What is ISO 27001 Annex A 6.5?
ISO 27001 Annex A 6.5 requires documented security responsibilities for staff leaving or changing roles. It ensures confidentiality duties continue after employment ends. This process must integrate into business-as-usual tools like Jira and SharePoint. It prevents data leaks and legal breaches during personnel transitions.
Auditor’s Eye: The Shortcut Trap
Automated SaaS compliance platforms frequently offer a “compliance dashboard” for leavers. That green status often lacks actual procedural evidence. Auditors want to see the specific Jira tickets that revoked access. We look for manual exit interview notes in your SharePoint repository. Reliance on “black box” software decouples security from your daily HR operations, and it suggests a lack of management ownership. If an auditor cannot see the audit trail in your native tools, you risk a non-conformity.
| 2013 Control Reference | 2022 Control Reference | Key Changes |
|---|---|---|
| 7.3.1 Termination or change of employment responsibilities | 6.5 Responsibilities after termination or change of employment | The requirement remains essentially identical. It emphasizes the continuity of security duties. |
How to Implement ISO 27001 Annex A 6.5 (Step-by-Step)
Implementation requires integrating security reminders into your existing HR offboarding process. You must use SharePoint and Jira to track every leaver. This ensures security remains a cultural habit during transitions; it is not a software installation. Answer-first: successful compliance requires a mandatory offboarding workflow in Jira, and that workflow must include a final legal reminder of confidentiality duties.
- Define Terms: Store confidentiality clauses in your SharePoint contract templates.
- Setup Workflows: Create a Jira project for all personnel changes.
- Automate Revocation: Link leaver tickets to IT tasks for account deletion.
- Conduct Briefings: Perform exit interviews and log them in SharePoint.
- Verify Return: Update the asset register when hardware is returned.
ISO 27001 Annex A 6.5 Audit Evidence Checklist
Auditors focus on manual records and internal document versions. These prove human oversight and intent. Use these items to satisfy your auditor.
- Employment contracts containing post-termination security obligations.
- Jira workflow history for recent leavers showing timely task completion.
- SharePoint folder containing signed exit interview certificates.
- Meeting minutes discussing the offboarding process performance.
- Records of physical asset returns logged in your internal wiki.
Relational Mapping
- Annex A 6.1: Screening of personnel.
- Annex A 6.2: Terms and conditions of employment.
- Annex A 5.10: Acceptable use of information and assets.
Auditor Interview
Auditor: How do you ensure leavers remember their security duties?
Manager: We use a mandatory exit interview briefing. We record this in our SharePoint HR repository.
Auditor: Can you show me the last three leaver tickets?
Manager: Yes. Here are the Jira tickets showing access was revoked within one hour.
Common Non-Conformities
| Failure Mode | Description | Remediation Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS platform dashboard tick. No internal procedural evidence exists. | Move offboarding records to internal SharePoint and Jira systems. |
| Delayed Revocation | Staff keep access to systems days after leaving the business. | Link the Jira HR ticket to an automated IT revocation task. |
| Missing Reminders | The leaver never receives a reminder of their confidentiality duties. | Add a mandatory sign-off step in the SharePoint exit form. |
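The three failure modes above can be checked mechanically against your own leaver records before the auditor does it for you. The following is an added example, not code from the original page: it takes constructed records shaped like Jira leaver tickets (the field names, the one-hour revocation SLA taken from the interview above, and the sample data are all assumptions) and reports which tickets would show up as non-conformities.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed stand-in for a Jira leaver ticket; field names are assumptions,
# not Jira's own schema.
@dataclass
class LeaverTicket:
    key: str
    leaver: str
    termination_at: str                 # ISO 8601, when employment ended
    access_revoked_at: Optional[str]    # ISO 8601, when IT closed the revocation sub-task
    reminder_acknowledged: bool         # confidentiality reminder signed off in the exit form
    assets_outstanding: List[str] = field(default_factory=list)

REVOCATION_SLA = timedelta(hours=1)     # assumed target, from "within one hour" above

def check_ticket(t: LeaverTicket, sla: timedelta = REVOCATION_SLA) -> List[str]:
    """Return a list of findings, named after the failure modes in the table."""
    findings = []
    if t.access_revoked_at is None:
        findings.append("Delayed Revocation: no revocation sub-task closed")
    else:
        delay = datetime.fromisoformat(t.access_revoked_at) - datetime.fromisoformat(t.termination_at)
        if delay > sla:
            findings.append(f"Delayed Revocation: access removed {delay} after termination (SLA {sla})")
    if not t.reminder_acknowledged:
        findings.append("Missing Reminders: no confidentiality sign-off in exit form")
    if t.assets_outstanding:
        findings.append("Verify Return: assets outstanding " + ", ".join(t.assets_outstanding))
    return findings

def audit(tickets: List[LeaverTicket]) -> Dict[str, List[str]]:
    """Map ticket key -> findings, keeping only tickets that have at least one."""
    result = {}
    for t in tickets:
        findings = check_ticket(t)
        if findings:
            result[t.key] = findings
    return result

# Constructed sample tickets covering a clean leaver and the two failure modes.
SAMPLE_TICKETS = [
    LeaverTicket("HR-101", "A. Example", "2024-03-01T17:00:00", "2024-03-01T17:40:00", True),
    LeaverTicket("HR-102", "B. Example", "2024-03-01T17:00:00", "2024-03-04T09:15:00", False),
    LeaverTicket("HR-103", "C. Example", "2024-03-01T17:00:00", None, True, ["laptop"]),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_TICKETS).items():
        print(key, findings)
```

Point `SAMPLE_TICKETS` at an export of your real Jira project and the output is the list of tickets an auditor would raise against the table above.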
Frequently Asked Questions
What is the goal of ISO 27001 Annex A 6.5?
Bottom Line Up Front: The goal is protecting organisational information when staff leave. It ensures they remain legally bound by confidentiality terms. Use your internal document systems to track these obligations. This prevents unauthorised disclosure of sensitive data by former employees.
Who is responsible for the leaver process?
Bottom Line Up Front: Responsibility sits with HR and the Information Security Manager. They must collaborate using shared Jira workflows. This ensures technical access revocation matches legal documentation. Management must oversee the entire personnel transition lifecycle.
Should contractors follow the same process?
Bottom Line Up Front: Yes, contractors must be treated the same as permanent staff. Their contracts must include post-termination clauses in SharePoint. You must revoke their access via Jira tickets immediately. This creates a consistent security posture across the whole workforce.
