IT Access Revocation Checklist for Trades & Construction
A comprehensive checklist for revoking all IT system access, recovering digital assets, and securing company data when an team member or contractor departs.
Compliant with Safe Work Australia requirements, state WHS legislation, and Building Code of Australia (NCC) documentation standards.
Complete Checklist
- 1Disable the team member's primary user account in the directory serviceCritical
- 2Revoke email access and set up an auto-reply or forwarding ruleCritical
- 3Remove access to all business applications and cloud servicesCritical
- 4Disable VPN and remote access credentialsCritical
- 5Remove the team member from all shared drives and collaboration platforms
- 6Transfer ownership of shared documents and files to the appropriate person
- 7Revoke access to financial systems and banking platforms
- 8Remove the team member from all email distribution lists and group chats
- 9Change any shared passwords or system credentials the team member had access toCritical
- 10Recover the company laptop, phone, and any other IT equipment
- 11Wipe company data from any personal devices used under a BYOD policy
- 12Archive the team member's email mailbox and files for retention purposes
- 13Deactivate the team member's phone extension and voicemail
- 14Update the IT asset register to reflect returned or reassigned equipment
- 15Confirm all access has been revoked and job card the completionCritical
Frequently Asked Questions
What should we do about shared passwords and accounts the team member knew?
Change all shared passwords and credentials immediately upon departure. This includes social media accounts, shared admin credentials, Wi-Fi passwords, and any system accounts that use shared logins. Implement a password manager and individual account access wherever possible to reduce dependency on shared credentials in the future.
When should IT access be revoked during the offboarding process?
For voluntary resignations, access is typically revoked at the end of the team member's last working day. For terminations, especially those involving misconduct or sensitive data, access should be revoked simultaneously with or immediately after the termination site meeting. Have IT prepared in advance so revocation can happen promptly when triggered.
How long should we retain a departed team member's email and files?
Best practice is to archive email and files for at least 12 months to handle any follow-up enquiries, legal matters, or business needs. Some industries have longer mandatory retention periods. Set up email forwarding to the departing team member's replacement during the transition period. Establish a clear data retention policy and follow it consistently.
Need help implementing these checks into your daily operations?
Our team can build custom checklists integrated into your daily operations workflow.