Control Definition
The organization must define which information security responsibilities and duties stay in force after employment ends or a role changes, communicate those surviving obligations to the personnel and other interested parties they bind, and enforce them. In practice this means contract clauses that outlive the relationship, a deliberate reminder at exit or transfer, and the willingness to act on breaches.
Control Objective
To protect the organization's information beyond the employment relationship, by keeping confidentiality and related duties legally and practically in force when people leave or move roles.
What This Really Means
Most offboarding checklists obsess over what the company takes back: the laptop, the badge, the accounts. A.6.5 is about what walks out the door anyway — everything in the person's head and history: customer relationships, system architecture, pricing models, source-code knowledge, the contents of five years of email. You cannot revoke a memory, so the control asks you to bind it with obligations that are designed to outlive the badge.
In practice the control is three moves. First, define the surviving duties at hire, not at exit: employment and contractor agreements (A.6.2) should carry confidentiality that continues for a defined period after separation, intellectual-property assignment, and non-solicitation where local law allows it — clauses agreed when the relationship starts, because nobody negotiates new obligations on their way out. Second, re-communicate at exit: a written reminder during offboarding, listing exactly which duties survive, with a signed acknowledgment. Courts and auditors both discount obligations the person was never reminded of. Third, enforce: pair the legal duties with the operational teardown — asset return under A.5.11 and access revocation under A.5.18 — and be prepared to act, from a counsel letter to litigation, when a former employee breaches.
The half of this control almost everyone forgets is change of employment. A promotion or internal transfer is, for security purposes, an exit from the old role: its duties should be formally handed to a successor, access should be re-baselined to the new role rather than accumulated on top of the old, and the person should be reminded that information from the previous role — payroll data, M&A discussions, customer financials — stays confidential even though they still work for you. The classic failure is the employee who moved from finance to engineering two years ago and still holds payroll system access nobody remembers granting.
Auditors treat the chain of custody as the heart of this control: a contract clause that creates the surviving duty, an offboarding record showing it was communicated at exit, and revocation and return records showing the practical side happened on time. A beautifully drafted clause with no exit-stage evidence is treated as half an implementation — and they will sample recent leavers and movers to trace the chain end to end.
Why It Matters
Departing employees are one of the most reliable data-loss vectors an organization has. The pattern repeats across industries: sales staff export the CRM in their notice period, engineers take repositories or design documents to a competitor, and managers walk out with board packs in personal cloud storage. The window around resignation and termination concentrates risk precisely when attention to the person is winding down — and the only protections that work in that window are the ones put in place at hire and executed at exit.
Enforceability is built years before it is needed. A confidentiality clause signed at hire, re-communicated in a signed exit acknowledgment, backed by records of what was returned and when access was cut, gives counsel something to work with. Skip the middle step and the former employee's defense writes itself. And the duty does not end with your commercial secrets: personal data that leaves with a leaver is still your breach in the eyes of regulators, whoever carried it out.
Weak post-employment responsibility management leads directly to:
- Customer-list walkouts – departing sales and account staff take pipelines and contact books to competitors, and the organization discovers it has no communicated, enforceable basis to respond
- IP ownership disputes – missing or vague assignment clauses surface at the worst moments: funding due diligence, acquisition negotiations, or a former contractor claiming rights to shipped code
- Unenforceable confidentiality – obligations defined at hire but never re-communicated at exit collapse into "nobody told me" when tested
- Role-change privilege creep – movers accumulate access and knowledge across roles with no close-out, leaving old-department data exposed indefinitely
- Regulatory exposure – personal data leaving with a former employee remains the organization's reportable incident under DPDP, GDPR, or PDPL
Regional Compliance Context
India: Indian courts generally treat post-termination non-compete restraints as void restrictions on trade, while confidentiality and intellectual-property assignment obligations do survive and are enforceable — so build your protection on well-drafted confidentiality and IP clauses, not on non-competes copied from US templates. Narrowly scoped non-solicitation clauses fare better but are fact-dependent; take local counsel's view. Under the DPDP Act 2023 the organization remains the accountable data fiduciary for personal data a leaver mishandles, which makes prompt access revocation and recovery of data copies at exit a compliance matter, not just hygiene.
Gulf: Saudi and UAE labor frameworks permit post-employment non-compete and confidentiality restrictions, but only when limited in duration, geography, and scope — over-broad clauses risk being struck down entirely. Where the workforce is heavily expatriate, exits often mean the person leaves the country within weeks, so front-load the exit acknowledgment and asset recovery into the notice period rather than the final day.
Implementation Guidance
Define Surviving Obligations in Contracts at Hire
Work with counsel to embed the clauses that outlive employment: confidentiality continuing for a defined period after exit (with trade secrets protected for as long as they stay secret), IP assignment for work created in the role, return-of-property duties, and non-solicitation where lawful. Use jurisdiction-specific templates — enforceability varies sharply by country — and apply equivalent terms to contractors and their personnel via A.6.2 and supplier agreements.
Build a Leaver Checklist That Pairs Duties With Teardown
Create a single offboarding checklist owned by HR with named owners and deadlines for each item: written reminder of surviving obligations, exit acknowledgment signature, asset return (A.5.11), access revocation (A.5.18), and knowledge handover. One artifact, one timeline, every leaver — this checklist is the first thing auditors sample.
Re-Communicate Obligations at Exit in Writing
During offboarding, give the leaver a short letter listing exactly which duties survive — confidentiality, IP assignment, non-solicitation where applicable, and the duty to return or destroy organizational information — and capture a signed acknowledgment. If the person refuses to sign or is a no-show, record the delivery attempt; documented communication is the point, and it is also what makes later enforcement credible.
Treat Role Changes as Exit Plus Rejoin
Trigger a lighter version of the same process for internal transfers and promotions: close out the old role's responsibilities with a handover to a successor, re-baseline access to the new role instead of adding to the old (coordinate with A.5.18), and remind the person in writing that information from the previous role remains confidential. Route this through the joiner-mover-leaver process so transfers cannot bypass it.
Escalate Handling for High-Risk Departures
Define in advance which exits get enhanced treatment: terminations for cause, resignations to direct competitors, and anyone holding privileged access or crown-jewel knowledge. For these, suspend access at notification rather than on the last day where lawful, review recent activity logs and large data movements (DLP or egress reports for the prior 30-90 days), and involve legal early. Write the trigger criteria down so escalation is policy, not improvisation.
Extend the Process to Contractors and Third Parties
Contracts end too. Ensure supplier and contractor agreements impose surviving confidentiality on the individuals who worked with your information, require the supplier to confirm offboarding of their personnel from your systems, and run external accounts through the same leaver checklist. Third-party leavers are the population most often missed because no HR event fires for them.
Enforce, Sample, and Review
Track leaver-checklist completion and audit a sample quarterly: trace recent leavers and movers end to end, and reconcile active accounts in your identity provider against the HR leaver list. When a breach of surviving duties surfaces, act — a counsel letter early is cheaper than litigation late, and a pattern of non-response makes every clause weaker. Revisit clause wording with counsel when employment or data protection law changes.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.6.5:
Documentation
- Employment contract and NDA templates showing confidentiality, IP-assignment, and other clauses that expressly survive termination
- Completed leaver checklists for recent departures, with sign-offs, dates, and links to asset-return and access-revocation records
- Signed exit acknowledgment letters reminding leavers of surviving obligations (or recorded delivery attempts)
- Mover records for internal transfers showing role handover, access re-baselining, and confidentiality reminders
- A documented termination and change-of-employment procedure integrated with the HR joiner-mover-leaver process
Interviews
- HR manager about the offboarding flow, how surviving obligations are communicated at exit, and what happens with no-show leavers
- IT or IAM administrator about how termination notifications trigger access revocation and how quickly it happens
- A line manager who recently had a team member transfer roles, about how old-role duties and access were closed out
Observations
- A recent leaver traced end to end: HR notification, exit acknowledgment, asset return record, and access revocation timestamps
- The HRIS or ticketing workflow that automatically opens offboarding tasks when a leaver or mover event fires
- A live reconciliation of active directory or IdP accounts against the HR leaver list for the last quarter
Practitioner Insights

The pattern I keep finding: the lawyers wrote excellent surviving-confidentiality clauses years ago, and the actual exit is twenty minutes of laptop collection where none of it is mentioned. A year later the ex-employee is soliciting customers, and the file contains no exit acknowledgment, no reminder letter, nothing to show the obligation was ever communicated at separation. The fix costs one page: a standard exit letter listing what survives, signed during the final HR conversation and filed with the leaver checklist. Build it into the template once and every future exit produces its own evidence.

Certification auditors have learned to sample movers, not just leavers, because that is where this control quietly fails. The finding writes itself: an employee who transferred from finance to engineering two years ago still holds payroll access, and no record shows anyone reviewed it at transfer. Treat every internal move as a leave-and-rejoin in your joiner-mover-leaver process — old duties formally handed over, access rebuilt for the new role rather than accumulated. Then let your periodic access reviews under A.5.18 act as the backstop that catches whatever the transfer process missed.
Common Challenges & Solutions
Challenge
Exits happen suddenly — same-day resignations, terminations, no-shows — and the offboarding checklist runs late or not at all.
Solution
Automate the trigger: an HR status change opens the offboarding ticket and notifies IT without a human remembering to. Make access suspension the non-negotiable same-day step (it takes minutes and closes the biggest risk), then let asset recovery and paperwork complete within a defined window, commonly 5-10 working days. Track checklist completion as a metric so late runs are visible rather than silent.
Challenge
Surviving obligations exist in contracts but are never mentioned at exit, so leavers genuinely do not know what still binds them.
Solution
Add a standard exit acknowledgment letter to the offboarding pack: one page listing the surviving duties with the source clause references, signed in the final HR conversation. Give HR a short script so the conversation happens consistently, and file the signed copy with the leaver record. Where signature is refused, record that the letter was delivered — communication, not consent, is the requirement.
Challenge
Internal transfers accumulate access and nobody closes out the old role's duties.
Solution
Add a mover branch to the joiner-mover-leaver process: manager confirms handover of old responsibilities, IAM rebuilds access from the new role's profile instead of appending entitlements, and HR issues the old-role confidentiality reminder. Back it with quarterly access recertification under A.5.18, which catches the transfers that slip through. Auditors sample movers deliberately, so generate the records as the transfer happens.
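The reconciliation described under Enforce, Sample, and Review and the mover re-baseline check above, as an added example (not from ISO 27001 or any IdP or HRIS product): a script that compares a constructed HR leaver/mover feed against a constructed IdP export, flagging leavers still active past the revocation SLA and movers who still hold entitlements belonging to the role they left. Field names, the role profiles and the one-day SLA are assumptions.

```python
from datetime import date, timedelta

# Constructed HR feed: leavers carry a last working day; movers carry the role left and the role taken.
HR_EVENTS = [
    {"user": "asingh", "event": "leaver", "effective": date(2024, 3, 1)},
    {"user": "mkhan", "event": "leaver", "effective": date(2024, 3, 28)},
    {"user": "rpatel", "event": "mover", "effective": date(2022, 1, 10),
     "old_role": "finance", "new_role": "engineering"},
]

# Constructed IdP export: account status and group memberships.
IDP_ACCOUNTS = {
    "asingh": {"status": "active", "groups": ["crm-users", "vpn"]},
    "mkhan": {"status": "disabled", "groups": []},
    "rpatel": {"status": "active", "groups": ["payroll-admin", "git-write"]},
}

# Constructed role profiles: the entitlements each role is meant to carry.
ROLE_PROFILES = {
    "finance": {"payroll-admin", "erp-readonly"},
    "engineering": {"git-write", "ci-runner"},
}

REVOCATION_SLA = timedelta(days=1)  # assumed same-day disable target
AS_OF = date(2024, 4, 1)            # constructed reporting date

def reconcile(hr_events, idp_accounts, role_profiles, today):
    """Return (user, finding, groups) for leavers still active past the SLA
    and for movers still holding groups that belong to the role they left."""
    findings = []
    for ev in hr_events:
        acct = idp_accounts.get(ev["user"])
        if acct is None:
            continue  # no account to revoke
        if ev["event"] == "leaver":
            overdue = today - ev["effective"] > REVOCATION_SLA
            if acct["status"] == "active" and overdue:
                findings.append((ev["user"], "leaver-still-active", sorted(acct["groups"])))
        elif ev["event"] == "mover":
            # Old-role groups that the new role's profile does not grant.
            stale = set(acct["groups"]) & role_profiles[ev["old_role"]]
            stale -= role_profiles[ev["new_role"]]
            if stale:
                findings.append((ev["user"], "old-role-entitlements", sorted(stale)))
    return findings

if __name__ == "__main__":
    for user, finding, groups in reconcile(HR_EVENTS, IDP_ACCOUNTS, ROLE_PROFILES, AS_OF):
        print(f"{user}: {finding} {groups}")
```

Each finding is a record for the quarterly sample: the leaver result shows the revocation SLA was missed, the mover result is exactly the finance-to-engineering payroll case auditors look for.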
Challenge
Non-compete and non-solicitation clauses copied from foreign templates turn out to be unenforceable locally.
Solution
Have employment counsel review post-employment restrictions for each jurisdiction where you hire, and anchor your protection in confidentiality and IP-assignment clauses, which are broadly enforceable almost everywhere. Where non-solicits are permitted, keep them narrow — named accounts, limited duration. An unenforceable clause is worse than none: it invites people to assume the whole agreement is bluster.
Challenge
A remote or global workforce makes asset recovery and signed acknowledgments hard to collect at exit.
Solution
Use prepaid tracked-courier workflows for hardware with serial-number reconciliation against the asset register, e-signature for exit acknowledgments, and remote wipe via MDM as the compensating control when a device will not come back. Where local law allows, tie final settlement completion to checklist completion. Document every attempt — demonstrated diligence is what the auditor and, later, a court will look for.