Responsibilities After Termination or Change of Employment - ISO 27001 Annex A Control

ISO 27001 Annex A 6.5

The departure does not end the obligations - the obligations need to outlive the employment.

ISO 27001 Annex A 6.5 - Responsibilities After Termination or Change of Employment

When someone leaves the organisation - or moves into a different role - some information security obligations end and some continue. The control requires the organisation to be clear about which is which, and to make sure the leaver or mover understands the position. Without that clarity, departing staff may genuinely believe they are free to take materials or share information that should remain protected.

The ongoing obligations typically include confidentiality of information learned during employment, return of all organisational assets - documents, devices, access tokens, intellectual property - and continued compliance with any specific contractual undertakings such as restrictive covenants. The leaver process should remind the worker of these obligations in writing at the point of departure, with acknowledgement captured.

The same logic applies to internal moves where someone takes on a different role. Access rights for the previous role should end, even if the worker has not left the organisation. Information held under the previous role's authority needs to be returned or transferred to the appropriate successor. The change-of-role process should trigger the same review that a leaver process would trigger.

The reminder of continuing obligations at the leaver meeting matters more than people think. The leaver may have signed a contract years ago and forgotten what it said. A short written reminder of the key obligations - confidentiality, return of assets, any restrictive covenants - sets the position out clearly and gives the organisation a record that the worker was reminded at the point of departure.

Practical Compliance Guidance

Termination and change of employment arrangements are described in the IMS1 manual at section 8.5 alongside the People Security Policy. The leaver checklist provides the practical record.

alphaZ document | How to use it
ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Typically: confidentiality of information learned during employment, return of all organisational assets, continued compliance with intellectual property obligations, and any specific restrictive covenants in the contract such as non-compete or non-solicitation clauses. The exact list depends on the contract. The leaver process should remind the worker of the specific obligations that apply.

Yes. Where someone moves to a different role within the organisation, the access rights for the previous role should end, materials held under that role should be transferred, and any role-specific obligations should be reviewed. The change-of-role process is the equivalent of the leaver process for internal movers.

As close to the point of departure as practical, with the timing aligned to the circumstances. For amicable departures with notice periods, access can typically be removed on the last working day. For involuntary departures or higher-risk circumstances, access should be removed at the point the decision takes effect. The HR-IT trigger for this should be defined in the leaver process.
