The Basics April 14, 2026 · 14 min read

Employee Offboarding IT Checklist: A Complete Guide

Use this employee offboarding IT checklist to revoke access, recover devices, and protect your business when an employee leaves. Step-by-step guide for SMBs.

employee offboarding it checklist - A clean, professional illustration showing an IT administrator at a desk reviewing a chec

An employee offboarding IT checklist is one of the most important security tools your small business can have — and one of the most commonly skipped. When an employee leaves, every minute their accounts stay active is a window of risk. Former employees account for a significant share of data breaches, and many of those incidents happen not because of malice, but because no one remembered to turn off the access.

Employee departures create immediate IT vulnerabilities. The moment someone gives notice, the clock starts ticking. Without a systematic process, you’ll find yourself scrambling: Did we remove their Dropbox access? Who had the admin password they might have known? Did anyone collect the company laptop? These aren’t hypothetical concerns — they’re the exact gaps that lead to costly security incidents.

This guide walks you through every step of the IT offboarding process, from the moment you receive a resignation to the final post-departure audit. Whether you have a part-time IT person or you’re the one handling tech yourself, this checklist gives you a practical, repeatable process you can use every time someone leaves your team.

A clean, professional illustration showing an IT administrator at a desk reviewing a checklist on a laptop. Icons representing email, cloud storage, keycards, and devices float nearby in a minimal flat-design style. Color palette is navy blue and white with orange accents, suited to a small business content site.

What Is an Employee Offboarding IT Checklist?

An employee offboarding IT checklist is a structured list of technical tasks that must be completed every time an employee leaves your company. Its purpose is simple: protect your business data, systems, and infrastructure when someone no longer works for you.

It’s worth separating this from general HR offboarding. HR offboarding covers things like final paychecks, benefits paperwork, exit interviews, and returning company property broadly. IT offboarding focuses specifically on the technical side — account access, software licenses, devices, credentials, and data. Both matter, but they require different people doing different tasks. Mixing them together is how things get missed.

Small businesses are especially vulnerable without a formal IT offboarding process. Large enterprises often have dedicated security teams, identity management software, and automated deprovisioning tools. Most small businesses don’t. That means a single forgotten login or unreturned device can create a serious exposure — and you might not find out until it’s too late.

A complete employee offboarding IT checklist covers four core areas:

  • Access: Email, software applications, cloud platforms, and administrative credentials
  • Devices: Laptops, phones, tablets, USB drives, and security tokens
  • Data: Backups, file transfers, email redirects, and knowledge documentation
  • Documentation: Audit trails, sign-offs, and confirmation records for every completed step

Start Before the Last Day: Notification and Preparation

The single biggest factor in a smooth IT offboarding process is lead time. The earlier your IT team or designated tech person knows about a departure, the better prepared they can be. Getting notified on an employee’s last day leaves almost no time to do anything systematically — and that’s when things get missed.

As soon as HR receives a resignation or makes a termination decision, IT should be looped in immediately. That notification should trigger a preparation phase before any access is actually revoked. Here’s what that looks like in practice:

  1. Pull a complete list of all software accounts and systems the employee has access to
  2. Identify all company-owned devices assigned to them
  3. Note any administrative privileges or shared credentials they may have held
  4. Flag any customer-facing roles that will require email redirects or handoffs
  5. Identify critical knowledge or undocumented processes that need to be transferred before departure

Coordination between HR, the departing employee’s manager, and IT is essential during this window. The manager knows what projects are in flight and what knowledge needs to be documented. HR owns the timeline and the employee relationship. IT owns the technical execution. Without all three communicating, gaps are almost guaranteed.

Build a departure timeline that stages the process. Most access revocation happens on or just before the final day, but preparation work — auditing accounts, backing up data, arranging device returns — should start as soon as possible. This staged approach lets the employee finish knowledge transfer tasks without giving them the opportunity to access systems after they’re gone.

Access Revocation: Accounts, Systems, and Credentials

A clean vertical flowchart illustrating the IT offboarding sequence: (1) HR Notifies IT → (2) Inventory Accounts and Devices → (3) Stage Access Revocation Timeline → (4) Revoke Primary Access on Final Day → (5) Recover Devices and Physical Credentials → (6) Back Up Data and Set Email Redirects → (7) Post-Departure Audit. Each step is in a rounded rectangle with directional arrows. Flat design, navy and white color scheme with orange step numbers.

Access revocation is the heart of any employee offboarding IT checklist. This is where most security vulnerabilities live, and where the most systematic approach is required. Don’t treat it as a single task — treat it as a prioritized sequence.

Start with the highest-risk access points first:

  1. Email account: Disable or suspend the account. This also cuts off password reset capabilities for any other system that uses that email address.
  2. Network and VPN access: Revoke remote access credentials so the employee cannot connect to internal systems from outside the office.
  3. Single sign-on (SSO) platforms: If you use a tool like Okta or Google Workspace as a central login hub, disabling the account here can cascade access revocation to connected apps automatically.

From there, work through the full list of systems and platforms. Here’s a comprehensive breakdown of what to address:

  • CRM systems (Salesforce, HubSpot, etc.)
  • HR and payroll software (Gusto, ADP, Rippling, etc.)
  • Cloud storage (Google Drive, Dropbox, OneDrive)
  • Collaboration tools (Slack, Microsoft Teams, Zoom)
  • Project management platforms (Asana, Monday.com, Trello)
  • Social media accounts and scheduling tools
  • Sales dashboards and analytics platforms
  • Company intranet or knowledge base
  • Financial software and banking portals
  • Any industry-specific software or licensed tools

One area that trips up a lot of small businesses is shared credentials and administrative privileges. If the departing employee had admin access to any system, or if they knew a shared team password, those credentials need to be reset immediately — even if the departure is completely amicable. You simply cannot assume that access won’t be used.

The timing question comes up often: should you revoke access before the employee’s last day or after? Best practice is to complete most revocations on or immediately before the final day. Revoking access too early can disrupt knowledge transfer during the notice period. Waiting too long creates a gap where a former employee can still log in. Get the timing right by coordinating with the employee’s manager on when knowledge transfer is complete.

According to the Cybersecurity and Infrastructure Security Agency (CISA), insider threats — including from former employees with lingering access — are among the most damaging and preventable security risks organizations face. A systematic access revocation process is your primary defense.

Device Recovery and Physical Security

Revoking digital access is only half the picture. Physical assets matter just as much. A former employee walking out with a company laptop still has everything that was stored locally on that device — even if you’ve disabled their cloud accounts.

Start by compiling a complete inventory of all company-owned hardware assigned to the departing employee:

  • Laptops and desktop computers
  • Company-issued smartphones
  • Tablets or other mobile devices
  • USB drives or external hard drives
  • Security tokens or hardware authentication keys (like YubiKeys)
  • Monitors, docking stations, or other peripherals — if company-owned

Once devices are collected, don’t just put them in a drawer. Every device should be wiped and re-imaged before reassignment or storage. This ensures no sensitive data from the former employee’s session is accessible to whoever uses the device next. Use your device management tools or work with your IT provider to handle this step properly.

Physical access is another layer most small businesses underestimate. Deactivate office keycards or building access badges on the employee’s final day. Change alarm codes if the employee had access to them. If they had keys to physical spaces, collect those as well. Don’t assume a friendly departure means you can skip this step — physical access controls exist for situations you can’t predict.

Document everything. When a device is returned, record it with a confirmation — a signed form, an email acknowledgment, or a timestamped note in your HR or IT system. This documentation protects you if questions arise later about what was or wasn’t returned.

Data Backup, Email Redirects, and Knowledge Preservation

Before you close any accounts, make sure you’ve protected the data inside them. This step is easy to rush — or skip entirely — when you’re focused on the security side of offboarding. But losing access to a departed employee’s work files, emails, or project documentation can create real operational problems.

Back up the departing employee’s data before accounts are deactivated. This includes:

  • Emails and calendar data
  • Files stored locally on their device
  • Documents saved in personal cloud folders
  • Any locally stored work that hasn’t been synced to shared drives

Transfer ownership of shared documents and project files to the appropriate team members. In Google Workspace and Microsoft 365, you can reassign file ownership without disrupting the files themselves. Don’t leave important documents orphaned in an account that’s about to be deleted.

For customer-facing employees, email redirects are non-negotiable. Set up a redirect from the departing employee’s email address to their manager or successor, and consider adding an auto-reply explaining who to contact going forward. Failing to do this means customers, vendors, and partners who email that address get nothing back — which can damage relationships and lose business.

Knowledge preservation is the piece of IT offboarding that’s hardest to systematize but often the most valuable. Before the employee’s final day, have them document any processes, system configurations, or institutional knowledge that only they know. This doesn’t have to be a formal manual — a screen recording walkthrough or a quick written summary is far better than nothing. The NIST Cybersecurity Framework emphasizes that continuity of operations depends on knowledge not being siloed in individuals, making this step both a security and a business resilience issue.

How to Build and Implement Your IT Offboarding Checklist

Having a list of steps is one thing. Having a process that actually gets followed every time someone leaves is another. Here’s how to build an employee offboarding IT checklist that works in practice, not just in theory.

Step 1: Audit your technology stack. Before you can offboard someone from your systems, you need to know what systems you have. Make a master list of every software tool, cloud platform, and application your business uses. Include tools that are only used by specific roles — not everyone uses the same systems. Update this list whenever you add or drop a tool.

Step 2: Create role-specific checklists. Not every offboarding task belongs to IT. Some tasks belong to HR, some to the departing employee’s manager, and some to the employee themselves during the notice period. Separate your checklist by owner so everyone knows exactly what they’re responsible for. Role-specific checklists reduce confusion and prevent tasks from falling through the cracks because everyone assumed someone else handled it.

Step 3: Use a system to assign, track, and confirm each task. A checklist on paper gets lost. Use a ticketing system, project management tool, or even a simple shared spreadsheet to track every offboarding action. Each task should have an assigned owner, a due date, and a confirmation field that gets marked when the task is complete. This creates your audit trail automatically.

Step 4: Conduct a post-departure audit. After the employee’s final day, run through the complete checklist one more time as a verification step. Check that all accounts have been disabled, all devices have been returned and wiped, and all documentation is on file. This final review catches anything that slipped through and gives you a clean record that the offboarding was completed properly.

According to SHRM, organizations that follow a structured offboarding process — including IT-specific steps — report fewer security incidents and smoother transitions than those that handle departures informally.

Common IT Offboarding Mistakes to Avoid

Even businesses with good intentions make predictable errors during IT offboarding. Here are the most common ones — and exactly how to fix them.

Mistake: IT is notified too late. When HR waits until the last day to loop in IT, there’s no time for a systematic process. You end up rushing through the checklist or skipping steps entirely. Fix this by establishing a formal policy: HR notifies IT the same day they receive a resignation or make a termination decision, no exceptions.

Mistake: Forgetting third-party SaaS tools. Most businesses use far more software than they realize — especially small businesses that have added tools organically over time. A rarely used project management app or a billing integration can easily be missed. Fix this by maintaining a living inventory of all your software subscriptions and accounts, updated in real time whenever something is added or removed.

Mistake: Overlooking shared credentials and admin-level access. Standard user accounts are easy to disable. But if the departing employee had admin access to your website, your email platform, or your banking portal, those elevated privileges need a separate review. Fix this by auditing administrative and shared access as a dedicated section of your IT offboarding checklist — separate from regular account deactivation.

Mistake: Skipping email redirects for customer-facing roles. It feels like a minor detail until a client emails your former sales rep and hears nothing back for a week. Fix this by making email transition a required, non-skippable step in the checklist for anyone who had external-facing communication responsibilities.

Mistake: No documentation or audit trail. If you can’t prove that offboarding was completed, it’s almost as bad as not doing it at all — especially if a security incident occurs later. Fix this by requiring a signed or timestamped confirmation for every task on the checklist. Every step should have a record of who completed it and when.

Key Takeaways

  • An employee offboarding IT checklist protects your business from security risks that arise when employees leave by systematically revoking access, recovering devices, and preserving data.
  • Notify IT as early as possible when an employee departs — lead time is the most important factor in a thorough offboarding process.
  • Revoke access in priority order: email first, then network and VPN, then cloud and SaaS applications.
  • Don’t overlook shared credentials, administrative privileges, or physical access like keycards and alarm codes.
  • Back up data and set up email redirects before deactivating accounts — especially for customer-facing employees.
  • Use role-specific checklists for IT, HR, and the departing employee’s manager to clarify ownership of each task.
  • Always conduct a post-departure audit and maintain documentation with timestamps and sign-offs for every completed step.
  • Small businesses are just as vulnerable as large ones — a simple, repeatable IT offboarding process is one of the best investments in security you can make.

What should be on an employee offboarding IT checklist?

An IT offboarding checklist should cover revoking email and network access, disabling logins to all SaaS and cloud applications, resetting shared credentials and admin passwords, recovering company devices, deactivating physical access badges, backing up the employee’s data, and setting up email redirects if needed. Every step should be documented with a timestamp and sign-off.

When should IT access be revoked when an employee leaves?

Most access should be revoked on or immediately before the employee’s final day. For sensitive roles, some organizations begin staging revocations earlier in the notice period. Final deactivation of email and network access should occur the moment employment ends. Avoid revoking access so early that it disrupts knowledge transfer during the notice period.

What happens if you forget to revoke a former employee’s access?

Unrevoked access is a serious security risk. Former employees could intentionally or accidentally access sensitive company data, customer information, or financial systems after leaving. Even if the departure was amicable, this creates a compliance liability. A documented IT offboarding checklist with a post-departure audit is the best way to prevent these gaps.

Do small businesses really need a formal IT offboarding process?

Yes. Small businesses are often more vulnerable than large enterprises because they lack dedicated security teams. A single missed account or unreturned device can expose customer data or proprietary information. A simple, repeatable IT offboarding checklist takes minimal time to follow and significantly reduces the risk of a costly security incident.

How do you handle IT offboarding for a remote employee?

For remote employees, coordinate a secure device return by mail or courier and confirm receipt before closing accounts. Use remote device management tools to wipe company data from laptops or phones if the device cannot be physically retrieved in time. All digital access revocation steps remain the same regardless of whether the employee worked on-site or remotely.

Conclusion: Make IT Offboarding a Standard Part of Every Departure

Every employee departure is a potential security event. That’s not a reason to panic — it’s a reason to have a plan. A well-built employee offboarding IT checklist turns a chaotic, easy-to-bot

Advertisement