Forgotten access is one of the easiest ways for someone to steal your data, cause damage, or commit fraud. A real example: an ex-employee at a Delhi logistics firm still had access to the vendor payment system six months after leaving; a competitor paid him to change supplier bank details, costing the company ₹22 lakhs before discovery. You also fail audits when customers or banks ask 'show us your offboarding process' and you can't. If you handle customer data and a breach happens, regulators ask 'did you remove the fired person's access' and if you didn't, penalties follow.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You don't have a process at all. When someone leaves, their manager might tell IT informally, or might not—no one tracks it, and people often discover old logins still work weeks or months later.
Initial
You have a rough offboarding list on paper or a spreadsheet, but it's incomplete and inconsistent. Sometimes IT removes access quickly, sometimes the manager forgets to notify IT, and you have no way to verify that access was actually removed.
Developing
You have a documented checklist for offboarding (email, systems, building access, software licenses) and the manager always tells IT when someone leaves. IT removes access within a few days, but no one verifies it actually worked or checks for orphaned accounts.
Defined
You have a formal offboarding procedure; the manager fills out a form or sends an email to IT with a deadline; IT removes access from all known systems within 24–48 hours. You do spot checks quarterly to make sure old accounts are really gone.
Managed
Offboarding is a documented, signed-off process with clear handover checklists. IT removes access on the same day or next day from all systems (email, drives, VPN, software, building badges). You have a quarterly audit of active user accounts across all systems to catch orphaned access.
Optimised
Offboarding is automated where possible (email suspension, VPN/system access removal on a scheduled date). You maintain a central access registry; when someone leaves, their access is removed from that registry and systems auto-sync. You audit all active accounts monthly, confirm in each system that departed users' accounts are disabled, and check sign-in logs for any activity after the departure date.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple offboarding checklist (email, Google Drive/OneDrive, ERP, VPN, WiFi, software, building key) and ask the manager to email IT when someone leaves, copying HR. Keep a log of these notifications. | HR Manager or Office Manager | 1 day |
| 1 → 2 | Move the checklist into a simple Google Form or printed form that HR fills out and gives to IT immediately on last day. IT signs off on each item when done (e.g. 'email disabled on 2025-01-15'). Store the signed forms in a folder. | IT person and HR Manager | 1 week |
| 2 → 3 | Set a deadline: access must be removed within 24–48 hours of the form submission. Do a spot check every 3 months: pick 3–4 recent departures, confirm in each admin console that the account is disabled, and check the sign-in logs for any successful login after their last day. Do not try to sign in as the ex-employee: you should not have their password, and a failed attempt with a guessed password proves nothing. Document the results. | IT person | 2–4 weeks |
| 3 → 4 | Create a master list of all active user accounts across email, drives, VPN, ERP, and any other system. After each offboarding, mark the person as 'removed' in that list. Run a full audit quarterly: compare the active account list against the current employee roster and flag mismatches. | IT person | 1–2 months |
| 4 → 5 | Automate offboarding where the system allows (e.g. email systems can suspend accounts on a date; VPN access can be revoked via scripts; sync the master access registry monthly to detect orphaned accounts automatically). Test quarterly that the automation is working. | IT person (or outsourced IT vendor) | Ongoing (maintenance every month) |
Documents and records that prove your maturity level.
- A signed or logged offboarding checklist for every employee departure in the last 12 months, showing what access was removed and when
- A master list or registry of all active user accounts (email, systems, VPN, software) with the date each was created and last verified
- Records of at least one quarterly or annual audit comparing active accounts to the current employee roster, with notes on any orphaned accounts found and removed
- A documented offboarding procedure or policy (even one page) that says who does what and by when
- IT change logs or email confirmations showing when access (email, VPN, system login) was disabled for at least 3 recent departures
Prepare for these questions from customers or third-party reviewers.
- "Walk me through your process when an employee leaves. Who notifies IT, when, and how do you verify access is actually removed?"
- "Show me offboarding records for the last 5 people who left. How long after their last day was their email actually disabled?"
- "Do you have a list of all active user accounts? How often do you compare it to your current employee roster to find old accounts?"
- "Can you prove that a former employee's VPN, email, and system access no longer works? Can you show me a test or log?"
- "What happens if a manager forgets to tell IT someone is leaving? How do you catch that?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Track and manage offboarding checklists and deadlines | Google Forms + Google Sheets (set up a form that feeds into a sheet, use conditional formatting to flag overdue removals) | Workday, SAP SuccessFactors, or local HR software (₹5,000–50,000/year depending on company size) |
| Monitor active user accounts and detect orphaned logins | Manual audit using the Google Workspace Admin console, Microsoft 365 admin center, or each system's own user list (built-in, no extra cost) | Okta, Microsoft Entra ID (formerly Azure AD) sign-in and user reports, or identity governance tools (₹20,000–2,00,000/year) |
| Schedule and automate access removal on a specific date | Account expiry dates in Active Directory; scheduled scripts against the Google Workspace or Microsoft 365 admin APIs to suspend a user or block sign-in on the last day; SSH scripts for on-premise servers | Identity lifecycle management platforms such as Okta Lifecycle Management or Microsoft Entra ID Governance; Delinea (formerly Thycotic) or Keeper for vaulting and rotating shared and privileged credentials the person knew (₹50,000–5,00,000/year for small businesses) |
- The manager tells HR, HR tells the office admin, the admin forgets to email IT, and weeks go by with the person still having access. Fix: require a single signed-off form or email that goes directly to IT and HR.
- Access is removed from email but not from the ERP, shared drive, or VPN because IT only removes from the systems they think of. Fix: use a mandatory checklist covering every single system.
- No one verifies that access was actually removed: IT says 'done' but the old login still works. Fix: require IT to attach evidence for each item, such as a screenshot of the disabled account in the admin console or the audit-log entry for the disable action, and to check the sign-in log for any successful login after the last day.
- Contractors, part-time workers, or temporary staff access is often forgotten because they're not in the regular HR offboarding process. Fix: explicitly include contractors in your checklist and set automatic expiry dates for contractor accounts.
- Building access cards and physical keys are left with the employee, or returned but not deactivated, while system access is removed. Fix: make physical access part of the same checklist as digital access.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(5): a Data Fiduciary must protect personal data by taking reasonable security safeguards to prevent a personal data breach; access that is not revoked on departure is a failure of those safeguards |
| CERT-In Directions (28 April 2022) | Direction (iv): logs of all ICT systems must be enabled and retained for a rolling period of 180 days, which is what makes post-departure account activity auditable; Direction (ii): incidents, including unauthorised access, must be reported within six hours |
| ISO 27001:2022 | Annex A 5.15 (Access control), A 5.16 (Identity management), A 5.18 (Access rights: removal or adjustment on termination or change of role), A 6.5 (Responsibilities after termination or change of employment), A 5.11 (Return of assets, including badges and keys) |
| NIST CSF 2.0 | Govern (GV.PO): access policy; Protect (PR.AA-01: identities and credentials managed; PR.AA-05: access permissions and entitlements defined, managed, enforced and reviewed under least privilege) |