Responsibilities after employment termination or role change
Ensure security responsibilities are clear when employment ends or roles change.
Plain language
When someone leaves your organisation or changes roles, their responsibilities related to keeping information safe need to be clear. Think of it like making sure someone locks the door behind them after they leave. If we don't do this, sensitive information could get into the wrong hands, leading to data breaches or misuse.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: People controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.
Why it matters
If post-employment/role-change duties aren’t defined and enforced, staff may misuse retained access or disclose information, causing breaches and legal/reputational harm.
Operational notes
At termination/role change, promptly revoke/adjust access, recover assets, update role responsibilities, and remind personnel of ongoing confidentiality and security obligations.
Implementation tips
- The HR department should clearly outline ongoing security responsibilities in employment contracts. They can do this by including specific clauses about confidentiality and information security duties that continue even after an employee leaves or changes positions.
- Managers must ensure that when someone changes roles, their old security responsibilities are managed and handed over properly. They should create a checklist for outgoing tasks and responsibilities, ensuring nothing falls through the cracks.
- IT administrators must promptly disable access to systems for employees leaving the company or changing roles. They need to have a standard procedure that includes revoking access to emails and databases to prevent unauthorised access.
- The legal team should review and update confidentiality agreements periodically to ensure they cover all aspects of information security relevant to former employees. They should cross-check these agreements with the latest regulations, such as the Privacy Act 1988.
- The security team should conduct exit interviews that include a section on information security. During these interviews, they should remind exiting employees of their ongoing confidentiality obligations, as described in their contracts.
Audit / evidence tips
- Ask: Request documentation outlining employee offboarding procedures.
  Good: Clear, documented procedures that include comprehensive steps for managing information security responsibilities during employment changes.
- Ask: Ask for examples of employment contracts or non-disclosure agreements.
  Good: Contracts include specific language on post-employment security duties, aligning with organisational policies.
- Ask: Require a log of access revocations and systems changes for former employees.
  Good: Access logs show timely deactivation of accounts and access removal, with no unnecessary delays.
- Ask: Request records from recent exit interviews that address security responsibilities.
  Good: Exit interviews consistently document a discussion on continued confidentiality obligations.
- Ask: Inquire about training materials or sessions on information security for departing employees.
  Good: Training content highlights the importance of ongoing confidentiality and security principles.
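The third audit tip asks for evidence that accounts were deactivated promptly. The following is an added example (not part of this control page or any product) of how an auditor or IT administrator could cross-check HR termination dates against an identity-system audit log; the records, the log format and the 24-hour deadline are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed HR offboarding records: username -> termination timestamp
HR_RECORDS = {
    "j.doe": datetime(2026, 3, 2, 17, 0),
    "a.lee": datetime(2026, 3, 3, 12, 0),
    "m.khan": datetime(2026, 3, 4, 9, 0),
}

# Constructed identity-system audit log; the line format is an assumption
IAM_LOG = """\
2026-03-02T17:20:00 DISABLE_ACCOUNT user=j.doe by=it-admin
2026-03-02T17:25:00 REVOKE_GROUP user=j.doe group=finance-db
2026-03-05T08:00:00 DISABLE_ACCOUNT user=a.lee by=it-admin
2026-03-04T10:00:00 LOGIN_SUCCESS user=m.khan src=10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+)")
REVOCATION_EVENTS = {"DISABLE_ACCOUNT", "REVOKE_GROUP"}


def check_offboarding(hr_records, log_text, sla=timedelta(hours=24)):
    """Return {user: [finding, ...]}; an empty list means the evidence is clean.

    Findings: NOT_DISABLED (no deactivation event at all), LATE_DISABLE
    (deactivated later than the SLA after termination) and
    ACTIVITY_AFTER_TERMINATION (a non-revocation event after the leave date).
    """
    disabled_at, activity_after = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event, user = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if user not in hr_records:
            continue  # only former staff are in scope for this check
        if event == "DISABLE_ACCOUNT":
            disabled_at.setdefault(user, ts)  # keep the earliest deactivation
        elif event not in REVOCATION_EVENTS and ts > hr_records[user]:
            activity_after.add(user)  # account used after the leave date
    findings = {}
    for user, left in hr_records.items():
        issues = []
        if user not in disabled_at:
            issues.append("NOT_DISABLED")
        elif disabled_at[user] - left > sla:
            issues.append("LATE_DISABLE")
        if user in activity_after:
            issues.append("ACTIVITY_AFTER_TERMINATION")
        findings[user] = issues
    return findings
```

Run over a real export, the same three findings map directly onto the "Good" outcome above: every leaver has a deactivation event, none of them outside the agreed deadline, and no sign-ins afterwards.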
Cross-framework mappings
How Annex A 6.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-0430 | Annex A 6.5 requires information security responsibilities and duties that continue after termination or a role change to be defined, enf... |
| Partially overlaps | ISM-1569 | Annex A 6.5 requires ongoing information security obligations to be defined, enforced and communicated when employment terminates or role... |
| Supports | ISM-1997 | Annex A 6.5 requires that information security responsibilities and duties that remain valid after termination or role change are defined... |
| Supports | ISM-2036 | Annex A 6.5 requires organisations to define, enforce and communicate security responsibilities that continue after termination or role c... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.