ISO 27001 Control 6.5: Responsibilities After Termination or Change of Employment

Former employees with active credentials are one of the most common audit findings in ISO 27001 surveillance audits. When security obligations end at the office door, confidential data walks out with the person. The employment contract ends, but the risk doesn’t — and Control 6.5 exists to close that gap. Getting this control right means building a process that connects HR, IT, and security into a single offboarding workflow, while ensuring that post-employment obligations are contractually enforceable long after the badge is returned.

What 6.5 Requires

ISO 27001 Annex A Control 6.5 requires organizations to define, communicate, and enforce information security responsibilities that remain in effect after employment ends or a role changes. It sits in Annex A clause 6 (People controls) of ISO/IEC 27001:2022, with implementation guidance in the matching clause of ISO/IEC 27002:2022, and its scope is broader than most teams realize.

The control covers three distinct scenarios: leavers who depart the organization entirely, movers who transfer to a different internal role, and external personnel whose contract or engagement ends. For each scenario, the organization must address confidentiality obligations, intellectual property protection, return of assets, and revocation of access rights.

The practical consequence is straightforward: without explicit post-employment obligations written into contracts and enforced through procedure, an organization has no legal or procedural basis to hold former staff accountable for mishandling information after they leave. Within any information security management system, Control 6.5 is what turns good intentions into enforceable requirements.

Why 6.5 Matters

Consider a scenario that plays out more often than most security teams admit. A software engineer leaves the company on good terms. HR processes the departure and closes the payroll file. But IT never receives the notification — or receives it late. Three weeks later, the former engineer still has VPN access, still has credentials to the staging environment, and still has read access to a shared drive containing client deliverables. No one notices until the next quarterly access review.

This is not a hypothetical edge case. According to Wing Security research, 63% of businesses may have former employees retaining access to organizational data. The gap between HR processing a departure and IT revoking access is exactly where breaches happen — not through sophisticated attacks, but through simple operational neglect.

The risk class here is insider threat, and the most common driver is not malice but negligence in offboarding. When organizations treat termination as an HR event rather than a security event, they create a window of exposure that grows wider with every departure.

The consequences extend beyond data exposure. Orphaned accounts are ideal targets for credential stuffing and password spraying: no legitimate owner is left to notice failed logins, unexpected MFA prompts, or password-reset emails, and the account still carries every entitlement the person had. Former employees with unrevoked access to SaaS platforms retain the ability to export customer lists, download proprietary documents, or modify configurations. In regulated industries, the failure to demonstrate timely access revocation can trigger compliance penalties independent of whether any data was actually compromised. The risk is both operational and legal, and it compounds with every departure that slips through the cracks.

What attackers exploit

The failure modes are predictable and well-documented:

  • Orphaned accounts — credentials that remain active after the person has left, creating persistent unauthorized access
  • Privilege creep — accumulated access rights from prior roles that are never revoked when someone moves to a new position internally, a risk closely tied to weak privileged access management
  • Unsecured handover — sensitive project data transferred informally between colleagues without an audit trail
  • Missing NDAs — no contractual basis to enforce post-employment confidentiality, leaving the organization without legal recourse
  • Delayed revocation — the gap between an employee’s last working day and actual access removal, sometimes stretching to weeks or months
  • Contractor blind spots — external personnel offboarded through a different process than employees, or through no formal process at all

Each of these failure modes maps to a requirement in NIST SP 800-53 Rev. 5 controls PS-4 (Personnel Termination) and PS-5 (Personnel Transfer), and every one represents a weakness that a motivated adversary, or a disgruntled former insider, can exploit.

How to Implement 6.5

Implementation requires coordination across HR, IT, security, and line management. The control cannot live in a single department. The most common failure pattern is siloed ownership: HR handles the resignation paperwork, IT handles system accounts, and no one owns the end-to-end process. Effective implementation means designing a single workflow that spans all three functions with clear handoffs, defined timelines, and accountability at each step.

For your organization (first-party)

1. Build a JML procedure. A Joiners/Movers/Leavers process is the operational backbone of Control 6.5 and a key item on any ISO 27001 implementation checklist. It should define triggers (resignation, termination, transfer, contract end), responsible parties, timelines, and escalation paths. HR initiates; IT executes access changes; security verifies.

2. Embed post-employment clauses in contracts. Employment contracts and engagement agreements must include clauses that survive termination: confidentiality obligations, intellectual property assignment, restrictions on data handling, and acknowledgment of ongoing security responsibilities. These clauses need specific durations (for example, confidentiality obligations lasting two years post-termination) and explicit scope covering the types of information protected. Vague language like “employee agrees to maintain confidentiality” without defining what is confidential or for how long is effectively unenforceable. Have legal counsel review these clauses to ensure they hold up in the jurisdictions where you operate.

3. Create an offboarding checklist. Every departure should trigger a structured process: access revocation across all systems (including SaaS platforms, VPN, email, cloud infrastructure, and shared credentials), rotation of any shared credentials, API keys, or service-account secrets the leaver knew (these cannot be revoked per identity, only changed), return of physical and digital assets, knowledge transfer documentation, and an exit interview that includes a security briefing reminding the departing employee of their ongoing obligations. The checklist should be owned by a single process owner, typically IT security or GRC, with task completion tracked and timestamped for audit evidence.

4. Address movers, not just leavers. Internal role changes are where privilege creep takes root. Before granting new permissions, conduct an access review of existing rights. Remove what the new role does not require. The principle of least privilege applies to lateral moves, not just new hires. A common blind spot: employees who move from a technical role to a management role often retain their original engineering-level access to production systems indefinitely. Treat every internal transfer as a partial offboarding followed by a fresh onboarding for the new role’s access requirements.

5. Automate deprovisioning where possible. Identity providers like Okta or Microsoft Entra ID can trigger automated deprovisioning workflows when an employee's status changes in the HR system. Automation reduces the gap between HR action and IT execution from days to minutes. For organizations using multiple SaaS platforms, SCIM (System for Cross-domain Identity Management) provisioning can propagate access changes across connected applications automatically. The key is ensuring your HR system is the authoritative source of employment status and that all downstream systems subscribe to its events. Two caveats apply: disabling a user in the IdP blocks new SSO logins but does not by itself end sessions, refresh tokens, or long-lived API keys already issued, so the workflow must revoke those explicitly; and SCIM only reaches applications that support it, so apps with local accounts need a periodic reconciliation of their user list against the HR roster.

6. Maintain evidence. Auditors will look for timestamped logs of access revocation, signed exit acknowledgments, asset return receipts, and records of access reviews for movers. If it is not documented, it did not happen.
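Steps 1 to 6 above describe one workflow. The following Python sketch is added here as an illustration and is not code from UpGuard or from any identity provider; it shows the core of that workflow: an HR status event drives the directory, a mover is reconciled to the new role's entitlement baseline (extras removed, missing ones added), a leaver is disabled and stripped of everything, and each action yields a timestamped evidence record for step 6. The role table, in-memory account store, and event shape are hypothetical stand-ins. The SCIM PatchOp body is the standard one from RFC 7644 section 3.5.2, which is what a SCIM-connected SaaS application receives when the IdP deactivates a user.

```python
"""JML (Joiners/Movers/Leavers) event handler. Added illustration: not
UpGuard's code and not the API of any identity provider. The role table,
directory store, and HR event shape are hypothetical; the SCIM PatchOp body
follows RFC 7644 s3.5.2."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical least-privilege baseline per role. A mover ends up with exactly
# the target role's set: partial offboarding, then fresh onboarding.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer":      {"vpn", "github", "staging-ssh", "prod-ssh", "shared-drive"},
    "eng-manager":   {"vpn", "github", "shared-drive", "hr-portal"},
    "contractor-qa": {"vpn", "staging-ssh"},
}
# Hypothetical: entitlements that are SaaS apps provisioned over SCIM. Here an
# entitlement means access to that app, so removing it means deactivating the
# user at the app. VPN/SSH would need their own connectors (out of scope).
SCIM_APPS = {"github", "shared-drive", "hr-portal"}


@dataclass
class Account:
    user_id: str
    role: str
    entitlements: Set[str]
    active: bool = True
    disabled_at: Optional[datetime] = None


@dataclass
class EvidenceRecord:
    """Timestamped record an auditor can tie back to the HR event."""
    user_id: str
    event: str
    timestamp: str
    removed: List[str]
    added: List[str]
    remaining: List[str]


def scim_deactivate_request(app: str, user_id: str) -> Tuple[str, str, dict]:
    """SCIM 2.0 PatchOp (RFC 7644 s3.5.2) setting active=false at the app.
    The hostname is a hypothetical placeholder."""
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "value": {"active": False}}],
    }
    return ("PATCH", f"https://{app}.example/scim/v2/Users/{user_id}", body)


def handle_hr_event(directory: Dict[str, Account], event: dict,
                    now: Optional[datetime] = None):
    """Apply one HR event. Returns (EvidenceRecord, list of SCIM requests).
    Leavers lose everything and are disabled; movers are reconciled to the
    new role's baseline; unknown event types fail closed."""
    now = now or datetime.now(timezone.utc)
    acct = directory[event["user_id"]]
    kind = event["type"]

    if kind == "leaver":
        removed = sorted(acct.entitlements)
        added: List[str] = []
        acct.entitlements = set()
        acct.active = False
        acct.disabled_at = now
    elif kind == "mover":
        target = ROLE_ENTITLEMENTS[event["new_role"]]
        removed = sorted(acct.entitlements - target)   # privilege creep goes here
        added = sorted(target - acct.entitlements)
        acct.entitlements = set(target)
        acct.role = event["new_role"]
    else:
        raise ValueError(f"unsupported HR event type: {kind!r}")

    scim_requests = [scim_deactivate_request(app, acct.user_id)
                     for app in removed if app in SCIM_APPS]
    record = EvidenceRecord(acct.user_id, kind, now.isoformat(), removed,
                            added, sorted(acct.entitlements))
    return record, scim_requests


if __name__ == "__main__":
    d = {"u1001": Account("u1001", "engineer", set(ROLE_ENTITLEMENTS["engineer"]))}
    rec, _ = handle_hr_event(d, {"type": "mover", "user_id": "u1001", "new_role": "eng-manager"})
    print("mover removed:", rec.removed, "added:", rec.added)
    rec, reqs = handle_hr_event(d, {"type": "leaver", "user_id": "u1001"})
    print("leaver removed:", rec.removed, "SCIM deactivations:", len(reqs))
```

The mover branch is the part most real workflows get wrong: it computes the difference against the new role's baseline rather than only adding what the new role needs, so the engineer who becomes a manager loses prod-ssh and staging-ssh instead of keeping them indefinitely. The evidence record captures removed, added, and remaining entitlements with the timestamp, which is exactly the artifact an auditor asks for when checking a transfer.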

Common mistakes to avoid:

  • Leaving email accounts active for auto-replies after departure — this keeps a live credential; block sign-in and keep the auto-reply through a shared mailbox or a forwarding rule instead
  • Having no process for movers — treating only leavers as an offboarding event
  • Relying on managers to manually request access removal instead of building automated triggers
  • Omitting post-employment clauses from contractor and vendor agreements
  • Running exit interviews that skip the security obligation reminder
  • Failing to revoke access to shared or service accounts that are not tied to individual identities

For your vendors (third-party assessment)

When assessing vendors against Control 6.5 as part of your third-party risk requirements, the questions should be specific and evidence-driven.

Key questions to ask:

  • Describe your offboarding process for employees who have access to our data.
  • Do employment contracts include post-termination confidentiality clauses?
  • What is your SLA for revoking access after termination?
  • How do you handle access changes when employees move between roles?

Evidence to request: A sample offboarding checklist, NDA template, redacted access revocation logs, and the JML procedure document. If the vendor claims automated deprovisioning, ask for a description of the workflow triggers and the identity provider used.

Red flags to watch for:

  • No formal offboarding process documented — reliance on ad hoc procedures
  • NDAs that do not explicitly survive termination, or that lack a defined post-employment duration
  • No defined SLA for access revocation — or an SLA measured in weeks rather than hours
  • The response “we handle it on a case-by-case basis,” which typically means no repeatable process exists
  • No distinction between employee and contractor offboarding — suggesting external personnel are an afterthought
  • Inability to produce a recent access revocation log when requested

Any of these suggests the vendor lacks the procedural maturity to protect your data after their personnel changes.

For verification, request evidence of a recent offboarding (redacted for privacy), confirm whether automated deprovisioning is in place, and review the vendor’s access review cadence. Ask specifically whether the vendor’s offboarding process covers SaaS applications with shared or service account credentials, since these are frequently missed even by organizations with otherwise mature JML workflows. Structuring this as part of your regular vendor risk assessments ensures coverage is consistent.

Audit Evidence for 6.5

Auditors verify three layers: that the policy exists, that procedures implement it, and that operational records prove it runs. A common mistake is preparing only the policy layer — writing a document that describes the process without producing the operational evidence that it actually executes. Passing the audit means producing artifacts across all three layers, with particular emphasis on timestamped records that prove the process ran for real departures.

Evidence type and example artifact:

  • Policy: Information Security Policy with a section on post-employment responsibilities
  • Procedure: JML (Joiners/Movers/Leavers) procedure defining offboarding steps, owners, and timelines
  • Contract clause: Employment contract template with surviving confidentiality and IP clauses
  • NDA: Signed non-disclosure agreement specifying post-termination duration and scope
  • Operational record: Access revocation log showing the timestamp of account disablement relative to the last working day
  • Asset register: Asset return receipt signed by the departing employee and verified against the asset inventory
  • Exit acknowledgment: Signed exit form confirming the employee was reminded of ongoing security obligations
  • Access review: Quarterly access review report showing movers had old permissions removed

The strongest evidence is operational: timestamped logs that demonstrate access was revoked on or before the employee's last day, not weeks later. Auditors will compare the termination date in HR records against the access revocation timestamp in your identity provider or directory service. ISO 27001 does not prescribe a number of hours; the auditor measures the gap against the timeframe your own JML procedure commits to, and a procedure that defines no target at all, or a pattern of revocations running days past the defined one, is what produces a finding. For movers, auditors look for evidence that old permissions were removed, not just that new ones were granted. For a broader view of what to expect, see this guide to ISO 27001 audit preparation.
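The comparison described above, HR termination date against the identity provider's revocation timestamp, can be scripted so the check runs before the auditor does it by hand. The following Python example is added here and is not taken from the page or from any vendor's audit tooling; the HR export, the IdP events, and the 24-hour target are constructed, hypothetical inputs, and the event names are generic stand-ins rather than a real Okta or Entra ID log schema. It classifies each leaver as ok, late, or orphaned against the procedure's own target and also counts logins after the last working day, which is the evidence of actual post-departure access that matters more than the gap itself.

```python
"""Leaver reconciliation: HR last-working-day vs IdP deactivation timestamp.
Added illustration, not UpGuard's code and not a vendor's export format.
All inputs below are constructed samples; REVOCATION_SLA stands in for
whatever the organization's own JML procedure defines."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REVOCATION_SLA = timedelta(hours=24)   # hypothetical target from the JML procedure

# Constructed sample HR leavers export (last working day, UTC).
HR_LEAVERS = [
    {"user": "alice", "last_day": "2024-03-01", "type": "employee"},
    {"user": "bob",   "last_day": "2024-03-04", "type": "employee"},
    {"user": "carol", "last_day": "2024-03-05", "type": "employee"},
    {"user": "dave",  "last_day": "2024-03-06", "type": "contractor"},  # never reaches the IdP
]

# Constructed sample IdP audit events (UTC); event names are generic stand-ins.
IDP_EVENTS = [
    {"ts": "2024-03-01T17:05:00Z", "user": "alice", "event": "user.deactivate"},
    {"ts": "2024-03-05T10:00:00Z", "user": "carol", "event": "user.login"},
    {"ts": "2024-03-09T08:00:00Z", "user": "carol", "event": "user.login"},  # after her last day
    {"ts": "2024-03-12T09:30:00Z", "user": "bob",   "event": "user.deactivate"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def end_of_last_day(day: str) -> datetime:
    """The revocation clock starts at the end of the last working day."""
    return datetime.strptime(day, "%Y-%m-%d").replace(
        hour=23, minute=59, second=59, tzinfo=timezone.utc)


def reconcile(hr_leavers: List[dict], idp_events: List[dict],
              sla: timedelta = REVOCATION_SLA,
              as_of: Optional[datetime] = None) -> List[dict]:
    """One finding per leaver: status ok/late/orphaned, gap in hours from the
    end of the last day to deactivation (negative = disabled early; for an
    orphaned account, hours it has been live since), and the number of logins
    after the last day while the account was still active."""
    as_of = as_of or max(parse_ts(e["ts"]) for e in idp_events)
    deactivated: Dict[str, datetime] = {}
    logins: Dict[str, List[datetime]] = {}
    for e in idp_events:
        ts = parse_ts(e["ts"])
        if e["event"] == "user.deactivate":
            # keep the earliest deactivation; a later re-enable is its own finding
            deactivated[e["user"]] = min(ts, deactivated.get(e["user"], ts))
        elif e["event"] == "user.login":
            logins.setdefault(e["user"], []).append(ts)

    findings = []
    for rec in hr_leavers:
        user, clock_start = rec["user"], end_of_last_day(rec["last_day"])
        disabled = deactivated.get(user)
        window_end = disabled or as_of
        post_logins = [t for t in logins.get(user, [])
                       if clock_start < t <= window_end]
        if disabled is None:
            status, gap = "orphaned", as_of - clock_start   # no revocation at all
        elif disabled - clock_start > sla:
            status, gap = "late", disabled - clock_start
        else:
            status, gap = "ok", disabled - clock_start
        findings.append({
            "user": user, "type": rec["type"], "status": status,
            "gap_hours": round(gap.total_seconds() / 3600, 1),
            "post_departure_logins": len(post_logins),
        })
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_LEAVERS, IDP_EVENTS):
        print(finding)
```

Run against the constructed data, alice is revoked before the end of her last day, bob is revoked a week late, carol is still active and has logged in after departure, and dave, a contractor, never appears in the IdP log at all, which is the contractor blind spot from the failure-mode list: an account that HR knows about and the identity system does not. Keying the join on the HR roster rather than on the IdP's user list is what makes that case visible.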

Cross-Framework Mapping

Organizations managing compliance across multiple frameworks can map Control 6.5 to equivalent controls elsewhere, reducing duplicate effort and streamlining audits. An ISO 27001 compliance questionnaire can help structure this mapping exercise.

Framework, equivalent control(s), and how fully they cover 6.5:

  • NIST SP 800-53 Rev. 5: PS-4 (Personnel Termination). Full
  • NIST SP 800-53 Rev. 5: PS-5 (Personnel Transfer). Full
  • SOC 2: CC6.2 (Prior to Issuing System Credentials; also requires credential removal when access is no longer authorized), CC6.3 (access authorized, modified, or removed based on roles, least privilege, and segregation of duties). Partial
  • NIST CSF 2.0: PR.AA-05 (access permissions, entitlements, and authorizations managed, enforced, and reviewed, within the Identity Management, Authentication, and Access Control category). Partial
  • CIS Controls v8: 6.1 (Establish an Access Granting Process) and 6.2 (Establish an Access Revoking Process) under Access Control Management; 5.3 (Disable Dormant Accounts) under Account Management also applies. Partial
  • DORA (EU): Article 9 (Protection and prevention), in particular Art. 9(4)(c) on policies and controls over access rights, elaborated in the RTS on the ICT risk management framework. Partial

NIST 800-53 PS-4 and PS-5 are the closest equivalents, covering personnel termination and transfer respectively with nearly identical requirements. PS-4 specifically mandates disabling system access within an organization-defined time period, terminating or revoking authenticators and credentials, retrieving organizational property, and conducting exit interviews, mirroring the procedural requirements of 6.5. PS-5 addresses the "movers" scenario, requiring review and adjustment of access authorizations when personnel transfer roles.

SOC 2 and CIS Controls address the access management dimension but do not explicitly require post-employment confidentiality obligations. DORA, the EU's Digital Operational Resilience Act, is relevant for financial sector organizations that need to demonstrate access-rights and personnel security controls as part of their ICT risk management framework. For organizations subject to multiple frameworks, implementing a strong 6.5 process provides evidence that satisfies overlapping requirements across all of these standards simultaneously.

Control 6.5 does not operate in isolation. It connects to a network of controls that collectively manage the employee lifecycle from a security perspective. Understanding these relationships helps you design an implementation that satisfies multiple controls through shared processes rather than building separate workflows for each.

Related Annex A controls and their relationship to 6.5:

  • 6.1 Screening: Pre-employment screening establishes the baseline that 6.5 protects post-employment
  • 6.2 Terms and Conditions of Employment: Defines the contractual obligations that 6.5 enforces after termination
  • 6.4 Disciplinary Process: Enforcement mechanism when post-employment obligations are violated
  • 6.6 Confidentiality or Non-Disclosure Agreements: The NDA instrument that operationalizes 6.5's confidentiality requirements
  • 5.10 Acceptable Use of Information and Other Associated Assets: Defines usage rules that must be communicated as surviving termination
  • 5.11 Return of Assets: Asset return process triggered during 6.5 offboarding
  • 5.18 Access Rights: Access provisioning and deprovisioning directly supports 6.5 implementation
  • 8.2 Privileged Access Rights: Privileged accounts require priority revocation under 6.5

Frequently Asked Questions

What is ISO 27001 6.5?

ISO 27001 Annex A Control 6.5 requires organizations to define and enforce information security responsibilities that continue after an employee leaves or changes roles. It covers confidentiality obligations, access revocation, asset return, and intellectual property protection for leavers, movers, and external personnel.

What happens if 6.5 is not implemented?

Without Control 6.5, organizations face audit nonconformities, orphaned accounts that create persistent security vulnerabilities, and no legal basis to enforce post-employment confidentiality. The control’s absence typically surfaces as a major finding during ISO 27001 certification or surveillance audits.

How do you audit 6.5?

Auditors review three evidence layers: policy documentation (post-employment responsibilities section), procedural evidence (JML procedure, offboarding checklists), and operational records (access revocation logs with timestamps, signed exit acknowledgments, asset return receipts). They verify that access removal happens promptly relative to the employee’s last working day.

How UpGuard Helps

UpGuard’s platform helps security teams monitor vendor offboarding practices and detect orphaned access risks across their third-party ecosystem. Continuous monitoring surfaces gaps in vendor personnel security controls before they become audit findings — giving you visibility into whether your vendors enforce the same termination security standards you maintain internally.
