What to consider in case of termination or change of employment according to ISO 27001
As relationships between people and organizations evolve, it is natural for work situations to change. Concluded contracts lead to termination of employment relationships, and opportunities or gaps in roles or functions lead people to relocate to new positions.
While organizations normally have processes to accommodate people in these new situations, the status of the knowledge and information these people accessed to perform their duties is often neglected, which may pose unacceptable risks to the business.
This article will present how ISO 27001, the leading ISO standard for information security management, addresses alterations on human resources employment status, and how its practices can help your organization protect its information in these situations.
Why worry about people leaving your organization or changing positions?
Let’s start with the more obvious scenario: when someone leaves the organization.
A person who leaves the organization is not under its control anymore, so any asset or information that is under their possession cannot be identified or recovered, and there is no way to know if it was used or not (the most probable scenario is that the information is not confidential anymore).
The other scenario is subtler, but it may be more dangerous: when someone changes their position or role in the organization.
When someone leaves the organization, it is often more difficult, if not impossible, for them to have access to new information. On the other hand, when someone changes their position or role within the organization, they may start accumulating privileges from both the old and the new positions or roles.
Accumulated privileges may allow the employee to see sensitive information not meant for his eyes, or to perform actions that normally would not be available to him or would require a two-person action.
Handling termination and change of employment with ISO 27001
To avoid such information security risks that can bring significant impacts to the organization, ISO 27001 control A.7.3.1 – Termination or change of employment responsibilities, requires the application of practices such as:
- definition of responsibilities and duties that will remain after termination of employment, and for how long these have to remain
- regarding change of employment, definition of which access and privileges must be kept or revoked considering the new position or role and the access control policy; such adjustments should be performed before the person starts working in the new position, or as soon as possible
- communication, not only to the persons themselves, but also to other employees, customers, suppliers, and other interested parties, about the employment termination or change; in some cases, even competitors should be informed, so they can be aware that information provided by a person that left the organization may be sensitive and the organization may be legally actioned if they take advantage of it
- enforcement of defined responsibilities and duties by the use of confidentiality agreements and clauses on employment contracts (see the article What to consider in security terms and conditions for employees according to ISO 27001), as well as by performing periodic awareness sessions; in most cases, these preventive actions are very effective in minimizing such risks
It is important to note that such practices are to be applied not only to employees, but to contractors as well. The practices to be applied, and their level of detail or complexity, must be supported by the results of a risk assessment or applicable legal requirements, considering the sensitivity of information involved. See the article 6-step process for handling supplier security according to ISO 27001 to learn more.
Internally to the organization, the human resources function, together with direct managers, should ensure that such practices are effectively implemented. This is a two-person responsibility, because while human resources are often responsible for policies and procedures involving employees, direct managers know which systems and information must be protected for each role.
In case of outsourced personnel, these practices should be enforced by the external parties responsible for them, by means of contracts or service agreements signed between your organization and these external parties.
When people leave, do not leave doors open
Cases where it has been identified that sensitive information was disclosed by former employees who started working for competitors, or that employees with excessive privileges were caught committing fraud, are not difficult to find on the Internet.
The lack of control over how people must handle information when they leave the organization, or when they move from one position to start a new one, is generally the root cause of such cases, and organizations should start paying attention to prevent such incidents from happening to them.
By adopting ISO 27001 practices to properly terminate work relationships and change employee roles in an organized way, organizations can implement robust preventive actions that can both minimize the risks of information being compromised, as well as provide a basis to minimize the impacts of such occurrences.
Learn more about human resources security in this free online training: ISO 27001 Foundations Online Course.