Physical security is one of the elements assessed to obtain the TISAX label. During preparation for this activity, it is worth knowing 10 effective practices.
These practices will help avoid non-compliance during third-party audits and improve the physical security of the production facility.
Identification cards always in a visible place
Working in a production environment, most of us receive ID cards at the beginning of employment. These cards usually have a photo, name, surname, employee number, and the company logo.
Wearing the card in a visible place helps reduce or eliminate situations where an unauthorized person is present in the plant without supervision. Of course, we must approach this subject with common sense, which means that while at their workplace, employees should not wear their ID on a lanyard for safety reasons.
Do not use your ID card to allow other people to enter
Continuing the topic of ID cards, consider a scenario where you let others enter the plant using your ID card if they do not have one.
I know exactly what I’m talking about because, before the implementation of the TISAX label, I sometimes allowed other people to use my badge. This included, for example, a lady from the employment agency organizing a meeting with newly hired employees, a person coming for a job interview, or someone working in the canteen.
Fig. 1 – Do not use your ID card to allow other people to enter. A photo for the newsletter as an action to increase employee awareness.
Each of them should receive a one-time or temporary pass from the security guard at the entrance. This is important to prevent unauthorized people from entering the plant.
Physical security and communication for employees
Awareness raising is closely related to effective communication. In the plant where I currently work, we achieve this through daily and weekly meetings, as well as monthly communications with employees.
For my part, I have implemented the “TISAX EduLetter” section in our bi-weekly newsletter, which provides information that affects physical safety to all employees.
Check whether guest ID cards can open doors in yellow or red zones
The topic of zones is closely related to the requirements set by TISAX. Access to yellow zones (e.g., HR, payroll) and red zones (e.g., IT zone, server room) should be limited to a minimum.
While preparing for TISAX certification, we should check whether guest ID cards can open rooms in yellow and red zones.
External auditors will certainly check this during the audit.
Server room silent alarm
Using a silent alarm is not obligatory, but it is a great measure that improves the reaction time of security staff in the event of unauthorized access to the red zone.
A common point where certification bodies issue a non-compliance is the lack of instructions and identification of individuals in the server room. Most server rooms are identified as red zones.
It is worth addressing this by preparing a short instruction explaining what activities a visitor can perform in this area.
Closing the door between defined zones
Surely you’ve seen action movies where a person uses an ID card to enter a room, then passes through without ensuring the door is closed, allowing a bad character to slip in unnoticed.
Such a situation can also occur in a production plant. This is an interesting example to increase employee awareness about moving between zones. If we walk between zones (green, yellow, red), we often use ID cards to open doors.
It is important at this stage to check that the door is closed after passing through. This eliminates the situation where an unauthorized person follows us into an unauthorized zone.
Physical Security vs. verification of the operation of cameras
Industrial cameras are very effective for increasing the security of infrastructure and employees, provided they work properly.
Why am I bringing up this topic? Nowadays, with rising energy prices, everyone is looking for savings. In factories, this involves shutting down specific production lines and cameras monitoring them. And now the best part.
Additionally, to meet GDPR requirements, we should display information about monitoring in a visible place for anyone entering our plant.
Time shift between recording and real-time data
When verifying camera operation, check the time shift between what the camera records and what security personnel observe on the monitor screen. This is important because, if such a shift exists, security personnel see events with a delay.
For example, an unauthorized person could jump over a fence and enter the plant before security realizes it.
Does the camera “see” what it should?
The last point worth checking concerns the operating range of the cameras. During an audit at another facility, which I attended as an observer, the auditor noted that the camera did not “see” the loading area.
This was due to a ventilation system added to the façade after the camera had been installed. As a result, the camera “saw” the ventilation duct instead of the loading area.
For this reason, it is always worth checking the cameras’ operational range if there have been modifications to the building’s structure (for example, an added shed).
Physical security – summary
As you can see, many elements contribute to effective physical security. Like other elements of information security, they require appropriate planning.
If you are preparing your plant to receive the TISAX label, we cordially invite you to take advantage of our training offer. Additionally, an automatic, editable Excel form can be downloaded for free on the “Free Tools” page.
Document name: TISAX Implementation Checklist – Excel form
Dariusz Kowalczyk