A.7.3 Human Resource Security
I have been going through the documentation but it seems to be incomplete. I started looking at Human Resource Security and it appears that A.7.3 is missing. It is listed in the Statement of Applicability but missing from the document area A.7 (A.7.1 and A.7.2 are there, but not A.7.3). I haven't checked other areas as yet, but are there likely to be other gaps?
Section A.7.3 of ISO 27001 has only one control, A.7.3.1, which requires that information security responsibilities remain valid after the change or termination of a contract. Therefore, to implement this control you need to insert a legal clause in your agreements stating that the information security responsibilities you have agreed on remain in force after you cancel these agreements.
The point is that for such a legal clause you do not need a template for a policy or a procedure; this is why we did not include it in the toolkit.
It is important to go through the template for the Statement of Applicability because it very precisely suggests which document to write or which activity you need to perform to become compliant with each and every control. For example, for control A.7.3.1 you will find the suggestion that I mentioned above.
We have double-checked the toolkit numerous times to make sure it covers all mandatory documents and all activities that must be done to become fully compliant with the standard. It is important that you follow the steps indicated in the toolkit and watch the video tutorials that you got with the toolkit to understand how it is used.
Hello Dejan,
I understand what you are saying, that it is not mandatory, but as our HR is in the process of writing an exit policy, I would like some guidance as to what should be mentioned under A.7.3.1 "Termination or change of employment responsibilities".
Do you have some example templates?
I would like thoughts about best practices to include in an exit policy (i.e. points of attention when an employee leaves the company). The description of the control confuses me: "Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced."
Confusing in the sense that this seems to talk about specifying what needs to remain active, and not what needs to be addressed when leaving (i.e. what does not remain active).
Does anyone in this forum have examples?
Please note that this control seems incomplete because an Exit Policy would cover at least these controls:
- A.7.3.1 "Termination or change of employment responsibilities"
- A.8.1.4 "Return of assets"
- A.9.2.1 "User registration and de-registration"
Considering these controls, and ISO 27002, a supporting standard which provides guidelines for the implementation of ISO 27001 Annex A controls, in terms of information security you should consider:
- reminding the former employee of the clauses signed in confidentiality agreements and employment contracts (e.g., not to disclose information, or not to work for competitors, for a defined period, etc.)
- communicating with other employees, customers, and contractors about the change in the status of the former employee
- ensuring the return of all physical and electronic assets in the possession of the former employee that belong to the organization or are under the organization's responsibility
- disabling or removing the user IDs of former employees
Please also note that control A.7.3.1 also covers the case when an employee changes position within the company, so you might address such a scenario through a different policy.
These articles will provide you with further explanation about employment contracts and termination or change of employment:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
- What to consider in case of termination or change of employment according to ISO 27001 https://advisera.com/27001academy/blog/2018/09/03/what-to-consider-in-case-of-termination-or-change-of-employment-according-to-iso-27001/
Jun 03, 2020