ISO 27701, Clause 6.4.3 – Termination and Change of Employment

ISO 27701 Controls and Clauses Explained

Book a demo

img building 1020x680 1

ISO regards privacy protection roles as a fluid concept that needs continual consideration in the face of organisational change.

A significant part of this involves managing privacy-related risks when the organisation either terminates a relationship with personnel and/or contracts, or assigned job roles change that have the potential to impact PII.

What’s Covered in ISO 27701 Clause 6.4.3

ISO 27701 6.4.3 contains one sub-clause that deals solely with guidance related to how privacy protection may be affected when employment or supplier contracts either end, or change.

To achieve this, ISO 27701 6.4.3 leans heavily on information security guidance contained within ISO 27002 6.5.

ISO 27701 6.4.3 doesn’t contain any further guidance on how employment contracts and responsibilities may or may not affect the implementation and maintenance of a PIMS, nor are there any specific GDPR considerations to keep in mind.

Jump to Topic
Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.4.3.1 – Termination or Change of Employment Responsibilities

References ISO 27002 Control 6.5

When staff members are dismissed, or their job changes, organisations should ensure that privacy protection roles remain valid at all times.

It is vitally important to ensure that any privacy protection-related roles are transferred to another individual, when a staff member has left the organisation.

Organisations should also implement procedures that communicate role changes (and any associated operating procedures) to all relevant customers and suppliers.

As well as specific PII-related roles, additional measures may also include the protection of IP, confidentiality agreements, or any knowledge obtained that would warrant protection (see ISO 27002 6.6).

Any responsibilities that continue after termination of employment should be clearly outlined in employment contracts and/or mid-term agreements (see ISO 27002 6.2).

Organisations should use the same set of employee termination or role change procedures when dealing with third-party suppliers whose services are either no longer needed, or are in need of amendments.

Relevant ISO 27002 Controls

  • ISO 27002 6.2

  • ISO 27002 6.6

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.4.3Termination and Change of Employment6.5 – Responsibilities After Termination Or Change Of Employment for ISO 27002None

How ISMS.online Helps

In order to achieve ISO 27701 you must build a Privacy Information Management System.

With our preconfigured PIMS you can quickly and easily organise and manage customer, supplier and staff information to fully comply with ISO 27701.

You can also accommodate the growing number of global, regional and sector-specific privacy regulations we support on the ISMS.online platform.

Find out more by booking a hands on demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how easy ISO 27701 is with ISMS.online
Get your quote

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more