Visitor Management

The TISAX visitor management requirement (VDA ISA 3.2.3) expects you to control and document non-employee access to sites and secure areas through registration, identity verification, visible identification, escort rules, and visitor access logs 1. To operationalize it quickly, standardize intake, badge issuance, escorting, and logging across all facilities where sensitive information or systems could be exposed.

Key takeaways:

  • You need a consistent workflow: pre-register (where possible), verify ID, issue badges, enforce escorts for secure areas, and log access 1.
  • Auditors look for proof in logs, badge controls, and evidence that escort rules are followed in practice, not just written in policy.
  • Scope includes third parties and “friendly” visitors (customers, auditors, maintenance, temps), not only obvious contractors.

Visitor management is a physical security control with direct information security impact. A visitor without controls can photograph sensitive work instructions, overhear confidential discussions, enter restricted production or lab areas, plug into network ports, or access paper records. VDA ISA 3.2.3 sets a baseline: you must implement procedures that cover registration, identification, escort requirements, and access logging 1. The operational challenge is consistency across locations, shifts, and “informal” visits.

This page translates the requirement into an execution-ready program a CCO, GRC lead, or site operations owner can put in place with minimal ambiguity. You’ll get (1) a plain-English interpretation, (2) a step-by-step procedure you can adopt as your standard operating process, (3) the evidence package to retain for assessments, and (4) common audit questions and failure modes.

Visitor management often fails for simple reasons: exceptions become the norm, the badge process is manual and inconsistent, escort requirements are unclear by area, or logs exist but don’t prove where the visitor actually went. Fix those, and you will satisfy the requirement while lowering real-world exposure.

Regulatory text

VDA ISA 3.2.3 (Visitor Management) requires you to “implement visitor management procedures including registration, identification, escort requirements, and access logging” 1.

What the operator must do:

  • Registration: Capture who the visitor is, who they are visiting, why they are onsite, and when they arrive/leave 1.
  • Identification verification: Validate identity at check-in using an acceptable method (for example, government-issued ID) and record that the check occurred 1.
  • Visitor badges: Provide visible identification so staff can distinguish visitors from employees 1.
  • Escort requirements: Define where escorting is mandatory (typically secure/restricted areas) and ensure it is followed 1.
  • Access logging: Maintain logs that can be reviewed later to reconstruct visitor activity and confirm controls were applied 1.

Plain-English interpretation (what “good” looks like)

You need a controlled front door and controlled internal movement for anyone who is not an authorized employee. The minimum bar is: every visitor is known, identifiable, and traceable, and they cannot roam into sensitive areas without supervision. Logs must be complete enough to support incident response and assessment testing.

A practical interpretation that usually satisfies assessors:

  • Visitors are pre-registered where feasible (meetings, planned maintenance).
  • Walk-ins are still registered before access is granted.
  • Identity is checked at arrival.
  • Badges are unique to the visitor and time-bound.
  • Restricted areas are clearly defined and enforced via escorting and/or physical access controls.
  • Visitor entries and exits are logged, retained, and reviewable.

Who it applies to (entity and operational context)

Entities: Automotive suppliers and OEMs pursuing or maintaining TISAX alignment against VDA ISA controls 1.

Operational scope: Any facility, site, or controlled area where a visitor could access:

  • Confidential information (printed, on screens, on whiteboards).
  • Sensitive production processes (prototype work, special tooling, test labs).
  • Information systems (desks, shared terminals, network ports, wireless coverage).
  • Physical records (quality documents, HR files, visitor logs themselves).

People in scope: All third parties and non-badged individuals, including customers, auditors, delivery drivers entering beyond a lobby, cleaning staff, maintenance technicians, temporary staff without standard employee credentials, interns (if treated as visitors operationally), and candidates.

What you actually need to do (step-by-step)

Below is a workflow you can implement as an SOP. Keep it simple; consistency beats complexity.

1) Define zones and escort rules (start here)

  1. Map facility zones into at least: public, controlled, restricted/secure.
  2. Write escort requirements per zone (example: “restricted areas require continuous escort by an authorized employee”).
  3. Assign ownership: site security/reception owns check-in; area owners own escort compliance; GRC owns policy and evidence.

Deliverable: “Visitor Access & Escort Matrix” (areas × escort requirement × allowed visitor types).

2) Standardize pre-registration

  1. Require hosts to pre-register expected visitors with: name, organization, date/time window, purpose, areas to be visited, and host/escort.
  2. Add an acknowledgement step: host confirms visitor will follow site rules (photography restrictions, no tailgating, badge display).
  3. Route exceptions (VIPs, customer tours, after-hours access) through a simple approval path.

Tip from the field: most programs break on tours and “quick drop-ins.” Treat tours as first-class use cases with a scripted process.

3) Implement check-in: registration + identity verification

  1. At arrival, reception/security records arrival time and confirms the visitor matches the pre-registration (or creates a walk-in record).
  2. Verify identity using your defined acceptable method and record that verification occurred 1.
  3. Confirm the visitor’s sponsor/host is present or reachable before granting access beyond the lobby.

Operational detail that helps in audits: train reception to reject “I’m here all the time” as a substitute for ID verification unless your procedure explicitly allows a controlled alternate method.

4) Issue and control visitor badges

  1. Issue a visitor badge that is visibly distinguishable from employee badges (color, label, or format).
  2. Badge should include, at minimum: “Visitor,” visitor name (or unique ID), date, and site.
  3. Collect the badge at checkout; do not allow visitors to keep it.

If you use reusable badges, treat them as controlled items: store securely, track inventory, and retire damaged badges.

5) Enforce escorting in secure areas

  1. Define who can escort (authorized employees, trained security).
  2. Require escorts to stay with the visitor in restricted areas and prevent unsupervised access to sensitive assets 1.
  3. Build escort checks into operations:
    • Signs at entrances to restricted areas.
    • Local staff empowered to challenge unescorted visitors.
    • For high-risk areas, add badge readers or physical barriers so escorts can’t be bypassed casually.

6) Maintain access logs (and make them usable)

  1. Log at least: visitor identity, company, host, check-in time, check-out time, badge ID, and areas approved/visited 1.
  2. Store logs in a controlled system (paper is acceptable if managed, but it is harder to search and audit).
  3. Run periodic reviews for completeness and anomalies (missing check-out, repeated walk-ins, after-hours patterns). Document the review.
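As an added example (not part of the page or of the VDA ISA catalog), the Python below runs the step-6 review over a constructed visitor-log export, flagging missing check-outs, after-hours check-ins, restricted-zone visits with no recorded host, and repeated walk-ins, and also answers the incident-scenario query from the 61–90-day plan (who was onsite in a time window, and with which host). The column names, the site hours and the walk-in threshold are assumptions.

```python
import csv
from datetime import datetime, time

# Constructed sample log (not real data); columns follow the minimum fields in step 6.
SAMPLE_LOG = """\
visitor,company,host,check_in,check_out,badge_id,zones,pre_registered
Ana Lopez,Acme GmbH,M. Weber,2024-03-04 09:02,2024-03-04 11:40,V-101,controlled,yes
Jon Roe,Fix-It Ltd,,2024-03-04 21:15,2024-03-04 23:05,V-102,restricted,no
Jon Roe,Fix-It Ltd,K. Braun,2024-03-05 08:30,,V-103,restricted,no
Jon Roe,Fix-It Ltd,K. Braun,2024-03-06 08:20,2024-03-06 10:00,V-104,controlled,no
Mia Chen,Audit Co,L. Sato,2024-03-05 10:00,2024-03-05 16:30,V-105,controlled;restricted,yes
"""

SITE_HOURS = (time(7, 0), time(19, 0))  # assumed: check-ins outside this window are "after-hours"
WALK_IN_LIMIT = 2                        # assumed threshold for "repeated walk-ins"
FMT = "%Y-%m-%d %H:%M"

def parse_log(text):
    """Parse the CSV export into rows with datetimes and a set of visited zones."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["check_in"] = datetime.strptime(r["check_in"], FMT)
        r["check_out"] = datetime.strptime(r["check_out"], FMT) if r["check_out"] else None
        r["zones"] = {z for z in r["zones"].split(";") if z}
    return rows

def review(rows):
    """Periodic review: return (finding, visitor, check_in) tuples to record as evidence."""
    findings, walk_ins = [], {}
    for r in rows:
        key = (r["visitor"], r["check_in"])
        if not (SITE_HOURS[0] <= r["check_in"].time() <= SITE_HOURS[1]):
            findings.append(("after-hours check-in", *key))
        if "restricted" in r["zones"] and not r["host"]:
            findings.append(("restricted zone without recorded host/escort", *key))
        if r["check_out"] is None:
            findings.append(("missing check-out", *key))
        if r["pre_registered"] == "no":
            walk_ins[r["visitor"]] = walk_ins.get(r["visitor"], 0) + 1
    for visitor, n in walk_ins.items():
        if n >= WALK_IN_LIMIT:
            findings.append(("repeated walk-ins (%d)" % n, visitor, None))
    return findings

def onsite_between(rows, start, end):
    """Incident query: who overlapped the window [start, end] and with which host.
    A visit with no check-out is treated as still onsite (one more reason to chase check-outs)."""
    start, end = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    hits = []
    for r in rows:
        left_at = r["check_out"] or end
        if r["check_in"] <= end and left_at >= start:
            hits.append((r["visitor"], r["host"] or "(none)", sorted(r["zones"])))
    return hits
```

Recording the output of `review()` together with the reviewer and date is the "document the review" evidence step 6 asks for.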

7) Train staff and test the process

  1. Train reception, security, and frequent hosts on the exact workflow.
  2. Conduct spot checks: walk the floor, look for unbadged people, test escort adherence.
  3. Capture failures as corrective actions with owners and due dates.

8) Extend the control to third-party onsite services

For cleaning, maintenance, and other recurring third parties:

  • Decide whether they are treated as visitors each time, or issued time-bound contractor badges with equivalent controls.
  • If they need unescorted access, document risk acceptance and compensating controls (restricted schedules, area limitations, supervision model, or access control systems).

Required evidence and artifacts to retain

Auditors will ask for proof that the procedure exists and works day-to-day. Maintain an evidence pack per site:

Governance and design

  • Visitor management policy/SOP covering registration, identification verification, badges, escorting, and logging 1.
  • Visitor Access & Escort Matrix (zone definitions and rules).
  • Roles/responsibilities (RACI) for reception/security/hosts.

Operational records

  • Visitor logs (sample sets covering normal days and special events).
  • Badge issuance/return records (if separate from the visitor log).
  • Escort acknowledgements or host attestations (if you use them).
  • Exception approvals (VIP, after-hours, unescorted access).

Assurance

  • Training records for reception/security and frequent hosts.
  • Periodic log review records and follow-ups (corrective actions).
  • Spot check results (challenge culture evidence).

Keep artifacts organized by facility and time period so you can answer sampling requests without scrambling. Daydream can help centralize evidence requests and map them directly to VDA ISA 3.2.3 so site teams upload the right artifacts once, then reuse them across assessments.

Common exam/audit questions and hangups

Expect these, and pre-answer them in your evidence pack:

  1. “Show me the visitor procedure and where it is used.” Auditors will compare the written SOP to what reception actually does.
  2. “How do you verify identity?” They will test whether verification is consistent or discretionary.
  3. “Which areas require escorts?” Vague answers (“secure areas”) trigger follow-ups. Use a matrix tied to physical zones.
  4. “How do you prevent badge reuse or tailgating?” If you can’t fully prevent it, show detection and response steps (challenge process, cameras, barriers where appropriate).
  5. “Provide visitor logs for a sample period.” Missing check-outs and incomplete fields are common findings.
  6. “How do you handle recurring third parties?” Cleaning and maintenance often bypass controls; document your approach.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Treating “visitor” as only customers. Fix: define visitor as anyone without standard employee credentials, including auditors and service providers.
  • Mistake: Logs exist but are not reviewable. Fix: standardize required fields and run documented periodic reviews; require check-out completion.
  • Mistake: Escort rules are informal. Fix: zone-based matrix, signage, and explicit host responsibilities.
  • Mistake: Badge design is ambiguous. Fix: make visitor badges visually distinct and time-bound; require display at all times.
  • Mistake: Too many exceptions. Fix: write an exception workflow with approvals and compensating controls; track and review exceptions.
  • Mistake: One site is strong, another is ad hoc. Fix: publish a global minimum standard and allow sites to add stricter local rules.

Risk implications (why assessors care)

Visitor management reduces:

  • Confidentiality risk: visitors can view or capture sensitive information in offices, production, or labs.
  • Integrity risk: unauthorized physical access can enable tampering with devices, prototypes, or records.
  • Availability risk: unapproved access to critical areas can cause safety incidents or operational disruption.
  • Investigation risk: without logs, you cannot reconstruct who was present if something goes wrong.

Even if your cyber controls are strong, physical access gaps can defeat them quickly (for example, unattended workstations, exposed network ports, or shoulder surfing).

Practical 30/60/90-day execution plan

Use this as an operator’s rollout plan. Adjust sequencing based on how many sites you have and whether reception is centralized.

First 30 days (stabilize the baseline)

  • Publish a minimum visitor SOP aligned to registration, ID verification, badges, escorts, and logs 1.
  • Create the zone map and Visitor Access & Escort Matrix for each site.
  • Standardize visitor log fields and roll out one format (paper or digital).
  • Update badge design to be clearly distinguishable and time-bound.
  • Train reception/security and a first wave of frequent hosts.

Days 31–60 (make it consistent and auditable)

  • Expand pre-registration to all planned visits and recurring third parties.
  • Implement an exception workflow for VIPs, after-hours access, and unescorted access needs.
  • Start periodic log reviews; open corrective actions for missing check-outs and process deviations.
  • Add signage at restricted areas and socialize the “challenge unbadged persons” expectation.

Days 61–90 (prove operating effectiveness)

  • Run spot checks across shifts and entrances; document results and remediation.
  • Test an incident scenario: retrieve logs for a time window and confirm you can identify who was where and with which host.
  • Normalize the evidence pack per site so assessment sampling is quick.
  • If you have multiple tools or spreadsheets, consolidate evidence collection in Daydream so sites respond to a single, mapped request set for VDA ISA 3.2.3.

Frequently Asked Questions

Do we need pre-registration for every visitor to meet VDA ISA 3.2.3?

The control requires registration, identification, escort requirements, and access logging 1. Pre-registration is a practical way to strengthen registration for planned visits, but you still need a compliant process for walk-ins.

Can we use paper visitor logs, or does it have to be electronic?

VDA ISA 3.2.3 requires maintained visitor logs 1. Paper can work if it is legible, complete, controlled against tampering, and retrievable for audits; electronic logs usually make reviews and sampling easier.

What counts as “identity verification” at check-in?

The requirement calls for identification verification as part of visitor management 1. Define acceptable ID types and ensure reception records that the check occurred; auditors mainly look for consistency and traceability.

Do delivery drivers need to go through the full visitor process?

If drivers remain in a public loading area with no access to controlled or restricted zones, you can tailor the process. If they enter controlled areas or can see sensitive information, treat them as visitors with registration, identification, and logging, plus escorting as required 1.

How should we handle cleaning crews or maintenance technicians who come frequently?

Treat them as third parties and decide whether to process them as visitors each time or issue contractor credentials with equivalent controls. If they need access to secure areas, apply escort rules or document compensating controls and approvals 1.

What’s the most common reason this control fails in an assessment?

The written procedure often looks fine, but logs are incomplete (missing check-outs, missing host names) or escort rules are not enforced on the floor. Build periodic reviews and spot checks into the process so you can show operating effectiveness.

Footnotes

  1. VDA ISA Catalog v6.0
