Use this step-by-step checklist every time someone leaves your organization — whether voluntarily or not.

Start with the Obvious:

• Disable their company email and user accounts (Google/Microsoft/SSO)

• Revoke access to synced platforms: Slack, Teams, Dropbox, Google Drive, CRM, project tools

• Log out all active sessions across devices

• Remove their device(s) from MFA settings (authenticator apps, SMS numbers, recovery codes)

• Reset shared passwords: email inboxes, Canva, social media, scheduling tools

Then Audit What Most Businesses Miss:

• Remove access from personal phones and tablets with company apps installed

• Clear saved passwords and tokens in shared browsers or password managers

• Unlink from shared calendars, drive folders, internal wikis, and collaborative docs

• Check for app integrations or API tokens linked to their user credentials

• Review shared inboxes, email forwarding rules, and any automation they set up

• Remove them from informal team chats — like WhatsApp, Telegram, or Signal

• Review physical access: building keys, door codes, ID cards, or security fobs

Document and Improve:

Every offboarding is a chance to tighten your process. Make it repeatable and secure:

• Create a standard offboarding SOP

• Assign roles (HR, IT, supervisor) for each offboarding step

• Review quarterly for gaps or changes in your tech stack

💡 Pro Tip: Think Like a Hacker

Even if you trust the person leaving, the systems they touched might still pose a risk — either due to human error, negligence, or unknown access points.

The best way to protect your business is to treat every offboarding like a security exercise. What could they potentially still access? How could that affect your operations, clients, or compliance obligations?