04) Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?

August 30, 2022
IT Operations
Access Removal

Answer yes if your organisation has a formal process that ensures all access to your organisation's systems & information (this includes, but is not limited to corporate endpoints, networks, offices and third party services) is removed when employees, contractors and third party users leave the organisation and is updated when they change roles. Please describe these processes within the notes and/or upload any relevant evidence.

Your company's information security policy should detail the criteria under which access to information will be granted and the circumstances under which that access will be removed. To underpin the policy, a robust security procedure should:

  1. record who has access to business information;
  2. have the capability to audit access to business information;
  3. enable access to be immediately revoked as required, for example on an employee leaving the company.

Step 3, removing an employee's access upon termination of their employment contract, is a key step within the HR Leaver Process.

How to implement the control

For small companies a template Leaver’s checklist can be requested at You must ensure that all line managers fill in the checklist when a new employee or contractor joins, and that they complete the checklist when they leave (this includes revoking any access to business information).

For larger companies we suggest the IT team ensure that a formal step for revoking employee access is baked into their IT service desk and leaver processes.
