ELI5: What is Offboarding?
When you move away, you return your library books and your locker key. Vendor offboarding is the same — when a company stops working with an outside partner, it takes back all access, collects or deletes shared data, and disconnects everything.
Definition
Vendor offboarding is the formal process of terminating a third-party vendor relationship in a secure and organized manner. It includes revoking all access credentials and permissions granted to the vendor, retrieving or destroying any data the vendor held on behalf of the organization, ensuring secure data deletion per contract terms, and closing any integration points or network connections. Poor offboarding creates persistent access risks and potential data exposure.
Key Details
- Access revocation should occur on or before the contract termination date — not after the fact
- Data retrieval: all organizational data held by the vendor must be returned in a usable format or confirmed destroyed
- Secure data destruction: vendors should provide certificates of destruction for physical media and confirmation of data deletion for cloud data
- The vendor offboarding checklist should mirror the vendor onboarding checklist, reversing each step
- Exam tip: vendor offboarding is a third-party risk management control; unmanaged offboarding leaves “zombie accounts” and uncontrolled data with former vendors
Connections
- Parent: third-party-risk — offboarding is the final phase of the vendor lifecycle management process
- See also: vendor-assessment
- See also: service-level-agreements-slas