VND-008 Vendor Offboarding
Description
A documented offboarding procedure is followed when a vendor relationship ends. The procedure ensures: revocation of all vendor access, return or verified destruction of organisational data, termination of data processing activities, retention of contractual records, and formal confirmation of offboarding completion.
Rationale
Residual vendor access and orphaned data at third parties are a significant and frequently overlooked risk. Structured offboarding prevents data leakage and limits ongoing liability.
Framework Mappings (5)
| Reference | Control | Coverage |
|---|---|---|
| DSP-02 | Secure Disposal | partial |
| DSP-16 | Data Retention and Deletion | partial |
| GDPR-Art.28.3 | Data Processing Agreement (DPA) Requirements | partial |
| 5.22 | Monitoring, review and change management of supplier services | partial |
| 5.23 | Information security for use of cloud services | partial |
Evidence (2)
Completed vendor offboarding checklists confirming that access was revoked, data returned or destroyed, and offboarding activities were formally signed off.
Example: Vendor offboarding checklist completions (Jira / IT service desk) for vendors offboarded in the last 12 months — each showing: vendor name, termination date, access revocation confirmation (with ticket or IAM deactivation screenshot), data deletion/return confirmation from vendor, contractual record archival, and authorised sign-off
Test: Request offboarding records for 3 vendors offboarded in the last 12 months. Verify: (1) all access accounts were deactivated on or before the termination date, (2) data deletion or return was confirmed in writing by the vendor, (3) confirmation was reviewed against the contractual obligation (DPA clause), (4) checklist was signed off by an authorised owner.
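An added example, not part of the control catalogue, that automates the four verification points of this test over offboarding records pulled from a checklist system; the record fields, account identifiers, owner names and dates are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class OffboardingRecord:
    vendor: str
    termination_date: date
    deactivations: dict                     # account id -> deactivation date, None = still active
    vendor_confirmation_ref: Optional[str]  # reference to the vendor's written deletion/return confirmation
    dpa_clause_reviewed: bool               # confirmation checked against the DPA deletion clause
    signed_off_by: Optional[str]            # owner who signed the checklist off

AUTHORISED_OWNERS = {"it-security-lead", "legal-counsel"}  # assumed approval authorities

def check_record(rec: OffboardingRecord, authorised=AUTHORISED_OWNERS) -> list:
    """Return findings for one record; an empty list means all four checks pass."""
    findings = []
    for account, deactivated in rec.deactivations.items():
        if deactivated is None:
            findings.append(f"(1) {account} still active")
        elif deactivated > rec.termination_date:
            findings.append(f"(1) {account} deactivated {deactivated}, after termination {rec.termination_date}")
    if not rec.vendor_confirmation_ref:
        findings.append("(2) no written vendor confirmation of data deletion/return")
    if not rec.dpa_clause_reviewed:
        findings.append("(3) confirmation not reviewed against DPA clause")
    if rec.signed_off_by is None:
        findings.append("(4) checklist not signed off")
    elif rec.signed_off_by not in authorised:
        findings.append(f"(4) sign-off by {rec.signed_off_by} is not an authorised owner")
    return findings

def review(records, as_of: date, window_days: int = 365) -> dict:
    """Check every vendor offboarded within the window; returns {vendor: findings}."""
    cutoff = as_of - timedelta(days=window_days)
    return {r.vendor: check_record(r) for r in records if r.termination_date >= cutoff}

# Constructed sample records (fictional vendors)
SAMPLE = [
    OffboardingRecord("acme-payroll", date(2024, 3, 31),
                      {"sso:acme-svc": date(2024, 3, 29), "apikey:acme-prod": date(2024, 3, 31)},
                      "VENDOR-EMAIL-2024-0412", True, "legal-counsel"),
    OffboardingRecord("globex-analytics", date(2024, 6, 30),
                      {"sso:globex-svc": date(2024, 7, 9), "vpn:globex": None},
                      None, False, "project-manager"),
    OffboardingRecord("initech-hosting", date(2022, 1, 15),  # outside the 12-month window
                      {"sso:initech": None}, None, False, None),
]

def run_sample_review() -> dict:
    return review(SAMPLE, as_of=date(2024, 12, 1))

if __name__ == "__main__":
    for vendor, findings in run_sample_review().items():
        print(vendor, "PASS" if not findings else findings)
```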
Vendor offboarding procedure defining mandatory steps for terminating vendor relationships including access revocation, data handling, and record retention.
Example: Vendor Offboarding Procedure (Confluence / IT runbook), approved by CISO and Legal — containing: step-by-step checklist for access revocation (SSO, API keys, service accounts, VPN), data return/deletion instruction template, contractual record archive requirement, and mandatory sign-off from IT Security and Legal
Test: Request the vendor offboarding procedure. Verify: (1) the procedure covers all credential types (SSO accounts, API keys, service accounts, VPN, physical access), (2) it includes a data return or deletion step that requires written vendor confirmation, (3) it requires archival of contractual documents including the DPA, (4) it designates named approval authorities, (5) the procedure was approved or re-approved within the last 24 months.
Questions (2)
Does your organisation follow a documented offboarding procedure when a vendor relationship ends, covering access revocation, data return or destruction, and formal sign-off?
All vendor access credentials (SSO, API keys, service accounts, VPN) must be revoked on or before the termination date. The vendor must provide written confirmation of data deletion or return. Contractual documents including the DPA must be archived.
What does your vendor offboarding checklist include?
All six elements of a complete offboarding should be present. Absence of written vendor confirmation of data deletion is a common gap that creates ongoing liability.