ISO/IEC 27001 Control 6.5: Responsibilities after termination or change of employment


Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

Identity lifecycle and policy-driven role-based access control (PD-RBAC) mechanism are instrumental in handling privileges in termination/change situations.

Implementation Details

Identity lifecycle can naturally handle termination of employment. MidPoint is using synchronization mechanisms to pull data from the human resource (HR) systems, including data about termination and change of employment. Such HR data are reflected to identity lifecycle, usually setting users with terminated employment to archived lifecycle state. This lifecycle state can be used to deactivate any access that user had, it can be used to minimize the data or handle the situation in other ways. Assignments can be retained in archived lifecycle state, indicating roles, organizational membership and responsibilities that the user had at the termination of employment. This can be an advantage for clearances that indicate responsibilities and obligations that remain valid after termination of employment, such as non-disclosure agreements (NDA). Policy-driven role-based access control (PD-RBAC) is designed to automatically react to change of employment. The preferred method to grant privileges based on organizational structure is to use inducement mechanism in organizational units. Privileges granted using such mechanisms are automatically recomputed when employment changes, as indicated by change in organizational structure synchronized from the HR system. Alternatively, role auto-assignment rules can be used to automatically adjust privileges when employment and responsibilities of user changes. Micro-certification can be used as an supplementary mechanisms, especially in case that most privileges are assigned using access request process. Micro-certification can be automatically triggered when user's organizational assignment changes, motivating reduction of privileges. Policy rules can be used together with reporting capabilities to detect vacant roles and responsibilities, e.i. responsibilities that need to re-assigned after termination or change of employment of their (former) assignees. Delegated administration can enable suppliers and partner to manage identities representing their organizations, e.g. de-activating access after termination of employment. Audit trail and object history capabilities can be used to examine privileges that a user had before termination or change of employment, e.g. to improve current policies and automation schemes.

Implementation Notes

  • The control suggests that changes in responsibility should be managed as termination of old responsibility and initiation of new responsibility. We like to interpret that in quite a loose way, not requiring literal termination of accounts or removal of privileges that are necessary for new responsibility. MidPoint is designed to remove accounts and privileges that are not needed for new responsibility, keeping the necessary ones.


MidPoint obviously cannot influence contractual obligations after termination of employment or contract. It can keep user record for some time, even record some of the obligations. However, the primary strength of midPoint is handling situations after "change of employment", which usually means re-assignment of users in organizational structure. Many mechanisms of midPoint can be used in this situation.

Was this page helpful?
Thanks for your feedback