
ISO 27001 A.6.5: Responsibilities after termination or change of employment

What This Control Requires

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.

In Plain Language

When someone leaves your organisation, their NDA does not expire at the door. Certain security responsibilities, especially around confidentiality, continue well beyond their last day. This control makes sure those obligations are clearly defined, communicated, and enforceable. Post-termination responsibilities typically include ongoing confidentiality under non-disclosure agreements, a prohibition on using proprietary information gained during employment, intellectual property obligations, and any restrictions on competitive activities or data usage.

The same principle applies when people change roles internally. Access rights from the previous role need reviewing and adjusting, special security obligations should be formally transferred, and the individual needs reminding that confidentiality obligations around information from their former role still apply. Auditors regularly check whether internal movers retain access they no longer need.

How to Implement

Define the security responsibilities that survive after termination or a role change. Document them in employment contracts, confidentiality agreements, and the termination process. Key obligations include confidentiality of all information gained during employment, non-use of proprietary information and trade secrets, IP assignment for work created during employment, return of all organisational assets and information, and any non-compete or non-solicitation clauses.

Build a security component into your offboarding process. During exit, remind departing staff of their ongoing obligations. Run an exit interview covering:

  • confirmation that all information and assets have been returned
  • a reminder of confidentiality obligations with reference to the specific agreements they signed
  • removal of organisational data from personal devices
  • written acknowledgment of post-employment restrictions

For internal role changes, implement a managed transition. Review and revoke access rights that are not needed in the new role. Brief the individual on security requirements for their new position. Make sure sensitive information from the previous role does not inappropriately follow them. Document the transition and access changes.

Enforce post-employment obligations through proper legal mechanisms. Make sure confidentiality agreements are enforceable with appropriate durations. Include provisions for legal action in case of breach. Keep an eye out for potential violations, particularly when employees leave for competitors. Maintain records of all signed agreements and offboarding acknowledgments.

Handle contractors and third parties separately. Ensure service agreements define post-engagement obligations. Verify that organisational data is returned or destroyed, confirm all system access has been revoked, and get written confirmation of compliance.

Evidence Your Auditor Will Request

  • Documentation defining post-employment security responsibilities
  • Exit interview records showing security obligations were communicated
  • Confidentiality agreements with post-employment clauses signed by all personnel
  • Offboarding checklists showing access revocation and asset return for recent departures
  • Records of access modification when personnel change roles internally

Common Mistakes

  • Post-employment security obligations are not defined or communicated during the exit process
  • Confidentiality agreements do not specify a post-employment duration
  • No exit interview process to reinforce ongoing security obligations
  • Internal role changes do not trigger a review of access rights and security responsibilities
  • No mechanism for monitoring or enforcing post-employment obligations

Related Controls Across Frameworks

  Framework   Control ID   Relationship
  SOC 2       CC6.2        Partial overlap
  SOC 2       CC6.3        Partial overlap
  GDPR        Art. 32      Partial overlap

Frequently Asked Questions

Q: How long should post-employment confidentiality obligations last?

It depends on the information type and jurisdiction. General confidentiality obligations typically run 2-5 years after departure. Trade secret protection can be indefinite as long as the information still qualifies as a trade secret. Non-compete clauses are usually limited to 1-2 years depending on jurisdiction, and some jurisdictions restrict or ban them entirely. Get legal counsel to advise on what is appropriate and enforceable where you operate.

Q: What should the exit interview cover from a security perspective?

Cover the practical and the legal. On the practical side: return of all equipment, badges, and keys; removal of organisational data from personal devices; confirmation that no copies of company information are being retained. On the legal side: a clear reminder of their signed confidentiality agreements, how long those obligations last, and that the organisation will enforce them if necessary. Leave them with a contact for any post-departure questions about their obligations.
