Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Procedure

Joiner & Leaver Procedure

Same checklist, every time.

Most access problems start with inconsistent joiner and leaver processes. This is a procedure, not a policy — a checklist that runs every time someone joins or leaves.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

New joiner — pre day-1

  • Account created, correct licence.
  • Role decided — RBAC group assigned.
  • Hardware provisioned: laptop encrypted, EDR installed, OS patched, MDM enrolled.
  • MFA enrolment instructions ready.
  • Welcome doc ready.

New joiner — day 1

  • MFA enrolled — authenticator app, not SMS.
  • Password manager invited.
  • Walked through key policies.
  • Added to relevant Teams, SharePoint sites, shared inboxes.

New joiner — first week

  • 15-minute phishing brief.
  • Access audit.
  • Added to the tools register.
  • Signed policies on file.

Leaver — one week before

  • Map every system they have access to.
  • Identify what they own.
  • Plan email forwarding.

Leaver — day of departure

  • Microsoft 365 / Google account disabled (not deleted).
  • MFA enrolment revoked.
  • All sessions signed out.
  • Shared / admin passwords changed.
  • Email forwarding set.
  • Company devices collected.
  • Building access revoked.
  • Removed from external SaaS and supplier systems.

Leaver — within a week

  • Shared-drive ownership reassigned.
  • External SaaS deactivations completed.
  • Suppliers notified.
  • Tools register updated.

Leaver — after 30 days

  • Email forwarding turned off.
  • Mailbox archived per retention.

Sign-off

Each joiner and leaver process is signed off by [Named Manager].

Tips for adoption

  • Use the same checklist every time.
  • Disable, don't delete.
  • Audit external SaaS — the most commonly forgotten.