Employee Onboarding and Offboarding Policy Free Template
Here is a comprehensive Employee Onboarding and Offboarding Policy, aligned with SOC 2 (CC5.1, CC5.2) and ISO/IEC 27001:2022 (Controls A.6.1–A.6.3):

1. Document Control
Document Title: Employee Onboarding and Offboarding Policy
Document Identifier: POL-HR-001
Version Number: v1.0
Approval Date: <23 June 2025>
Effective Date: <23 June 2025>
Review Date: <23 June 2026>
Document Owner: <Director of Human Resources>
Approved By: <Executive Leadership Team>
2. Purpose
The purpose of this policy is to establish a consistent, secure, and compliant process for onboarding new employees and offboarding departing staff at <Company Name>. A structured onboarding process ensures new hires are properly vetted, equipped, and trained, while a disciplined offboarding procedure protects organizational assets, data, and compliance posture.
This policy aligns with SOC 2 Trust Criteria CC5.1 and CC5.2, which require organizations to establish and maintain effective onboarding and termination procedures that enforce access control, role assignment, and data protection. It also supports ISO/IEC 27001:2022 Controls A.6.1 (Screening), A.6.2 (Terms and conditions of employment), and A.6.3 (Termination and change of employment).
3. Scope
This policy applies to:
All full-time, part-time, temporary, and contract employees
Contractors and third parties with access to systems or data
All onboarding and offboarding actions, including role assignments, access provisioning/deprovisioning, equipment handling, and training
The policy governs processes from pre-employment screening to exit interviews and includes all physical and logical assets used by personnel during employment.
4. Policy Statement
<Company Name> shall:
Onboarding:
Verify identity, qualifications, and background of all new hires before start date, including applicable criminal or reference checks.
Ensure employment agreements include clauses related to confidentiality, acceptable use, and security responsibilities.
Assign job roles, user accounts, access permissions, and company assets based on the principle of least privilege.
Provide mandatory orientation covering policies, code of conduct, security awareness, and job-specific responsibilities.
Document all onboarding steps and retain records in the employee’s personnel file.
Offboarding:
Initiate offboarding processes immediately upon notice of termination, transfer, or end of contract.
Revoke system access and collect all company-owned equipment and credentials no later than the employee’s last day.
Conduct exit interviews to capture feedback and remind departing personnel of their continuing confidentiality obligations.
Document the offboarding checklist, including access removal, data handover, and asset return.
All onboarding and offboarding actions must be tracked through a ticketing or HRIS platform and approved by relevant departments.
5. Safeguards
<Company Name> enforces the following procedural and technical safeguards:

| Control ID | Safeguard Description |
|---|---|
| HR-01 | Pre-employment background checks conducted and recorded |
| HR-02 | Role-based access control system integrated with HRIS for provisioning |
| HR-03 | New hire checklist and welcome kit distributed via standardized HR process |
| HR-04 | System access revocation completed within 24 hours of termination |
| HR-05 | HR, IT, Legal, and Security involved in offboarding coordination |
| HR-06 | Departing employee’s email and files archived or reassigned |
| HR-07 | Confidentiality and IP protection obligations reviewed during exit interview |
6. Roles and Responsibilities
Director of Human Resources: Oversees onboarding/offboarding policies, compliance, and system integration.
HR Staff: Coordinate background checks, orientation, and maintain employment records.
IT Department: Provision/deprovision access, assign/retrieve devices, and disable accounts promptly.
Hiring Managers: Define access levels, approve equipment requests, and lead role-based training.
Legal and Compliance: Ensure contracts and NDAs are signed and enforce post-employment obligations.
All Employees: Comply with onboarding policies, security training, and return all assets upon departure.
7. Compliance and Exceptions
Audit checks are conducted quarterly to ensure:
Timeliness and completeness of onboarding/offboarding checklists
Correct access assignment and removal logs
Proper documentation of background verification and agreements
Exceptions must be approved in writing by the Director of HR and the CISO, documented with a justification and mitigation plan, and reviewed semi-annually.
8. Enforcement
Violations of this policy may result in:
Suspension of access rights
Disciplinary action, including termination
Legal action for breach of confidentiality or data misuse
Contract penalties for non-compliant third-party vendors
Failure to complete onboarding steps may delay system access or employment confirmation. Incomplete offboarding processes may lead to security incidents or regulatory exposure.
9. Related Policies/Documents
POL-ALL-001: Information Security Policy
POL-ALL-015: Confidentiality Policy
POL-HR-002: Background Screening Policy
PRC-HR-001: Onboarding Checklist
PRC-HR-002: Offboarding Checklist
SOC 2 Trust Criteria: CC5.1, CC5.2
ISO/IEC 27001:2022: A.6.1–A.6.3
10. Review and Maintenance
This policy will be reviewed annually or upon changes in HR technology, legal requirements, or internal processes. The HR Director is responsible for initiating the review and coordinating updates with IT, Legal, and Information Security. All changes must be approved by the Executive Leadership Team and communicated across departments.
