ISA VDA 6.0.3 (part 3) — Information Security Sheet: Human Resources, Physical Security, Identity and Access Management

This is part 3 of the series about the TISAX label, which began with TISAX getting started: A Deep Dive into the ISA Assessment Workbook (part 1).

My company offers consulting on how to prepare for TISAX, ISO27001, NIS2, CSMS and SOC2 audits.
Get in touch with us here: https://www.endpoint-cybersecurity.com/contact/

Chapter 2 — Human Resources

This chapter addresses the people dimension of information security: how the organization selects staff for sensitive roles, contractually binds them to security obligations, trains and raises awareness among them, and manages the risks associated with working outside the office.

Note: Chapter 2 in ISA 6.0.3 contains only one structural level beneath the chapter header. Controls are numbered in the format 2.1.x but there is no separately titled subchapter 2.1 header. The implicit grouping covers general HR security measures.

2.1.1 — To what extent is the qualification of employees for sensitive work fields ensured?

The organization must identify which roles are sensitive from an information security perspective, define the qualification requirements for those roles, and verify the identity of candidates before hiring. The should-level extends this to personal suitability checks — interviews, reference checks, or more rigorous methods depending on the role’s sensitivity. There are no additional requirements at high or very high protection need levels.

Evidence includes a list or classification of sensitive roles, defined job profiles with security-relevant criteria, and records of identity verification performed during hiring.

2.1.2 — To what extent is all staff contractually bound to comply with information security policies?

Every employee must be under a non-disclosure obligation and must be formally committed to complying with information security policies. The should-level adds an expectation that the NDA extends beyond the employment period, that security aspects are embedded in employment contracts, and that there is a procedure for handling violations.

Evidence includes employment contract templates containing NDA clauses and information security obligations, and any documented procedures for managing breaches of these obligations.

2.1.3 — To what extent is staff made aware of and trained with respect to the risks arising from the handling of information?

All employees must receive training and awareness activities related to information security. The should-level defines a minimum scope for that training: the organization’s information security policy, how to report security events, how to respond to malware, how to handle user accounts and passwords, and physical security measures. Training must be refreshed at regular intervals.

Evidence includes a training concept or awareness program, training records showing which employees completed which modules, and records of the training schedule and frequency.

2.1.4 — To what extent is mobile work regulated?

Working outside defined security zones — home offices, client sites, travel — introduces risks that must be addressed by specific requirements. The must-level requires that the organization has determined and implemented requirements covering secure access to and handling of information in both electronic and physical form during remote work. The should-level adds considerations for travel-specific risks, including measures for travel to security-sensitive countries. For high protection needs, protective measures against overhearing and visual exposure — such as privacy screens and secure communication practices — must be implemented.

Evidence includes a teleworking or remote work security policy, records showing the policy has been communicated to staff, and for high protection needs, documented technical and organizational measures against visual and acoustic compromise.

Chapter 3 — Physical Security

This chapter addresses the physical layer of information security: the security zones where information is processed, the hardware and media that carry it, and the mobile devices used to access it outside secure perimeters.

Note: Like chapter 2, chapter 3 contains no separately titled subchapter. Controls run directly as 3.1.x.

3.1.1 — To what extent are security zones managed to protect information assets?

A security zone concept must exist that maps protection requirements to physical areas — offices, server rooms, delivery zones, reception areas. The concept must define what protective measures apply in each zone, and zones must be demarcated with visible or enforced perimeters. The should-level adds expectations for access rights management procedures, visitor management policies, and rules for using mobile IT devices inside secure zones. For high protection needs, measures against overhearing and visual exposure inside or near sensitive zones must be implemented.

Evidence includes the security zone documentation, access control records, visitor logs, and for high protection needs, records of anti-eavesdropping or visual screening measures.

3.1.2 — Superseded by 1.6.3, 5.2.8, and 5.2.9

This control is no longer active in ISA 6.0.3. Its content has been redistributed into crisis management (1.6.3), IT continuity planning (5.2.8), and backup and recovery (5.2.9). No assessment is performed against 3.1.2 as a standalone control.

3.1.3 — To what extent is the handling of supporting assets managed?

Physical assets that support information processing — servers, workstations, storage media, paper — must have defined requirements covering their entire lifecycle: transport, storage, repair, loss reporting, return, and secure disposal. The should-level is not populated for this control. For high protection needs, supporting assets must be disposed of in accordance with recognized standards — for example, ISO 21964 at Security Level 4 or equivalent — to prevent data recovery from discarded equipment.

Evidence includes a hardware and media lifecycle policy, disposal records, and for high protection needs, certificates of secure destruction.

3.1.4 — To what extent is the handling of mobile IT devices and mobile data storage devices managed?

Mobile devices and removable storage must meet defined security requirements covering encryption, access protection such as PIN or password, and appropriate marking. The should-level adds device registration and user communication about risks. For high protection needs, general encryption of mobile storage devices or the information stored on them is required. Where encryption is not technically feasible, equally effective compensating measures must be implemented.

Evidence includes a mobile device management policy, encryption configuration records, device inventory, and for high protection needs, evidence of encryption enforcement or compensating controls.

Chapter 4 — Identity and Access Management

This chapter covers the mechanisms by which the organization controls who can access what — from physical identification tokens to digital user accounts and the logic for granting or revoking rights.

4.1 Identity Management

This subchapter addresses physical and digital means of identification and the authentication procedures that verify a user’s identity before granting system access.

4.1.1 — To what extent is the use of identification means managed?

Physical and digital identification tokens — keys, access cards, cryptographic tokens, certificates — must be managed across their full lifecycle: creation, issuance, return, revocation, and destruction. Validity periods must be defined and traceability maintained, along with a process for handling lost means. The should-level expects these tokens to be produced only under controlled conditions. For high protection needs, validity periods must be actively limited to an appropriate duration, and a blocking strategy for lost tokens must be both defined and implemented as far as technically possible.

Evidence includes an identification means register, lifecycle management procedures, records of issued and returned tokens, and for high protection needs, proof of validity enforcement and loss response procedures.

4.1.2 — To what extent is the user access to IT services and IT systems secured?

Authentication procedures must be chosen based on a risk assessment that considers the attack surface of each system, including whether systems are directly internet-accessible. State-of-the-art authentication must be applied. The should-level requires strong passwords at minimum and stronger mechanisms for privileged users. For high protection needs, enhanced measures such as continuous session monitoring, automatic logout, and brute force prevention must be implemented based on the risk profile. For very high protection needs, access to data of very high classification must require strong two-factor authentication.

Evidence includes a risk assessment underpinning authentication choices, authentication configuration documentation, and at higher protection levels, records of enhanced access controls and monitoring.
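The following is an added example, not code from the ISA catalogue or from the author of this post, showing two of the high protection need measures named in 4.1.2 in working form: per-account lockout after repeated failed logins (brute force prevention) and automatic logout of idle sessions. The thresholds (5 attempts, 15-minute lockout, 10-minute idle timeout), the PBKDF2 iteration count and the class and function names are assumptions for the example, not ISA values; the injectable clock is there so the behaviour can be exercised offline without waiting.

```python
"""Brute-force lockout and idle-session logout for a password login.

Thresholds and the hashing cost are assumed values for the example, not ISA
figures; an injectable clock makes the behaviour reproducible offline.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

MAX_FAILURES = 5                 # failed attempts before the account is locked (assumed)
LOCKOUT_SECONDS = 15 * 60        # lockout duration (assumed)
IDLE_TIMEOUT_SECONDS = 10 * 60   # automatic logout after inactivity (assumed)
PBKDF2_ITERATIONS = 100_000      # kept low for the example; raise it (or use Argon2) in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, clock):
        self.clock = clock            # callable returning seconds, e.g. time.monotonic
        self.accounts = {}            # username -> Account
        self.sessions = {}            # token -> (username, last activity)
        self._dummy_salt = os.urandom(16)

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, hash_password(password, salt))

    def login(self, name: str, password: str):
        """Return (session_token, status); status is 'ok', 'invalid' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(name)
        if acct is None:
            # Hash anyway so response time does not reveal whether the user exists.
            hash_password(password, self._dummy_salt)
            return None, "invalid"
        if now < acct.locked_until:
            # A locked account rejects even the correct password until the window
            # ends, so the lockout response leaks nothing about the guess.
            return None, "locked"
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return None, "locked"
            return None, "invalid"
        acct.failures = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, now)
        return token, "ok"

    def touch(self, token: str):
        """Call on every request. Returns the username, or None once the session
        has expired through inactivity (the session is dropped at that point)."""
        now = self.clock()
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        self.sessions[token] = (name, now)
        return name

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


if __name__ == "__main__":
    import time
    svc = AuthService(time.monotonic)
    svc.register("alice", "correct horse battery staple")
    for _ in range(MAX_FAILURES):
        print(svc.login("alice", "wrong")[1])      # 'invalid' four times, then 'locked'
    print(svc.login("alice", "correct horse battery staple")[1])  # still 'locked'
```

The counter here is per account, so it stops online guessing against one user but not password spraying, where an attacker tries one password across many accounts; a per-source or global rate limit is needed alongside it. Keep the lockout response identical for wrong and correct passwords, as above, or the lockout itself becomes an oracle.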

4.1.3 — To what extent are user accounts and login information securely managed and applied?

User accounts must follow a clear lifecycle: creation, modification, and deletion all managed with oversight. Accounts must be unique and personal. Generic or shared accounts must be restricted to cases where traceability is genuinely not needed. Accounts must be disabled immediately when a user leaves or changes role. The should-level adds expectations around minimal default-privilege accounts, disabling of default manufacturer credentials, formal authorization procedures for creating accounts, and regular account reviews.

Evidence includes a user account management procedure, records of account creation and deactivation, and periodic access reviews.

4.2 Access Management

This subchapter addresses how access rights are granted, reviewed, and revoked — and how the organization ensures that rights remain aligned with actual need.

4.2.1 — To what extent are access rights assigned and managed?

Access rights must be managed based on the need-to-know and least privilege principles. The process for requesting, approving, and revoking rights must be defined. Rights must be revoked when no longer needed. The should-level expects role-based access control, with rights assigned to roles rather than individuals where possible, and regular reviews to identify stale or excessive rights. For high protection needs, access rights must be approved by a designated internal information officer. For very high protection needs, data of very high classification must be stored in encrypted form so that even privileged users cannot access it without appropriate authorization, and access rights must be reviewed more frequently.

Evidence includes an access rights management procedure, role definitions, access review records, approval records, and at higher protection levels, encryption configuration and formal information officer sign-off records.
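As an added example (not part of the original post or of the ISA catalogue), the review below runs the 4.1.3 account checks and the 4.2.1 least-privilege checks together over a constructed HR roster and IAM export: leaver accounts still enabled, accounts whose owner is unknown to HR, shared or unowned accounts, manufacturer default accounts left enabled, stale accounts, and entitlements exceeding the baseline of the holder's role. The roster, the export, the role baseline, the 90-day staleness threshold and the default-account list are all constructed assumptions; in practice the two inputs come from the HR system and the IAM platform.

```python
"""Periodic account and access-rights review (4.1.3 / 4.2.1 style checks).

All data below is constructed for the example; in practice the roster and the
account export come from the HR system and the IAM platform respectively.
"""
from datetime import date

STALE_DAYS = 90                                          # assumed review policy
DEFAULT_VENDOR_ACCOUNTS = {"admin", "root", "guest"}     # assumed manufacturer defaults
TODAY = date(2026, 3, 10)                                # fixed review date for the example

# Assumed RBAC baseline: the entitlements a role is allowed to carry.
ROLE_BASELINE = {
    "developer": {"git:write", "ci:run"},
    "finance": {"erp:read", "erp:post"},
    "sysadmin": {"git:write", "ci:run", "srv:root", "erp:read"},
}

# Constructed HR roster: employee id -> (employment status, role)
HR_ROSTER = {
    "e001": ("active", "developer"),
    "e002": ("left", "finance"),
    "e003": ("active", "finance"),
    "e004": ("active", "sysadmin"),
}

# Constructed IAM export; owner None means nobody is accountable for the account.
IAM_EXPORT = [
    {"account": "alice", "owner": "e001", "enabled": True,
     "entitlements": {"git:write", "ci:run"}, "last_login": date(2026, 3, 1)},
    {"account": "bob", "owner": "e002", "enabled": True,
     "entitlements": {"erp:read", "erp:post"}, "last_login": date(2026, 1, 10)},
    {"account": "carol", "owner": "e003", "enabled": True,
     "entitlements": {"erp:read", "erp:post", "srv:root"}, "last_login": date(2026, 3, 2)},
    {"account": "dave", "owner": "e004", "enabled": True,
     "entitlements": {"srv:root", "git:write"}, "last_login": date(2025, 10, 1)},
    {"account": "svc-backup", "owner": None, "enabled": True,
     "entitlements": {"srv:root"}, "last_login": date(2026, 3, 3)},
    {"account": "admin", "owner": None, "enabled": True,
     "entitlements": {"srv:root"}, "last_login": None},
    {"account": "erin", "owner": "e999", "enabled": True,
     "entitlements": set(), "last_login": date(2026, 3, 4)},
]


def review(iam, roster, today):
    """Return a list of (account, finding) tuples for the reviewer to act on."""
    findings = []
    for acc in iam:
        name, owner, enabled = acc["account"], acc["owner"], acc["enabled"]

        # Manufacturer default accounts should be disabled (4.1.3 should-level).
        if name in DEFAULT_VENDOR_ACCOUNTS and enabled:
            findings.append((name, "default-account-enabled"))

        if owner is None:
            # Shared or unowned accounts break traceability; each needs a justification.
            if enabled:
                findings.append((name, "shared-or-unowned"))
        elif owner not in roster:
            # Owner unknown to HR: nobody can confirm the need for the account.
            findings.append((name, "owner-not-in-hr"))
        else:
            status, role = roster[owner]
            # Leavers must be disabled immediately (4.1.3 must-level).
            if status != "active" and enabled:
                findings.append((name, "leaver-still-enabled"))
            # Rights beyond the role baseline violate least privilege (4.2.1).
            excess = acc["entitlements"] - ROLE_BASELINE.get(role, set())
            if excess:
                findings.append((name, "excess:" + ",".join(sorted(excess))))

        # Stale accounts: never used, or unused for longer than the threshold.
        last = acc["last_login"]
        if enabled and (last is None or (today - last).days > STALE_DAYS):
            findings.append((name, "stale"))
    return findings


def accounts_to_disable(findings):
    """Findings that warrant immediate deactivation rather than a review ticket."""
    immediate = {"leaver-still-enabled", "default-account-enabled", "owner-not-in-hr"}
    return sorted({acc for acc, kind in findings if kind in immediate})


if __name__ == "__main__":
    result = review(IAM_EXPORT, HR_ROSTER, TODAY)
    for acc, kind in result:
        print(f"{acc:12} {kind}")
    print("disable now:", accounts_to_disable(result))
```

Joining the IAM export against the HR roster is what turns a list of accounts into evidence for the assessor: the output shows for each finding which control it maps to, and the records of the run, plus the tickets or deactivations that followed, are the access review records both 4.1.3 and 4.2.1 ask for.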
© Copyright 2026 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca - Security & Technology

