Joiners & Leavers Checklists

Joiners and leavers checklists are simple practices that cover multiple information security practices supporting your CDR accreditation.

The Consumer Data Right gives Australians control of their data. That enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.

The Joiners and Leavers Checklists support one of the 24 information security requirements: Access Security. These checklists form a standard way of onboarding and offboarding your employees, including the access control related to those movements. They support cross-functional areas of the business, so the checklists are almost a necessity to ensure all required tasks are completed appropriately by the multiple parties involved.

From a Consumer Data Right (CDR) perspective, the relevance of these practices is ensuring that access to systems, data, and the CDR Environment as a whole is appropriately authorised before being provided, and removed or adjusted when no longer required.

These checklists are organisation-specific. You can start with an example or template, but it needs to be aligned with your team's responsibilities, the systems and access that are relevant to your environment, and the specific steps related to your control activities.

The new joiner checklist often includes background checks, candidate approval, executing an employment contract, acceptance or sign-off on the Acceptable Use Policy and Code of Conduct, approval of system, data, and office access, and any system and documentation updates required for the new employee, like payroll and the organisation chart.

The leavers checklist is about removing all of what was set up in the joiners checklist. This has two critical objectives: (a) ensuring all system, data and physical location access is removed, and (b) ensuring any “data” in the form of printed documents, removable media, BYOD devices the employees retain, or even knowledge the employee has from their role, is returned or destroyed, or that the employee otherwise attests to the ongoing confidentiality of that data beyond termination.


The CDR Perspective

The joiners and leavers checklist relates to the access security requirements of the CDR Schedule 2. The “Movers” process should follow elements of the Joiners and Leavers checklists as they apply based on the nature of the role change. The CDR includes requirements for:

  • Joiners: Access rights to a system should be provided in line with the personnel's specific responsibilities. These rights should be approved by an appropriate person with sufficient knowledge of the system.
  • Movers: When a user moves to a different role that requires different access rights, that user's previous rights are revoked and new rights are provisioned in line with their responsibilities and approved by an appropriate person with sufficient knowledge of the system.
  • Leavers: When a user leaves the organisation, all access rights previously provisioned to them should be revoked in a timely manner. This includes access to applications, databases, infrastructure, and the network. A timely manner is at the discretion of the organisation; however, in general it should not exceed 2 weeks.

Example Joiners Checklist

(Details/Date Completed shown after each item)

Employment details

  • Employee Name: John Smith
  • First Day:
  • Senior Developer
  • Jill Danski

Hiring Manager

  • Background check: MOJ Report issued 10/03/2021 – no convictions identified
  • Candidate approval: CEO approved 15/02/2021
  • Employment contract: Completed, Signed by CEO
  • System access req’s: JIRA, AWS – Developer access, GitHub, G-Suite
  • Welcome email/intro:
  • Welcome lunch:
  • Code of Conduct: Signed 12/04/2021
  • Acceptable Use Policy: Signed 12/04/2021
  • Security awareness training: Completed 15/04/2021

  • Set-up payroll: Completed 15/02/2021
  • Store contract: Completed 15/02/2021
  • Add to HR system: Completed 15/02/2021
  • Update org chart: Completed 15/02/2021

IT Administrator

  • Active Directory setup: Completed 18/02/2021
  • System access granted: Completed 18/02/2021
  • Laptop provided: Completed 18/02/2021
  • Other IT equipment: Completed 16/03/2021
  • Access card provided: Completed 16/03/2021
  • Add to distribution lists: Completed 18/02/2021

Hiring Manager

  • All tasks completed: Completed 19/03/2021

Example Leavers Checklist

(Details/Date Completed shown after each item)

Employment details

  • Employee Name:
  • Last day:

Hiring Manager

  • Resignation received:
  • Informed SLT and teams:
  • Advised customer contacts:
  • Handover meeting(s):
  • Exit interview:
  • Leaving lunch:
  • Thank-you email:

  • Calculate final payroll:
  • Remove from payroll:
  • Remove from HR system:
  • Update org chart:

IT Administrator

  • Network access disabled:
  • Email forwarding applied:
  • System access removed:
  • Laptop returned:
  • IT equipment returned:
  • Access card returned:
  • Remove from distribution lists:

Hiring Manager

  • All tasks completed:

Employee Declaration

The employee declaration is to confirm that the employee:

  • Has returned all assets, access keys, documents, information or data;
  • That no access keys, documents, information or data have been shared with any other third party, except where authorised by management or appropriate in the course of the role while employed; and
  • Agrees that any access, documents, information or data related to that surfaces after the date of termination, will be returned immediately and not shared with any other parties.



Date of confirmation



About AssuranceLab

AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.