2020-04-01 by Immo Wehrenberg TISAX
The health and safety of employees is a top priority for every company, also with regard to information security. This is fully in line with the objective of information security, which is to protect all critical business processes of the organisation and its partners with regard to confidentiality and integrity, but also availability.
The novel coronavirus (SARS-CoV-2) is a threat to persons as essential information carriers and as the basis of many critical business processes in the company. Maintaining the management of information security in the current situation is therefore necessary, but it is not enough: especially in this situation, an appropriate information security management system (ISMS) should be understood as one of the essential control instruments for the executive board and management. It supports the decision makers in making informed and strategically correct decisions in every situation and then acting with the right priorities.
The first step is to assess the changed risk situation caused by the coronavirus pandemic – especially with regard to availability – and to derive and correctly prioritise necessary actions. The threat posed by the coronavirus creates direct and indirect risks for the availability of persons:
Reassessing risks on the basis of a changed threat situation, and deriving measures from that reassessment, is not only a regular process but an absolutely necessary one, and it is explicitly demanded in the corresponding VDA ISA question 1.4.1. An example of this is the offer, or even the order, to shift work to the home environment in order to protect persons and prevent the spread of the disease, but also to reduce the risks with regard to the availability of persons.
This means continuing to assess the associated risks before implementing measures and, if necessary, deriving additional measures with the right priority. VDA ISA question 3.1.2 aims to take into account the increased risks in terms of confidentiality and integrity of information, e.g. due to processing in the employee's home, even in crisis situations.
In order to be TISAX-compliant, at least the following aspects must be considered:
This list makes no claim to completeness. You must also consider aspects beyond this in an appropriate manner.