diff --git a/README.md b/README.md
index 710febf..8497db1 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ cd groups/devnso-adp-argocd
 ln -s ../../max.musterman@netgo.de.gpg.pub
 ```
 
-## 3. Onboarding: [Existing User]: Configure sops config
+## 2. Onboarding: [Existing User]: Configure sops config
 
 Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`)
 
@@ -104,7 +104,7 @@ devnso-adp-argocd
 
 At this point, the New User has been configured and can grant themselves access to any of the secrets files in this project.
 
-## 4. Onboarding: [New User] Configure SOPS
+## 3. Onboarding: [New User] Configure SOPS
 
 SOPS is used for encrypting secrets, e.g. credentials for various systems
 
@@ -128,7 +128,7 @@ Note: The `GPG_TTY` is necessary to have the password prompt appear. src: https:
 
 Note: `secrets.yaml` is just an example; the file can have any name
 
-## 5. Offboarding: [Existing User]: Archive Expired Keys (EOL)
+## 4. Offboarding: [Existing User]: Archive Expired Keys (EOL)
 
 To mark a key as expired:
 1. move it to the `archive/` dir