Episode 45 — A.6.5–6.6 — Responsibilities after termination/change; NDAs
A.6.5 applies equally to employees, contractors, and third parties. It addresses two primary scenarios—role transitions within the organization and full separations when an individual leaves. Both situations introduce risk. When someone changes roles, their access privileges may no longer align with their responsibilities, potentially exposing sensitive data. When they depart completely, residual access, retained devices, or undeclared data copies can create hidden vulnerabilities. This control mandates that the organization’s HR, IT, and management teams collaborate to ensure secure closure of employment or contract cycles. It is not just about collecting keys and laptops; it is about formally reaffirming that security obligations endure beyond employment and ensuring that these obligations are recorded and acknowledged.
Role changes often receive less attention than terminations, yet they can be just as risky. Promotions may expand access privileges without revalidation of need. Lateral transfers might introduce exposure to new systems or data sets. Demotions or role reductions, if not accompanied by prompt access revocation, can leave inappropriate privileges intact. Each of these situations represents a point of exposure where privilege misalignment can lead to unauthorized access or accidental data leakage. To mitigate these risks, HR and IT must work in sync to reassess access rights immediately after a role change, ensuring that system permissions mirror the individual’s current responsibilities. Effective governance treats every role change as a controlled event requiring verification, not as a routine administrative formality.
A well-managed separation process aligns operational and administrative steps to ensure completeness. Departing personnel must return all organizational assets—physical devices, identification cards, storage media, and documentation—through a structured checklist. Digital access must be revoked or reassigned the same day departure occurs, including network accounts, VPN credentials, and privileged logins. HR representatives should obtain signed acknowledgment forms confirming that the individual understands and accepts their continuing confidentiality obligations. Exit interviews provide a final opportunity to reinforce these expectations, reminding employees that sensitive information acquired during employment remains protected. When handled professionally, this process balances courtesy and control, maintaining goodwill while safeguarding organizational interests.
Residual knowledge is often more valuable—and more vulnerable—than physical assets. Employees and contractors inevitably carry proprietary insights, client information, and intellectual property gained through their roles. A.6.5 emphasizes that this knowledge remains confidential after departure, protected by both policy and law. NDAs, intellectual property clauses, and non-compete terms may restrict how such knowledge can be used. Organizations should remind departing staff of these obligations, ideally during exit discussions and through written communication. While laws vary regarding the enforceability of post-employment restrictions, the ethical expectation of confidentiality is universal. Reinforcing this message protects the organization’s competitive edge and reduces the risk of inadvertent disclosure.
Common failures in termination handling often stem from coordination gaps. Incomplete communication between HR and IT can leave former employees with active VPN, email, or cloud storage access. Supplier or contractor accounts may remain live after contract closure, exposing systems to unauthorized reuse. Departing personnel may retain proprietary documents or client data, whether intentionally or accidentally. In some cases, unclear contractual terms lead to disputes about ownership of work products or the scope of confidentiality. Such oversights can result in data breaches, litigation, and reputational harm. A.6.5 exists to prevent these scenarios through precise processes, consistent accountability, and documented assurance that no access or obligation is left unresolved.
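The coordination gaps just described (an account still enabled after a termination or contract end date, a supplier or test account with no HR owner, a role change never followed by an access re-review) are exactly what a periodic HR-to-identity reconciliation catches. The check below is an added example, not the episode's own material; the HR and IdP field names and all sample records are constructed assumptions rather than a real HRIS or identity-provider schema.

```python
"""Offboarding reconciliation for A.6.5 (added example, not the episode's own).
Cross-checks an HR roster against an identity-provider account export. All
records and field names are constructed assumptions, not a real HRIS/IdP schema."""
from datetime import date

AUDIT_DATE = date(2024, 3, 10)  # constructed "today" for the check
# Constructed HR records: worker type, status, end date, date of last role change.
HR_RECORDS = [
    {"user": "alice", "type": "employee", "status": "active", "end": None},
    {"user": "bob", "type": "employee", "status": "terminated", "end": date(2024, 3, 1)},
    {"user": "carol", "type": "contractor", "status": "active", "end": date(2024, 2, 15)},
    {"user": "dave", "type": "employee", "status": "active", "end": None,
     "role_changed": date(2024, 3, 5)},
]
# Constructed IdP export: enabled flag and date of the last access review.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_review": date(2024, 1, 10)},
    {"user": "bob", "enabled": True, "last_review": date(2024, 1, 10)},
    {"user": "carol", "enabled": True, "last_review": date(2024, 1, 10)},
    {"user": "dave", "enabled": True, "last_review": date(2024, 1, 10)},
    {"user": "erin", "enabled": True, "last_review": date(2024, 1, 10)},  # no HR record
]

def reconcile(hr_records, accounts, today):
    """Return (user, finding) tuples for every enabled account that violates A.6.5."""
    hr = {r["user"]: r for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already closed out
        rec = hr.get(acct["user"])
        if rec is None:
            # No HR owner at all: a typical leftover supplier or test account.
            findings.append((acct["user"], "orphan: enabled account with no HR record"))
            continue
        end = rec["end"]
        if rec["status"] == "terminated" and end is not None and end <= today:
            findings.append((acct["user"], f"terminated {end}: account still enabled"))
        elif rec["type"] == "contractor" and end is not None and end < today:
            findings.append((acct["user"], f"contract ended {end}: account still enabled"))
        changed = rec.get("role_changed")
        if changed is not None and acct["last_review"] < changed:
            # Role moved but privileges were never re-validated against the new role.
            findings.append((acct["user"], f"role changed {changed}: access not re-reviewed"))
    return findings

def run_sample():
    return reconcile(HR_RECORDS, ACCOUNTS, AUDIT_DATE)
```

Running the same check daily, with the HR feed as the source of truth, turns the "same day" revocation requirement into something measurable rather than something assumed.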
Global operations add another layer of complexity. Labor laws vary significantly between jurisdictions, influencing what obligations can legally persist after employment ends. Some regions limit the enforceability of restrictive covenants, while others require explicit consent for post-employment obligations. Cultural norms also affect how employees perceive continued confidentiality—what is assumed in one country may require formal explanation in another. Organizations must therefore tailor their offboarding policies and contracts to local legal contexts while preserving a consistent global standard. This careful balance ensures compliance without compromising the protection of information assets.
For more cyber-related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Control A.6.6 formalizes the concept of confidentiality through the use of non-disclosure agreements, or NDAs. Where A.6.5 governs the process of revoking access and reaffirming residual responsibilities, A.6.6 provides the legal mechanism that binds individuals and organizations to those responsibilities. NDAs are contracts designed to protect information from unauthorized disclosure or misuse during and after employment or collaboration. They extend beyond employees to include contractors, suppliers, consultants, and any third party with access to sensitive data. This control ensures that the organization’s confidential knowledge, intellectual property, and trade secrets remain protected not by assumption, but through enforceable commitments recognized in law.
The scope of A.6.6 covers the entire information lifecycle—from initial hiring or engagement to post-termination obligations. NDAs must clearly define what constitutes “confidential information,” ensuring that all parties share a common understanding of what is being protected. They must specify how this information may be used, the duration of the confidentiality obligation, and the remedies available if breaches occur. Typically, confidentiality obligations continue long after employment ends, especially for proprietary information or trade secrets. These agreements provide a foundation for legal recourse, serving as both deterrent and protection against unauthorized disclosure.
Well-constructed NDAs share several essential elements. First, they contain an explicit definition of confidential information, distinguishing it from public or trivial data. Second, they delineate permitted and prohibited uses—allowing use only for legitimate organizational purposes and prohibiting disclosure to unauthorized parties. Third, they specify the duration of the obligation, which may be fixed (for example, five years) or indefinite for trade secrets. Finally, they outline remedies for breach, which may include disciplinary action, financial penalties, or legal proceedings. By formalizing these components, NDAs give clarity and enforceability to the organization’s confidentiality expectations, making them more than symbolic paperwork.
Internally, NDAs apply to every member of the workforce with access to sensitive or proprietary information. Employees typically sign them during onboarding, alongside acknowledgment of policies and codes of conduct. For roles involving special access—such as those handling research, intellectual property, or mergers and acquisitions—NDAs may be renewed or supplemented with project-specific clauses. Reassignments or promotions to sensitive positions should trigger renewed agreements to confirm continued compliance. All signed NDAs should be stored securely within HR or legal systems, with version control and access restricted to authorized personnel. This internal discipline ensures that confidentiality is not just agreed upon but managed and auditable.
Beyond employees, NDAs extend to external parties who handle or encounter the organization’s data. Suppliers, service providers, consultants, and partners must sign confidentiality clauses embedded within their master agreements or standalone NDAs. These agreements should extend downward through subcontractor chains, ensuring consistent obligations across all participants in a project or supply network. NDAs play a pivotal role in collaborative ventures, such as joint research, outsourcing, or cloud service partnerships, where sensitive information is shared beyond corporate boundaries. When integrated into supplier relationship management programs, NDAs become part of a broader assurance ecosystem that protects information throughout its lifecycle, no matter where it travels.
Operationalizing NDA obligations requires more than signatures. Organizations must actively monitor for potential violations or leaks of sensitive data. Monitoring tools—such as data loss prevention (DLP) systems—can identify unusual data movements, while HR and legal teams should reinforce NDA reminders during exit or role-change processes. Some organizations require periodic reaffirmations of confidentiality, especially in long-term projects. Enforcement must also be consistent: breaches should trigger investigations and, where necessary, legal or disciplinary action. These measures sustain the credibility of the NDA framework, showing both staff and auditors that confidentiality obligations are not theoretical but enforced through ongoing vigilance.
Weak NDA practices introduce avoidable risk. Vague definitions of what constitutes confidential information may leave gaps exploitable in disputes. Inconsistent enforcement undermines credibility, signaling that breaches may go unpunished. Outdated templates that fail to reflect current privacy or data protection laws can expose organizations to legal vulnerabilities. Poor record-keeping—such as missing or unsigned agreements—renders the entire NDA system unenforceable. To avoid these pitfalls, organizations must review their NDA templates regularly with legal counsel, ensure all agreements are tracked and stored securely, and integrate confidentiality obligations into broader compliance monitoring systems.
Auditors evaluating A.6.6 compliance look for both structure and proof. They expect to see legally reviewed NDA templates, showing when they were last updated and who approved them. They may request random samples of signed agreements across different employment types—staff, contractors, and vendors—to confirm coverage and consistency. Documentation linking NDAs to personnel files or supplier contracts demonstrates that obligations are tracked and enforceable. In cases where breaches have occurred, auditors may review evidence of how violations were handled—disciplinary records, legal correspondence, or remedial training. This documentation establishes that NDAs are not perfunctory forms but living elements of the ISMS.
Together, A.6.5 and A.6.6 close the loop on personnel and partner lifecycle management. A.6.5 ensures that the practical aspects of termination—revoking access, collecting assets, confirming obligations—are completed swiftly and securely. A.6.6 reinforces this with the contractual muscle of NDAs, ensuring confidentiality obligations survive long after employment or engagement ends. The combined effect is a secure closure to each relationship, protecting intellectual property, trade secrets, and client trust across time and geography. These controls create continuity of responsibility, turning the end of employment or a contract into a managed security checkpoint rather than a vulnerability.
When these two controls are well executed, they provide both defensive and reputational benefits. Legally enforceable agreements reduce the risk of insider threats and intellectual property theft. Documented offboarding processes assure auditors and clients that security controls extend across the entire personnel lifecycle. Employees leave with a clear understanding of their continuing obligations, while management retains evidence of due diligence and fairness. In an age where data can move instantly and invisibly, these post-employment controls ensure that information security remains durable—anchored not just in systems, but in the ethical and legal responsibilities of every person who once held the organization’s trust.
A.6.5 and A.6.6 together complete the personnel assurance cycle begun with screening and employment terms. They ensure that confidentiality, integrity, and accountability endure even as people and projects change. By securing both the practical and legal dimensions of offboarding, these controls reduce the risk of data leakage, reputational harm, and compliance failure. They also reassure clients and regulators that the organization’s commitment to information protection extends beyond contracts and calendars—it persists as an enduring principle of professional trust. The next episode will build on this foundation by examining modern workforce realities such as remote working and event reporting under A.6.7 and A.6.8.