Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-5 – Personnel access to information and technology assets must be reviewed and removed immediately upon termination/separation.
Understanding the Requirement
This control requires that when an employee, contractor, or other personnel leave the organization, their access to information systems and technology assets is promptly reviewed and removed to prevent unauthorized access. Practically, the organization must have documented offboarding procedures that ensure credentials, device access, and physical entry rights are revoked at the time of termination or separation. The goal is immediate and verifiable removal of access so departing personnel can no longer reach sensitive data or systems.
Technical Implementation
- Document a clear offboarding policy and assign owners: Create a short, approved cybersecurity requirement document that defines what "end of service" means, who must approve access removals, and which teams (HR, IT, security, facilities) are responsible. Keep a simple checklist for each role to ensure nothing is missed during offboarding.
- Use automated deprovisioning where possible: Integrate HR systems with identity and access management (IAM) or single sign-on (SSO) so that changing an employee's status triggers automated workflows to disable accounts, revoke tokens, and remove group memberships. For SMBs without IAM, use a central ticketed process with SLAs to ensure same-day deprovisioning.
- Recover physical and digital assets immediately: Maintain an asset register (laptops, phones, access cards, keys) tied to each user. On termination, require return of devices and immediately revoke physical access (badge, door codes) and digital access (VPN, email, cloud services). Log the return in the asset register for accountability.
- Revoke privileged and shared access: Immediately disable privileged accounts, remove users from admin groups, and rotate any shared credentials or service account passwords that the departing person used. If the person had access to secrets (API keys, cloud keys), revoke and reissue those secrets and update systems that relied on them.
- Verify and audit: After deprovisioning, run a short audit within 24–72 hours to confirm accounts are disabled, access tokens revoked, and no orphaned sessions remain (check active sessions, SSH keys, cloud console sessions). Keep an offboarding log entry with timestamps and the approver's name; review these logs periodically to improve the process.
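The "verify and audit" step above can be made mechanical: cross-check the HR list of separated personnel against snapshots of account state, live sessions, admin group membership, SSH authorized keys and shared-secret rotation dates, and report every piece of residual access. The script below is an added example, not part of the ECC text; all data is constructed inline and the field names and snapshot layout are assumptions rather than any particular IAM product's schema.

```python
"""Post-offboarding audit over constructed IAM snapshots (added example, not ECC text).
Field names and snapshot layout are assumptions; a real run would pull them from
the HR feed, directory/SSO, VPN and cloud consoles, SSH hosts and the secrets store."""
from datetime import datetime, timedelta

AUDIT_TIME = datetime(2024, 6, 7, 10, 0)  # when the verification audit ran
# Constructed HR feed: separated personnel and their separation time.
SEPARATED = {"jdoe": datetime(2024, 6, 3, 17, 0), "asmith": datetime(2024, 6, 4, 9, 0)}
# Constructed snapshot of access state at audit time.
SNAPSHOT = {
    "accounts": {"jdoe": {"enabled": False}, "asmith": {"enabled": True}, "bwong": {"enabled": True}},
    "sessions": [{"user": "jdoe", "service": "vpn"}, {"user": "bwong", "service": "sso"}],
    "admin_groups": {"cloud-admins": {"asmith", "bwong"}, "domain-admins": {"bwong"}},
    "ssh_keys": {"build-server": {"jdoe", "bwong"}},  # host -> users with authorized keys
    "shared_secrets": [  # secrets the user could use, with last rotation time
        {"name": "client-api-key", "users": {"jdoe", "bwong"}, "rotated": datetime(2024, 5, 1)},
        {"name": "deploy-token", "users": {"asmith"}, "rotated": datetime(2024, 6, 4, 12, 0)},
    ],
}


def audit_offboarding(separated, snapshot, audit_time):
    """Return (user, finding) pairs for residual access held by separated personnel."""
    findings = []
    for user, left_at in separated.items():
        hits = []
        acct = snapshot["accounts"].get(user)
        if acct and acct["enabled"]:
            hits.append("account still enabled")
        # Any live session of a departed user is orphaned, whenever it was started.
        hits += [f"orphaned {s['service']} session" for s in snapshot["sessions"] if s["user"] == user]
        hits += [f"still member of {g}" for g, members in snapshot["admin_groups"].items() if user in members]
        hits += [f"ssh key still authorized on {h}" for h, owners in snapshot["ssh_keys"].items() if user in owners]
        # A shared secret is only clean if it was rotated after the person left.
        hits += [f"shared secret {s['name']} not rotated since separation"
                 for s in snapshot["shared_secrets"] if user in s["users"] and s["rotated"] < left_at]
        # Residual access found outside the 24-72h verification window breaks the SLA too.
        if hits and audit_time - left_at > timedelta(hours=72):
            hits.append("residual access found after 72h audit window")
        findings += [(user, h) for h in hits]
    return findings


if __name__ == "__main__":
    for user, finding in audit_offboarding(SEPARATED, SNAPSHOT, AUDIT_TIME):
        print(f"{user}: {finding}")
```

Each finding maps to one checklist item, so the output doubles as the timestamped offboarding log entry the control asks for; a user with no findings is clean and generates no lines.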
Example in a Small or Medium Business
Acme Design Co., a 40-person marketing agency, formalized an offboarding workflow to reduce risk when staff leave. HR immediately marks a departing employee's termination in the HR system and selects an offboarding date; that status automatically creates a ticket for IT. IT follows the checklist: disable the user in the SSO portal, revoke VPN and cloud service sessions, remove email forwarding, and reset any shared account passwords. Facilities is alerted to collect the laptop, smartphone, and access badge the employee used and to deactivate the badge the same day. The IT admin also rotates API keys for client projects the employee had access to and updates any scheduled jobs that used the employee's credentials. A final audit is completed within 48 hours to verify no active logins remain and to note any missing assets. HR files the completed checklist in the employee record and the security lead reviews the offboarding log monthly to look for gaps and make improvements.
Summary
Combining a documented policy, clear owner responsibilities, and technical controls (automation, IAM/SSO, asset tracking, privileged access revocation, and auditing) delivers rapid, verifiable removal of access when personnel separate from the organization. For SMBs, a simple, repeatable offboarding checklist integrated with HR and IT — supported by short SLAs and periodic audits — provides strong protection against orphaned accounts and unauthorized access while keeping implementation practical and cost-effective.