What to consider in case of termination or change of employment according to ISO 27001

As relationships between people and organizations evolve, it is natural for work situations to change. Concluded contracts lead to termination of employment relationships, and opportunities or gaps in roles or functions lead people to relocate to new positions.

While organizations normally have processes to accommodate people in these new situations, the status of the knowledge and information these people accessed to perform their duties is often neglected, which may pose unacceptable risks to the business.

This article will present how ISO 27001, the leading ISO standard for information security management, addresses changes in employment status, and how its practices can help your organization protect its information in these situations.

Why worry about people leaving your organization or changing positions?

Let’s start with the more obvious scenario: when someone leaves the organization.

A person who leaves the organization is no longer under its control, so any asset or information still in their possession cannot be identified or recovered, and there is no way to know whether it was used or not (the most probable scenario is that the information is not confidential anymore).

The other scenario is subtler, but it may be more dangerous: when someone changes their position or role in the organization.

When someone leaves the organization, it is often more difficult, if not impossible, for them to have access to new information. On the other hand, when someone changes their position or role within the organization, they may start accumulating privileges from both the old and the new positions or roles.

Accumulated privileges may allow the employee to see sensitive information not meant for their eyes, or to perform actions that normally would not be available to them, or that would require a second person to approve.
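One way to turn the accumulated-privilege risk described above into a concrete check, as an added example that is not from the original post: the script below compares what a user actually holds against what their current roles justify, flagging entitlements left over from a former role and pairs of entitlements that collapse a two-person control into a one-person action. The role names, entitlements and conflict pairs are constructed sample data.

```python
# Added example (not from the 27001Academy post): audit a user's effective entitlements
# after a role change. Role names, entitlements and SoD pairs are constructed sample data.
from dataclasses import dataclass

# Constructed role model: which entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "accounts_payable_clerk": {"erp.invoice.create", "erp.vendor.read"},
    "accounts_payable_manager": {"erp.invoice.approve", "erp.vendor.read", "erp.report.read"},
    "hr_generalist": {"hris.employee.read", "hris.payroll.read"},
}

# Constructed separation-of-duties rules: entitlement pairs one person must not hold
# together, because the combined actions would normally require two people.
SOD_CONFLICTS = [
    ("erp.invoice.create", "erp.invoice.approve"),
    ("hris.payroll.read", "erp.invoice.approve"),
]


@dataclass
class Finding:
    user: str
    kind: str      # "orphaned" (grant not justified by a current role) or "sod_conflict"
    detail: tuple  # the entitlement(s) involved


def audit_user(user: str, current_roles: set[str], granted: set[str]) -> list[Finding]:
    """Compare what a user actually holds against what their current roles justify."""
    justified = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in current_roles))
    findings = []
    # Anything granted but not explained by a current role is a leftover from a former
    # role (or an ad-hoc grant) and should be revoked as part of the change process.
    for ent in sorted(granted - justified):
        findings.append(Finding(user, "orphaned", (ent,)))
    # Accumulated privileges can also turn a two-person control into a one-person action.
    for a, b in SOD_CONFLICTS:
        if a in granted and b in granted:
            findings.append(Finding(user, "sod_conflict", (a, b)))
    return findings


if __name__ == "__main__":
    # Constructed scenario: a clerk promoted to manager whose old grants were never revoked.
    held = ROLE_ENTITLEMENTS["accounts_payable_clerk"] | ROLE_ENTITLEMENTS["accounts_payable_manager"]
    for f in audit_user("jdoe", {"accounts_payable_manager"}, held):
        print(f.kind, f.user, *f.detail)
```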

Handling termination and change of employment with ISO 27001

To (Read more...)

*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: