Most access problems start with inconsistent joiner and leaver processes. This is a procedure, not a policy — a checklist that runs every time someone joins or leaves.
How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.
New joiner — pre day-1
- Account created, correct licence.
- Role decided — RBAC group assigned.
- Hardware provisioned: laptop encrypted, EDR installed, OS patched, MDM enrolled.
- MFA enrolment instructions ready.
- Welcome doc ready.
New joiner — day 1
- MFA enrolled — authenticator app, not SMS.
- Password manager invited.
- Walked through key policies.
- Added to relevant Teams, SharePoint sites, shared inboxes.
New joiner — first week
- 15-minute phishing brief.
- Access audit.
- Added to the tools register.
- Signed policies on file.
Leaver — one week before
- Map every system they have access to.
- Identify what they own.
- Plan email forwarding.
Leaver — day of departure
- Microsoft 365 / Google account disabled (not deleted).
- MFA enrolment revoked.
- All sessions signed out.
- Shared / admin passwords changed.
- Email forwarding set.
- Company devices collected.
- Building access revoked.
- Removed from external SaaS and supplier systems.
Leaver — within a week
- Shared-drive ownership reassigned.
- External SaaS deactivations completed.
- Suppliers notified.
- Tools register updated.
Leaver — after 30 days
- Email forwarding turned off.
- Mailbox archived per retention.
Sign-off
Each joiner and leaver process is signed off by [Named Manager].
Tips for adoption
- Use the same checklist every time.
- Disable, don't delete.
- Audit external SaaS — the most commonly forgotten.