TISAX® Demystified – Episode 4

TISAX® Demystified Blog Ep. 3: Ensuring HR will follow a controlled process and coordinate with IT and the affected department regarding offboarding completion.

Goodbye Doesn’t Mean Good Riddance

(Chapter 2 – Human Resources Security, Part 2)

Most companies have some kind of hiring process.
Fewer have a proper way to say goodbye.

Which is a real problem in terms of security…

When someone leaves your company – whether they quit, retire, or get walked out – there is a small window to make sure the door really closes behind them. If it doesn’t, you’re not just dealing with a loose end – you’re leaving an open attack path. The threat is not necessarily the former employee; it is simply an open flank that needs to be closed.

What TISAX® Expects:

Chapter 2 doesn’t stop at onboarding. It wants to see offboarding done right – and documented.

That includes:

  • A formal process for revoking access – all of it
  • Deletion or return of devices, badges, tokens, keys
  • Exit interviews that cover information security topics
  • Awareness of contract obligations post-employment (e.g., NDAs still apply)
  • Logs or evidence that revocation actually happened

Where It Goes Sideways:

  • The IT department doesn’t find out the person left until some random time later
  • Shared accounts still work
  • Physical keys never come back
  • VPN access or mobile device sync remains active
  • Nobody tracks what the employee had access to in the first place

What Should Be Done:

  • Build an offboarding checklist tied to your HR process
  • Notify IT before someone walks out, not after
  • Make sure access change logs and asset inventory logs are part of the exit process
  • Check whether NDAs or contracts mention obligations that continue after employment, and communicate them when they do
  • Review access logs in the days after exit

If you only do one thing:

Take your last employee exit.

Look for that name on your organization’s VPN log, mailbox, chat tool, laptop inventory, shared folders – whatever systems they had access to.

Still in there? You’ve got work to do.
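
The check described above, sketched as an added example (not part of the original post): it compares an HR exit list against an access-log export and reports any activity dated after the exit. The CSV layouts, account names and events are constructed sample data; real VPN, mail or chat exports will need their own column mapping.

```python
"""Added example: find account activity dated after an employee's exit."""
import csv
import io
from datetime import datetime

# Constructed sample: HR exit list (account, time access should have ended).
EXITS_CSV = """user,exit_time
jdoe,2024-03-15T17:00:00+00:00
asmith,2024-03-20T12:00:00+00:00
"""

# Constructed sample: events merged from several systems into one export.
ACCESS_LOG = """timestamp,system,user,event
2024-03-14T09:02:11+00:00,vpn,jdoe,login_success
2024-03-16T02:41:07+00:00,vpn,JDoe,login_success
2024-03-18T08:15:00+00:00,mail,jdoe@example.com,activesync_sync
2024-03-19T10:00:00+00:00,chat,asmith,login_success
2024-03-21T10:00:00+00:00,fileshare,bwayne,read
2024-03-22T23:59:59+00:00,vpn,asmith,login_failed
"""


def normalise(account):
    """Map 'JDoe' and 'jdoe@example.com' to the key used in the HR list."""
    return account.strip().lower().split("@", 1)[0]


def post_exit_activity(exits_text, log_text):
    """Return (user, system, event, delay) for every event after the exit."""
    exits = {normalise(r["user"]): datetime.fromisoformat(r["exit_time"])
             for r in csv.DictReader(io.StringIO(exits_text))}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = normalise(row["user"])
        exit_time = exits.get(user)
        if exit_time is None:
            continue  # still employed, or never on the exit list
        when = datetime.fromisoformat(row["timestamp"])
        if when > exit_time:
            # Failed attempts count too: something still holds the credentials.
            findings.append((user, row["system"], row["event"], when - exit_time))
    return findings


if __name__ == "__main__":
    for user, system, event, delay in post_exit_activity(EXITS_CSV, ACCESS_LOG):
        print(f"{user}: {event} on {system}, {delay} after exit")
```

An empty result only proves something if the export covers every system the person could reach, which is why the access inventory has to exist before the exit.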

Next up:

Episode 5 – “What You Don’t Know You Have Can Hurt You”

We’ll shift gears into Chapter 3: Asset Management, and why an out-of-date inventory is one of the biggest security risks companies ignore.