
Onboarding and Termination Policy

Ensure secure, compliant onboarding and termination with standardized access, asset control, and audit requirements across all personnel types.

Overview

This policy establishes strict procedures for secure onboarding, internal transfers, and terminations, enforcing access control, asset recovery, and audit trails aligned with major security and privacy standards.

Secure Access Lifecycle

Standardizes onboarding and termination to ensure timely, risk-based access provisioning and revocation.

Comprehensive Asset Control

Mandates asset issuance, tracking, and recovery to prevent losses and data leakage during personnel changes.

Regulatory Compliance

Aligns with ISO/IEC 27001, GDPR, NIST, NIS2, DORA, and COBIT for robust legal and security compliance.

The Onboarding and Termination Policy (document P07) provides a comprehensive, standardized framework for managing the full lifecycle of personnel access, from onboarding and internal transfers to termination or contract expiry. It covers all user types, including employees, contractors, consultants, vendors, and third parties, and requires timely, secure provisioning and deprovisioning of both physical and logical access, so that every transition is handled with the right blend of confidentiality, accountability, and asset control.

The policy applies organization-wide: every department, including Human Resources, IT, Facilities, Security, Management, Legal, and Compliance, has a defined role in onboarding and offboarding. It prescribes detailed workflows. Onboarding includes background checks, NDA and policy acknowledgment, security awareness training, and least-privilege access assignment reviewed by the responsible manager. Internal transfers trigger a risk-based access review, and all prior system entitlements are closed before new access is approved. Termination requires all access to be revoked (privileged accounts within four hours), assets collected, policy obligations re-acknowledged, and all related documentation retained for auditability.

The policy's objectives extend beyond access management. It aims to preserve the confidentiality, integrity, and availability of organizational assets during personnel transitions, and supports audit trails and legal defensibility by requiring thorough documentation in the HRIS, the IAM platform, and asset registers. Immediate asset recovery and validation procedures are specified, including IT checks to remove residual sensitive data from returned devices and facility controls for badges, devices, and keys.

Exception handling is tightly controlled: any deviation must be risk-assessed, documented, and subject to periodic review by senior management (the CISO or HR Director), with residual risks documented and re-evaluated every 90 days or whenever circumstances change.

The policy is aligned with multiple international frameworks, including ISO/IEC 27001:2022, ISO/IEC 27002:2022, NIST SP 800-53 Rev. 5, COBIT 2019, EU GDPR, NIS2, and DORA, so that organizational practice addresses the key regulatory requirements. It integrates provisions from these standards covering competence, access control, least privilege, screening, logging, and operational governance. Internal audit and process-monitoring requirements are built in, with ISMS Manager oversight and mechanisms for whistleblower reporting. Violations trigger disciplinary and legal consequences, with escalation to regulatory authorities where personal or otherwise regulated data are involved.

Policy maintenance is equally robust: the policy mandates annual reviews, updates after major security or HR system changes, incident-driven updates, and archiving of obsolete versions. Document control procedures preserve change history and ownership records. Through direct linkages to the related policy documents (information security, access control, user accounts, risk management, acceptable use), the policy ties operational risk management to compliance and accountability and forms a critical part of the organization's integrated control environment.

Policy Diagram

Onboarding and Termination Policy diagram illustrating the step-by-step lifecycle: onboarding approvals, access provisioning, role change reviews, immediate termination actions, asset recovery, and audit documentation.


What's Inside

Scope and Rules of Engagement

Onboarding and Offboarding Workflows

Asset Recovery and Validation

Immediate Access Revocation Requirements

Exception and Risk Treatment Process

Audit Trail and Documentation

Framework Compliance

🛡️ Supported Standards & Frameworks

This product is aligned with the following compliance frameworks, with detailed clause and control mappings.

Framework              Covered Clauses / Controls
ISO/IEC 27001:2022
ISO/IEC 27002:2022
NIST SP 800-53 Rev. 5
EU GDPR                Article 5(1)(f), Article 25, Article 32, Recital 39
EU NIS2
EU DORA
COBIT 2019

Related Policies

Information Security Policy

Establishes the organization's security objectives, including personnel access governance.

Access Control Policy

Provides operational requirements for assigning and revoking system and physical access based on onboarding and termination triggers.

Acceptable Use Policy

Requires acknowledgment during onboarding and supports enforcement after termination.

Risk Management Policy

Ensures that user access and transition risks are evaluated and mitigated in line with ISMS principles.

User Account And Privilege Management Policy

Governs the technical controls for provisioning and deprovisioning in support of this policy.

About Clarysec Policies - Onboarding and Termination Policy

Effective security governance requires more than just words; it demands clarity, accountability, and a structure that scales with your organization. Generic templates often fail, creating ambiguity with long paragraphs and undefined roles. This policy is engineered to be the operational backbone of your security program. We assign responsibilities to the specific roles found in a modern enterprise, including the CISO, IT Security, and relevant committees, ensuring clear accountability. Every requirement is a uniquely numbered clause (e.g., 5.1.1, 5.1.2). This atomic structure makes the policy easy to implement, audit against specific controls, and safely customize without affecting document integrity, transforming it from a static document into a dynamic, actionable framework.

IAM Integration for Automated Workflows

Enforces IAM platform use for access provisioning, revocation, and audit trails, reducing errors and supporting automated onboarding/offboarding.

Immediate Risk-Driven Revocation

Requires privileged and high-risk accounts to be deactivated within four hours of termination, minimizing the exposure window created by departures from critical roles.
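The four-hour revocation requirement above, and the IAM audit-trail requirement before it, are only defensible in an audit if someone actually measures them. The script below is an added example of that check, written for this page and not part of the Clarysec policy or any product code. It reconciles HRIS termination records against IAM audit-log lines and flags accounts whose deactivation missed the SLA, including accounts that were never deactivated at all. Everything in it is an assumption: the record and log formats, the sample data (constructed, not real), and the 24-hour limit for non-privileged accounts (the page states only the four-hour figure for privileged accounts).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample HRIS termination records (not real data).
TERMINATIONS = [
    {"user": "alice", "terminated_at": "2024-03-01T09:00:00Z", "privileged": True},
    {"user": "bob",   "terminated_at": "2024-03-01T09:00:00Z", "privileged": False},
    {"user": "carol", "terminated_at": "2024-03-01T10:30:00Z", "privileged": True},
    {"user": "dave",  "terminated_at": "2024-03-01T11:00:00Z", "privileged": True},
]

# Constructed IAM audit-log lines in an assumed "<timestamp> <event> user=<name>" format.
# dave never gets an ACCOUNT_DISABLED event: his access is still open.
IAM_LOG = """\
2024-03-01T10:15:00Z ACCOUNT_DISABLED user=alice
2024-03-01T18:00:00Z ACCOUNT_DISABLED user=bob
2024-03-01T15:45:00Z ACCOUNT_DISABLED user=carol
2024-03-01T12:00:00Z PASSWORD_RESET user=dave
"""

PRIVILEGED_SLA = timedelta(hours=4)   # stated on this page for privileged accounts
STANDARD_SLA = timedelta(hours=24)    # assumption: the page gives no figure for other accounts


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_iam_log(text: str) -> Dict[str, datetime]:
    """Return the earliest ACCOUNT_DISABLED time seen per user; other events are ignored."""
    disabled: Dict[str, datetime] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = line.split(maxsplit=2)
        if event != "ACCOUNT_DISABLED":
            continue
        user = kv.split("=", 1)[1]
        t = parse_ts(ts)
        if user not in disabled or t < disabled[user]:
            disabled[user] = t
    return disabled


@dataclass
class Finding:
    user: str
    privileged: bool
    disabled: bool          # False if no ACCOUNT_DISABLED event exists for the user
    elapsed_hours: float    # termination -> deactivation, or termination -> now if still open
    breached: bool


def check_revocation_sla(terminations, iam_log: str, now: datetime) -> List[Finding]:
    """Compare each termination against the IAM log and flag SLA breaches.

    An account with no deactivation event is measured against `now`, so its exposure
    keeps growing until someone acts. A deactivation that precedes the termination
    time (pre-scheduled disable) yields a negative elapsed value and is never a breach.
    """
    disabled = parse_iam_log(iam_log)
    findings: List[Finding] = []
    for rec in terminations:
        t_term = parse_ts(rec["terminated_at"])
        sla = PRIVILEGED_SLA if rec["privileged"] else STANDARD_SLA
        t_off: Optional[datetime] = disabled.get(rec["user"])
        elapsed = (t_off if t_off is not None else now) - t_term
        findings.append(Finding(
            user=rec["user"],
            privileged=rec["privileged"],
            disabled=t_off is not None,
            elapsed_hours=elapsed.total_seconds() / 3600,
            breached=elapsed > sla,
        ))
    return findings


def breached_users(findings: List[Finding]) -> List[str]:
    """Users to raise with the ISMS Manager, in the order they were processed."""
    return [f.user for f in findings if f.breached]


if __name__ == "__main__":
    report_time = parse_ts("2024-03-01T16:00:00Z")   # constructed "now" for the sample
    for f in check_revocation_sla(TERMINATIONS, IAM_LOG, report_time):
        state = "disabled" if f.disabled else "STILL ACTIVE"
        print(f"{f.user:6} priv={f.privileged!s:5} {state:12} {f.elapsed_hours:5.2f}h"
              f" {'BREACH' if f.breached else 'ok'}")
```

Run against the constructed data, the report flags carol (a privileged account disabled 5h15m after termination) and dave (a privileged account never disabled, 5h open at report time), while alice and bob pass. In practice the termination feed would come from the HRIS export and the log from the IAM platform's audit export, which is exactly the documentation the policy requires both systems to retain.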


Built for Leaders, By Leaders

This policy was authored by a security leader with 25+ years of experience deploying and auditing ISMS frameworks for global enterprises. It's designed not just to be a document, but a defensible framework that stands up to auditor scrutiny.

Authored by an expert holding:

MSc Cyber Security, Royal Holloway, University of London; CISM; CISA; ISO 27001:2022 Lead Auditor & Implementer; CEH

Coverage & Topics

🏢 Target Departments

IT Security, Human Resources, Compliance, Audit

🏷️ Topic Coverage

Governance, Human Resources Security, Access Control, Incident Management
Price: €49 (one-time purchase, instant download, lifetime updates)

Product Details

Type: policy
Category: Enterprise
Standards: 7