Accounts are automatically blocked after 45 days of inactivity, or on the end date of the formal relationship with the organisation for which the account was provided.
After 90 days the account is deleted or stripped of all authorisations.
Unblocking accounts follows the same approval process for requesting access as Joiner/Mover situations.
Specification
Account details can persist in logging if required by organisational retention periods.
Deletion of accounts should not lead to a deletion of logs that need to be retained or items that were assigned. In such cases, overwriting the identifier with a random ID is often advisable.
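The rules above as an added Python example, not part of the original control text: it decides when an account is blocked or deleted, and on deletion overwrites the identifier with a random ID in retained logs and assigned items. Assumptions: the 90 days are counted from the block date, and the record fields `actor` and `owner` and all sample data are hypothetical.

```python
import secrets
from datetime import date, timedelta

BLOCK_AFTER_INACTIVE = timedelta(days=45)  # from the policy text
DELETE_AFTER_BLOCK = timedelta(days=90)    # assumption: the 90 days run from the block date

def block_date(last_activity, relation_end):
    """Blocking date: inactivity limit or end of relation, whichever comes first."""
    by_inactivity = last_activity + BLOCK_AFTER_INACTIVE
    return min(by_inactivity, relation_end) if relation_end else by_inactivity

def lifecycle_state(last_activity, relation_end, today):
    """Return 'active', 'blocked' or 'delete' for one account."""
    blocked_on = block_date(last_activity, relation_end)
    if today < blocked_on:
        return "active"
    if today < blocked_on + DELETE_AFTER_BLOCK:
        return "blocked"
    return "delete"

def delete_account(account_id, accounts, records):
    """Remove the account; keep logs and assigned items, re-keyed to a random ID."""
    # The ID is random, not a hash of the identifier, so it cannot be reversed.
    # One ID per deleted account keeps the retained records correlatable.
    random_id = "deleted-" + secrets.token_hex(8)
    for record in records:
        for field in ("actor", "owner"):  # hypothetical field names
            if record.get(field) == account_id:
                record[field] = random_id
    del accounts[account_id]
    return random_id

# Constructed sample data.
ACCOUNTS = {
    "jdoe": {"last_activity": date(2024, 1, 10), "relation_end": None},
    "asmith": {"last_activity": date(2024, 5, 1), "relation_end": date(2024, 5, 15)},
}
RECORDS = [
    {"type": "log", "actor": "jdoe", "event": "login"},
    {"type": "ticket", "owner": "jdoe", "title": "Firewall change"},
    {"type": "log", "actor": "asmith", "event": "login"},
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for name, acc in list(ACCOUNTS.items()):
        state = lifecycle_state(acc["last_activity"], acc["relation_end"], today)
        if state == "delete":
            delete_account(name, ACCOUNTS, RECORDS)
        print(name, state)
```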
ISO 27001 & 27002:2022
A5.2, A5.3, A5.15, A5.16, A5.17, A5.18, A8.2
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
ID.01 Access rules