Physical site and facility protections
The physical site and facility protections requirement means you must prevent unauthorized physical access to locations where sensitive automotive information and prototypes are stored, processed, or handled, and you must be able to prove those controls operate. Operationalize it by defining protected zones, controlling entry, monitoring access, securing assets, and retaining audit-ready evidence aligned to TISAX expectations [1].
Key takeaways:
- Define “where sensitive work happens” first, then apply layered controls by zone (perimeter, building, room, cage, cabinet).
- Auditors look for operational proof: access logs, visitor records, badge reviews, monitoring coverage, and exception handling.
- Prototypes require tighter handling than standard office areas: storage, movement, and “no-photo/no-device” rules must be enforceable.
Physical security is a control family that fails quietly until it fails loudly. For TISAX-scoped organizations, the “physical site and facility protections requirement” focuses on protecting facilities that handle sensitive automotive information and prototypes [1]. That scope matters: a single lab, garage bay, test track office, print room, or prototype storage cage can drive the assessment outcome even if the rest of the building is low risk.
CCOs and GRC leads usually inherit this requirement across multiple owners: Facilities, Corporate Security, IT, Engineering, Reception, and sometimes third-party building management. The fastest path to compliance is to treat it like an access-control system with clear boundaries and evidence: you define zones, restrict entry, monitor, respond to exceptions, and periodically validate that the process still works.
This page gives requirement-level implementation guidance you can run as a short project: what the requirement means in plain English, who it applies to, the steps to implement, what to retain for audit, and the exam questions that commonly cause delays in TISAX assessments.
Regulatory text
Provided excerpt (summary record): “Baseline implementation-intent summary derived from publicly available framework overviews; licensed standard text is not reproduced in this record.”
Implementation-intent summary: “Protect facilities handling sensitive automotive information and prototypes.” [1]
What the operator must do:
You must (1) identify the facilities and areas where sensitive automotive information and prototypes are present, (2) apply physical protections appropriate to the risk, and (3) maintain evidence that protections exist and operate consistently [1]. In practice, this means documented zones and rules, controlled access, visitor management, monitoring, secure storage, incident handling, and periodic reviews.
Plain-English interpretation of the requirement
If an unauthorized person can walk into the wrong room, take photos, plug into a device, remove a prototype part, or access sensitive project documentation, you are out of alignment with the physical site and facility protections requirement [1]. The control is not satisfied by “we have a locked front door.” You need a defensible, layered model that covers:
- Where sensitive assets exist (sites, rooms, cages, cabinets)
- Who can enter (role-based access, approvals, revocations)
- How access is monitored (logs, cameras where appropriate, guard checks)
- How exceptions are handled (lost badges, tailgating, visitors, after-hours access)
- How prototypes are protected end-to-end (storage, movement, disposal)
Who it applies to
Entity types: Automotive suppliers and automotive service providers pursuing or maintaining TISAX alignment, especially those handling OEM data, engineering details, test results, or prototypes [1].
Operational context where this becomes “high attention”:
- Prototype build areas, garages, labs, and test environments
- Engineering offices with project rooms, war rooms, or locked cabinets
- Print/plot areas producing drawings or BOMs
- Data center rooms, network closets, and secure comms rooms (if in scope)
- Warehouses or staging areas where prototype parts or tooling are stored
- Any shared building where other tenants, cleaning staff, or third parties have routine access
What you actually need to do (step-by-step)
Step 1: Define scope and map “sensitive physical locations”
Create a Physical Security Scope Map that lists:
- Sites/addresses in scope
- Sensitive areas within each site
- What is handled there (prototype parts, vehicles, design docs, test results)
- Primary business owner and security/facilities owner
Practical tip: Don’t start with controls. Start with rooms and flows. Auditors will ask you to prove you know where the sensitive work occurs.
Step 2: Establish a zone model and minimum controls per zone
Define zones such as:
- Public zone (lobby, reception)
- Controlled zone (general office behind badge access)
- Restricted zone (engineering project rooms, prototype labs)
- High-restriction zone (prototype cages, secure storage, test articles)
For each zone, document minimum protections:
- Entry method (badge, key, guard)
- Visitor rules (escort required, sign-in/out)
- Monitoring (alarms, CCTV where permitted, door logs)
- Asset handling rules (no photos, no personal devices, secure cabinets)
Keep the zone model simple. A complicated taxonomy is hard to run and harder to evidence.
Step 3: Implement access control with joiner/mover/leaver discipline
Operational controls to implement:
- Access provisioning: role-based approvals for restricted areas; manager + area owner approval for prototype zones.
- Access revocation: immediate removal on termination; time-bound access for temporary staff.
- Periodic review: review who has access to restricted zones; record decisions and removals.
Evidence is the point. “We only allow engineers” is not evidence without an access list, approval trail, and review records.
Step 4: Run a visitor management process that stands up in an audit
Minimum visitor process for sensitive sites:
- Government-issued ID check or equivalent process per your risk model
- Visitor badges visually distinct from employee badges
- Sign-in/out logs (digital or physical), retained consistently
- Escort requirement for restricted and prototype areas
- Pre-registration for planned visits (OEM, auditors, third parties)
- Rules posted and enforceable (no photography where applicable)
Common assessor hangup: visitors signed in, but logs don’t show escort, area visited, or sign-out.
Step 5: Protect prototypes with “storage, movement, and exposure” controls
Treat prototypes as assets with chain-of-custody expectations:
- Secure storage: locked rooms, cages, cabinets, or dedicated bays with restricted access
- Controlled movement: check-out/check-in logs when prototypes or parts move between areas
- Exposure controls: “no photo/no recording” signage; controlled use of personal devices in restricted zones; screen/whiteboard hygiene in project rooms
- End-of-life controls: secure disposal or return process for prototype materials and related documentation
You do not need perfect controls everywhere. You need strong controls where prototypes and sensitive project information exist [1].
Step 6: Monitor, respond, and document exceptions
Define what triggers a response:
- Tailgating reports
- Propped doors
- Lost or stolen badges/keys
- Unauthorized access attempts
- After-hours access anomalies
- Visitor process failures (unescorted visitor, missing sign-out)
Create a short Physical Security Incident Playbook: who to call, immediate containment steps, investigation notes, and corrective actions.
Step 7: Validate controls through inspections and tests
Run operational checks:
- Door/lock function checks
- Badge reader tests for restricted doors
- Spot-check visitor log completeness
- Camera retention/coverage checks (if used and permitted)
- Prototype storage spot checks vs. inventory list
Record results and track remediation. Assessors respond well to a visible control-testing habit.
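Step 4's assessor hangup (visitors signed in, but no escort, area, or sign-out recorded) and Step 7's visitor log spot check can be automated. The script below is an added example, not part of the original guidance; it assumes a CSV export with the columns shown and a constructed sample log, and flags the records an assessor would question.

```python
import csv
import io
from datetime import datetime

# Constructed sample visitor log (not real data). Zones follow the page's
# model: public / controlled / restricted / high-restriction.
SAMPLE_LOG = """visitor,host,zone,sign_in,sign_out,escort
A. Visitor,J. Host,restricted,2025-03-03 09:02,2025-03-03 11:40,J. Host
B. Visitor,K. Host,controlled,2025-03-03 09:15,,
C. Visitor,L. Host,high-restriction,2025-03-03 13:05,2025-03-03 14:10,
D. Visitor,M. Host,public,2025-03-03 13:30,2025-03-03 13:45,
E. Visitor,N. Host,restricted,2025-03-03 16:00,2025-03-03 15:30,N. Host
"""

# Zones where the visitor process requires an escort to be recorded.
ESCORT_ZONES = {"restricted", "high-restriction"}
TS = "%Y-%m-%d %H:%M"


def check_visitor_log(text):
    """Return {visitor: [findings]} for records that would not stand up in audit."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        problems = []
        zone = row["zone"].strip().lower()
        if not zone:
            problems.append("area visited not recorded")
        if not row["sign_out"].strip():
            problems.append("no sign-out")
        elif datetime.strptime(row["sign_out"], TS) < datetime.strptime(row["sign_in"], TS):
            # A sign-out before sign-in usually means a hand-corrected or faked entry.
            problems.append("sign-out earlier than sign-in")
        if zone in ESCORT_ZONES and not row["escort"].strip():
            problems.append(f"escort required for {zone} zone but not recorded")
        if problems:
            findings[row["visitor"]] = problems
    return findings


if __name__ == "__main__":
    for visitor, problems in check_visitor_log(SAMPLE_LOG).items():
        print(f"{visitor}: {'; '.join(problems)}")
```

Run it against each site's export on the inspection cadence and file the output with the Step 7 results so the spot check itself becomes retained evidence.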
Required evidence and artifacts to retain
Keep artifacts that prove both design and operation:
Design artifacts
- Physical security policy / standard (zones, rules, responsibilities)
- Site security plans and floor plans showing zones and entry points
- Access control procedures (provisioning, revocation, reviews)
- Visitor management procedure
- Prototype handling and storage standard
- Third-party access rules (cleaning crew, building maintenance, security guards)
Operational artifacts
- Badge/access lists for restricted zones and approval records
- Periodic access review records and resulting changes
- Visitor logs (sign-in/out, escort, areas visited where required)
- Security incident tickets and corrective actions
- Maintenance logs for locks/readers/alarms where applicable
- Training/awareness records for staff working in restricted/prototype areas
- Audit trail of exceptions (temporary badges, after-hours approvals)
Evidence should be consistent across sites. A single “weak site” can drive findings.
Common exam/audit questions and hangups
Use these as your internal readiness checklist:
- “Show us your sensitive areas.” Can you produce an up-to-date map and explain why those areas are classified as restricted?
- “Who has access and why?” Can you show approvals and last review outcomes?
- “How do you handle visitors?” Do logs prove escorting and sign-out?
- “How are prototypes stored and tracked?” Is there a controlled storage area and a movement record?
- “What happens when a badge is lost?” Is there a documented response and evidence it was used?
- “How do you know controls still work?” Can you show inspection/testing records and remediation tracking?
Frequent implementation mistakes (and how to avoid them)
- Mistake: Defining zones but not enforcing them.
  Fix: Tie zones to physical barriers (doors/cages) and an access list you review.
- Mistake: Visitor logs exist, but are incomplete.
  Fix: Make escort and sign-out mandatory fields; train reception and security; run spot checks.
- Mistake: Prototype protection relies on informal norms.
  Fix: Convert norms into a written prototype handling SOP and a simple check-in/out record.
- Mistake: Third-party building staff have broad access by default.
  Fix: Define “approved third-party access windows,” escort rules, and documented authorization.
- Mistake: No operational proof.
  Fix: Build an evidence calendar (access review cadence, inspection cadence, visitor log retention).
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement. Practically, the business risk is straightforward: physical compromise can cause IP loss, prototype leakage, confidentiality breaches with OEM partners, and safety risks if test assets are tampered with. In TISAX terms, weak physical controls often show up as “control exists on paper” findings because assessors ask for operational proof [1].
Practical 30/60/90-day execution plan
Days 0–30: Baseline and quick wins
- Build the Physical Security Scope Map (sites, rooms, assets, owners).
- Define zone model and minimum controls per zone.
- Standardize visitor process across sites (templates, badges, sign-in/out).
- Identify prototype storage locations and apply immediate controls (locks, restricted access list, signage).
- Stand up an evidence folder structure (by site, by control, by month).
Days 31–60: Access governance and monitoring
- Implement joiner/mover/leaver workflow for restricted zones with approvals.
- Run first restricted-zone access review; document removals and exceptions.
- Implement prototype movement log for key areas (check-in/out).
- Create a physical incident playbook and start logging exceptions centrally.
- Train reception, security, and area owners on “what must be recorded.”
Days 61–90: Testing, normalization, and assessor readiness
- Run control tests (door checks, visitor log completeness checks, spot inventory).
- Close gaps with tracked remediation tickets.
- Perform a mock assessor walkthrough: “show me the zone, show me the log, show me the review.”
- Package evidence by control objective for fast retrieval during assessment.
- If you use Daydream, map each site and artifact to the physical site and facility protections requirement so your evidence is continuously audit-ready instead of rebuilt at assessment time.
Frequently Asked Questions
Do we need the same physical controls at every location?
No. You need controls appropriate to the risk and consistent protection where sensitive automotive information and prototypes are handled [1]. Document your zone model so differences between sites are intentional and defensible.
How should we handle shared buildings with other tenants or shared reception?
Treat shared spaces as public zones and put your controlled boundary at your suite entrance or internal secure corridor. Document how visitors transition from public to controlled zones and how escorting works.
Are cameras required under the TISAX physical site and facility protections requirement?
The provided source summary does not mandate cameras [1]. If you use cameras, document coverage, retention approach, and how footage supports incident response; if you don’t, document alternative monitoring and detection methods.
What’s the minimum we need for prototype protection?
Secure storage with restricted access, a clear rule set (photos/devices/escorts), and a record of who accessed or moved prototypes are the baseline building blocks. Keep it simple enough that teams actually follow it.
How do we prove “operation” during an assessment?
Produce time-bound records: access lists with approvals, periodic access reviews, visitor logs with sign-out, incident records, and inspection/testing logs. Auditors reward consistent records more than perfect narratives.
Can third parties (cleaning, maintenance, contractors) enter restricted zones?
Yes, but treat them as controlled access: documented authorization, time-bound access where possible, and escort rules for restricted/prototype areas. Retain the authorization and visitor/escort record.
Footnotes
[1] Source: ENX TISAX overview.