If former vendors keep access to your systems, they can steal customer data, modify business records, or cause damage—whether by accident or on purpose. A common Indian scenario: a web developer you hired for 3 months leaves but still has password access to your e-commerce site; six months later, the site is defaced and customer credit card data is compromised, leading to RBI warnings and customer lawsuits. You also fail customer audits (many large Indian companies and exporters now check vendor security), lose contracts, and may face regulatory action from CERT-In or the Data Protection Board.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You have no formal process. When vendors leave, someone might remember to change a password or tell them to log out, but there's no checklist and no one tracks who had access or when it was removed.
- Initial: You have an informal understanding that vendors should be removed, and most of the time someone asks them to return keys or passwords when they leave, but there's no documented process or verification that access is actually gone.
- Developing: You have a written checklist of systems to disable when a vendor leaves (email, file shares, VPN, etc.), and your IT person manually removes access when informed, but you don't track when access was removed or verify it's actually gone.
- Defined: You have a documented offboarding process for all vendors with defined responsibility, a sign-off sheet showing when access was removed from each system, and someone spot-checks that access is actually gone after removal.
- Managed: Your offboarding process is automated where possible (e.g., disabling accounts in Active Directory automatically at contract end date), tracked in a log with dates and evidence, and reviewed quarterly to find any overlooked vendor accounts.
- Optimised: You have fully automated vendor access lifecycle management integrated with your contract management system, continuous monitoring to detect any old vendor accounts still active, regular audits with third-party verification, and automated alerts if someone tries to use a disabled vendor account.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple one-page vendor offboarding checklist listing all systems where vendors might have access (email, file shares, software tools, WiFi, door access, VPN), print it, and keep one copy with your contracts | Business owner or office manager | 2 hours |
| 1 → 2 | Write down your vendor offboarding process as a documented procedure (1-2 pages), specify who is responsible for removing access from each system, and have the IT person sign off on completion with date and time | IT person with business owner approval | 1 day |
| 2 → 3 | Create a vendor access log (Excel sheet or simple database) that records: vendor name, systems they accessed, date access was granted, date contract ended, date access was removed, and who verified removal | IT person | 3-5 days |
| 3 → 4 | Set up automatic account disablement in your main system (Active Directory or Google Workspace) by linking contract end dates, create a monthly report of disabled accounts, and test that disabled accounts actually cannot log in | IT person with possible help from software vendor | 3-4 weeks |
| 4 → 5 | Integrate vendor management system with access control tools, set up automated alerts for any login attempts from disabled vendor accounts, conduct quarterly external audits of vendor access, and maintain a dashboard visible to management | IT person and external security consultant | Ongoing (monthly maintenance, quarterly audits) |
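As an added example (not code from the original page or the NIRMATA assessment), a Python reconciliation of the vendor access log from step 2 → 3 against an export of still-enabled accounts, producing the findings the quarterly review in step 3 → 4 is meant to surface. The log rows, account names, export format and review date are all constructed for illustration.

```python
import csv
from datetime import date, datetime
from io import StringIO

# Constructed sample of the vendor access log from step 2 -> 3: one row per vendor and system;
# 'removed' and 'verified_by' stay empty until offboarding has been verified.
VENDOR_LOG = """vendor,account,system,granted,contract_end,removed,verified_by
WebDev Co,webdev,ecommerce-admin,2024-01-10,2024-04-10,2024-04-10,Priya
WebDev Co,webdev,vpn,2024-01-10,2024-04-10,,
Tax Consultant,taxcons,file-share,2024-02-01,2024-03-29,2024-04-01,Ravi
Cloud Support,cloudsup,google-workspace,2024-03-01,2024-09-30,,
"""

# Constructed export of accounts still enabled, as (system, account) pairs; in practice this
# comes from Active Directory, Google Workspace or the VPN / file-share admin console.
ENABLED_ACCOUNTS = {
    ("vpn", "webdev"),
    ("google-workspace", "cloudsup"),
    ("file-share", "designer"),  # no log row at all: a vendor nobody told IT about
}

def parse_log(text):
    """Parse the CSV log; empty date cells become None."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        for col in ("granted", "contract_end", "removed"):
            row[col] = datetime.strptime(row[col], "%Y-%m-%d").date() if row[col] else None
        rows.append(row)
    return rows

def review_vendor_access(rows, enabled, today):
    """Quarterly review: ghost accounts, removal delays, and enabled accounts with no log row."""
    findings = {"ghost": [], "risk_window_days": {}, "untracked": []}
    logged = set()
    for r in rows:
        key = (r["system"], r["account"])
        logged.add(key)
        if r["removed"] is None and r["contract_end"] < today:
            # Contract ended, nothing recorded: True = live ghost account, False = removed but undocumented.
            findings["ghost"].append((r["vendor"], r["system"], key in enabled))
        elif r["removed"] is not None:
            # Days between contract end and removal: the Friday-to-Monday risk window.
            findings["risk_window_days"][(r["vendor"], r["system"])] = (r["removed"] - r["contract_end"]).days
    findings["untracked"] = sorted(k for k in enabled if k not in logged)
    return findings

def review_sample(today=date(2024, 6, 30)):
    """Run the review over the constructed data (a fixed date keeps the result reproducible)."""
    return review_vendor_access(parse_log(VENDOR_LOG), ENABLED_ACCOUNTS, today)

if __name__ == "__main__":
    print(review_sample())
```

A finding in "ghost" with False means access was removed but never written down, which is exactly the evidence gap an auditor will ask about.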
Documents and records that prove your maturity level.
- Written vendor offboarding procedure or checklist document, signed and dated by IT person and manager
- Vendor access log or spreadsheet showing: vendor name, contract end date, systems accessed, and date access was removed with sign-off
- Screenshots or export showing disabled/inactive vendor accounts in your main systems (email, file sharing, VPN, etc.) with disablement dates
- At least 3 examples of completed offboarding forms or checklists from recent vendor departures, signed by the person who verified access removal
- Audit trail or log from your IT system showing successful removal of vendor accounts from each platform where they had access
Prepare for these questions from customers or third-party reviewers.
- "Show me your vendor offboarding process. How do you know when a vendor's contract ends and their access should be removed?"
- "Give me a list of all vendor accounts that were active in the last 12 months and proof that access was removed for those who left. Can you show me a current list of active vendor accounts?"
- "Pick a vendor who left 6 months ago and show me evidence that their access to email, files, systems, and applications was actually removed. How did you verify this?"
- "What happens if a vendor's contract ends on a Friday and no one removes their access until Monday? Is there a risk window and how do you minimize it?"
- "Do you have any monitoring or alerting if a removed vendor account tries to log back in? Have you ever found and removed ghost accounts (old vendor accounts that were forgotten)?"
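An added example (not part of the original page) of the alerting the last question asks about: a Python check over a constructed, flattened export of Windows Security logon events that flags any activity on offboarded vendor accounts. Event IDs 4624/4625 and the NTSTATUS sub-status codes are real Windows values; the account names, addresses and one-line layout are constructed.

```python
import re
from collections import Counter

# NTSTATUS sub-status codes in Windows Security event 4625 (failed logon) that mean the
# account itself was refused, i.e. someone tried to use an offboarded account.
SUBSTATUS = {"0xC0000072": "account disabled", "0xC0000193": "account expired"}

# Vendor accounts whose contracts have ended; would be fed from the vendor access log.
OFFBOARDED = {"webdev", "taxcons"}

# Constructed sample export, one event per line in a simplified key=value layout
# (a real 4625 message is multi-line; assume the SIEM or CSV export flattened it).
SAMPLE_EVENTS = """\
2024-06-14T19:02:11 EventID=4625 TargetUserName=webdev SubStatus=0xC0000072 IpAddress=203.0.113.45
2024-06-14T19:02:40 EventID=4625 TargetUserName=webdev SubStatus=0xC0000072 IpAddress=203.0.113.45
2024-06-14T19:03:05 EventID=4625 TargetUserName=priya SubStatus=0xC000006A IpAddress=10.0.0.12
2024-06-15T08:10:00 EventID=4624 TargetUserName=taxcons SubStatus=- IpAddress=10.0.0.30
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split a flattened event line into a dict of its key=value fields plus 'time'."""
    time, rest = line.split(" ", 1)
    event = dict(FIELD.findall(rest))
    event["time"] = time
    return event

def vendor_alerts(text, offboarded):
    """Return (severity, account, message) tuples for activity on offboarded vendor accounts."""
    alerts, attempts = [], Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        user = ev["TargetUserName"].lower()
        if user not in offboarded:
            continue  # staff and active vendors are out of scope for this check
        if ev["EventID"] == "4624":
            # A successful logon on an offboarded account means access was never removed.
            alerts.append(("critical", user, f"successful logon from {ev['IpAddress']}: access was never removed"))
        elif ev["EventID"] == "4625" and ev["SubStatus"] in SUBSTATUS:
            # Refused because the account is disabled/expired: offboarding held, but someone
            # still holds the credentials, so count attempts per source for the alert.
            attempts[(user, ev["IpAddress"])] += 1
    for (user, ip), n in attempts.items():
        alerts.append(("warning", user, f"{n} attempt(s) on disabled/expired account from {ip}"))
    return alerts

if __name__ == "__main__":
    for alert in vendor_alerts(SAMPLE_EVENTS, OFFBOARDED):
        print(*alert)
```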
| Purpose | Free Option | Paid Option |
|---|---|---|
| Track vendor contracts and auto-remind when to offboard | Google Calendar + Google Sheets (basic vendor tracking with reminders); Frappe ERPNext Community Edition (open-source, self-hosted) | Zoho CRM or Zoho People (₹3,000–8,000/year for small team); HubSpot (free tier is limited) |
| Manage user accounts and disable access in bulk | Microsoft Active Directory (if using Windows); Google Workspace free plan limited to 5 accounts | Okta (₹20,000–50,000/year); Microsoft Azure AD Premium (₹5,000–15,000/year); Zoho Directory (₹2,000–5,000/year) |
| Log and monitor all user access changes and logins | Windows Event Viewer (built-in); Splunk Free (up to 500 MB/day); ELK Stack (open-source, requires setup) | Splunk Enterprise (₹50,000+/year); Datadog (₹15,000+/month); SolarWinds Access Rights Manager (₹30,000+/year) |
- Relying on vendors to 'self-deactivate' or saying 'just delete my account'—many forget or don't actually do it, and you have no proof
- Only removing email access but forgetting cloud tools (Google Drive, Dropbox, Slack), VPN, or physical access like WiFi or office keys, leaving multiple backdoors open
- No documentation of when access was removed, so during a later audit or breach investigation, you cannot prove vendors were ever offboarded, damaging your credibility with customers and regulators
- Lack of a centralized vendor list—different departments hire consultants and you lose track; the finance department forgets to tell IT, and access lingers for months
- Treating vendor offboarding as 'IT's job' with no accountability; if something goes wrong, no one owns it, and the process drifts
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Lawfulness of Processing) and Schedule 2 Part B (obligations to limit access to personal data to authorized personnel only) |
| CERT-In 2022 Guidelines | Guideline 6.2 (Access Control and User Management) - requirement to revoke access when employment or contract ends |
| ISO 27001:2022 | Annex A.5.3 (Segregation of Duties), A.8.1 (User Endpoint Devices), A.9.2.1 (User Registration and De-registration) |
| NIST CSF 2.0 | Govern (GV) and Manage (GM) functions; Identify (ID) and Protect (PR) categories for access control lifecycle |