Procedure

Joiner & Leaver Procedure

Same checklist, every time. Stops “why does Sam still have access” three years later.

Most access problems start with inconsistent joiner and leaver processes. This is a procedure, not a policy — a checklist that runs every time someone joins or leaves.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

New joiner — pre day-1

  • Account created (Microsoft 365 / Google), correct licence.
  • Role decided — RBAC group assigned. Access by role, not by cloning a colleague.
  • Hardware provisioned: laptop encrypted, EDR installed, OS patched, MDM enrolled.
  • MFA enrolment instructions ready.
  • Welcome doc ready (tools, who's who, how to ask for help, link to Information Security Policy).

New joiner — day 1

  • MFA enrolled — authenticator app, not SMS.
  • Password manager invited and accepted.
  • Walked through: Acceptable Use, Password, AI Acceptable Use policies.
  • Added to relevant Teams, SharePoint sites, shared inboxes.
  • Email signature set up.

New joiner — first week

  • 15-minute phishing & social engineering briefing.
  • Access audit: confirmed they have only what they need.
  • Added to the tools register.
  • Signed acknowledgement of policies on file.

Leaver — one week before

  • Map every system they have access to.
  • Identify files, dashboards, shared inboxes they own. Brief their manager on handover.
  • Plan email forwarding — who, for how long.

Leaver — day of departure

  • Microsoft 365 / Google account disabled (not deleted — you may need the mailbox).
  • MFA enrolment revoked.
  • All sessions signed out.
  • Shared / admin passwords they knew are changed.
  • Email forwarding set to manager.
  • Company devices collected and reset; BYOD work container wiped.
  • Building access (keys, fobs, alarm code) revoked.
  • Removed from external supplier systems and SaaS tools.

Leaver — within a week

  • Shared-drive / SharePoint ownership reassigned.
  • External SaaS deactivations completed (Xero, HubSpot, Mailchimp, etc.).
  • Suppliers notified to update contact records.
  • Tools register updated.

Leaver — after 30 days (or per retention policy)

  • Email forwarding turned off.
  • Mailbox archived per retention.

Sign-off

Each joiner and leaver process is signed off by [Named Manager]. A copy of the completed checklist is filed against the employee record.

Tips for adoption

  • Use the same checklist every time, even for short-term contractors.
  • Disable, don't delete — you often need the mailbox.
  • Audit external SaaS — they're the most commonly forgotten.