Implementing ISO 27001 Annex A 6.5 Responsibilities After Termination or Change of Employment
You are looking at Annex A 6.5 and wondering what it actually means for your business. As a certification body, we see many organisations overthink this control. It is actually quite straightforward. You need to ensure that information security does not stop when an employee leaves or changes jobs. This guide explains exactly how to implement this control and what we expect to see during your audit.
Understanding Annex A 6.5
The full title of this control is Responsibilities after termination or change of employment. It sits within the People Controls section of the ISO 27001:2022 standard. The requirement is simple. You must define which security responsibilities remain valid after someone leaves your organisation or moves to a new role. You must also enforce and communicate these responsibilities.
Think of this as the “clean break” control. When a relationship ends or changes, the risk to your data often increases. An unhappy leaver might try to steal data. A mover might accidentally keep access to sensitive files they no longer need. This control puts a process in place to manage those specific risks.
Why this control matters to us
We care about this because people are your biggest risk. Most data breaches happen because of human error or malicious insider action. When someone leaves, they should not take your intellectual property with them. If they change roles internally, they should not accumulate access rights like a badge of honour. We want to see that you have a grip on your movers and leavers process.
How to implement it practically
You do not need expensive software to meet this requirement. You need good processes and clear documentation. Here is the step-by-step approach to getting it right.
Start with your contracts
Your employment contracts and contractor agreements are your first line of defence. You need to check that they include clauses that survive the termination of employment. These clauses should cover confidentiality, intellectual property, and data protection. If an employee leaves today, they must know they are still legally bound to keep your secrets.
Consult with your legal team or HR advisors here. Ensure your contracts explicitly state that confidentiality obligations continue indefinitely or for a set period after they leave. If it is not in writing, it is very hard to enforce.
Manage the Joiners, Movers, Leavers process
You likely already have a process for hiring people. You need an equally robust process for when they leave or change roles. In the industry, we call this the JML process. For Annex A 6.5, the “Movers” and “Leavers” parts are critical.
Create a checklist for leavers. This is not just an HR form. It is a security control. This checklist must ensure that all access is revoked on their last day. It should also track the return of all assets like laptops, phones, and access keys.
The mover scenario
Many people forget the “change of employment” part of this control. When a staff member moves from accounts to marketing, they likely do not need access to the payroll system anymore. You must have a process that triggers a review of their access rights. Remove the old access before or at the same time as granting the new access. Do not let rights pile up.
Communicate the responsibilities
It is not enough to have it in a contract. You must tell the person. When an employee hands in their notice, remind them of their obligations. You can do this during an exit interview or via a formal letter. Remind them they still have a duty of confidentiality. Ask them to confirm they have returned all data and have not kept any copies.
What we expect to see at your audit
When we come to audit you, we are looking for evidence. We do not just take your word for it. Here is what we typically ask for to verify Annex A 6.5.
Evidence of the process
We will ask to see your leaver procedure. We want to see the checklist you use. We will pick a sample of recent leavers and ask you to prove that their access was removed on time. If they left on Friday, but their account was still active on Tuesday, that is a nonconformity.
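The leaver check above (account still enabled after the last working day) and the mover review described earlier (old entitlements kept after a role change) can both be reconciled from an HR feed and a directory export. The following is an added example, not code from the original guide or from any toolkit it mentions; the HR records, directory export and role-to-group matrix are constructed sample data, and the field names are assumptions.

```python
from datetime import date

# Constructed HR feed: last working day (None if still employed), current role,
# and the role the person moved from (None if they never changed role).
HR = [
    {"user": "alice", "last_day": date(2024, 5, 3), "role": "finance", "prev_role": None},
    {"user": "bob", "last_day": None, "role": "marketing", "prev_role": "finance"},
    {"user": "carol", "last_day": None, "role": "engineering", "prev_role": None},
    {"user": "dave", "last_day": date(2024, 5, 3), "role": "sales", "prev_role": None},
]

# Constructed directory export: whether the account is enabled and its group memberships.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"payroll-ro", "finance-share"}},
    "bob": {"enabled": True, "groups": {"payroll-ro", "marketing-share"}},
    "carol": {"enabled": True, "groups": {"repo-write"}},
    "dave": {"enabled": False, "groups": set()},
}

# Constructed role-based access matrix: the groups each role is entitled to hold.
ROLE_GROUPS = {
    "finance": {"payroll-ro", "finance-share"},
    "marketing": {"marketing-share"},
    "engineering": {"repo-write"},
    "sales": {"crm-user"},
}


def check_leavers(hr, directory, today):
    """Leavers whose last day has passed but whose account is still enabled.

    Returns (user, days_overdue) pairs; each one is audit evidence of a gap.
    """
    findings = []
    for rec in hr:
        acct = directory.get(rec["user"])
        if rec["last_day"] and rec["last_day"] < today and acct and acct["enabled"]:
            findings.append((rec["user"], (today - rec["last_day"]).days))
    return findings


def check_movers(hr, directory, role_groups):
    """Current staff holding groups their present role is not entitled to.

    Catches access that accumulated across role changes (the 'mover' case).
    """
    findings = []
    for rec in hr:
        acct = directory.get(rec["user"])
        if rec["last_day"] or not acct:
            continue  # leavers are handled by check_leavers; unknown accounts skipped
        excess = acct["groups"] - role_groups.get(rec["role"], set())
        if excess:
            findings.append((rec["user"], sorted(excess)))
    return findings
```

Run against the sample data with a review date of Tuesday 7 May 2024, the check flags alice (left Friday, account still enabled four days later) and bob (moved from finance to marketing but still holds payroll-ro).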
Reviewing employment terms
We may ask to see a blank template of your employment contract. We are checking for those confidentiality clauses that apply post-employment. We might also check your contractor agreements for similar terms.
Asset return records
You should have a log showing that assets were returned. If a leaver had a laptop, show us the record that confirms it is back in your possession. If you let them keep the laptop, show us the evidence that it was wiped clean of corporate data first.

Common mistakes to avoid
We see the same issues come up repeatedly. Avoid these to save yourself a headache during the audit.
Relying on HR alone
HR teams are great, but they are not IT security experts. Often, HR will process a leaver but forget to tell IT until a week later. This gap is a security risk. Ensure your process forces HR and IT to talk to each other immediately.
Ignoring contractors
This control applies to everyone, not just full-time staff. If a contractor finishes their project, you must revoke their access and remind them of their confidentiality duties. Do not let third parties retain access “just in case” they come back.
The accumulation of access
As mentioned earlier, internal movers are often overlooked. We frequently find senior staff who have access to every department simply because they have worked in all of them over the last ten years. This breaks the principle of least privilege. Clean up access when roles change.
Making it work for you
Implementing Annex A 6.5 is about protecting your business interests. It ensures that when people move on, your data stays put. It creates a professional end to the working relationship and sets clear boundaries. If you need templates or more resources, you can find helpful toolkits on iso27001.com that align with these requirements.
