Perimeter Security

The perimeter security requirement in VDA ISA 3.2.1 means you must put physical controls at the outer boundary of any facility that handles confidential information: fencing or equivalent barriers, controlled entry points (gates/doors), adequate lighting, and surveillance that deters, detects, and supports investigation of unauthorized access (VDA ISA Catalog v6.0).

Key takeaways:

  • Define your “perimeter” per site and tie it to where confidential information is handled, not just the property line.
  • Implement layered controls: barrier + controlled gates/entries + lighting + surveillance, then prove they work with testing and records.
  • Audits often fail on scope gaps (which buildings/areas count) and missing evidence (camera coverage, access logs, maintenance, incident follow-up).

Perimeter security is a requirement you can operationalize quickly if you treat it like a facility control with clear scope, standard designs, and repeatable evidence. VDA ISA 3.2.1 is explicit about the control set: fencing (or equivalent boundary barriers), access gates, lighting, and surveillance for facilities handling confidential information (VDA ISA Catalog v6.0). The assessment question is rarely “do you have a fence?” and more often “did you define what you’re protecting, put controls on every path into it, and can you prove the controls are working?”

For most automotive suppliers and OEMs, “confidential information” shows up in more places than the server room: prototype parts storage, engineering labs, print rooms, receiving/dispatch, and any office where sensitive customer documents are processed. The operational trick is to map those areas to physical boundaries, then make the perimeter controls measurable: coverage maps, access lists, inspection logs, and video retention/requests.

This page gives requirement-level guidance you can execute: who must comply, what to implement, how to test it, what evidence to retain, and how to avoid the common audit hangups that derail perimeter security attestations under VDA ISA 3.2.1.

Regulatory text

Requirement excerpt: “Establish physical perimeter security including fencing, access gates, lighting, and surveillance for facilities handling confidential information.” (VDA ISA Catalog v6.0)

Operator interpretation (what the assessor expects):

  • You identified the facilities (and specific zones) that handle confidential information.
  • The facility boundary has physical barriers (fence/wall/controlled building envelope), controlled entry points (gates/doors with authorization), lighting sufficient to deter and support cameras/guards, and surveillance that covers likely approach and entry routes (VDA ISA Catalog v6.0).
  • The controls are not “installed and forgotten.” You maintain them, test them, investigate anomalies, and retain evidence.

Plain-English interpretation

Perimeter security is about stopping unauthorized people before they reach spaces where confidential information is processed or stored. Your perimeter must be hard to bypass, hard to enter unnoticed, and easy to investigate after the fact. That means:

  • A clear boundary (fence, walls, controlled building shell).
  • A small number of controlled entry/exit points (gates, doors, loading bays) with authorization rules.
  • Lighting that removes hiding places and supports video capture.
  • Cameras (or equivalent surveillance) positioned so you can reconstruct what happened around entrances and vulnerable segments (VDA ISA Catalog v6.0).

Who it applies to

Entity types: Automotive suppliers and OEMs (VDA ISA Catalog v6.0).

Operational contexts that typically fall in scope:

  • Any site that stores or processes customer-confidential information (engineering drawings, quality records, prototypes, test results).
  • Mixed-use facilities where only certain areas are sensitive (e.g., office + production). In that case, you still need perimeter controls for the facility, and you often need additional internal physical security for sensitive zones. The perimeter requirement does not remove the need for interior zoning; it sets the baseline boundary protections (VDA ISA Catalog v6.0).

Common scoping decision you must document:

  • What counts as the “facility handling confidential information”: the whole building, a campus, or a segregated area within a larger shared site. Pick one per location, document it, and make the control design match the choice.

What you actually need to do (step-by-step)

1) Define and document the perimeter per site

  • Create a site perimeter statement: boundary description, included buildings, excluded areas, and the reason for any exclusions.
  • Produce a perimeter map (site plan or annotated floor plan) marking:
    • Property line vs controlled boundary (they may differ)
    • All vehicle and pedestrian entry points
    • Loading docks, emergency exits, roof access, stairwells, and any “informal” paths (e.g., gaps between buildings)

Deliverable: “Perimeter & Entry Point Register” tied to the site map.

2) Implement barrier controls (fencing / controlled building envelope)

  • Confirm the barrier is continuous or has compensating controls where continuity is impossible.
  • Pay attention to common bypass routes:
    • Gaps under/around fences
    • Adjacent structures that allow climbing over
    • Uncontrolled side doors and propped exits
  • If the “perimeter” is the building itself (no yard), treat exterior doors, windows, and service entrances as the perimeter boundary and control them accordingly.

Evidence tip: Take date-stamped photos of boundary segments and vulnerable points and tie them to the map.

3) Control access gates and entry points

For each gate/entry point, define:

  • Authorized populations (employees, contractors, third parties, visitors) and how they are approved.
  • Authentication method (badge, guard check, visitor pass process).
  • Operating mode (business hours vs after hours).
  • Tailgating prevention where feasible (procedural or physical).

Minimum operational requirements you should set internally:

  • A documented process for issuing, changing, and revoking physical access.
  • A visitor handling process for entry at controlled points.
  • A way to review access exceptions (lost badges, forced doors, gate held open).

4) Provide adequate perimeter lighting

Lighting is both a deterrent and an enabler for surveillance quality. Implement lighting at:

  • Vehicle and pedestrian gates
  • Parking approaches and walkways to entrances
  • Loading docks and side entrances
  • Dark corners and fence lines that create concealment

Operational control: Add lighting checks to facilities inspections. Track outages and repairs like security issues, not cosmetic issues.

5) Deploy surveillance that supports detection and investigation

Per the requirement, surveillance is part of “establish perimeter security” (VDA ISA Catalog v6.0). Make it auditable:

  • Place cameras to cover entrances, gates, loading docks, and vulnerable perimeter segments.
  • Keep a camera coverage map (what each camera covers, field of view, and purpose).
  • Define who can access footage, how requests are logged, and how evidence is preserved after incidents.

Practical rule: If you cannot explain what a camera is for and what it captures, it will not carry weight in an assessment.

6) Validate the controls with periodic checks

Build a simple testing routine that produces records:

  • Perimeter walk-down inspections (barrier condition, signs of tampering, gate function).
  • Spot checks: doors secure, emergency exits alarmed, gates not bypassed.
  • Camera checks: image quality at night, time sync, recording status.
  • Lighting checks: outages, coverage gaps.

7) Connect perimeter security to incident response

Perimeter controls must feed investigations:

  • Define what events trigger review (forced entry, trespassing, missing assets, suspicious activity).
  • Maintain an incident log that references footage requests, access log review, and corrective actions.
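One way to make steps 1 to 7 checkable, as an added example that is not part of the original guidance: a Python cross-check of the entry-point register against the camera coverage map and inspection log. The record layout, the sample data, and the 90-day inspection interval are assumptions for illustration, not values from VDA ISA.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a VDA ISA schema.
ENTRY_POINTS = [
    {"id": "EP-01", "name": "Main vehicle gate", "control": "badge + guard"},
    {"id": "EP-02", "name": "Loading dock B", "control": "badge"},
    {"id": "EP-03", "name": "Emergency exit, east stairwell", "control": ""},
]
CAMERA_COVERAGE = {  # camera id -> entry points in its field of view
    "CAM-1": ["EP-01"],
    "CAM-2": ["EP-01", "EP-03"],
}
INSPECTIONS = [  # (entry point id, check type, date performed)
    ("EP-01", "gate", date(2024, 5, 2)),
    ("EP-01", "lighting", date(2024, 5, 2)),
    ("EP-02", "gate", date(2024, 1, 10)),
    ("EP-03", "gate", date(2024, 5, 3)),
    ("EP-03", "lighting", date(2024, 5, 3)),
]
REQUIRED_CHECKS = ("gate", "lighting")


def find_gaps(entry_points, coverage, inspections, today, max_age_days=90):
    """Map entry point id -> findings. max_age_days is a local policy choice."""
    covered = {ep for eps in coverage.values() for ep in eps}
    latest = {}  # (entry point id, check type) -> most recent date
    for ep_id, check, done in inspections:
        latest[(ep_id, check)] = max(done, latest.get((ep_id, check), done))
    gaps = {}
    for ep in entry_points:
        findings = []
        if not ep["control"].strip():
            findings.append("no access control recorded")
        if ep["id"] not in covered:
            findings.append("no camera covers this entry point")
        for check in REQUIRED_CHECKS:
            done = latest.get((ep["id"], check))
            if done is None:
                findings.append(f"no {check} check on record")
            elif (today - done).days > max_age_days:
                findings.append(f"{check} check older than {max_age_days} days")
        if findings:
            gaps[ep["id"]] = findings
    return gaps


if __name__ == "__main__":
    report = find_gaps(ENTRY_POINTS, CAMERA_COVERAGE, INSPECTIONS, date(2024, 6, 1))
    for ep_id, findings in report.items():
        print(ep_id, "->", "; ".join(findings))
```

Entry points that appear in the output are the ones an assessor is likely to question; an empty result means every registered entry has a control, camera coverage, and current inspection records.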

Required evidence and artifacts to retain

Keep evidence per site, organized for fast assessor review:

Design & scope

  • Perimeter definition statement and site map annotated with boundary and entry points
  • Inventory of entry points (gates/doors/loading docks), with control type and owner

Operation

  • Physical access authorization procedure (badges, contractors, visitor processing)
  • Visitor logs (where used) and access exception records (lost badge, temporary access)
  • Inspection logs: perimeter walk-downs, gate function checks, lighting checks
  • Maintenance tickets for repairs (fence damage, lock replacement, lighting repair)

Surveillance

  • Camera inventory and coverage map
  • Recording status checks and maintenance records
  • Footage access/request log (who requested, why, approval, outcome)
  • Evidence preservation notes for incidents

Assurance

  • Findings register for physical security issues and documented remediation
  • Any risk acceptance for unavoidable gaps, with compensating controls documented

Common exam/audit questions and hangups

Assessors tend to focus on:

  • Scope clarity: Which facilities “handle confidential information,” and how do you know?
  • Coverage gaps: Are there unmonitored or poorly controlled entry points (side doors, loading docks, emergency exits)?
  • Night readiness: Do lighting and camera quality still hold up after dark?
  • Access governance: Who approves badge access for employees and third parties, and how is removal handled?
  • Evidence quality: Can you produce maps, inventories, logs, and maintenance records without rebuilding them during the audit?

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Treating perimeter security as “a fence exists.”
    Fix: Document the perimeter and every entry path, then show how each is controlled (VDA ISA Catalog v6.0).

  2. Mistake: Camera sprawl with no accountability.
    Fix: Maintain a camera purpose/coverage map and a simple health-check log.

  3. Mistake: Ignoring loading docks and contractor entrances.
    Fix: Put docks on the entry-point register and align procedures for deliveries, after-hours access, and escorts.

  4. Mistake: Lighting owned by facilities with no security SLA.
    Fix: Classify perimeter lighting outages as security-impacting and track remediation.

  5. Mistake: Missing deprovisioning for third parties.
    Fix: Tie physical access removal to offboarding for employees and third parties; audit badge lists against active rosters.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement. Practically, the risk is straightforward: perimeter failures create direct paths to theft of prototypes, unauthorized access to production systems, loss of confidential customer data in paper form, and safety incidents. For TISAX assessments, weak perimeter security also undermines confidence in broader physical security claims because it suggests controls are not implemented consistently across facilities (VDA ISA Catalog v6.0).

Practical execution plan (30/60/90-day)

Use this as a fast operational rollout. Adjust sequencing based on construction lead times.

First 30 days (stabilize scope and obvious gaps)

  • Assign a site owner for perimeter security (Facilities + Security, with CCO/GRC oversight).
  • Produce a perimeter map and entry-point register for each in-scope site.
  • Identify and correct “easy bypass” issues: propped doors, broken locks, missing signage at controlled entrances.
  • Start inspection logging for fence/doors/gates and lighting outages.
  • Create a camera inventory and verify recording is functioning at key entrances.

By 60 days (standardize controls and evidence)

  • Formalize access governance: approvals, visitor processing, contractor access rules, deprovisioning triggers.
  • Build camera coverage maps and align placements to entries and vulnerable segments.
  • Define footage access/request logging and incident evidence preservation steps.
  • Establish a maintenance workflow for perimeter issues and track remediation to closure.

By 90 days (prove effectiveness and audit readiness)

  • Run a perimeter tabletop or walkthrough: simulate a suspicious entry, confirm who checks footage, who reviews access logs, and how actions are recorded.
  • Perform a documented night check for lighting/camera quality.
  • Consolidate artifacts into an audit-ready folder per site (maps, registers, logs, maintenance records).
  • If you manage many sites, consider using Daydream to standardize control checklists, centralize evidence collection, and keep assessor-ready packages consistent across locations.

Frequently Asked Questions

Does “perimeter” mean the property line fence, or the building boundary?

It can be either, as long as you define it per site and apply fencing/barriers, controlled entry points, lighting, and surveillance to that boundary (VDA ISA Catalog v6.0). Document the choice and show how unauthorized access is prevented at every approach.

Our facility is in a shared industrial park. What counts as our perimeter?

Treat your controlled boundary as the building envelope and your controlled entrances if you do not own the external fencing. Compensate with strong door/gate control, visitor management, lighting at entrances, and surveillance coverage of approaches you control (VDA ISA Catalog v6.0).

Do we need cameras everywhere along the fence line?

The requirement calls for surveillance as part of perimeter security (VDA ISA Catalog v6.0), but it does not prescribe exact placement. Place cameras to cover entrances, gates, loading areas, and other likely intrusion routes, then keep a coverage map that justifies the design.

What evidence is most persuasive in a TISAX assessment?

Site maps with annotated perimeters and entry points, an entry-point control register, inspection and maintenance logs, and a camera inventory with coverage mapping. Assessors also look for records that show you review anomalies and fix issues.

How do we handle emergency exits without creating a perimeter hole?

Keep them alarmed or monitored, include them in inspections, and prohibit propping doors open except under controlled conditions. If an exit must be used for operational reasons, document the procedure and add compensating surveillance or staffing.

Who should own perimeter security: Facilities, Security, or GRC?

Facilities usually owns the physical infrastructure, Security owns monitoring and response, and GRC/Compliance owns the requirement mapping and evidence readiness. Put the RACI in writing so maintenance, access governance, and audit artifacts do not fall through gaps.
