A 7-page, audit-ready policy mapped to 7 frameworks, providing a secure process for the entire employee lifecycle—from hiring to departure.
This policy establishes secure, repeatable procedures for when employees join, change roles, or leave your company. It ensures access is granted correctly, revoked promptly, and all company assets are returned, closing critical security gaps.
The Onboarding and Termination Policy for SMEs is a comprehensive framework designed to manage the employee lifecycle with a focus on security and compliance. It outlines standardized procedures for onboarding new employees, managing internal transfers, and executing terminations, ensuring that access rights are appropriately provisioned and revoked. This policy mitigates risks associated with unauthorized access, data leakage, and unreturned assets by embedding onboarding and termination processes into HR, IT, and security workflows. For SMEs, this policy not only enhances security and compliance but also instills confidence and clarity in managing human resources. By embedding security controls into everyday processes, organizations can minimize risks and focus on their core business operations, knowing that their personnel transitions are managed efficiently and securely.
This policy provides HR, IT, and managers with a clear, coordinated plan, turning a high-risk process into a secure, auditable, and efficient workflow. It was authored by a security leader to be a practical framework that stands up to auditor scrutiny.
This product is aligned with the following compliance frameworks, with detailed clause and control mappings.
| Framework | Covered Clauses / Controls |
|---|---|
| ISO/IEC 27001:2022 | 6.2, 7.2 |
| ISO/IEC 27002:2022 | 6.2, 6.5 |
| NIST SP 800-53 Rev. 5 | PS-4, AC-2, PL-4 |
| EU GDPR | Art. 32 |
| EU NIS2 | Art. 21(2)(h) |
| EU DORA | Art. 12 |
| COBIT 2019 | APO07, DSS01 |
This policy is one of 37 documents in our complete toolkit. When implemented as a set, our framework helps you achieve comprehensive compliance across major standards.
| Standard | Toolkit coverage |
|---|---|
| ISO 27001:2022 | 100% |
| NIST | 95% |
| NIS2 | 88% |
| DORA | 75% |
| GDPR | 70% |
This foundational policy is directly linked to the following organizational security policies to ensure comprehensive alignment and traceability across the ISMS.
- P2S - Governance Roles & Responsibilities Policy: ensures accountability in access and onboarding processes.
- P4S - Access Control Policy: establishes technical enforcement of role-based provisioning.
- P6S - Risk Management Policy: assesses risks from onboarding and termination control failures.
- P8S - Information Security Awareness & Training Policy: enforces staff orientation requirements during onboarding.
- P30S - Incident Response Policy: treats failure to deprovision access as a security incident.
An Onboarding and Termination Policy is a critical component of human resources security, designed to manage the full lifecycle of an employee's access to company resources. For a Small or Medium-sized Enterprise (SME), this process is one of the highest-risk areas for security gaps. This policy provides a structured, repeatable process for HR, IT, and department managers to follow when a person joins, moves within, or leaves the company.
By implementing formal checklists for both onboarding and offboarding, this policy ensures that access is granted based on the principle of least privilege and, crucially, that it is revoked completely and on time. This prevents "orphan accounts" from being left active—a common vector for data breaches. It also ensures all physical assets are returned. Adhering to this ISO 27001:2022-aligned policy provides auditors with clear evidence of due diligence and gives leadership confidence that personnel transitions are handled securely and efficiently.