ISO 27001 Annex A 6.5 Responsibilities After Termination Or Change Of Employment

ISO 27001 Annex A 6.5 asks you to make sure that security duties are still valid even after an employee stops working for you. You need to have these duties clearly stated, shared with people, and enforced.

This is usually handled by including a term in your employment agreements that explains what you expect an employee to do when they leave the company or move to a new position.

What is ISO 27001 Annex A 6.5?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Responsibilities After Termination Or Change Of Employment”.

What is the ISO 27001 Annex A 6.5 control objective?

The formal definition and control objective in the standard is: “Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.”

What is the purpose of ISO 27001 Annex A 6.5?

The purpose of ISO 27001 Annex A 6.5 is “to ensure that you are protecting the organisation even after someone leaves.”

Is ISO 27001 Annex A 6.5 Mandatory?

ISO 27001 Annex A control 6.5 (Responsibilities After Termination Or Change Of Employment in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 6.5 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. You need to make sure a few things are true:

  • Your job contracts must include rules about information security.
  • These rules should say what happens with information security after someone leaves your company.
  • You must talk to a human resources expert.
  • You must talk to a legal expert.
  • The contracts must be in place, signed, and something you can enforce legally.

Responsibilities That Continue

Even after someone leaves their job, some of their information security duties remain. While these duties change based on the company and the person’s role, common duties include:

  • Keeping company information private.
  • Giving back all things that belong to the company.
  • Not sharing private details with people who should not see them.

Handling Job Changes and Endings

When an employee who knows private information changes jobs or leaves the company, you should take these steps:

  • Remove the employee’s access to all company computer systems, networks, and data.
  • Get back any company items the employee has.
  • Hold a final meeting with the employee to talk about any concerns regarding the private information they had access to.
  • Review system and access logs for any unusual activity, or for times when data may have been exposed, during the period the employee had access.
  • Change any shared passwords, codes, and keys that the employee knew.
  • Check access granted through outside groups (suppliers and service providers) to make sure the former employee can no longer see private information through them.
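The offboarding steps above are easy to state and easy to miss in practice, especially the third-party accounts and the shared secrets a person simply knew. The script below is an added example, not part of this page or of the ISO standard, that turns the steps into a check you can run: it lists accounts still active for the departed employee (flagging supplier-hosted ones), lists shared secrets they knew that were not rotated after the termination date, and scans log lines for activity in their name after that date. The employee identifier, usernames, systems, secrets and log lines are all constructed for the example; the log format is assumed to be a timestamp followed by `system action user=…`.

```python
"""Offboarding verification for ISO 27001 Annex A 6.5 style leaver checks.

Added example with constructed data: verifies access revocation, shared-secret
rotation and absence of post-termination activity for one departed employee.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Account:
    system: str          # e.g. "ad", "vpn", "payroll-saas"
    username: str
    owner: str           # employee identifier the account is assigned to
    active: bool
    third_party: bool = False   # hosted by a supplier, so revocation goes through them


@dataclass
class SharedSecret:
    name: str
    known_by: frozenset              # employee identifiers who were told the secret
    rotated_at: Optional[datetime]   # last rotation, None if never rotated


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed inventory for hypothetical employee E123 (username jdoe), who left on 2024-03-10.
TERMINATION = _ts("2024-03-10T17:00:00Z")
ACCOUNTS = [
    Account("ad", "jdoe", "E123", active=False),
    Account("vpn", "jdoe", "E123", active=True),
    Account("payroll-saas", "j.doe@example.com", "E123", active=True, third_party=True),
    Account("ad", "asmith", "E456", active=True),
]
SECRETS = [
    SharedSecret("db-prod-admin", frozenset({"E123", "E456"}), rotated_at=_ts("2024-03-11T09:00:00Z")),
    SharedSecret("office-alarm-code", frozenset({"E123"}), rotated_at=None),
    SharedSecret("wifi-guest", frozenset({"E456"}), rotated_at=None),
]
# Constructed log lines in an assumed "<timestamp> <system> <action> user=<name> ..." format.
LOG_LINES = [
    "2024-03-08T10:02:11Z ad logon user=jdoe result=success",
    "2024-03-11T08:30:45Z vpn connect user=jdoe src=198.51.100.23",
    "2024-03-12T14:05:00Z ad logon user=asmith result=success",
    "malformed line without a timestamp",
]

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+user=(\S+)")


def remaining_access(accounts, employee):
    """Accounts still active for the employee; third-party ones must be chased with the supplier."""
    return [(a.system, a.username, a.third_party)
            for a in accounts if a.owner == employee and a.active]


def secrets_needing_rotation(secrets, employee, termination):
    """Shared secrets the employee knew that were not rotated after the termination date."""
    return [s.name for s in secrets
            if employee in s.known_by and (s.rotated_at is None or s.rotated_at <= termination)]


def activity_after_termination(log_lines, usernames, termination):
    """Log lines naming one of the employee's usernames with a timestamp after termination."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # lines that do not fit the expected format are skipped, not trusted
        ts, user = _ts(m.group(1)), m.group(4)
        if user in usernames and ts > termination:
            hits.append(line)
    return hits


def offboarding_report(employee, accounts, secrets, log_lines, termination):
    """Combine the three checks; 'complete' is True only when every list is empty."""
    usernames = {a.username for a in accounts if a.owner == employee}
    report = {
        "open_access": remaining_access(accounts, employee),
        "rotate": secrets_needing_rotation(secrets, employee, termination),
        "post_termination_activity": activity_after_termination(log_lines, usernames, termination),
    }
    report["complete"] = not any(report.values())
    return report


if __name__ == "__main__":
    for key, value in offboarding_report("E123", ACCOUNTS, SECRETS, LOG_LINES, TERMINATION).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report shows the VPN and payroll accounts still open, the alarm code still unrotated (the database credential was rotated the day after termination, so it passes), and one VPN connection in the leaver's name after the termination date, which is exactly the kind of finding the log review step is meant to surface. In a real environment the inventory would come from your identity provider and supplier account lists, and the log lines from your SIEM export.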

Who Manages the Job Ending

Usually, the human resources department manages the process of someone leaving. However, sometimes the employee’s manager or supervisor might handle it.

Changing Roles and Duties

When someone leaves, their work duties should be formally handed over to someone else. Failing to hand over vital tasks is a common mistake, and it means important work may be missed or forgotten.

Rules for Outside People

These same rules apply to your suppliers and people from outside your company. You manage this through the contracts you have with them.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

1. Employment Contracts

The auditor will review your standard contract to confirm that it includes the right language about information security and about what must happen when someone leaves the company. If the standard contract looks correct, they might ask to see examples of current employee contracts to make sure your actual agreements follow the template and meet the necessary rules.

2. Legal Enforceability

The auditor might check that your contracts and their security rules are legally sound. While this is unlikely, they could check that your agreements are enforceable in court and not just something you created without professional help.

3. Awareness of Responsibilities

The auditor will check that you have written procedures and specific policies for the different security topics, that you have shared them with people, and that everyone has been trained on what is expected of them. For employees who are leaving, the auditor will check that reminding them of these continuing responsibilities is part of your Human Resources process for when staff members depart.