Glossary

What is Offboarding?

What is Offboarding?

Offboarding is the formal process of revoking an employee's or contractor's access to systems, applications, and data when they leave an organization or change roles. A well-executed offboarding process is critical for preventing unauthorized access after separation and is a key control auditors review during compliance assessments.

Why offboarding matters

Delayed or incomplete offboarding creates significant security risks:

  • Former employees retaining access to sensitive systems and data
  • Orphaned accounts that attackers can discover and exploit
  • Shared credentials that remain active after a team member departs
  • Compliance findings for inadequate access termination procedures

Key offboarding activities

  • Disable user accounts — immediately deactivate accounts in identity providers (SSO, Active Directory) to cascade access revocation
  • Revoke application access — remove access to SaaS applications, cloud consoles, code repositories, and internal tools
  • Recover assets — collect laptops, mobile devices, badges, hardware tokens, and other company property
  • Transfer ownership — reassign shared resources, documents, and project ownership
  • Remove from communication channels — remove from email distribution lists, Slack channels, and shared drives
  • Review privileged access — ensure any administrative or elevated access is fully revoked

Offboarding in compliance frameworks

  • SOC 2 — CC6.2 requires timely revocation of access when personnel leave
  • ISO 27001 — A.6.5 covers responsibilities after termination or change of employment
  • HIPAA — the Security Rule requires procedures for terminating access to ePHI when employment ends
  • PCI DSS — Requirement 8.1.3 mandates immediate revocation of access for terminated users

Best practices

  • Automate offboarding checklists triggered by HR termination events
  • Set a target of same-day access revocation for all departures
  • Conduct post-offboarding audits to verify no residual access remains
  • Document the offboarding process and retain evidence for audit review

How episki helps

episki tracks offboarding policies, links them to access control evidence, and provides checklists to ensure complete access revocation. Learn more on our compliance platform.

Related frameworks

soc2iso27001hipaapci

Related terms

access-controlleast-privilegejob-separation

Continue exploring

What is Access Control?

Glossary definition

episki vs Drata

See how we compare

What Makes a CISO Metric Actually Useful?

From the blog

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.
Start free trialBook a demo