
Responsibilities after termination or change of employment

Annex A control 6.5 of ISO 27001:2022 maps to Annex A control 7.3.1 of ISO 27001:2013.

Control 6.5 requires organisations to define the information security roles and responsibilities that remain in effect after staff leave or are reassigned. These duties and responsibilities should be communicated to the employee and to any other relevant persons.

Any information entrusted to employees by their employers must be kept confidential, and it is vital that staff comprehend the requirements for protecting the organisation’s data.

The responsibilities of information security

Employers are generally entitled to expect their staff to safeguard confidential data. Data should never be shared or exploited for personal profit or used to sabotage the business.

Information security duties and responsibilities will likely include:

  • Making sure personal information confidentiality is of the highest importance
  • Maintaining a log of how personal data is applied, managed and shared
  • Ensuring data accuracy and dependability by collecting from reliable sources and securely storing and disposing of data when necessary
  • Limiting data access to authorised individuals only
  • Only using and divulging personal data lawfully

Understanding Annex A control 6.5

Control 6.5 becomes relevant when an employee leaves the organisation: it safeguards the organisation’s information security interests whenever an employment contract changes or is terminated.

The purpose of control 6.5 is to protect the organisation against employees taking advantage of their access to confidential data and processes for malicious intent or personal gain, especially after leaving the organisation or role.

Meeting the requirements of control 6.5

The control covers employees, contractors and third parties with access to sensitive data. Measures must be taken to ensure people don’t maintain access to personal data after leaving the organisation.

Employment contracts or agreements must specify any information security responsibilities and duties that are still in place after the conclusion of the role within the organisation. Upon leaving the role or organisation, all security responsibilities must be transferred, and all access credentials must be replaced or deleted.

What’s changed since 2013?

Because control 6.5 replaces 2013’s Annex A control 7.3.1, the two controls are very alike. However, the 2022 version goes into more detail when offering guidance on how to implement the control.

Control 6.5 also uses more user-friendly language to make it as accessible as possible, and the 2022 standard adds a statement of purpose and an attributes table for each control, making the controls easier to understand and implement.