acknowledgement? Target: 100%. A common starting point is 50–70%, often because contractor offboarding is informal.

Supplementary KPIs:

  • Average time between last working day and full access revocation (target: same day)
  • % of role changes with documented access adjustment
  • Number of orphaned accounts discovered per quarter
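The IAM trigger described under "Automate what you can" and the supplementary KPIs above are easiest to understand as one reconciliation job: pull the HR leaver feed, pull the live access inventories, list what each leaver still holds, and measure how long full revocation took. The Python below is an added example written for this page, not the article's or any vendor's code. The HR feed, account inventories, key registry, hostnames and revocation log are all constructed, and the SSH keys are fake blobs built only so that fingerprints can be computed. It matches SSH keys by fingerprint against the IAM registry rather than by the comment in authorized_keys, because the comment is free text that anyone with write access to the file can change.

```python
"""Offboarding reconciliation and revocation KPIs (added example, constructed data)."""
import base64
import hashlib
from datetime import datetime


def _fake_pubkey(seed: bytes, comment: str) -> str:
    """Syntactically valid ssh-ed25519 public-key line for the demo.
    The 32 'key' bytes are a hash of `seed`; this is not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def ssh_fingerprint(line: str) -> str:
    """SHA256 fingerprint of a public-key line, in the format ssh-keygen -l prints."""
    blob = base64.b64decode(line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# --- constructed data (hypothetical users, hosts and timestamps) -----------
JDOE_KEY = _fake_pubkey(b"jdoe", "jdoe@laptop")
DEPLOY_KEY = _fake_pubkey(b"deploy", "ops-deploy")
# Same key material as JDOE_KEY, re-added under a neutral comment: a check
# that greps authorized_keys for the username would miss this one.
JDOE_KEY_RENAMED = _fake_pubkey(b"jdoe", "ci-runner")

# IAM registry: which fingerprints belong to which person.
IAM_KEY_REGISTRY = {
    "jdoe": {ssh_fingerprint(JDOE_KEY)},
    "ops": {ssh_fingerprint(DEPLOY_KEY)},
}
# HR leaver feed: username -> last working day.
HR_LEAVERS = {
    "jdoe": datetime(2024, 3, 1, 17, 0),
    "asmith": datetime(2024, 3, 8, 17, 0),
}
# Inventories pulled from the live systems.
VPN_ACCOUNTS = {"jdoe": "active", "asmith": "disabled", "bkim": "active"}
AUTHORIZED_KEYS = {
    "prod-db-01": [JDOE_KEY, DEPLOY_KEY],
    "prod-web-01": [JDOE_KEY_RENAMED, DEPLOY_KEY],
    "prod-web-02": [DEPLOY_KEY],
}
SUDOERS = {"prod-db-01": {"bkim"}, "prod-web-01": {"bkim"}}
# Revocation audit log: (user, system, when). jdoe's offboarding stalled
# after sudo was removed; the VPN account and SSH keys were never touched.
REVOCATION_LOG = [
    ("asmith", "vpn", datetime(2024, 3, 8, 17, 30)),
    ("asmith", "ssh", datetime(2024, 3, 8, 17, 45)),
    ("asmith", "sudo", datetime(2024, 3, 8, 17, 45)),
    ("jdoe", "sudo", datetime(2024, 3, 4, 9, 10)),
]
REQUIRED_SYSTEMS = ("vpn", "ssh", "sudo")


def find_orphaned_access(leavers, vpn, authorized_keys, sudoers, key_registry):
    """Access a departed person still holds, as a sorted list of (user, system, detail)."""
    findings = []
    for user in leavers:
        if vpn.get(user) == "active":
            findings.append((user, "vpn", "account active"))
        for host, users in sudoers.items():
            if user in users:
                findings.append((user, "sudo", host))
    # Match SSH keys by fingerprint against the IAM registry, never by comment.
    owner_by_fp = {fp: u for u, fps in key_registry.items() for fp in fps}
    for host, lines in authorized_keys.items():
        for line in lines:
            owner = owner_by_fp.get(ssh_fingerprint(line))
            if owner in leavers:
                comment = line.split(maxsplit=2)[2:] or [""]
                findings.append((owner, "ssh", f"{host}: {comment[0]}"))
    return sorted(findings)


def full_revocation_time(user, log, required=REQUIRED_SYSTEMS):
    """When the last required system was revoked for `user`, or None if still incomplete."""
    done = {system: when for who, system, when in log if who == user}
    if any(system not in done for system in required):
        return None
    return max(done[system] for system in required)


def revocation_kpis(leavers, log, required=REQUIRED_SYSTEMS):
    """Supplementary KPIs: same-day completion rate, average hours to revoke, open cases."""
    same_day, hours, incomplete = 0, [], 0
    for user, last_day in leavers.items():
        finished = full_revocation_time(user, log, required)
        if finished is None:
            incomplete += 1
            continue
        hours.append((finished - last_day).total_seconds() / 3600)
        if finished.date() == last_day.date():
            same_day += 1
    return {
        "same_day_rate": same_day / len(leavers),
        "avg_hours_to_revoke": sum(hours) / len(hours) if hours else None,
        "incomplete": incomplete,
    }


if __name__ == "__main__":
    for finding in find_orphaned_access(HR_LEAVERS, VPN_ACCOUNTS, AUTHORIZED_KEYS, SUDOERS, IAM_KEY_REGISTRY):
        print("ORPHANED", *finding)
    print(revocation_kpis(HR_LEAVERS, REVOCATION_LOG))
```

Run it directly to print the orphaned findings and the KPI dictionary. In a real deployment the inventories would come from the VPN appliance, from authorized_keys on each host (or from your SSH CA), and from sudoers or directory groups, and the revocation log from the IAM system's audit trail. Every finding the job produces is the manual-review queue that the automation paragraph refers to, and the KPI output is the number to report: here one of two leavers was fully revoked on the last working day and one case is still open.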

BSI IT-Grundschutz

A.6.5 maps to several BSI modules:

  • ORP.2.A2 (Regulated procedure for the departure of employees) — the core requirement. Mandates a checklist covering access revocation, asset return, knowledge transfer and NDA reminder.
  • ORP.2.A14 (Personnel measures in the event of changes) — covers role changes, requiring access review and responsibility transfer.
  • ORP.4.A2 (Assigning access authorizations) — requires that access rights are revoked when the person no longer needs them.
  • ISMS.1.A5 (Assigning responsibility for information security) — requires that departing security officers formally hand over their duties.
  • OPS.1.1.2.A4 (Regulating the handover and withdrawal of resources) — covers asset return and resource withdrawal.

A.6.5 closes the people-security lifecycle that begins with screening (A.6.1) and the terms and conditions of employment (A.6.2): the obligations agreed at the start are the ones reinforced, and the access granted along the way is the access removed, at the end.


Frequently asked questions

What obligations typically survive termination?

Confidentiality and non-disclosure obligations are the most common. Depending on the contract, intellectual-property clauses, non-compete restrictions and data-handling duties may also persist for a defined period after the employment relationship ends.

Does A.6.5 also apply when someone changes roles internally?

Yes. A role change can mean the person no longer needs access to certain systems or data. The control requires that access rights are reviewed and adjusted, security responsibilities are reassigned, and the person is briefed on any new obligations.

Who is responsible for ensuring offboarding is complete?

Typically HR owns the process and triggers it, IT revokes access, the line manager confirms asset return and knowledge transfer, and the ISB (the information security officer) verifies that all security-related steps have been completed and that the evidence is on file.