
This. Have a solid offboarding checklist that includes VPN credentials or any access to systems that the employee might have. At this point I don’t have any sympathy for the hacked when it’s as simple as this.


It’s nearly always as simple as this. I got flamed on here for suggesting that Twitter just needs to follow NIST or similar standards to avoid the hack they had last year instead of hiring expert security researchers.


The offboarding checklist is not enough. You should have regular cleanup procedures which synchronize access with the main source of truth as well. There are too many exceptions and plain human errors for a time-constrained checklist execution to be enough.

A checklist is a 90% solution which might help here. Or it might have been the case where the checklist failed.
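The periodic reconciliation the comment above describes, as an added example that is not part of the thread: every system's account export is compared against the HR roster (the source of truth), and any account belonging to a departed person, or to nobody at all, is flagged for revocation. The roster, account lists and allowlist below are constructed sample data.

```python
"""Access reconciliation against the HR source of truth (constructed data)."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: the single source of truth for who is employed.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "end_date": date(2024, 3, 1)},
    "carol": {"status": "active"},
}

# Constructed per-system account exports: what each system actually grants.
SYSTEM_ACCOUNTS = {
    "vpn": ["alice", "bob", "dave", "svc-backup"],
    "email": ["alice", "carol", "bob"],
    "sso": ["alice", "carol"],
}

# Non-human accounts that are allowed to exist without an HR record.
SERVICE_ACCOUNT_ALLOWLIST = {"svc-backup"}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str


def reconcile(roster, accounts, allowlist, today):
    """Return one Finding per account that should not exist on a system."""
    findings = []
    for system, users in sorted(accounts.items()):
        for user in users:
            if user in allowlist:
                continue  # known service account, tracked elsewhere
            record = roster.get(user)
            if record is None:
                findings.append(Finding(system, user, "no HR record (orphaned account)"))
            elif record["status"] != "active":
                days = (today - record["end_date"]).days
                findings.append(Finding(system, user, f"terminated {days} days ago, access still present"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, SERVICE_ACCOUNT_ALLOWLIST, date(2024, 3, 31)):
        print(f"REVOKE {f.system:6s} {f.account:10s} {f.reason}")
```

Run on a schedule, an empty result is the check that the offboarding checklist actually worked; any line it prints is a revocation that was missed.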


Invalidating credentials should be a one-stop-shop action. There shouldn’t be “invalidate their email, invalidate their VPN, invalidate their corporate login...”


Exactly. If everything is based on SAML SSO this is easy. If you manage multiple user databases for access control it’s a bit harder.


This is a requirement for ISO 27002. Just had to implement an offboarding checklist recently.


Can you explain this? I thought ISO 27002 was implementation guidance for ISO 27001. No mandatory requirements; even the Annex A controls themselves aren’t mandatory.


Good point. At the company where I work, we have an ISO compliance team that converts that guidance into mandatory requirements. So the authority is coming from company policies rather than ISO itself.


Correct. Most companies won’t interpret and just mandate the guidance recommendations.
