When someone leaves your business, are they still bound by the terms of the contract they previously signed? Are they under any obligation to comply with your policies?

On first reading this ISO27001 control title, it may seem pretty simple, but as ever with ISO27001, the devil is in the detail and there are aspects which need to be explored and understood.

What does the standard require?

The standard states that “Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.” (A6.5 – Termination or change of employment responsibilities).

On initial view, the title talks about employment responsibilities, which can lead us to think this is only about people we employ. But upon reading this ISO27001 control requirements, we can see see this isn’t just about your own internal personnel, you need to include consideration for interested parties. Therefore, this can include contractors, consultants, vendors and possibly even clients.

Who you employ to carry out a task can include suppliers and contracts, and this clause isn’t just talking about responsibilities of other entities. It’s also about your responsibilities too.

Finally, note that this isn’t only about what happens when a contract is terminated. You also need to consider what happens when employment changes.

Why is this required?

Imagine the scenario where a disgruntled ex-employee decides to inform competitors about your latest business plans, for the launch of a new service or product that you’ve been planning for months. Or they decide to try and ‘poach’ your best team members when they leave your employment.

We worked with a client who had a difficult time with a customer following the cancelling of a service. In line with the contract, the customer cancelled the contract with our client, which is perfectly fine. However, soon after the customer had left, we discovered they had approached several members of the delivery and development team in an attempt to hire them directly.  Under the terms of the contract, they were not permitted to approach individuals in a bid to hire them.  Along with the legal team, we helped the client deal with this errant customer, but also outline a process for managing this risk so that it shouldn’t happen again,

These are real-world examples of actions we’ve seen happen after someone leaves a business.

Having a process that manages those people, and interested parties after their roles have changed, or suspended and cancelled helps manage the risk of something like this happening.

We worked with a client that received angry emails from their customers when a previous employee started contacting them about the profits the client were making from these customers. It quickly transpired that the disgruntled ex-employee had informed customers what discounts some customers were receiving and what profits the client were making.  Of course, a lot goes into pricing structures, but if you discovered that another customer was paying 20% or even 30% less than you, would you be happy? This led to some very awkward and difficult conversations, and some customers cancelling their contracts. 

We helped put processes in place which would manage this risk, so that employees know what their obligations are.

Finally, remember that you have an obligation under the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) to protect data that is under your control, or that you process.  This responsibility doesn’t end when someone leaves your employment, or you end a contract with a supplier. You need to have a process in place to protect confidentiality before, during and after a contract or agreement ends.

What the auditor is looking for

The auditor will typically want to see employment contracts, supplier and customer agreements that outline responsibilities following the termination or change of a contract.  Contracts might include details associated to;

• Use of Intellectual Property

• Use of systems

• Obligations of Confidentiality

• Contact with clients, suppliers or employees

The auditor will want to see how you’re managing this risk with interested parties, so evidence might include an exit process (for employees), and service review meetings. These should be documented so that you can present them to the auditor upon request.

If there have been any disciplinary actions, the auditor may also ask to see how the matter was managed and documented.

What do you need to do?

Ensure that you review employment contracts to ensure that the above topics are covered, and also check your supplier agreements to see if these areas are covered too.  It won't always be obvious, so read the contracts carefully in order to understand what is and isn't in place. Any gaps may represent a risk, and should either be closed off or added to your risk register.

Speak to your HR function or specialist about how the exit process works for personnel.  Is there an exit interview? Do they receive a letter confirming termination? What does the letter contain and what is included in the exit interview?

If this is a change of role, are employees reminded of their obligations not to access systems and data which they are no longer permitted to access?

You should also include a section within the exit and mover process that reminds personnel of their obligations towards confidentiality and data protection, so that there can be no room for doubt what the burden of responsibility is.

For suppliers and customers, this may not be as easy, but you can still have a process whereby you outline ongoing licence or contract agreements that are still valid once the contract has ended or has been terminated.

Q & A

Who is covered by this control?

ISO27001 is pretty clear about this, in the control requirement where it says that it relates to relevant personnel and interested parties. Therefore, keep in mind that this isn’t just your internal people this control is referring to. Consider who you have listed within your Interested Parties Register.

What should we do if we find someone has breached this requirement?

Dependent upon the infringement, this could be a matter for your lawyers. However, remember that you are responsible for the protection of data and if you didn’t conduct an exit interview, or remind the employee of their obligations, then you need to shoulder some of the blame. 

Typically, employees sign contracts at the start of employment or engagement, and then forget about them until the contract ends. There could be many years between these two events, which is why it’s important to remind personnel and interested parties of these obligations.

Difficulty rating

We rate this a 1 out of 5 difficulty rating. This isn’t difficult, but it requires input from your HR function and your supplier management function too.  They need to define process and you need to provide input and support as needed.

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”which is available on Amazon.