What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 6.5

ISO 27001 Annex A 6.5 - what changed in the 2022 update

When an employee or contractor leaves your company, they don’t just leave behind their desk and their favourite coffee mug; they leave with a head full of company secrets, processes, and potentially, active access to your most sensitive data. In the shift from ISO 27001:2013 to the 2022 update, the way we handle these departures was refined and moved into a more strategic category. This is now known as Annex A 6.5: Responsibilities after termination or change of employment.

The Evolution from 7.3.1 to 6.5

In the older ISO 27001:2013 standard, this control was numbered 7.3.1. It lived in the “Human Resources Security” domain, often making it feel like a “one-and-done” checklist for the HR department to tick off during an exit interview. While it was functional, it was sometimes siloed away from the broader security strategy.

In the 2022 update, this has been reclassified as Annex A 6.5 and moved into the People Controls theme. This move is significant. According to the experts at Hightable.io, reclassifying this as a “People Control” elevates the offboarding process to a core security function. It reminds us that security responsibilities don’t vanish the moment a contract ends; they simply transition into a new phase of enforcement.

What is the Core Objective of Annex A 6.5?

The goal remains constant: to protect the organisation’s interests during and after the process of changing or terminating employment. This applies to employees, contractors, and third-party users. The 2022 standard is very clear that these responsibilities must be defined, communicated, and enforced.

Common examples of these ongoing duties include:

  • Maintaining the confidentiality of proprietary information and trade secrets.
  • Abiding by intellectual property rights and non-compete clauses.
  • Returning all physical and digital assets belonging to the company.
  • Remaining available for a transition period to hand over critical knowledge or credentials.

Key Differences and New Requirements

If you are transitioning from the 2013 version, you will notice that the 2022 update brings a more holistic and risk-adaptive approach to post-employment security. Here is what has changed in practice:

  • The “Movers” are Just as Important as the “Leavers”: While the 2013 version touched on it, the 2022 update places a much heavier emphasis on change of employment. If an employee moves from the Finance department to Marketing, their old access must be revoked just as strictly as if they had left the company entirely.
  • Legal and Contractual Alignment: The 2022 version explicitly links Annex A 6.5 with your legal obligations. Hightable.io points out that your employment contracts must now be robust enough to be legally enforceable long after the person has walked out the door. This often requires closer collaboration between Security, HR, and Legal teams than was required in 2013.
  • Modernised “Attributes”: The 2022 standard introduces attributes for better control management. Control 6.5 is now officially tagged as a Preventive control. This helps you demonstrate to auditors that your offboarding process isn’t just a reaction to someone leaving; it’s a proactive barrier designed to prevent data exfiltration or unauthorised access.

What Should Your Implementation Look Like?

To meet the 2022 requirements, your offboarding process needs to be more than just a handshake and a “good luck.” It should be a documented workflow that includes several key steps:

  1. Immediate Revocation: Access to all systems, cloud services, and physical premises should be cut off the moment the termination becomes effective.
  2. Asset Collection: Laptops, mobile phones, security tokens, and keys must be returned and logged.
  3. The Exit Interview: This is a crucial security step where you remind the individual of their ongoing confidentiality obligations and get them to sign a formal acknowledgement of these duties.
  4. Knowledge Transfer: Critical security information held by the individual (such as encryption keys or administrative passwords) must be securely transferred to a successor, and shared secrets they knew should be rotated.

Why the Transition to 6.5 Matters

The world has changed since 2013. With remote work and the “gig economy,” people are moving between jobs faster than ever. This creates a significant “insider threat” risk if departures aren’t managed correctly. ISO 27001:2022 Annex A 6.5 addresses this head-on by making post-employment security a formal, high-priority organisational process.

As suggested by Hightable.io, the best way to handle this transition is to treat your “Joiner-Mover-Leaver” (JML) process as a single, continuous security lifecycle. Don’t wait for an audit to find out that a former employee still has access to your CRM. By aligning your HR processes with the refined requirements of 6.5, you create a more resilient and professional security posture.
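One way to make the revocation step and the JML lifecycle above verifiable rather than assumed is a periodic reconciliation of the HR roster against live access grants. The script below is an added example, not from the article or from Hightable.io; its roster, systems and departments are constructed sample data, and it flags leavers whose access outlived their termination date, movers who kept their old department's entitlements, and accounts with no HR record at all.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Person:
    user: str
    status: str       # "active", "moved" or "left"
    department: str   # current department
    effective: date   # date the status/department change took effect


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    department: str   # department that owns the entitlement


# Constructed sample HR roster (not real people or systems).
HR = [
    Person("alice", "active", "Finance", date(2021, 3, 1)),
    Person("bob", "moved", "Marketing", date(2024, 5, 1)),    # Finance -> Marketing
    Person("carol", "left", "Engineering", date(2024, 6, 15)),
]

# Constructed sample access grants as exported from the systems.
GRANTS = [
    Grant("alice", "erp", "Finance"),
    Grant("bob", "erp", "Finance"),        # stale: mover kept old department access
    Grant("bob", "crm", "Marketing"),
    Grant("carol", "vpn", "Engineering"),  # stale: leaver still has access
    Grant("dave", "crm", "Sales"),         # orphan: no HR record at all
]


def find_stale_access(hr, grants, today):
    """Return (user, system, reason) for every grant that should no longer exist."""
    people = {p.user: p for p in hr}
    findings = []
    for g in grants:
        p = people.get(g.user)
        if p is None:
            findings.append((g.user, g.system, "orphan: no HR record"))
        elif p.status == "left" and today >= p.effective:
            findings.append((g.user, g.system, "leaver: access still active"))
        elif p.status == "moved" and today >= p.effective and g.department != p.department:
            findings.append((g.user, g.system, f"mover: retains {g.department} access"))
    return findings


if __name__ == "__main__":
    for user, system, reason in find_stale_access(HR, GRANTS, date(2024, 7, 1)):
        print(f"{user:6} {system:4} {reason}")
```

Changes that are not yet effective produce no finding, so the same check can run daily and only fires once the termination or move date has actually passed.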

Final Thoughts for Your ISO 27001 Update

While the jump from 7.3.1 to 6.5 might look like a simple renumbering, it’s an invitation to tighten your ship. Take this opportunity to review your contracts, update your exit checklists, and ensure your IT team is in lockstep with HR. In the era of ISO 27001:2022, a clean break is the only secure break.