psjenkins/ISMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5eade2d99bef262cef5be6d01dc0bbbc9119b82e
ISMS/03-procedures/joiner-mover-leaver-procedure.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

3.1 KiB
Raw Blame History

Title: Joiner Mover Leaver Procedure Document ID: [PROC-JML-001] Version: 0.1 Draft Status: Draft Owner: CISO (Paul Jenkins) Approver: CISO (Paul Jenkins) Classification: Internal Effective date: [DD Month YYYY] Review date: [DD Month YYYY]

Joiner Mover Leaver Procedure

Purpose

This procedure defines how BlackDice should provision, change, and remove access when personnel join, change role, or leave.

Scope

This procedure applies to employees, contractors, temporary workers, and other individuals granted access to in-scope systems, services, information, or facilities.

Trigger / When Used

Use this procedure when:

  • a new starter requires access
  • an existing worker changes role, team, or privilege level
  • a worker leaves the organisation or no longer requires access
  • emergency access changes are needed due to risk or incident

Procedure Steps

  1. Receive an authorised joiner, mover, or leaver request from the appropriate manager or approved source.
  2. Confirm the individual's identity, status, start or end date, and the business justification for access.
  3. Determine the required access profile based on role, least privilege, and segregation considerations.
  4. Provision, modify, or remove access in relevant systems, including identity platforms, endpoints, cloud services, repositories, support systems, and facilities as applicable.
  5. Apply stronger controls or additional review for privileged, production, cloud administration, CI/CD, or customer-sensitive access.
  6. Confirm that access changes have been completed and notify the requester or manager.
  7. Record the activity and retain evidence of approval and completion.
  8. For leavers, ensure access removal is completed promptly and that any assigned assets or credentials are returned, revoked, or disabled.

Inputs

  • authorised access request
  • start date, role change date, or leaving date
  • approved role profile or access requirements
  • asset assignment information where relevant

Outputs / Records

  • access provisioning or deprovisioning record
  • approval evidence
  • updated account and access status
  • returned asset or credential record where relevant

Roles and Responsibilities

  • Managers must submit timely and accurate requests.
  • [Role] or designated administrators must process access changes and retain records.
  • System owners must support role-appropriate access where local approval is required.
  • Individuals subject to this procedure must return assets and comply with security obligations.

Escalation / Exceptions

Escalate immediately where:

  • privileged or sensitive access cannot be removed on time
  • employment or contractor status is unclear
  • emergency suspension of access is required
  • requested access exceeds normal role expectations

Exceptions must be documented, risk-assessed, and approved through the exception process.

Related Documents

  • Access Control Policy
  • Human Resources Security Policy
  • Identity and Authentication Standard
  • Access Review Procedure

Version Control

Version Date Description of Change Author
0.1 Draft [DD Month YYYY] Initial draft. [Name or Role]
Reference in New Issue View Git Blame Copy Permalink