Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Process for removing hardware and access rights at termination of employment relationship

Critical
High
Normal
Low

Our organization has defined procedures for coordinating, at the time of termination of employment, e.g..:

  • Hardware recovery
  • Removal of access rights
  • Restoration of other information assets
Connected other frameworks and requirements:
8.1.4: Return of assets
ISO 27001
9.2.1: User registration and de-registration
ISO 27001
9.2.6: Removal or adjustment of access rights
ISO 27001
PR.AC-1: Identity and credential management
NIST CSF
5.11: Return of assets
ISO 27001

Instructions for reporting changes affecting access rights

Critical
High
Normal
Low

Supervisors have been instructed to notify the owners of data systems in advance of significant changes in the employment relationships of subordinates, such as promotions, discounts, termination of employment or other changes in the job role.

Based on the notification, a person's access rights can be updated either from the centralized management system or from individual data systems.

Connected other frameworks and requirements:
9.2.6: Removal or adjustment of access rights
ISO 27001
I06: Pääsyoikeuksien hallinnointi
PR.AC-1: Identity and credential management
NIST CSF
5.18: Access rights
ISO 27001

Restriction of access rights at high risk times of employment

Critical
High
Normal
Low

If a person's employment is terminating or significantly changing, the reduction of access rights to assets should be considered, depending on the following:

  • a person’s reluctance towards the upcoming change
  • the extent of the person’s current access rights and responsibilities
  • the value of the assets to which the employee has access
Connected other frameworks and requirements:
9.2.6: Removal or adjustment of access rights
ISO 27001
5.18: Access rights
ISO 27001

Special supervision of dismissed workers

Critical
High
Normal
Low

During the period of termination of employment, the organization should ensure that the dismissed employee does not, for example, copy important information (e.g. intangible assets) without authorization.

Connected other frameworks and requirements:
8.1.4: Return of assets
ISO 27001
9.2.6: Removal or adjustment of access rights
ISO 27001
5.11: Return of assets
ISO 27001
No items found.