TISAX 2.1.2 – Employment & Confidentiality Obligations

Scope & Objective Alignment

TISAX 2.1.2 – Employment & Confidentiality Obligations

General Guidance for Organisations Working Toward a TISAX Label

Organisations working toward a TISAX label often struggle to meet the expectations of TISAX 2.1.2 – Employment & Confidentiality Obligations. Many of Reaching the TISAX label is not always easy, especially for organisations grappling with the requirements of TISAX 2.1.2 – Employment & Confidentiality Obligations. Although employment-related security responsibilities are sometimes recorded, they are rarely applied or tracked in a consistent manner. Therefore, organisations frequently find it challenging to prove compliance during TISAX assessments.

The Problem

Many organisations assume they already fulfil employment-related security requirements. Nevertheless, reviewing their practices against TISAX 2.1.2 – Employment & Confidentiality Obligations often reveals missing or incomplete steps. For example, the following gaps frequently appear:

  • Confidentiality clauses exist but are not signed by all employees.
  • Information security responsibilities appear in policies but are not included in employment contracts.
  • Acceptable use, monitoring, and incident reporting expectations are unclear or not part of formal terms.
  • Evidence is inconsistent—templates exist, but signed acknowledgements do not.
  • HR processes are undocumented or incomplete, particularly for onboarding, offboarding, and managing violations.

As a result of these weaknesses, organisational maturity is reduced and passing a TISAX assessment becomes more difficult. Without thoroughly documented employee obligations, organisations often find compliance and information protection harder to demonstrate.

Solution

Meeting the expectations of TISAX 2.1.2 means embedding clear information security responsibilities throughout each stage of employment. Organisations benefit by developing a structured and repeatable approach, which must cover contracts, policies, acknowledgements, relevant processes, and supporting evidence.

Key actions include:

Employment Contracts

  • Add clear information security roles and responsibilities.
  • Include confidentiality obligations that continue after employment ends.
  • Define acceptable use and monitoring transparency.
  • Clarify incident reporting responsibilities.

Confidentiality Agreement

  • Provide a standalone NDA aligned to TISAX requirements.
  • Ensure every employee signs it, not only new starters.

Policy Acknowledgements

  • Ensure all employees sign acknowledgements for:
    • Acceptable Use Policy
    • Information Security Policy
    • Incident Reporting guidance
    • Monitoring and privacy information
  • Store acknowledgements in a traceable evidence library.

Violation & Escalation Process

  • Document how policy breaches are handled.
  • Include reporting routes, responsibility, and consequences.

Evidence Collection

  • Maintain proof for every employee:
    • Signed contracts
    • Signed confidentiality agreements
    • Policy acknowledgements
    • HR process records
    • Disciplinary documentation (where relevant)

Establishing these practices as standard helps organisations build a clear evidence trail. In turn, this supports successful TISAX assessments and enhances governance across the company.

Deliverables

Organisations working toward TISAX should prepare and maintain:

Contractual Documents

  • Employment contract clauses covering:
    • Confidentiality
    • Compliance with security policies
    • Acceptable use
    • Monitoring transparency
    • Incident reporting duties
    • Post‑employment obligations
  • A standardised Confidentiality Agreement aligned with TISAX expectations.

Employee Acknowledgements

A complete set of signed documents for every employee, including:

  • Acceptable Use Policy
  • Information Security Policy
  • Incident Reporting Process
  • Monitoring and privacy notices

Processes

A documented HR workflow covering:

  • Onboarding:
    • Contract signing
    • Policy distribution
    • Acknowledgement collection
  • Offboarding:
    • Access removal
    • Asset return
    • Exit confirmation of confidentiality
  • Policy‑violation and escalation process.

Evidence Set

A structured evidence library containing:

  • Signed contracts and NDAs
  • Signed policy acknowledgements
  • Disciplinary records
  • Reporting routes and HR procedures
  • Onboarding/offboarding documentation

Outcomes

When these measures are implemented, organisations achieve several important outcomes.

  • Clear and consistent security expectations for all employees.
  • Strong evidence showing staff understand and accept their responsibilities.
  • A predictable, repeatable HR process that ensures TISAX readiness year‑round.
  • Improved protection of confidential and client information before, during, and after employment.
  • Smoother TISAX assessments with fewer findings or non‑conformities.

Benefits or Results

By applying this guidance, organisations can achieve the following:

  • Strengthen compliance with TISAX 2.1.2 – Employment & Confidentiality Obligations.
  • Reduce the risk of non‑conformities and audit delays.
  • Improve legal protection by clarifying employee duties.
  • Build a transparent, trusted security culture.
  • Provide auditors with clear, traceable, and easy‑to‑validate evidence.
  • Demonstrate a mature, professional approach to information security.