IT Offboarding De-provisioning SOP
IT offboarding de-provisioning SOP for closing employee access, preserving business data, and collecting devices with audit-ready verification.
Built for: SaaS · Manufacturing · Healthcare · Financial Services · Professional Services
Overview
This IT Offboarding De-provisioning SOP template covers the controlled removal of a departing person's access across identity providers, business applications, endpoint tools, remote access services, and physical company assets. It also includes the preservation of business data, transfer of ownership for files and shared resources, and completion of an audit record that shows what was removed, when, and by whom.
Use this template when an employee, contractor, or privileged user leaves the organization, changes roles, or no longer has a need-to-know justification for an access path. It is especially useful when multiple systems are involved, when the exit is time-sensitive, or when you need evidence for internal audit, ISO 9001 documented information practices, or security review. The structure helps prevent common gaps such as leaving SSO, VPN, API tokens, mobile device trust, or local admin rights active after the primary account is disabled.
Do not use this SOP as a generic HR exit checklist or as a replacement for legal hold, disciplinary, or asset recovery procedures. If the person still needs temporary access for transition work, the SOP should be adjusted to preserve only the approved exceptions and document the expiration date. If the environment includes regulated systems, privileged accounts, or shared service credentials, add role-specific verification and escalation rules before execution.
Standards & compliance context
- The audit trail supports ISO 9001:2015 documented information expectations by showing who performed each step, when it occurred, and what evidence was retained.
- The access removal sequence aligns with common ITIL service closure and identity lifecycle practices by closing the request, verifying completion, and documenting exceptions.
- Where hazardous or regulated operations depend on system access, the verification and escalation steps help demonstrate controlled removal of permissions consistent with OSHA-style procedural discipline.
- If your organization uses security or privacy controls, the data preservation and ownership transfer steps help support retention, least-privilege, and non-conformance handling.
General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.
What's inside this template
Steps
This section matters because it turns offboarding into a controlled sequence with clear actors, verification points, and evidence.
- Verify the offboarding authorization
  The IT administrator verifies the offboarding authorization against the HR or manager request.
  - Confirm the employee name, employee ID, department, and last working date.
  - Confirm whether the exit is planned, immediate, or emergency.
  - Confirm the effective time for access removal.
  - Record the request source and ticket number in the offboarding record.
  If the authorization is missing, incomplete, or inconsistent, the IT administrator escalates to HR and the manager before proceeding.
- Identify all accounts, systems, and access paths
  The IT administrator reviews the employee's access footprint and compiles a de-provisioning list.
  - Identify email, collaboration, VPN, SSO, HRIS, ERP, CRM, source control, cloud, and endpoint access.
  - Identify privileged roles, service accounts, delegated access, and shared mailbox permissions.
  - Identify physical access systems if IT administers badge or door access.
  - Record any exceptions, unknown systems, or inherited permissions.
  If a system owner cannot be identified, the IT administrator escalates to the manager and security team for ownership confirmation.
- Revoke user access and disable authentication methods
  The IT administrator revokes access in each approved system and disables all authentication methods.
  - Disable the primary directory account or set the account to blocked, per policy.
  - Remove SSO assignments, application roles, and group memberships.
  - Revoke VPN, MFA, API tokens, SSH keys, and active sessions.
  - Remove shared mailbox access, delegated permissions, and admin roles.
  - Disable password reset channels and recovery methods where applicable.
  Disabling the directory account does not by itself invalidate sessions and tokens issued before the disable, or credentials that live outside the directory (API keys, SSH keys, VPN certificates); each of these is revoked and re-checked separately. The IT administrator verifies that each critical system shows access removed after the revocation, not only that the revocation command was issued. Any failed revocation is escalated immediately to the system owner and security team.
- Preserve business data and transfer ownership
  The IT administrator preserves business data and transfers ownership where required.
  - Export or archive email, files, chat records, and project data according to retention policy.
  - Transfer ownership of shared documents, repositories, and cloud resources to the designated manager or successor.
  - Confirm that business-critical data is not stored only in the employee's personal profile or local device.
  - Record the storage location, retention period, and responsible owner for each archived dataset.
  If data cannot be accessed, exported, or transferred, the IT administrator escalates to the system owner and records the deviation.
- Collect company-owned devices and credentials
  The IT administrator or designated coordinator collects company-owned assets from the employee.
  - Recover laptop, monitor, mobile device, peripherals, smart cards, badges, keys, and security tokens.
  - Verify serial numbers, asset tags, and condition against the inventory record.
  - Confirm charger, docking station, and other issued accessories are returned where applicable.
  - Document missing, damaged, or unreturned items as a non-conformance.
  If any asset is missing or damaged beyond normal wear, the coordinator escalates to HR, the manager, and security according to policy.
- Remove endpoint trust and remote access artifacts
  The IT administrator removes the employee's device trust and remote access artifacts.
  - Remove the device from endpoint management, conditional access trust, and device compliance assignments as applicable.
  - Revoke device certificates, remote management profiles, and saved VPN profiles where policy requires it.
  - Clear local cached credentials and corporate profiles when the device is returned.
  - Confirm that any remote wipe or lock action is completed if the device is not returned on time.
  If the device is lost, stolen, or unreachable, the IT administrator escalates to security and follows the incident response process.
- Complete the offboarding audit record
  The IT administrator completes the offboarding audit record and submits it for review.
  - Attach evidence of access revocation, asset return, and data transfer actions.
  - Record any deviations, exceptions, or unresolved items with owner and due date.
  - Confirm the ticket is closed only after all required steps are complete or formally accepted.
  - Store the record according to the organization's documented information retention requirements.
  The supervisor or designated reviewer verifies the record for completeness and approves closure.
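The revoke-then-verify loop behind the access-revocation step and the audit-record step, as an added example in Python (it is not MangoApps code and not any identity provider's API). The FakeDirectory and FakeTokenStore classes, the actor name and the jdoe access footprint are constructed stand-ins so the example runs offline; in practice each adapter would call the real directory, SSO, VPN or token-store API. What it shows is the point the SOP makes: a revocation is recorded as done only after the system is re-read, each entry carries who and when, and an access path that survives (here an API token the store cannot revoke, which a directory disable never touches) blocks ticket closure and is escalated unless it is formally accepted as an exception.

```python
"""Revoke-verify-record loop for an offboarding run.

Added example, not MangoApps code. FakeDirectory, FakeTokenStore and the
sample data in demo() are constructed stand-ins for real systems."""
from __future__ import annotations

from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Callable


@dataclass
class FakeDirectory:
    """Constructed stand-in for the primary directory / SSO provider."""
    enabled: dict[str, bool]
    groups: dict[str, set[str]]
    sessions: dict[str, set[str]]
    mfa_methods: dict[str, set[str]]

    def disable(self, user: str) -> None:
        self.enabled[user] = False
        self.sessions[user].clear()  # SSO sessions are bound to the account

    def remove_groups(self, user: str) -> None:
        self.groups[user].clear()

    def remove_mfa(self, user: str) -> None:
        self.mfa_methods[user].clear()


@dataclass
class FakeTokenStore:
    """Constructed stand-in for an API-token store that does not honour a
    directory disable: tokens stay valid until revoked here, and tokens
    minted through a legacy path cannot be revoked via this API at all."""
    tokens: dict[str, set[str]]  # user -> token ids still valid
    revocable: set[str]          # token ids this API is able to revoke

    def revoke_all(self, user: str) -> None:
        self.tokens[user] -= self.revocable  # legacy tokens survive the call


@dataclass
class AuditEntry:
    step: str
    actor: str
    started: str
    finished: str
    residual: list[str] = field(default_factory=list)  # what the re-read still found

    @property
    def status(self) -> str:
        return "removed" if not self.residual else "FAILED"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def deprovision(user: str, actor: str, directory: FakeDirectory,
                tokens: FakeTokenStore) -> list[AuditEntry]:
    """Run each revocation, then re-read the system to confirm it took.
    Order: primary account first (stops new SSO logins), then everything
    that could keep access alive without it."""
    steps: list[tuple[str, Callable[[], None], Callable[[], list[str]]]] = [
        ("disable primary account and end sessions",
         lambda: directory.disable(user),
         lambda: (["account still enabled"] if directory.enabled[user] else [])
                 + [f"SSO session {s} still active" for s in sorted(directory.sessions[user])]),
        ("remove group memberships and app roles",
         lambda: directory.remove_groups(user),
         lambda: [f"still member of {g}" for g in sorted(directory.groups[user])]),
        ("revoke API tokens",
         lambda: tokens.revoke_all(user),
         lambda: [f"API token {t} still valid" for t in sorted(tokens.tokens[user])]),
        ("remove MFA and recovery methods",
         lambda: directory.remove_mfa(user),
         lambda: [f"MFA method {m} still registered" for m in sorted(directory.mfa_methods[user])]),
    ]
    record: list[AuditEntry] = []
    for name, revoke, verify in steps:
        started = _now()
        revoke()
        record.append(AuditEntry(name, actor, started, _now(), verify()))
    # Final sweep: re-run every check after all steps, so a late re-grant
    # (for example a group re-sync) is caught before the ticket is closed.
    started = _now()
    record.append(AuditEntry("final verification sweep", actor, started, _now(),
                             [r for _, _, verify in steps for r in verify()]))
    return record


def close_ticket(record: list[AuditEntry],
                 accepted_exceptions: frozenset[str] = frozenset()) -> tuple[bool, list[str]]:
    """Close only when every residual item is gone or formally accepted as
    an exception; anything else is returned for escalation."""
    escalate = sorted({r for e in record for r in e.residual} - accepted_exceptions)
    return (not escalate), escalate


def audit_rows(record: list[AuditEntry]) -> list[dict]:
    """Audit record rows: step, actor, start/finish time, residual, status."""
    return [{**asdict(e), "status": e.status} for e in record]


def demo() -> tuple[list[AuditEntry], tuple[bool, list[str]]]:
    # Constructed footprint for a departing user; pat-legacy-7 models a
    # token the token-store API cannot revoke (assumed data, not real).
    directory = FakeDirectory(
        enabled={"jdoe": True},
        groups={"jdoe": {"vpn-users", "sso-crm", "workstation-local-admins"}},
        sessions={"jdoe": {"sess-01", "sess-02"}},
        mfa_methods={"jdoe": {"authenticator-app", "sms-backup"}},
    )
    tokens = FakeTokenStore(tokens={"jdoe": {"pat-1", "pat-legacy-7"}}, revocable={"pat-1"})
    record = deprovision("jdoe", actor="it-admin:asmith", directory=directory, tokens=tokens)
    return record, close_ticket(record)


if __name__ == "__main__":
    rec, (closed, escalate) = demo()
    for row in audit_rows(rec):
        print(row["status"], row["step"], row["residual"])
    print("ticket closed:", closed, "escalate:", escalate)
```

Running it stand-alone prints one row per step: the directory steps come back "removed", the token step and the final sweep come back "FAILED" with `API token pat-legacy-7 still valid`, and the ticket stays open until that item is passed to `close_ticket` as an accepted exception. The verify callables are the part worth copying: each one re-reads the target system rather than trusting the return code of the revoke call.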
How to use this template
1. The coordinator verifies the offboarding authorization, confirms the effective date, and records any approved exceptions before work begins.
2. The IT owner identifies every account, system, token, device, and access path tied to the person, including SSO, VPN, email, cloud apps, and local admin rights.
3. The operator revokes access in the approved sequence, disables authentication methods, and verifies that each critical system no longer accepts the user's credentials.
4. The data owner preserves required business records, transfers file and mailbox ownership, and documents any legal hold or retention requirement.
5. The asset custodian collects company devices and credentials, removes endpoint trust and remote access artifacts, and completes the offboarding audit record with evidence and escalation notes.
Best practices
- Start with authorization verification before any account changes so the offboarding action is traceable and approved.
- Search for hidden access paths such as SSO apps, service accounts, API keys, password vault entries, and mobile device trust records.
- Disable authentication methods after the primary account is revoked so backup factors do not keep access alive.
- Transfer ownership of shared mailboxes, files, calendars, and tickets before deleting the user profile to avoid data loss.
- Collect laptops, badges, smart cards, and hardware tokens as separate assets rather than treating them as one return item.
- Record the exact time of each revocation and verification step so the audit trail shows sequence and completion.
- Escalate immediately if a privileged account, production system, or regulated data store cannot be confirmed closed.
Frequently asked questions
What does this IT offboarding de-provisioning SOP cover?
It covers the full closeout of a departing worker's IT access, including authorization verification, account discovery, access revocation, data preservation, device collection, and audit record completion. It is meant for employee exits, contractor offboarding, and role changes that require access removal. The template focuses on what IT must do and document, not on HR interview steps.
Who should run this SOP?
IT service desk, identity and access management, endpoint management, and a manager or HR partner usually share the workflow. A competent person should confirm the authorization before any access is removed, and security or system owners should handle exceptions. If the offboarding touches regulated systems, the control owner should review the final record.
How often is this procedure used?
It is used whenever a person leaves the organization, changes roles, or loses a privileged access path that should no longer remain active. Many teams run it as a same-day or near-real-time process for involuntary exits and as a scheduled process for planned departures. The template can also support periodic access reviews when you need to clean up stale accounts.
Does this template help with compliance requirements?
Yes. It supports ISO 9001 documented information practices by requiring traceable records, and it aligns with common access-control expectations in security and audit programs. If your environment includes OSHA-regulated operations, hazardous procedures, or shared systems, the audit trail helps show that access was removed in a controlled way. It also fits general ITIL-style service closure and change tracking.
What are the most common mistakes when using an offboarding SOP?
The biggest mistake is revoking only the primary login while leaving SSO, VPN, email forwarding, API tokens, or local admin rights active. Another common miss is failing to transfer ownership of files, shared mailboxes, and service accounts before deletion. Teams also forget to collect badges, laptops, and authentication devices, which leaves residual trust in place.
Can I customize this for contractors, interns, or privileged admins?
Yes. You can add role-based branches for contractors, interns, system administrators, or users with production access. Many teams add separate verification steps for privileged accounts, remote access tools, and shared credentials. You can also tailor the evidence fields to match your ticketing, IAM, or endpoint management tools.
How does this compare with an ad-hoc offboarding checklist?
An ad-hoc checklist often misses hidden access paths and does not prove who approved each action. This SOP gives you a repeatable step sequence, clear actors, verification points, and an audit record that can be reviewed later. That makes it easier to hand off between HR, IT, security, and managers without losing control of the process.
What integrations does this SOP usually connect to?
It commonly connects to identity providers, HRIS systems, endpoint management, ticketing platforms, email, VPN, and cloud admin consoles. Many teams also link it to asset inventory, password vaults, and access review logs. The template works well when you need one record that ties all of those systems together.
Ready to use this template?
Get started with MangoApps and use IT Offboarding De-provisioning SOP with your team — pricing built for small business.