Prototype Physical Security

Prototype Physical Security (VDA ISA 3.1.1) requires you to protect prototype vehicles, components, and related design data with controlled restricted areas and active monitoring, backed by documented handling procedures. To operationalize it fast, define what counts as “prototype,” lock down where it can physically exist, control and log access, manage visitors, and retain evidence that proves the controls run every day. ¹

Key takeaways:

• Build a clear “prototype scope” and map every location and movement path where prototypes and design data can appear.
• Enforce restricted areas with badge access, visitor controls, and surveillance, then review logs for anomalies.
• Keep audit-ready artifacts: floor plans, access lists, camera coverage maps, visitor logs, chain-of-custody records, and incident documentation.

“Prototype physical security requirement” usually fails in execution for one reason: teams protect the building, but not the prototype lifecycle. VDA ISA 3.1.1 expects physical security measures that follow prototype vehicles, parts, and design data wherever they go, including dedicated restricted areas and monitoring. ¹

For a Compliance Officer, CCO, or GRC lead, the practical goal is simple: prevent unauthorized observation, access, removal, photography, or tampering of prototypes and sensitive design information, and be able to prove your protections with records. This is not only about locks and cameras. Auditors look for controlled zoning, strict access governance, visitor management discipline, and documented handling procedures that staff can actually follow.

This page translates VDA ISA 3.1.1 into an operator’s checklist: who it applies to, what to implement, which artifacts to retain, and what exam questions commonly trigger findings. If prototypes or prototype design data touch third parties (test tracks, logistics, model shops, labs, maintenance providers), you also need handoffs and contractual expectations so the security boundary does not end at your front door.

Regulatory text

Requirement (excerpt): “Implement physical security measures for prototype vehicles, components, and design data including restricted access areas and monitoring.” ¹

Operator interpretation: You must (1) create dedicated restricted areas for prototypes and related design information, (2) enforce controlled access, (3) manage and record visitors, (4) monitor the areas (typically with surveillance), and (5) document how prototypes and prototype components are handled so the process is repeatable and auditable. ¹

Plain-English interpretation (what “good” looks like)

• Prototypes only exist in approved places (rooms, bays, cages, lots, trailers, labs) that are explicitly designated as restricted.
• Only approved personnel can enter those places, based on role and need-to-know.
• Visitors and third parties do not “float” through prototype zones; they are checked in, escorted, and recorded.
• Monitoring exists and is used: camera coverage is planned, operational, and reviewable.
• Movement and handling of prototypes and key components are controlled and documented, including storage, transport, test events, maintenance, and disposal/scrap.

Who it applies to

VDA ISA 3.1.1 applies to:

• Automotive suppliers and OEMs that build, store, test, repair, transport, or otherwise handle prototype vehicles, prototype components, and prototype design data. ¹

Operational contexts where this requirement shows up:

• Prototype workshops, garages, dyno rooms, labs, tear-down areas, metrology rooms
• Test fleets and proving grounds
• Warehouses and parts rooms containing pre-series parts
• Engineering offices with physical design data (printouts, drawings, removable media)
• Logistics handoffs and third-party sites (test tracks, contract manufacturers, model shops)

What you actually need to do (step-by-step)

1) Define “prototype” and “prototype design data” for your environment

Create a short internal definition and scoping rule that staff can apply quickly:

• Prototype vehicles (including camouflaged and pre-series)
• Prototype components (powertrain, body panels, ECUs, sensors, bespoke assemblies)
• Design data in physical form (printouts, drawings, labeled packages, removable media) Then map where each category appears across facilities and events. This becomes your control scope.

Deliverable: Prototype Security Scope Statement + location/process inventory.

2) Establish restricted areas and physical zoning

Designate dedicated restricted areas for prototypes and their components. Common patterns:

• Prototype cage inside a warehouse with controlled entry
• Restricted prototype bay in a workshop with door controls
• Secured yard/lot with controlled vehicle entry and camera coverage
• Locked cabinets for small high-value components and physical design artifacts

Make boundaries obvious: signage, markings, and written rules for entry/escort. Auditors want to see that “restricted” is not informal.

Deliverables: Restricted Area Register, floor plan overlays, signage standard.

3) Implement access controls tied to authorization

Put access enforcement in place, typically badge readers or keyed controls, and back it with governance:

• Define roles allowed to access each restricted area.
• Maintain an approved access list (name, role, justification, approver).
• Remove access promptly when people change roles or leave.

Where fully automated access control is not feasible, use compensating controls such as staffed entry points, lock-and-key management with issuance logs, and strict escort rules. The point is controlled access, not a specific technology. ¹

Deliverables: Access control procedure, access list, joiner/mover/leaver checklist for restricted areas.

4) Visitor and third-party management for prototype zones

Prototype areas must have stricter visitor handling than general office space:

• Pre-approve visits when practical (purpose, attendees, areas allowed).
• Check-in with identity verification and visitor badge.
• Enforce escort requirements in restricted zones.
• Capture arrival/departure times and areas visited.
• Control personal devices where required by your risk posture (for example, no photography policy in prototype zones).

If third parties handle prototypes offsite, formalize expectations and evidence: what zones they use, how they control access, and how they monitor. This is where many organizations fail: the prototype goes to a third party, and your controls become assumptions.

Deliverables: Visitor SOP for restricted areas, visitor logs, third-party prototype handling addendum or requirements exhibit.

5) Monitoring and surveillance that is fit for purpose

VDA ISA 3.1.1 calls out monitoring; in practice that is usually surveillance cameras in and around restricted areas. ¹ Operationalize it:

• Document camera placement and coverage rationale (entrances, storage points, loading bays).
• Confirm cameras record and footage can be retrieved.
• Define who can access footage and under what conditions.
• Establish a review trigger (incident, anomaly, access mismatch) and a way to record that review happened.

Avoid “checkbox CCTV.” If you cannot explain coverage gaps or retrieve footage when asked, it will not support the control.

Deliverables: Camera coverage map, surveillance access procedure, retrieval test record, monitoring review log template.

6) Document handling procedures across the prototype lifecycle

Create written procedures that match real workflows:

• Receiving and labeling prototype components
• Storage rules (where, how locked, segregation)
• Movement between zones (authorization, sign-out/in)
• Transport and loading/unloading controls
• Test event controls (parking, covers, escort, photography restrictions)
• Disposal, scrapping, and return to OEM/customer requirements

Add a lightweight chain-of-custody record for high-risk items (who had it, where it was, when it moved, who approved).

Deliverables: Prototype handling SOPs, chain-of-custody form, transport checklist.

7) Train the people who touch prototypes

Train the roles that create risk:

• Prototype techs, test drivers, workshop staff
• Security/reception
• Engineers who print or carry design artifacts
• Logistics staff and site coordinators

Training must cover: where prototypes can be, how to admit someone, what to do if someone tailgates, how to report suspicious activity, and what evidence to record.

Deliverables: Training deck, attendance records, quick reference guide posted at restricted entries.

8) Test the control and fix gaps

Run simple tests:

• Attempt entry with unauthorized badge (with permission).
• Try a “lost visitor” scenario at the boundary.
• Retrieve camera footage from a specific date/time.
• Trace a component from receipt to storage to use to return.

Record findings and remediation actions; auditors reward honest control testing with closure evidence.

Deliverables: Test scripts, results, remediation tickets.

Required evidence and artifacts to retain

Keep evidence that proves both design and operation:

Program design

• Prototype scope definition and asset/process inventory
• Restricted area register and annotated floor plans
• Access control policy/procedure for prototype zones
• Visitor management procedure for restricted areas
• Surveillance plan (camera map, access rules)
• Prototype handling SOPs (storage, movement, transport, disposal)

Operational records

• Current and historical access lists and approvals
• Door/access logs or manual entry logs (where applicable)
• Visitor logs for restricted zones and escort records
• Camera system health checks and footage retrieval tests
• Chain-of-custody / sign-out logs for prototype components
• Incident reports and investigation notes tied to monitoring

Common exam/audit questions and hangups

• “Show me every restricted area where prototypes can exist, and the control boundary for each.”
• “Who has access, why, and who approved it?”
• “How do you prevent visitors or unapproved staff from entering prototype zones?”
• “Demonstrate monitoring: where are cameras, how do you retrieve footage, and who is authorized?”
• “Walk through a real prototype movement. Where is it recorded?”
• “How do your controls extend to third parties handling prototypes or prototype components?”

Hangups that trigger findings:

• Prototype areas exist informally (everyone “knows” where they are).
• Access lists are stale, with no clear approval basis.
• Visitor logs are incomplete or do not identify restricted-area access.
• Cameras exist but coverage is not documented, or footage retrieval is unreliable.

Frequent implementation mistakes (and how to avoid them)

1. Treating prototypes as “just another asset class.”
   Fix: build a lifecycle map. Storage is only one step; movement and testing are where leakage happens.

2. Over-scoping restricted areas so operations route around them.
   Fix: align zoning with how work is done. Create small, enforceable restricted zones close to the workflow.

3. No operational proof.
   Fix: design artifacts are not enough. Keep access approvals, logs, and chain-of-custody records that show daily control use. ¹

4. Ignoring physical design data.
   Fix: include printouts, drawings, labeled packaging, and removable media in handling procedures and restricted storage.

5. Third-party blind spots.
   Fix: require third parties to follow equivalent restricted-area and monitoring expectations for any prototype custody, and collect evidence during onboarding or periodic reviews.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement. Practically, failures here create concentrated risk: prototype loss, unauthorized photography, competitor intelligence, customer trust damage, and contractual disputes. For many automotive programs, prototype exposure becomes a customer escalation fast because it is visible and hard to contain once leaked.

Practical 30/60/90-day execution plan

First 30 days (stabilize and define)

• Publish prototype scope definition and prototype location inventory.
• Stand up a restricted area register with interim controls (signage, escort rules, lock-and-key discipline).
• Freeze and clean access: compile current access lists and require manager validation.
• Implement or tighten visitor handling for restricted zones (single process, single log).

Days 31–60 (harden and document)

• Finalize restricted area boundaries with floor plans and controls by zone.
• Deploy or tune access control mechanisms (badges/keys) and formal approvals.
• Produce prototype handling SOPs and chain-of-custody records for high-risk components.
• Document surveillance coverage and perform a footage retrieval test, then store the evidence.

Days 61–90 (prove operation and extend to third parties)

• Run control tests (unauthorized entry attempt, visitor boundary test, trace a component movement).
• Train all in-scope roles; keep attendance and quick guides at entry points.
• For third parties with prototype contact, add prototype security requirements to onboarding and collect evidence of restricted areas and monitoring.
• Build a simple recurring review: access list review, visitor log spot checks, and monitoring health checks.

How Daydream fits (if you need to operationalize fast)

If you manage multiple sites and third parties, the hardest part is evidence consistency. Daydream can act as the system of record for prototype-zone controls by standardizing evidence requests (access lists, visitor logs, camera coverage maps, handling SOPs) and tracking closure when a site or third party gaps a requirement. Keep the control owner accountable without chasing documents in email.

Frequently Asked Questions

Do we need a dedicated prototype building to meet VDA ISA 3.1.1?

No. You need dedicated restricted areas and controlled access for prototypes and design data, plus monitoring and documented handling procedures. A restricted bay, cage, or segmented lab can meet the intent if boundaries and records are clear. ¹

What counts as “monitoring” under the prototype physical security requirement?

The requirement calls for monitoring, commonly implemented with surveillance cameras covering restricted areas and entry points. What matters is that monitoring is planned, operational, and evidence-backed (coverage documentation and retrievable footage). ¹

How should we handle prototypes at third-party sites (test tracks, labs, model shops)?

Extend your prototype handling rules to the third party: restricted areas, access controls, visitor management, and monitoring. Require proof during onboarding and keep it current, since your risk persists while they have custody.

Are paper drawings and printouts in scope?

Yes if they contain prototype design data. Treat them as controlled items: restricted storage, controlled printing/collection, and secure disposal aligned to your handling procedures. ¹

What evidence do auditors ask for most often?

Expect requests for restricted area documentation (floor plans/register), approved access lists, visitor logs for restricted zones, surveillance coverage and retrieval proof, and chain-of-custody or movement records for prototype components. ¹

We have cameras, but no one reviews footage. Is that a problem?

It can be. If you cannot show how monitoring supports detection and investigation (for example, footage retrieval tests and incident-based review records), cameras look decorative rather than a working control.

Footnotes

1. VDA ISA Catalog v6.0