The basics
ISO 27001 control A.6.5 Responsibilities after termination or change of employment requires companies to define which security duties remain valid after a person leaves the company or changes position within the company. This is done to avoid any unclear responsibilities after the change of a person’s status. It can be done by including security clauses in the termination agreements or in annexes.
Documentation
ISO 27001 control A.6.5 Responsibilities after termination or change of employment can be documented by adding security clauses that remain valid after termination to the agreements with personnel; this could also be documented through a Confidentiality Statement, Termination Agreement, etc.
These documents are not mandatory but are recommended for all companies.
Implementation
In order to comply with control A.6.5 Responsibilities after termination or change of employment, you might implement the following:
- Technology — the technology to enforce the responsibilities after termination or change of employment may include access to systems and social media that enable monitoring (within legal restrictions) of ex-employees’ activities after employment.
- Organization/processes — you should set up a process for defining which information security requirements must be enforced after termination or change of employment. You can document those processes by inserting security clauses into a Confidentiality Statement, Termination Agreement, or similar documents.
- People — make employees aware of why it is necessary to define responsibilities that must be kept after termination or change of employment, train HR personnel on how to include them in the proper documentation, and make personnel aware of such requirements during the termination process.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.6.5 Responsibilities after termination or change of employment: whether the security duties that must be kept after a person leaves the company (or changes position) are identified, enforced, and communicated.