PARKINSONHOWE

TISAX 5.1.2 – Secure Use of Network Services

Tisax Consultancy

General Guidance for Organisations Working Toward a TISAX Label

The Problem

Many organisations have robust technical controls for secure communications. However, TISAX demands more than just technical safeguards. It requires a process that is fully documented. This process should be based on information classification. It must be applied consistently to every network service used for data transfers. Therefore, meeting these expectations calls for detailed planning and clear documentation at every step.

Common gaps include:

  • Clear documentation of network services, but no defined procedures linking information classification to permitted transfer methods (e.g., which services may be used for Confidential data).
  • Encryption is used in most areas. However, email is not guaranteed to be encrypted. This is especially true when using opportunistic TLS with an unencrypted fallback.
  • No controls aimed at preventing incorrect recipients, such as recipient verification, address‑checking steps, or user prompts.
  • Secure remote access solutions are in place. However, there is no evidence of periodic verification. Review activities are not conducted to ensure their continued effectiveness.
  • No explicit rules for ensuring correct transfer, such as approval processes or checks for sensitive data exchanges.

Because of these issues, organisations cannot always guarantee that data transfers meet TISAX requirements every time. As a result, they may only achieve partial conformity when assessed, which can impact their overall security rating.

Solution

To fulfil TISAX 5.1.2, organisations need a structured approach guided by information classification for all network-based data transfers. This approach should be clear, practical, and easy to follow for staff at every level. The process involves several important steps:

  • Creating clear classification‑based procedures that describe:
    • What transfer methods are permitted for each information class?
    • What methods are prohibited for highly confidential or personal data?
    • When forced encryption must be used.
  • Ensure all network services use encryption methods that guarantee data is always protected in transit. Do not rely on optional or opportunistic protection, where encryption is only used if both ends support it.
  • Introducing measures to prevent misaddressing and incorrect transfers, such as:
    • Recipient confirmation prompts
    • DLP-style warnings
    • Dual approval for sensitive transfers
    • Clear user verification steps
  • Establishing a process for verification of remote access controls, including:
    • Periodic testing
    • Review of logs and access history
    • Checks confirming that encryption, MFA, and access termination are functioning correctly.
  • Documenting all procedures so they clearly map to the organisation’s information classification model.

By using this integrated approach, organisations can ensure that all data transfers are predictable, compliant with TISAX, and secure. Additionally, it helps staff understand their responsibilities, making security a shared priority.

Deliverables

Organisations must create a thorough, audit-ready set of documents and records. These materials clearly demonstrate that all TISAX requirements are met and provide evidence during assessments. Key deliverables include:

Policies & Procedures

  • A classification-based Network Services Use Procedure that defines:
    • Permitted transfer methods by classification (e.g., VPN, secure portals, encrypted email).
    • Prohibited methods and fallback rules.
    • Required encryption standards for each category.
  • A Data Transfer Procedure describing:
    • Address‑verification steps
    • Approvals for sensitive data transfers
    • How to validate the correct recipients
    • User responsibilities during data exchange

Technical Controls

  • Enforcement of:
    • TLS 1.2/1.3 or equivalent for all email flows
    • Forced encryption (no unencrypted fallback)
    • VPN for remote access
    • MFA + Conditional Access for cloud services
  • Correct addressing safeguards such as:
    • Autocomplete restrictions
    • Warning banners when sending externally
    • Mandatory review prompts for sensitive data

Registers & Documentation

  • An inventory of all network services involved in data transfer:
    • Protocol
    • Encryption level
    • Authentication method
    • Approved purpose
  • Records showing:
    • Remote access reviews
    • Encryption verification checks
    • Periodic testing of controls

User Awareness

  • Training informing staff about:
    • Correct transfer methods for each classification
    • The risks of misaddressing
    • Appropriate use of email and secure portals

Outcomes

When organisations put these measures in place, they accomplish several important outcomes:

  • A clear and predictable framework for choosing the correct data transfer method.
  • Strong and consistent encryption aligned with classification categories.
  • Reduced risk of accidental data exposure caused by misaddressed or insecure transfers.
  • Reliable assurance that remote access meets TISAX‑level security expectations.
  • Evidence that all network services are managed, documented, and periodically verified.

Together, these outcomes make the organisation’s security stronger and help it meet the TISAX 3.0 maturity requirements. Over time, this approach builds trust with partners and customers.

Benefits or Results

Following this approach provides:

  • Gain complete oversight and control of network information transfers.
  • Achieve consistently strong encryption and reduce communication weak points.
  • Prevent misdirected emails and incorrect file transfers effectively.
  • Minimise risk of TISAX nonconformities for transfers and remote access.
  • Builds confidence among partners, customers, and auditors.
BOOK A TISAX READINESS REVIEW
REQUEST A TISAX PROPOSAL