Responsibilities after employment termination or role change
Ensure security responsibilities are clear when employment ends or roles change.
🏛️ Framework: ISO/IEC 27001:2022
🧭 Control effect: Preventative
🧱 ISO 27001 domain: People controls
🔐 Classifications: N/A
🗓️ Official last update: 24 Oct 2022
✏️ Control Stack last updated: 22 Feb 2026
🎯 Maturity levels: N/A
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.
Source: ISO/IEC 27001:2022
Plain language
When someone leaves your organisation or changes roles, their responsibilities related to keeping information safe need to be clear. Think of it like making sure someone locks the door behind them after they leave. If we don't do this, sensitive information could get into the wrong hands, leading to data breaches or misuse.
Why it matters
If post-employment/role-change duties aren’t defined and enforced, staff may misuse retained access or disclose information, causing breaches and legal/reputational harm.
Operational notes
At termination/role change, promptly revoke/adjust access, recover assets, update role responsibilities, and remind personnel of ongoing confidentiality and security obligations.
Implementation tips
- The HR department should clearly outline ongoing security responsibilities in employment contracts. They can do this by including specific clauses about confidentiality and information security duties that continue even after an employee leaves or changes positions.
- Managers must ensure that when someone changes roles, their old security responsibilities are managed and handed over properly. They should create a checklist for outgoing tasks and responsibilities, ensuring nothing falls through the cracks.
- IT administrators must promptly disable access to systems for employees leaving the company or changing roles. They need to have a standard procedure that includes revoking access to emails and databases to prevent unauthorised access.
- The legal team should review and update confidentiality agreements periodically to ensure they cover all aspects of information security relevant to former employees. They should cross-check these agreements with the latest regulations, such as the Privacy Act 1988.
- The security team should conduct exit interviews that include a section on information security. During these interviews, they should remind exiting employees of their ongoing confidentiality obligations, as described in their contracts.
Audit / evidence tips
- Ask: Request documentation outlining employee offboarding procedures.
  Good: Clear, documented procedures that include comprehensive steps for managing information security responsibilities during employment changes.
- Ask: Ask for examples of employment contracts or non-disclosure agreements.
  Good: Contracts include specific language on post-employment security duties, aligning with organisational policies.
- Ask: Require a log of access revocations and systems changes for former employees.
  Good: Access logs show timely deactivation of accounts and access removal, with no unnecessary delays.
- Ask: Request records from recent exit interviews that address security responsibilities.
  Good: Exit interviews consistently document a discussion on continued confidentiality obligations.
- Ask: Inquire about training materials or sessions on information security for departing employees.
  Good: Training content highlights the importance of ongoing confidentiality and security principles.
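As an added example, not part of the Control Stack page or of ISO/IEC 27001 itself, the script below shows one way an auditor or IT administrator could turn the "log of access revocations" evidence into a repeatable check: it reconciles constructed HR termination/role-change records against constructed identity-provider audit lines and flags revocations that are missing or later than an assumed 24-hour SLA. The log layout, action names (`account.disable`, `group.remove`, `role.remove`), user ids and SLA are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed HR offboarding records: (user id, effective time, event type).
# The layout is an assumption; real HR exports will differ.
HR_EVENTS = [
    ("jsmith", "2026-02-02T17:00:00", "termination"),
    ("akhan",  "2026-02-03T09:00:00", "role_change"),
    ("mlee",   "2026-02-04T17:00:00", "termination"),
]

# Constructed identity-provider audit lines (assumed "timestamp actor action target [extra]" layout).
IAM_LOG = """\
2026-02-02T17:20:00 iam-admin account.disable jsmith
2026-02-02T17:21:00 iam-admin group.remove jsmith finance-db-readers
2026-02-05T10:30:00 iam-admin group.remove akhan payroll-approvers
"""

SLA = timedelta(hours=24)  # assumed revocation deadline after the HR effective time

# Which audit actions count as a revocation for each HR event type (assumed names)
RELEVANT_ACTIONS = {
    "termination": {"account.disable"},
    "role_change": {"group.remove", "role.remove"},
}

def parse_iam_log(text):
    """Parse audit lines into (timestamp, action, target) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, _actor, action, target = parts[:4]
        events.append((datetime.fromisoformat(ts), action, target))
    return events

def reconcile(hr_events, iam_events, sla=SLA):
    """Return one finding per HR event: (user, "ok" | "late" | "missing", lag in hours or None)."""
    findings = []
    for user, effective, kind in hr_events:
        effective_ts = datetime.fromisoformat(effective)
        # Only revocations at or after the effective time count as responding to this event
        matches = [ts for ts, action, target in iam_events
                   if target == user and action in RELEVANT_ACTIONS[kind] and ts >= effective_ts]
        if not matches:
            findings.append((user, "missing", None))
            continue
        lag = min(matches) - effective_ts
        findings.append((user, "ok" if lag <= sla else "late", round(lag.total_seconds() / 3600, 2)))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_EVENTS, parse_iam_log(IAM_LOG)):
        print(finding)
```

Any "late" or "missing" finding is the kind of delay or gap an auditor would expect the organisation to explain and remediate.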
Cross-framework mappings
How Annex A 6.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1569 | Annex A 6.5 requires ongoing information security obligations to be defined, enforced and communicated when employment terminates or role... |
| Supports | ISM-1997 | Annex A 6.5 requires that information security responsibilities and duties that remain valid after termination or role change are defined... |
| Supports | ISM-2036 | Annex A 6.5 requires organisations to define, enforce and communicate security responsibilities that continue after termination or role c... |