Run: IT Offboarding De-provisioning SOP

The IT administrator verifies the offboarding authorization against the HR or manager request. - Confirm the employee name, employee ID, department, and last working date. - Confirm whether the exit is planned, immediate, or emergency. - Confirm the effective time for access removal. - Record the request source and ticket number in the offboarding record. If the authorization is missing, incomplete, or inconsistent, the IT administrator escalates to HR and the manager before proceeding.

The IT administrator reviews the employee's access footprint and compiles a de-provisioning list. - Identify email, collaboration, VPN, SSO, HRIS, ERP, CRM, source control, cloud, and endpoint access. - Identify privileged roles, service accounts, delegated access, and shared mailbox permissions. - Identify physical access systems if IT administers badge or door access. - Record any exceptions, unknown systems, or inherited permissions. If a system owner cannot be identified, the IT administrator escalates to the manager and security team for ownership confirmation.

The IT administrator revokes access in each approved system and disables all authentication methods. - Disable the primary directory account or set the account to blocked, per policy. - Remove SSO assignments, application roles, and group memberships. - Revoke VPN, MFA, API tokens, SSH keys, and active sessions. - Remove shared mailbox access, delegated permissions, and admin roles. - Disable password reset channels and recovery methods where applicable. The IT administrator verifies that each critical system shows access removed. Any failed revocation is escalated immediately to the system owner and security team.

The IT administrator preserves business data and transfers ownership where required. - Export or archive email, files, chat records, and project data according to retention policy. - Transfer ownership of shared documents, repositories, and cloud resources to the designated manager or successor. - Confirm that business-critical data is not stored only in the employee's personal profile or local device. - Record the storage location, retention period, and responsible owner for each archived dataset. If data cannot be accessed, exported, or transferred, the IT administrator escalates to the system owner and records the deviation.

The IT administrator or designated coordinator collects company-owned assets from the employee. - Recover laptop, monitor, mobile device, peripherals, smart cards, badges, keys, and security tokens. - Verify serial numbers, asset tags, and condition against the inventory record. - Confirm charger, docking station, and other issued accessories are returned where applicable. - Document missing, damaged, or unreturned items as a non-conformance. If any asset is missing or damaged beyond normal wear, the coordinator escalates to HR, the manager, and security according to policy.

The IT administrator removes the employee's device trust and remote access artifacts. - Remove the device from endpoint management, conditional access trust, and device compliance assignments as applicable. - Revoke device certificates, remote management profiles, and saved VPN profiles where policy requires it. - Clear local cached credentials and corporate profiles when the device is returned. - Confirm that any remote wipe or lock action is completed if the device is not returned on time. If the device is lost, stolen, or unreachable, the IT administrator escalates to security and follows the incident response process.

The IT administrator completes the offboarding audit record and submits it for review. - Attach evidence of access revocation, asset return, and data transfer actions. - Record any deviations, exceptions, or unresolved items with owner and due date. - Confirm the ticket is closed only after all required steps are complete or formally accepted. - Store the record according to the organization's documented information retention requirements. The supervisor or designated reviewer verifies the record for completeness and approves closure.