Control attributes: People control; Control type: Preventive; Cybersecurity concept: Protect

A.6.5 Responsibilities After Termination or Change of Employment

M365 Admin Path: Microsoft Entra admin center > Identity governance > Lifecycle Workflows; Access reviews; Intune admin center > Devices

Evidence Source: Microsoft Graph (Identity Lifecycle Workflows, Access Reviews, Intune)

What is this control?

ISO 27001 control A.6.5 Responsibilities After Termination or Change of Employment requires that the information security responsibilities and duties that remain valid after someone leaves or changes role are defined, enforced and communicated to the people concerned. In Microsoft 365 the organisation meets it with a formal Joiners, Movers and Leavers (JML) process built on Lifecycle Workflows in Microsoft Entra ID Governance: access is revoked automatically when a person leaves, role-based group membership is updated when a person moves so that access does not accumulate over successive roles, and Intune-managed devices are retired or wiped on termination.

How to implement in Microsoft 365

Implement A.6.5 by configuring Lifecycle Workflows in Microsoft Entra ID Governance with an enabled, scheduled Leaver workflow that runs on the user's leave date and disables the Entra account, revokes all refresh tokens so existing sessions cannot be renewed, removes group, Teams and licence assignments, removes PIM role eligibilities, and retires or wipes all Intune-enrolled devices. Any step that is not available as a built-in workflow task is implemented as a custom task extension (an Azure Logic App called by the workflow) so that it still runs, and is logged, as part of the same workflow run. Two caveats: the time-based leaver trigger depends on HR populating the employeeLeaveDateTime attribute, so run the workflow on demand when that date is not known in advance; and disabling an account only stops new tokens being issued, so access tokens already in hand remain valid until they expire, which is why the refresh-token revocation belongs in the same workflow.

For movers, use dynamic membership groups keyed on department and job-title attributes so that group membership follows the attribute updates HR makes during a role change, and have a Mover workflow that fires on a department or job-title change open an access review in which the new manager must attest, or remove, the access the user already holds.

Set up recurring Microsoft Entra access reviews for B2B and guest accounts on a 90-day cycle, with results applied automatically and a default decision of "remove access" for reviewers who do not respond, so that an unreviewed guest loses access rather than keeping it by default.
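The Leaver workflow described above can be created through Microsoft Graph rather than clicked together in the admin center, which also makes it reproducible across tenants. The following is an added example written for this page (it is not Microsoft's code and not part of the original page); it assumes the Microsoft.Graph PowerShell SDK and an account holding the Lifecycle Workflows Administrator role. The workflow name, the scope rule and the four task display names are assumptions: the task IDs are resolved at runtime from the tenant's task definition list instead of being hard-coded, so a task name that does not match a built-in task makes the script fail rather than create a half-configured workflow.

```powershell
# Added example: create an enabled, scheduled Leaver workflow via Microsoft Graph.
# Not the page's or Microsoft's code; names, scope rule and task list are assumptions.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All' -NoWelcome
$base = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'

# Built-in tasks, keyed by the display name shown in the admin center (assumed names).
# Steps with no built-in task (Intune retire/wipe, PIM eligibility removal) would be
# added as custom task extensions instead and are deliberately not listed here.
$wantedTasks = @(
    'Disable User Account',
    'Revoke all refresh tokens for user',
    'Remove user from all groups',
    'Remove user from all Teams',
    'Remove all licenses for user'
)

# Resolve task definition IDs at runtime; throw if a name is missing so the
# workflow is either created with every intended task or not at all.
$definitions = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions").value
$tasks = @(foreach ($name in $wantedTasks) {
    $def = $definitions | Where-Object { $_.displayName -eq $name } | Select-Object -First 1
    if (-not $def) { throw "Built-in task '$name' not found in this tenant; check the name or use a custom task extension." }
    @{
        displayName      = $name
        description      = $def.description
        isEnabled        = $true
        continueOnError  = $false          # stop the run if a revocation step fails
        taskDefinitionId = $def.id
        arguments        = @()
    }
})

$workflow = @{
    category            = 'leaver'
    displayName         = 'A.6.5 Leaver - disable account and strip access'   # assumed name
    description         = 'On the leave date: disable the account, revoke sessions, remove groups, Teams and licences.'
    isEnabled           = $true
    isSchedulingEnabled = $true            # run on the tenant schedule, not only on demand
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(employeeType eq 'Employee')"                      # assumed scope rule
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeLeaveDateTime'   # must be populated by HR for the trigger to fire
            offsetInDays       = 0                          # fire on the leave date itself
        }
    }
    tasks = $tasks
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" -Body $workflow -ContentType 'application/json'
Write-Output "Created leaver workflow $($created.id) with $($tasks.Count) tasks"
```

The order of the task list is the order the workflow executes them: the account is disabled first so no new tokens can be issued, then existing refresh tokens are revoked, and only then are memberships and licences removed. Before relying on the schedule, run the workflow on demand against a test user and confirm in the run history that every task completed.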

What an auditor looks for

Auditors will verify that an enabled Leaver workflow exists in Lifecycle Workflows and that its run history shows recent executions. They will sample recently disabled user accounts and confirm in the audit logs that the disablement was performed by the workflow rather than by hand. They will review dynamic group rules based on job attributes and evidence that membership changed automatically when those attributes changed.

They will verify access review definitions that target role changes, with evidence that the new manager attested the access, and recurring access review definitions for guest and B2B accounts with attestation history. They will check Intune for retire and wipe actions against leavers' devices, with recent examples.
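Because the evidence source for this control is Microsoft Graph, the workflow and access-review evidence above can be gathered in one script and the gaps flagged before the auditor finds them. The following is an added example written for this page (not Microsoft's code and not part of the original page); it assumes the Microsoft.Graph PowerShell SDK, read permissions on Lifecycle Workflows and access reviews, and treats "recent" as the last 90 days, which is an assumption to align with the guest-review cycle.

```powershell
# Added example: collect A.6.5 evidence from Microsoft Graph and flag gaps.
# Not the page's or Microsoft's code; the 90-day window and report shape are assumptions.
Connect-MgGraph -Scopes 'LifecycleWorkflows.Read.All', 'AccessReview.Read.All' -NoWelcome
$gov      = 'https://graph.microsoft.com/v1.0/identityGovernance'
$cutoff   = (Get-Date).ToUniversalTime().AddDays(-90)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Leaver workflows: enabled, scheduled, and actually executed in the window.
$workflows = @((Invoke-MgGraphRequest -Method GET -Uri "$gov/lifecycleWorkflows/workflows").value |
    Where-Object { $_.category -eq 'leaver' })
if ($workflows.Count -eq 0) { $findings.Add('No leaver workflow is defined.') }

$workflowReport = foreach ($wf in $workflows) {
    $runs = @((Invoke-MgGraphRequest -Method GET -Uri "$gov/lifecycleWorkflows/workflows/$($wf.id)/runs").value |
        Where-Object { [datetime]$_.startedDateTime -ge $cutoff })
    $notCompleted = @($runs | Where-Object { $_.processingStatus -ne 'completed' })

    if (-not ($wf.isEnabled -and $wf.isSchedulingEnabled)) {
        $findings.Add("Leaver workflow '$($wf.displayName)' is not both enabled and scheduled.")
    }
    if ($runs.Count -eq 0) {
        $findings.Add("Leaver workflow '$($wf.displayName)' has no runs in the last 90 days.")
    }
    [pscustomobject]@{
        Workflow     = $wf.displayName
        Enabled      = $wf.isEnabled
        Scheduled    = $wf.isSchedulingEnabled
        Runs90d      = $runs.Count
        NotCompleted = $notCompleted.Count
    }
}

# 2. Access review definitions: recurrence, auto-apply and default decision show
#    that guest/B2B reviews recur and that non-response removes access.
$reviews = @((Invoke-MgGraphRequest -Method GET -Uri "$gov/accessReviews/definitions").value)
$reviewReport = foreach ($r in $reviews) {
    $pattern = $r.settings.recurrence.pattern
    [pscustomobject]@{
        Review          = $r.displayName
        Status          = $r.status
        Recurrence      = if ($pattern) { "$($pattern.type) x$($pattern.interval)" } else { 'one-off' }
        AutoApply       = $r.settings.autoApplyDecisionsEnabled
        DefaultDecision = $r.settings.defaultDecision
        Scope           = $r.scope.query
    }
}
if (-not ($reviews | Where-Object { $_.settings.recurrence.pattern })) {
    $findings.Add('No recurring access review definition exists.')
}
foreach ($r in $reviews | Where-Object { $_.settings.recurrence.pattern }) {
    if (-not $r.settings.autoApplyDecisionsEnabled -or $r.settings.defaultDecision -ne 'Deny') {
        $findings.Add("Recurring review '$($r.displayName)' does not auto-apply a Deny default for non-response.")
    }
}

$workflowReport | Format-Table -AutoSize
$reviewReport   | Format-Table -AutoSize
$findings | ForEach-Object { Write-Warning $_ }
```

Run it before each audit cycle and keep the two tables as the evidence pack; the warnings are the items to remediate. The Intune retire and wipe evidence is not covered here because device actions are reported from the Intune admin center's device action history rather than from these Identity Governance endpoints.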

M365 capabilities that implement this control

Leaver Entitlement Packages (Info Gov): Identity Governance lifecycle workflows for leavers

Lifecycle Workflows (Info Gov): Entra ID Governance lifecycle workflows for pre-hire, joiner, mover, and leaver identity lifecycle automation