TISAX 3.1.4 – Mobile IT Devices & Mobile Data Storage Devices

Tisax Consultancy

To earn a TISAX label, organisations must meet the requirements of TISAX 3.1.4 for Mobile IT Devices and Mobile Data Storage Devices. Many organisations set basic controls, but these often fall short: definitions are unclear, evidence is missing, or rules are not applied consistently. As a result, compliance gaps appear, bringing security risks and audit problems.

The Problem

Many organisations think they manage mobile devices well, yet they do not always fully meet TISAX 3.1.4 requirements. Usually, several common problems appear, such as:

  • USB sticks may be controlled, but other storage media (SD cards, portable hard drives) are overlooked.
  • Encryption and access protection may be defined, but device marking is missing—especially important when working on customer sites.
  • MDM is used, but no device register exists for laptops, phones, or tablets, reducing traceability.
  • Users are not warned when data protection is absent, such as when using unmanaged apps or unencrypted storage.
  • Templates exist, but organisations cannot prove they are being applied in practice.

Because of these gaps, organisations have weaker protection and less traceability. As a result, partial conformity often appears during TISAX assessments.

Solution

Meeting TISAX 3.1.4 requirements needs a clear and well-documented approach for all mobile IT devices and portable storage media. To succeed, organisations should focus on these elements:

Clear Device Requirements

Define the rules for all device types, including:

  • Encryption
  • PIN/password access protection
  • Physical marking
  • Approved use cases

Controls must apply to:

  • Laptops and phones
  • Tablets
  • USBs, SD cards, portable hard drives
  • Any device storing or processing business data

Formal Asset Register

Maintain a central mobile device register showing:

  • Device type
  • Serial number
  • Assigned user
  • Encryption status
  • MDM enrolment
  • Issue and return dates

By following this process, organisations gain complete traceability and can make audits much simpler. In addition, it becomes easier to provide evidence of compliance when needed.

User Notifications & Warnings

Implement processes that notify users when:

  • Encryption is unavailable
  • Apps are unmanaged
  • Storage occurs outside corporate control

Clear communication with users helps reduce accidental misuse. It also encourages responsible behaviour and supports ongoing compliance.

Process Integration

Organisations should include these requirements in HR, IT, and security processes. As a result, enforcement remains consistent from onboarding to offboarding, reducing the risk of compliance gaps.

Deliverables

Policies & Procedures

Create and maintain:

  • A mobile device policy covering encryption, access control, marking, and customer‑site requirements
  • A mobile storage device policy for USBs, SD cards, and portable hard drives, including restrictions or prohibitions

Asset Management

Maintain an updated device register showing:

  • Device details
  • User assignments
  • Compliance status
  • Dates of issue and return

User Awareness & Acknowledgements

Provide training and communication materials covering:

  • Secure mobile use
  • Risks of unencrypted storage
  • Approved apps and services

Collect acknowledgements where appropriate.

Technical Enforcement (MDM)

MDM settings should enforce:

  • Encryption
  • Authentication
  • Auto‑lock
  • Remote wipe
  • Monitoring for non‑compliance

Outcomes

By implementing these measures, organisations achieve important outcomes:

  • Complete control over mobile IT devices and storage media
  • Consistent enforcement across departments
  • Full traceability and accountability
  • An informed workforce that understands risks
  • Alignment with TISAX Maturity Level 2.1 expectations

As a direct result, these outcomes strengthen the organisation’s security and support smooth, successful TISAX assessments. In addition, employees become more aware of their responsibilities.

Benefits or Results

When organisations adopt this approach, several key benefits emerge:

  • Stronger protection for mobile devices and data
  • Fewer TISAX non‑conformities
  • A complete, traceable device inventory
  • More consistent employee behaviour
  • Greater confidence when working at customer sites