General Guidance for Organisations Working Toward a TISAX Label
To earn a TISAX label, organisations must address the requirements of TISAX 6.0.3 – Handling of Identification Means. Because this control covers the entire lifecycle of identification means, clear processes for IT accounts, keys, cards, and cryptographic devices are vital. Moreover, without strong evidence, organisations regularly face difficulties proving maturity in assessments.
The Problem
Many organisations do not fully meet the expectations of TISAX 6.0.3 – Handling of Identification Means. Common issues include:
- No defined process for issuing, handing over, returning, or destroying identification items.
- Missing validity periods, renewal rules, or expiry tracking.
- No central register showing who holds which keys, access cards, tokens, or devices.
- No process for reporting or managing lost or stolen identification means.
- No controlled or authorised production of cards, keys, or tokens.
As a consequence, these gaps increase security risks and often result in partial or failed TISAX assessments. Furthermore, missing processes can make it harder to control sensitive assets.
Solution
In order to comply with TISAX 6.0.3 – Handling of Identification Means, organisations must establish and enforce a complete lifecycle for all types of identification means—physical, digital, and cryptographic. Such a process incorporates the following elements:
Identification Means Lifecycle Policy
Covering:
- Creation and authorised approval
- Secure production or issuance
- Handover and acknowledgement
- Defined validity periods and renewals
- Periodic review
- Return and revocation
- Destruction or disabling
- Handling loss or suspected compromise
Controlled Issuance
Only authorised staff may produce or issue:
- Access cards
- Keys
- Badges
- Tokens or USB authentication devices
Central Register
Maintain a full log of:
- Holder name
- Type of identification means
- Key or token IDs
- Issue/return dates
- Validity periods
- Loss or incident records
User Communication
Ensure users understand:
- Their responsibilities
- How to report loss or suspicious activity
- Expected behaviour and restrictions
HR & IT Integration
Embed lifecycle steps into onboarding and offboarding.
Never issue identification means without approval, and always collect them on exit.
By adopting this structured approach, organisations can clearly demonstrate maturity and show that they are ready for audits. In addition, it makes it easier to provide evidence during assessments.
Deliverables
Policies & Procedures
- Identification Means Lifecycle Policy
- Physical access control procedure
  - Who can issue items
  - Storage of unused items
  - Logging and documentation rules
Registers & Documentation
- Central identification means register
- Revocation list or access‑rights update log for IT accounts and tokens
User Awareness Materials
- Staff guidance covering responsibilities, reporting steps, and prohibited behaviour
Supporting Controls
- Secure storage for unused cards and keys
- Authorisation workflows for all issuance
Outcomes
When organisations implement these measures, they gain several advantages:
- Full traceability and visibility of all identification means
- Clear accountability for approval, issuance, handling, and return
- Controlled, auditable lifecycle processes
- Reduced risk of unauthorised access
- Strong alignment with TISAX Maturity Level 3.0
- Fewer audit findings and faster assessment readiness
Benefits or Results
By taking this approach, organisations benefit in a variety of ways:
- A complete, auditable lifecycle for all identification means
- Better protection of buildings, systems, and sensitive information
- Fewer lost or unreturned items
- Stronger collaboration between HR, IT, and Facilities
- Higher TISAX compliance and improved client confidence



