Onboarding and Termination Policy - SME

The Onboarding and Termination Policy (P07S) serves as a critical control for organizations seeking to manage the full lifecycle of user access in a secure, compliant, and auditable manner. This policy is specifically tailored for small and medium-sized enterprises (SMEs), as indicated by the 'S' in its document number and the assignment of responsibility to roles such as General Manager and Office Manager/HR, rather than specialist teams like a dedicated CISO or Security Operations Center. Nonetheless, it meets the requirements of key frameworks including ISO/IEC 27001:2022. The policy’s purpose is to define, standardize, and document processes for onboarding new employees, contractors, and third-party service providers, while ensuring robust controls for their termination or internal role change. It enforces the principle of least privilege when provisioning access, uses checklists to formalize verification of asset issuance and return, and mandates documented logs for account and asset changes. Termination activities focus on prompt access revocation, the retrieval of company assets, and the secure closure of digital identities to control the risk of unauthorized access or data exposure. Roles and responsibilities are designated to fit typical SME structures. The General Manager holds program oversight and high-privilege access approval, Office Manager or HR initiates onboarding/offboarding and checklist maintenance, and IT (internal or external provider) manages accounts and hardware. Department managers ensure that notifications about role changes are actioned, while every employee or contractor is called upon to comply with security training and asset return processes. Governance requirements are robust, requiring the use of onboarding and termination checklists, maintenance of an Access Control Register and Asset Inventory, and immediate handling of emergency deactivations. Exception and risk handling procedures are clearly defined, mandating documentation, notification to the General Manager, and compensating controls if standard steps are skipped due to operational urgency. Compliance is enforced through regular monitoring, sample reviews, and clear consequences for non-compliance such as retraining or escalation. By expressly requiring annual reviews, responsive updates for process or regulatory changes, and communication of policy changes to all relevant staff, this policy supports a continuous improvement process. It is structured to help SMEs efficiently meet the demands of compliance, operational integrity, and data protection, even in organizations without complex security structures.