Watertight Offboarding in 12 Steps

Someone is leaving. In SMEs, this is where most data breaches begin. Here is a checklist that covers what you actually need to do — with deadlines, owners, and pitfalls.

For onboarding, business owners happily schedule 3 hours. For offboarding, it's often 20 minutes on the last day. That's where things go wrong.

The 12 steps — in order of importance

\n
1. Disable first, delete later. On the last working day: set the account to disabled, not deleted. You may still need to read emails or recover files.
\n
2. Revoke privileged access immediately. Global Admin, AWS root, accounting admin — those go straight away, not on the final day. See privileged access.
\n
3. Change shared passwords. Everything in your password vault this person had access to. Yes, all of it. See shared password management.
\n
4. Set up email forwarding. To the manager or successor, for 30 days. See email forwarding after departure.
\n
5. Set an auto-reply. "I no longer work here. Please contact X."
\n
6. Collect the laptop. See device retrieval.
\n
7. Disable MFA tokens. Authenticator apps, hardware tokens, SMS numbers.
\n
8. Revoke individual SaaS accounts. Everything not covered by SSO (see SaaS inventory).
\n
9. Hand over clients and projects. See client handover.
\n
10. Transfer vault items.
\n
11. 30 days later: archive email and delete the account. See the 30-day rule.
\n
12. Log what you did. One page per offboarding, kept as audit evidence.
\n

Who does what?

HR triggers the process. IT / office manager executes it. The line manager handles the client and project handover. Leadership signs off on steps 1–3 (the high-impact ones).

Make it a process, not just a checklist

Set it up as a process in your tool, with each step assigned an owner, an SLA, and required evidence.

Further reading: legal framework, onboarding-offboarding parity, script for the last working day.