
ISO 27001 Control 6.5: Responsibilities After Termination or Change of Employment

Ensuring the protection of organisational assets and sensitive information during and after employment transitions is a critical aspect of information security.


ISO 27001's Control 6.5 sets out how responsibilities should be managed when employment ends or changes, with the aim of preserving the confidentiality, integrity, and availability of information. This article examines the measures organisations should implement to safeguard their interests.


Purpose of Managing Responsibilities

The primary purpose of defining responsibilities after employment termination or change is to:

  • Protect the organisation's intellectual property, sensitive information, and overall security posture.

  • Clearly communicate the enduring responsibilities to personnel and other interested parties.

  • Ensure compliance with relevant agreements and contracts.


Key Components of an Effective Process


1. Defining Ongoing Responsibilities

Organisations must identify which information security responsibilities and duties remain valid post-employment. These can include:

  • Confidentiality Obligations: Protection of proprietary and sensitive information.

  • Intellectual Property Rights: Respect for ownership of organisational materials developed during employment.

  • Contractual Commitments: Adherence to agreements such as non-disclosure clauses.


2. Formalising in Employment Terms

Responsibilities that continue after termination should be explicitly stated in:

  • Employment contracts or agreements.

  • Confidentiality or non-disclosure agreements (NDAs).

  • Any other relevant contractual documents.


3. Handling Role Transitions

When personnel move to a new role within the organisation, the responsibilities of the previous role should be formally ended and transferred to another individual rather than being retained informally. This process includes:

  • Identifying the information security duties tied to the previous role.

  • Revoking the access rights and resources tied to the previous role and reassigning them to the successor, so that the individual does not retain access they no longer need.

  • Documenting and communicating the changes internally and externally (e.g., to customers or suppliers).


4. Applying Processes to External Personnel

For external personnel, such as contractors or suppliers, the termination or change process should align with the terms outlined in their contracts. Responsibilities related to information security must be addressed by the external party, in compliance with their agreement with the organisation.


Additional Considerations


Communication and Awareness

Clear communication of changes is vital. Organisations should:

  • Inform relevant stakeholders, including personnel, external parties, customers, and suppliers, about role changes or terminations.

  • Provide updated operating procedures and contact points as necessary.


Collaboration with Human Resources

Human resources typically owns the overall termination or role-change process. HR should work closely with line managers and the information security team on the security-specific aspects, ensuring:

  • Proper revocation of access rights.

  • Retrieval of organisational assets (e.g., devices, keycards).

  • Ongoing adherence to confidentiality agreements.


Confidentiality of Disciplinary Actions

Where applicable, organisations must ensure the identity of individuals subject to any post-employment actions remains confidential, in compliance with relevant regulations.


Positive Reinforcement

While managing transitions, organisations can foster goodwill by recognising and rewarding employees who have demonstrated exceptional information security practices during their tenure.


Implementation Steps

  1. Establish Clear Policies: Develop and document policies that outline information security responsibilities during and after employment.

  2. Incorporate Responsibilities in Agreements: Ensure enduring responsibilities are included in employment and supplier contracts.

  3. Communicate Expectations: Provide clear guidance to personnel and external parties about their ongoing obligations.

  4. Regularly Review Processes: Periodically assess termination and transition processes to identify improvements and ensure compliance with evolving standards.


Final Thoughts

Managing responsibilities after termination or change of employment is essential to preserving the organisation’s security and reputation. By implementing a structured approach, organisations can minimise risks, uphold compliance, and foster a culture of accountability.


Consistent communication and collaboration across departments will ensure smooth transitions and continued protection of organisational interests.


About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.