JML Process

Securing the Joiners, Movers and Leavers (JML) Process

Published 11 July 2024

Human beings are often the weakest link when it comes to information security. This is particularly evident in the joiners, movers and leavers (JML) process, where effective and well-designed security measures are essential to reducing the information security risks inherent in the employee lifecycle.

In this blog, we’ll cover how a mature JML process helps your organisation reduce security vulnerabilities, comply with legal and regulatory requirements, and improve the overall employee experience. 

Why Do I Need to Secure the JML Process? 

Effective JML controls reduce both the likelihood and the impact of information security risks stemming from mismanagement of the employee lifecycle. These risks include data breaches, insider threats and unauthorised access to sensitive or confidential information, most commonly through accounts and entitlements that outlive the role or the employment that justified them. Addressing these risks also helps you meet legal and regulatory requirements, for example security standards such as ISO 27001 (whose Annex A people controls cover screening, terms and conditions of employment, and responsibilities after termination) and data protection regulations.

The performance of JML activities should be closely monitored to identify areas of concern as well as opportunities for improvement. By implementing a well-defined JML process, you can maintain security, manage employee access to company resources, and reduce the risk of data breaches. 

How to Secure the JML Process 

The management of the employee lifecycle typically involves input from multiple functions across an organisation, including Human Resources (HR), IT and Finance. As a result, a consistent, collaborative and formalised approach must be followed to ensure that mismanagement of the employee lifecycle does not introduce new information security risks and vulnerabilities into your organisation.

An effective JML process will clearly articulate the roles and responsibilities of all key stakeholders involved in onboarding, role changes and offboarding, regardless of which function they operate in. All too often in the past, I have personally seen information security incidents occur due to a lack of a unified and collaborative approach between functions.

For example, HR may not know which assets to collect from a departing employee because IT has not told them what was issued; equally, IT may not disable access to corporate systems because HR has not told them the employee has left. Either way the gap is a missing hand-off between functions, and it opens a window in which a former employee still holds equipment or working credentials. These types of incidents are easily avoided with formalised JML workflows and checklists in place. It is even better if these processes can be automated, so that a status change in the HR system is the single trigger for the IT and asset steps rather than relying on someone remembering to send an email.
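As an added example of what that automation can look like (this is illustrative code written for this article, not part of the original post or any Bridewell tooling), the script below reconciles an HR roster export against a directory export and reports every JML gap it can see: a joiner with no account, a mover still holding entitlements from a previous role, a leaver whose account is still enabled after their end date, and an enabled account with no HR owner at all. The employee IDs, account names, roles, group names and the role-to-entitlement baseline are all constructed for the example; in practice the two inputs would come from your HR system and identity provider.

```python
"""Added example: reconcile an HR roster against directory accounts to surface
joiner, mover and leaver gaps. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    kind: str     # joiner_no_account | mover_excess_entitlement | leaver_still_enabled | orphan_account
    subject: str  # employee id or account name
    detail: str


# Hypothetical role-to-entitlement baseline: the groups each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"finance-readers", "erp-users"},
    "finance-manager": {"finance-readers", "erp-users", "erp-approvers"},
    "helpdesk": {"helpdesk-staff"},
    "engineer": {"engineers", "vpn-users"},
}

# Constructed HR export. E100 has moved from finance-manager to finance-analyst;
# E102 left on 1 July; E103 has started but has no account yet.
HR_ROSTER = [
    {"emp_id": "E100", "status": "active", "role": "finance-analyst", "end_date": None},
    {"emp_id": "E101", "status": "active", "role": "helpdesk", "end_date": None},
    {"emp_id": "E102", "status": "leaver", "role": "engineer", "end_date": date(2024, 7, 1)},
    {"emp_id": "E103", "status": "active", "role": "engineer", "end_date": None},
]

# Constructed directory export (e.g. from an IdP or AD). emp_id links back to HR.
DIRECTORY = [
    {"account": "asmith", "emp_id": "E100", "enabled": True,
     "groups": {"finance-readers", "erp-users", "erp-approvers"}},  # kept old approver right
    {"account": "bjones", "emp_id": "E101", "enabled": True, "groups": {"helpdesk-staff"}},
    {"account": "clee", "emp_id": "E102", "enabled": True, "groups": {"engineers", "vpn-users"}},
    {"account": "svc-backup", "emp_id": None, "enabled": True, "groups": {"backup-operators"}},
]


def reconcile(hr_roster, directory, role_entitlements, today):
    """Return the list of JML control failures visible in the two exports."""
    findings = []
    accounts_by_emp = {a["emp_id"]: a for a in directory if a["emp_id"]}
    known_emp_ids = {p["emp_id"] for p in hr_roster}

    for person in hr_roster:
        acct = accounts_by_emp.get(person["emp_id"])
        if person["status"] == "leaver":
            # Leaver: the account must be disabled once the end date has passed.
            end = person["end_date"] or today
            if acct and acct["enabled"] and today >= end:
                findings.append(Finding("leaver_still_enabled", acct["account"],
                                        f"left {end}, account still enabled"))
            continue
        if acct is None:
            # Joiner: active in HR, nothing provisioned yet.
            findings.append(Finding("joiner_no_account", person["emp_id"],
                                    f"no directory account for role {person['role']}"))
            continue
        # Mover: anything beyond the current role's baseline is access creep.
        excess = acct["groups"] - role_entitlements.get(person["role"], set())
        if excess:
            findings.append(Finding("mover_excess_entitlement", acct["account"],
                                    f"groups outside role {person['role']}: {sorted(excess)}"))

    for acct in directory:
        # Orphan: enabled account with no HR owner (contractor, service account, or a
        # leaver HR never recorded). Without an owner nobody will ever offboard it.
        if acct["enabled"] and acct["emp_id"] not in known_emp_ids:
            findings.append(Finding("orphan_account", acct["account"],
                                    "enabled account with no matching HR record"))
    return findings


def run_example(today=date(2024, 7, 11)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER, DIRECTORY, ROLE_ENTITLEMENTS, today)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:26} {f.subject:12} {f.detail}")
```

Run on the sample data this reports four findings, one per JML failure mode. The mover case is the one most often missed by manual checklists: the account is active and the person is legitimately employed, so nothing looks wrong until you compare what they hold against what their current role allows. Scheduling a reconciliation like this daily, and treating any finding as a ticket with an owner, turns the HR record into the trigger the text above asks for.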

What Activities Do I Need to Consider in the JML Process? 

Onboarding, role-change and offboarding checklists are a useful way to ensure that all JML activities are completed, and completed in a timely manner. Here is a high-level summary of the activities you should focus on:

  • Screening: All new staff should be subject to pre-employment screening. Screening gives your organisation confidence in the staff you are hiring and helps verify their background, including work experience, education, and criminal history.  

  • Employment Contracts: All new staff should have to sign an employment contract that articulates requirements for information security, confidentiality, data protection, and the management of intellectual property.  

  • Training & Awareness: New and existing staff should have to complete mandatory training on topics such as company policies and procedures, how to report security incidents, threats and risks relevant to the organisation, and general guidance on their roles and responsibilities in protecting the organisation’s information and assets. 

  • Access Management: Activities and responsibilities should be clearly defined for assigning and revoking access to IT systems within agreed timescales, for example access disabled on the day an employee leaves. These should apply to new hires, staff changing roles and departing employees. For movers in particular, access from the previous role must be removed rather than simply added to, otherwise entitlements accumulate over a career and the principle of least privilege is lost.

  • Asset Management: There must be processes in place to ensure that staff are assigned all required assets during onboarding, and that these assets are collected as part of the offboarding process. For this to work properly, asset registers must be in place, kept up to date and record who holds each asset, so that the leaver checklist can be generated from the register rather than from memory.

  • Post Employment Responsibilities: As part of the offboarding process, departing employees should be made aware of their post-employment information security and data protection responsibilities. These should be documented in a formal agreement, such as the employment contract, and reiterated during an exit interview (if applicable). 

It is important to remember that the JML process does not just apply to full-time staff. Contractors pose as much of a security risk to organisations (if not greater) and should therefore be subject to similar JML controls to those listed above. Because contractors often sit outside the HR system, the trigger to revoke their access and recover their assets must come from the contract owner, and their accounts should carry an expiry date that matches the engagement so that access ends even if that trigger is missed.

If you would like to hear more about how we can help you manage risks within your supply chain, please contact us at +44 (0)3308 285 881 or hello@bridewell.com.