ISO 27001:2022 A.6.5 Responsibilities after termination or change of employment

This article provides additional information on how you can meet the requirements of ISO 27001:2022 A.6.5 Responsibilities after termination or change of employment.

ISO 27001:2022 Control Description

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.

Purpose

To safeguard the organisation’s interests during the process of changing or terminating employment or contracts.

Guidance on implementation

The process for managing termination or changes in employment should specify which information security responsibilities and duties continue to be valid after termination or change.

This may include the confidentiality of information, intellectual property, and other knowledge acquired, as well as responsibilities outlined in any confidentiality agreements. Responsibilities and duties that remain in effect after termination of employment or contract should be specified in the individual’s terms and conditions of employment, contract, or agreement. Other contracts or agreements that extend for a defined period after the end of employment may also include information security responsibilities.

Changes in responsibility or employment should be managed as the cessation of the current role or employment combined with the initiation of the new role or employment.

Information security roles and responsibilities held by any individual who leaves or changes job roles should be identified and reassigned to another individual.

A process should be established to communicate the changes and operational procedures to staff, other interested parties, and relevant contact persons (e.g. customers and suppliers).

The process for managing termination or change of employment should also be applied to external parties (i.e. suppliers) when their contract or role with the organisation is terminated, or when there is a change in their role within the organisation.

Other Information

In many organisations, the Human Resources function is generally responsible for overseeing the termination process and works together with the supervising manager of the individual transitioning to manage the information security aspects of the relevant procedures. For staff provided through an external party (e.g. a supplier), this termination process is managed by the external party in accordance with the contract between the organisation and the external party.