August 7, 2024

ISO 27001:2022 Annex A Control 6.5: Responsibilities After Termination or Change of Employment

Annex A control 6.5 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 7.3.1


Control 6.5 requires organisations to define the information security responsibilities and roles that remain in effect after staff leave or are reassigned. These duties and responsibilities should be communicated to the employee and to any other relevant persons.

Any information entrusted to employees by their employers must be kept confidential, and it is vital that staff comprehend the requirements for protecting the organisation’s data.

The responsibilities of information security

Employers are generally entitled to expect their staff to safeguard confidential data. Data should never be shared or exploited for personal profit or used to sabotage the business.

Information security duties and responsibilities will likely include:

  • Treating the confidentiality of personal information as a top priority
  • Maintaining a log of how personal data is applied, managed and shared
  • Ensuring data accuracy and dependability by collecting from reliable sources and securely storing and disposing of data when necessary
  • Limiting data access to authorised individuals only
  • Only using and divulging personal data lawfully

Understanding Annex A control 6.5

Control 6.5 becomes relevant when an employee leaves the organisation: it safeguards the organisation’s information security interests when an employment contract changes or is terminated.

The purpose of control 6.5 is to protect the organisation against employees taking advantage of their access to confidential data and processes for malicious intent or personal gain, especially after leaving the organisation or role.

Meeting the requirements of control 6.5

The control covers employees, contractors and third parties with access to sensitive data. Measures must be taken to ensure people don’t maintain access to personal data after leaving the organisation.

Employment contracts or agreements must specify any information security responsibilities and duties that are still in place after the conclusion of the role within the organisation. Upon leaving the role or organisation, all security responsibilities must be transferred, and all access credentials must be replaced or deleted.

What’s changed since 2013?

Control 6.5 replaces 2013’s Annex A control 7.3.1, so the two controls are very alike. However, the 2022 version provides more detailed guidance on how to implement the control.

The 2022 version also uses more user-friendly language to make control 6.5 as accessible as possible, and it includes a statement of purpose and an attributes table for each control, making the controls easier to understand and implement.
