Cubit Cyber
Cyber Security for Australian SMEs
cubitcyber.com
Employee IT Offboarding Checklist
Security Checklist


Run this checklist on every departure. The average employee has 31 work-related accounts. Miss one, and it stays open indefinitely.

How to use this checklist: Assign to your IT lead or operations manager. Complete Phase 1 on the employee's final day. Phases 2 and 3 have 24-hour and 30-day deadlines respectively. Sign off and file for your audit trail.
Employee Details
Employee Name
Role / Department
Last Working Day
Checklist Completed By
Phase 1
Immediate Actions
Day of departure: within 2 hours
Disable primary identity account
Disable the account in your identity provider (Microsoft Entra ID, Google Workspace Admin, or Okta). This blocks new sign-ins to every SSO-connected app in one action; tokens that were already issued are dealt with in the next step. Do not delete yet: later phases still need the account for ownership transfer and the mailbox handover.
Force sign-out of all active sessions
In Microsoft 365: Microsoft Entra admin center > Users > the user > Revoke sessions. In Google Workspace: Admin console > Users > the user > Security > Sign-in cookies > Reset. This invalidates refresh tokens and browser sessions, which signs the user out of their own phone and home PC as well as company devices. An access token that has already been issued keeps working until it expires (up to about an hour in Microsoft 365), which is why this step follows the account disable rather than replacing it.
Revoke VPN and remote desktop access
VPN credentials are often managed separately from your identity provider. Revoke in your VPN console (Cisco, Fortinet, etc.) and disable any remote desktop user accounts.
Reset all shared account passwords
Change passwords on: social media accounts, shared departmental inboxes, shared folders, and any other credentials the employee had access to. Also rotate any API keys or service tokens they could have copied; these are not tied to the employee's identity and survive the account disable. Check your password manager for the full list.
Deactivate physical access
Disable building access card, server room codes, and alarm PIN. Collect any physical keys issued to the employee.
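The identity steps of Phase 1 for a Microsoft 365 tenant, written as an added example that is not part of the Cubit Cyber checklist. It uses the Microsoft Graph PowerShell SDK so that each action is recorded and read back rather than clicked. It assumes the Microsoft.Graph module is installed, that your account can update users and revoke sessions (User Administrator is enough for non-admin leavers; admin leavers need a higher role to reset the password), and $Upn is a placeholder for the leaver's sign-in name.

```powershell
# Added example, not from the Cubit Cyber checklist: Phase 1 identity actions in
# Microsoft 365 via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; role able to update users and
# revoke sessions; $Upn is a placeholder for the leaver's sign-in name.
param(
    [Parameter(Mandatory)] [string] $Upn   # e.g. jane.citizen@example.com.au (placeholder)
)

# Directory.ReadWrite.All covers revokeSignInSessions; the narrower
# User.RevokeSessions.All scope also works on current tenants.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome

$user = Get-MgUser -UserId $Upn -Property Id, DisplayName, AccountEnabled, SignInSessionsValidFromDateTime
if (-not $user) { throw "No user found for $Upn" }
$before = $user.SignInSessionsValidFromDateTime

# 1. Block sign-in. SSO-connected apps can no longer obtain new tokens.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Invalidate refresh tokens and browser sessions on every device, including
#    the leaver's personal phone. Access tokens already issued still run until
#    they expire (about an hour), hence step 1 comes first.
$null = Revoke-MgUserSignInSession -UserId $user.Id

# 3. Rotate the password so a cached credential is useless if the account is
#    ever re-enabled (for example when the mailbox is converted to shared).
$chars = [char[]]((48..57) + (65..90) + (97..122))
$newPassword = (-join ($chars | Get-Random -Count 24)) + '!'
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}
$newPassword = $null   # nobody should sign in as the leaver again, so do not keep it

# 4. Read the state back and fail loudly if anything did not take effect.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled, SignInSessionsValidFromDateTime
if ($after.AccountEnabled) { throw "Account $Upn is still enabled" }
if ($after.SignInSessionsValidFromDateTime -le $before) { throw "Session revocation did not register for $Upn" }

# Record for the checklist file.
[pscustomobject]@{
    User            = $user.DisplayName
    Upn             = $Upn
    AccountEnabled  = $after.AccountEnabled
    SessionsRevoked = $after.SignInSessionsValidFromDateTime
    CompletedAtUtc  = (Get-Date).ToUniversalTime()
    CompletedBy     = (Get-MgContext).Account
}

# Still to do by hand in other consoles: VPN/RDP accounts, shared passwords,
# building access. Disabling the Entra account does not touch any of them.
```

Keep the object the script emits with the completed checklist; it records who did the revocation and when, which is what the Phase 3 sign-off asks for. Google Workspace and Okta have equivalent admin APIs, but the sequence (disable, then revoke sessions, then verify) is the same.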

Phase 2
Access Cleanup
Within 24 hours
Revoke OAuth grants
In your Google or Microsoft admin portal, review and revoke third-party app permissions. A consent grant is not removed when the account is disabled: the record persists, and an app holding a refresh token can resume access if the account is ever re-enabled. Forgotten grants are a common source of ghost access.
Audit shadow IT accounts
Search the employee's email archive for sign-up confirmations and password reset emails from business tools. Reset or close each account found. Common finds: project tools, design apps, CRMs, AI tools.
Transfer ownership of critical assets
Before closing the account, transfer ownership of: domain registrations, DNS management, the AWS root account and Azure subscription owner / Global Administrator roles (including the MFA device registered for them, which is often the employee's phone), social media admin roles, project management workspaces, shared password manager entries.
Review pre-departure access logs
Check activity in the 5-7 days before departure. Flag: large file downloads, bulk CRM exports, access outside normal hours. If sensitive client data was accessed unusually, assess your obligations under the Australian Privacy Act.
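The pre-departure review for a Microsoft 365 tenant, as an added example that is not part of the Cubit Cyber checklist. It pulls the leaver's SharePoint and OneDrive file activity from the unified audit log for the week before departure and flags the two patterns named above: bulk downloads and out-of-hours access. It assumes the ExchangeOnlineManagement module is installed, unified audit logging is enabled, and your role can run Search-UnifiedAuditLog (Audit Reader or View-Only Audit Logs). The download threshold, business hours and the assumption that the admin and the leaver share a time zone are placeholders to adjust.

```powershell
# Added example, not from the Cubit Cyber checklist: flag bulk downloads and
# out-of-hours activity in the week before departure from the M365 audit log.
# Assumptions: ExchangeOnlineManagement installed; auditing enabled; the
# thresholds and business hours below are illustrative placeholders.
param(
    [Parameter(Mandatory)] [string]   $Upn,
    [Parameter(Mandatory)] [datetime] $LastDay,
    [int]    $LookbackDays      = 7,
    [int]    $DownloadThreshold = 50,    # downloads in one day that earn a flag (assumed)
    [int]    $BusinessStart     = 7,     # 07:00-19:00 local treated as normal (assumed)
    [int]    $BusinessEnd       = 19,
    [string] $OutFile           = "offboarding-$Upn-audit.csv"
)

Connect-ExchangeOnline -ShowBanner:$false

$start = $LastDay.Date.AddDays(-$LookbackDays)
$end   = $LastDay.Date.AddDays(1)
# SharePoint/OneDrive operations that move files off the tenant.
$ops   = 'FileDownloaded', 'FileSyncDownloadedFull', 'FileCopied'

# Page through the results; a single call returns at most 5000 records.
$sessionId = "offboard-$Upn-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn `
        -Operations $ops -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# Flatten the AuditData JSON blob into the fields worth reading.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $r.CreationDate
        TimeLocal = $r.CreationDate.ToLocalTime()   # assumes admin and leaver share a time zone
        Operation = $r.Operations
        Object    = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

# Flag 1: bulk downloads, counted per local calendar day.
$bulkDays = $events |
    Where-Object { $_.Operation -in 'FileDownloaded', 'FileSyncDownloadedFull' } |
    Group-Object { $_.TimeLocal.ToString('yyyy-MM-dd') } |
    Where-Object { $_.Count -ge $DownloadThreshold }
foreach ($g in $bulkDays) {
    Write-Warning ("{0}: {1} file downloads (threshold {2})" -f $g.Name, $g.Count, $DownloadThreshold)
}

# Flag 2: anything outside business hours or on a weekend.
$offHours = $events | Where-Object {
    $h = $_.TimeLocal.Hour
    $h -lt $BusinessStart -or $h -ge $BusinessEnd -or $_.TimeLocal.DayOfWeek -in 'Saturday', 'Sunday'
}
foreach ($e in $offHours) {
    Write-Warning ("{0:yyyy-MM-dd HH:mm} {1} {2} from {3}" -f $e.TimeLocal, $e.Operation, $e.Object, $e.ClientIP)
}

# Keep the full extract with the checklist; it is the evidence base if you have
# to assess a Privacy Act notification.
$events | Sort-Object TimeUtc | Export-Csv -NoTypeInformation -Path $OutFile

[pscustomobject]@{
    Upn              = $Upn
    Window           = "{0:yyyy-MM-dd} to {1:yyyy-MM-dd}" -f $start, $LastDay
    Events           = @($events).Count
    BulkDownloadDays = @($bulkDays).Count
    OffHoursEvents   = @($offHours).Count
    Extract          = $OutFile
}
```

Bulk CRM exports and downloads from tools outside Microsoft 365 do not appear in this log; check those systems' own export or audit reports for the same window. A flag from this script is a reason to look closer, not a finding on its own: a planned handover often involves a burst of downloads on the last day.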
Secure the email account
Convert to a shared mailbox (Microsoft 365) or set up delegation (Google Workspace). Forward to manager. Set an auto-reply directing contacts to the replacement. Do not delete yet.
Remove from email groups, Slack, and calendars
Remove from distribution lists, Slack/Teams workspaces, shared calendars, and any communication channels with access to internal or client information.
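The Microsoft 365 side of the Phase 2 cleanup (OAuth grant revocation, group removal, and the shared-mailbox handover described above) in one reviewable script, as an added example that is not part of the Cubit Cyber checklist. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the account was already disabled in Phase 1, and that $Upn and $ManagerUpn are placeholders. Run it without -Commit first; in that mode it only reports what it would change.

```powershell
# Added example, not from the Cubit Cyber checklist: Phase 2 cleanup in
# Microsoft 365: revoke OAuth consent grants, strip group memberships, and hand
# the mailbox to the manager as a shared mailbox.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement installed; the
# account was disabled in Phase 1; $Upn and $ManagerUpn are placeholders.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [Parameter(Mandatory)] [string] $ManagerUpn,
    [string] $AutoReply = "This mailbox is no longer monitored. Please contact $ManagerUpn.",
    [switch] $Commit    # without -Commit the script only reports what it would change
)

Connect-MgGraph -NoWelcome -Scopes 'User.Read.All', 'Application.Read.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'GroupMember.ReadWrite.All'

$user = Get-MgUser -UserId $Upn -Property Id, DisplayName, AccountEnabled
if ($user.AccountEnabled) { throw "Finish Phase 1 first: $Upn can still sign in." }
$mode = if ($Commit) { 'REVOKE' } else { 'would revoke' }

# 1. OAuth grants: consent the user gave to third-party apps. These survive the
#    account disable and come back to life if the account is ever re-enabled.
foreach ($grant in Get-MgUserOauth2PermissionGrant -UserId $user.Id -All) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId -Property DisplayName, AppOwnerOrganizationId
    "$mode grant: '$($app.DisplayName)' scopes [$($grant.Scope)]"
    if ($Commit) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id }
}

# 2. Group memberships: Teams, security and Microsoft 365 groups via Graph.
#    Exchange distribution lists and mail-enabled security groups reject Graph
#    removals, so those fall back to the Exchange cmdlet in step 3.
$exchangeGroups = @()
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($grp in $groups) {
    $name = $grp.AdditionalProperties['displayName']
    "$mode membership: '$name'"
    if (-not $Commit) { continue }
    try {
        Remove-MgGroupMemberByRef -GroupId $grp.Id -DirectoryObjectId $user.Id -ErrorAction Stop
    } catch {
        $exchangeGroups += $name   # dynamic groups also land here; they recalculate on their own
    }
}

# 3. Exchange-side removals and the mailbox handover. Sign-in stays blocked;
#    the manager gets full access plus forwarding, and contacts get an auto-reply.
Connect-ExchangeOnline -ShowBanner:$false
foreach ($name in $exchangeGroups) {
    try { Remove-DistributionGroupMember -Identity $name -Member $Upn -Confirm:$false -ErrorAction Stop }
    catch { Write-Warning "Could not remove $Upn from '$name': $($_.Exception.Message)" }
}
if ($Commit) {
    Set-Mailbox -Identity $Upn -Type Shared
    Set-Mailbox -Identity $Upn -ForwardingAddress $ManagerUpn -DeliverToMailboxAndForward $true
    Add-MailboxPermission -Identity $Upn -User $ManagerUpn -AccessRights FullAccess -AutoMapping $true
    Set-MailboxAutoReplyConfiguration -Identity $Upn -AutoReplyState Enabled -ExternalAudience All `
        -InternalMessage $AutoReply -ExternalMessage $AutoReply
    "Mailbox $Upn is now shared, forwarded to $ManagerUpn, with auto-reply set."
} else {
    "would convert $Upn to a shared mailbox forwarded to $ManagerUpn"
}
```

A shared mailbox under 50 GB needs no licence, so the Exchange licence can be reclaimed in Phase 3 once the conversion has completed. Slack and other tools outside the tenant still need their own removal steps.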

Phase 3
Closeout
Within 30 days
Reclaim all licensed SaaS seats
Remove from all paid subscriptions and reclaim the licence. Audit your full SaaS list against your password manager. Unreclaimed seats are a direct ongoing cost.
Archive and close the email mailbox
Schedule this now. Once the forwarding period ends (30-90 days is typical), archive the mailbox in line with your data retention policy. Delete the account only after confirming all data has been transferred.
Recover and wipe company devices
Collect laptop, phone, and any other company hardware on the final day, even though the wipe can wait for this phase. If the Phase 2 log review flagged anything, take a forensic image of the device before it is wiped. For BYOD devices, use your MDM to perform a selective (corporate-only) wipe, which removes managed apps and company data and leaves personal data intact. Wipe and re-image collected hardware before redeployment.
Document and file the completed checklist
Record: every access point revoked, the date revoked, and who completed each step. File alongside the employee's HR record. This is your audit trail for compliance purposes.
Sign-off
Completed By (Name)
Date Completed
Notes / Exceptions