A.6.5 — Are responsibilities and duties on termination/change of employment documented and applied?
Demonstrate that responsibilities and duties related to termination and role changes are documented, consistently applied, and verifiable through records and evidence of execution.
Description
What this control does
This control requires that when an employee's role changes or their employment ends, every security-related duty that follows from the change (revoking logical and physical access, recovering assets, handing over work and secrets, and confirming that confidentiality obligations continue after exit) is formally documented and carried out the same way every time. Organizations typically maintain a termination checklist shared by HR, line management and IT, link it to the HR and IT workflows so that the HR event triggers the IT actions, and record the completion date of each step so that no access right outlives its owner's departure and no asset or data leaves unaccounted for. Applied consistently, the control shortens the window in which a departing insider, or anyone holding their still-valid credentials, can act, and it keeps operations running through personnel transitions.
Control objective
What auditing this proves
Demonstrate that responsibilities and duties related to termination and role changes are documented, consistently applied, and verifiable through records and evidence of execution.
Associated risks
Risks this control addresses
- Terminated employees retain logical access to systems, data, or facilities beyond their last day, enabling unauthorized data exfiltration or sabotage
- Unreturned corporate assets (laptops, tokens, keycards) are used to access sensitive information or impersonate the organization
- Departing employees fail to hand over critical knowledge, or are the sole holders of cryptographic keys, service-account passwords or signing credentials that are neither transferred nor rotated, causing operational disruption or data loss
- Role changes grant excessive privileges without revoking prior entitlements, leading to privilege creep and segregation-of-duties violations
- Confidentiality and non-disclosure obligations are not reinforced upon exit, increasing the risk of intellectual property theft or competitive harm
- Accounts and credentials remain active in third-party SaaS platforms, cloud tenants, or partner systems after contract termination
- Lack of formal handover processes causes loss of institutional knowledge, undocumented configurations, or unmonitored systems
Testing procedure
How an auditor verifies this control
- Obtain the organization's termination and role-change policy, including documented responsibilities, checklists, timelines, and approval workflows.
- Retrieve a sample of recent terminations (at least 5-10 within the past 12 months) and role changes (at least 3-5) from HR records or ticketing systems.
- For each sampled termination, obtain the termination effective date (the last working day) from HR and compare it to the timestamp of account disablement or deletion in identity management systems (Active Directory, IAM, SSO audit logs); flag every case where revocation happened later than the timeline the policy defines, and every account that was never disabled at all.
- Review evidence of physical asset return, including signed asset custody forms, device wipe logs, or inventory reconciliation records for laptops, badges, and tokens.
- Validate that exit interviews or formal acknowledgments of confidentiality obligations were conducted and documented, with signatures or electronic confirmations.
- For role-change samples, inspect access review logs or provisioning tickets to confirm that old entitlements were removed and new ones granted according to the principle of least privilege.
- Cross-check active accounts in critical systems (email, file shares, databases, VPNs, and the SaaS and cloud tenants named in the risks above) against the current employee and contractor roster to identify orphaned accounts (the owner has left), stale accounts (no logon within the review period), and enabled accounts with no identifiable owner.
- Interview HR and IT personnel to assess whether termination checklists are consistently applied, exceptions are logged, and delays are escalated for remediation.
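The roster-versus-directory reconciliation and the revocation-lag comparison in the steps above are easy to script once both exports are in hand. The following is an added example, not part of the original page or of any audit tool: it assumes a simplified CSV export from HR (employee id, status, last day) and from the identity system (username, owning employee id, system, enabled flag, disable date), a policy window of one day after the last working day, and constructed sample rows. Real exports will need their own column mapping, but the checks (still enabled after termination, disabled too late, enabled with no owner, no recorded disable date) are the ones an auditor is looking for. A small helper for the role-change test is included as well: it lists entitlements a mover still holds beyond the baseline of the new role.

```python
import csv
import io
from datetime import date

# Constructed HR export (not real data). last_day is empty for current staff.
HR_ROSTER = """\
employee_id,name,status,last_day
E100,Alice,active,
E101,Bob,terminated,2024-03-15
E102,Carol,terminated,2024-03-20
E103,Dave,terminated,2024-04-01
"""

# Constructed IAM export (not real data). disabled_on is empty while enabled.
IAM_ACCOUNTS = """\
username,employee_id,system,enabled,disabled_on
alice,E100,vpn,true,
bob,E101,vpn,false,2024-03-15
bob,E101,email,false,2024-03-22
carol,E102,fileshare,true,
dave,E103,email,false,2024-04-01
svc-backup,,db,true,
"""

# Assumed policy window: access must be removed no later than one day after last_day.
REVOCATION_SLA_DAYS = 1


def _load(text):
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def reconcile_terminations(hr_text=HR_ROSTER, iam_text=IAM_ACCOUNTS,
                           sla_days=REVOCATION_SLA_DAYS):
    """Return (username, system, finding, lag_days) for every account that
    fails the termination check.

    Finding kinds:
      orphaned        - owner is terminated but the account is still enabled
      late-revocation - account disabled more than sla_days after last_day
      no-owner        - enabled account whose employee_id is not on the roster
      no-disable-date - disabled, but the directory holds no date to compare
    """
    roster = {row["employee_id"]: row for row in _load(hr_text)}
    findings = []
    for acct in _load(iam_text):
        enabled = acct["enabled"].strip().lower() == "true"
        owner = roster.get(acct["employee_id"])
        if owner is None:
            # Service accounts and unmapped users: only a problem while enabled.
            if enabled:
                findings.append((acct["username"], acct["system"], "no-owner", None))
            continue
        if owner["status"] != "terminated":
            continue
        last_day = _parse_date(owner["last_day"])
        if enabled:
            findings.append((acct["username"], acct["system"], "orphaned", None))
            continue
        disabled_on = _parse_date(acct["disabled_on"])
        if disabled_on is None:
            findings.append((acct["username"], acct["system"], "no-disable-date", None))
            continue
        lag = (disabled_on - last_day).days
        if lag > sla_days:
            findings.append((acct["username"], acct["system"], "late-revocation", lag))
    return findings


def retained_entitlements(current, target_role_baseline):
    """Entitlements a mover still holds beyond the baseline of the new role.
    Each one is a privilege-creep candidate that needs a documented approval
    or a removal ticket."""
    return sorted(set(current) - set(target_role_baseline))


if __name__ == "__main__":
    for username, system, kind, lag in reconcile_terminations():
        extra = f" ({lag} days late)" if lag is not None else ""
        print(f"{kind:16} {username}@{system}{extra}")
    # Constructed mover: kept a finance approval right after moving to engineering.
    print(retained_entitlements(
        current={"github-write", "jira-user", "sap-ap-approve"},
        target_role_baseline={"github-write", "jira-user"}))
```

Run against the constructed rows this reports Bob's mailbox as revoked seven days late, Carol's file-share account as orphaned, and the service account as enabled with no owner; Dave and Bob's VPN account pass because they were disabled on the last working day. In a real engagement the two inputs come from the HR system and from each directory or SaaS tenant in scope, and the SLA should be whatever the policy retrieved in the first step actually says.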