Hichem in Getaround

TISAX Compliance: From Process to Policy

Building a policy-driven framework to unlock strategic partnerships.

In the world of IT infrastructure, it’s easy to get caught up in the day-to-day tickets and deployments. But the most impactful work often involves stepping back and building the frameworks that turn scattered processes into a mature, auditable system. A few years ago at Getaround, I was part of a project that perfectly illustrated this shift: preparing the company for TISAX compliance.

The Challenge: Earning a Seat at the Automotive Table

The business goal was straightforward and strategic: Getaround was aiming to forge partnerships with major automotive OEMs. To be considered a serious partner in that industry, however, you have to speak their language, and a huge part of that language is information security. We needed to demonstrate our maturity, and that meant preparing for a TISAX (Trusted Information Security Assessment Exchange) assessment, the industry’s gold standard.

Executive leadership moved quickly, forming a task force that included our CTO, Legal Counsel, and an external security partner. My role was clear: as the IT stakeholder, I was responsible for taking our existing IT systems and processes, formalizing them, and ensuring they met the rigorous TISAX standards. This wasn’t about a single tool or technology; it was about building a foundation of governance from the ground up.

Building the Foundation: A Policy-Driven Approach

Our first step was an honest look in the mirror. Working alongside our external CISO and internal team, we conducted a gap analysis to see where our current practices stood against the TISAX requirements. We weren’t starting from zero, but many of our processes were informal or lacked global consistency. The goal wasn’t just to pass an audit but to create a sustainable security posture.

We prioritized the quick wins first to build momentum, then moved to the heavier lifts. My core responsibility was to author and sponsor the official policies that would serve as our new rulebook. This meant documenting what we already did well, defining new standards where we had gaps, and then rolling out these policies across a global organization.

I was the official sponsor for a number of critical IT policies, including:

  • Access Management Policy: Defining a least-privilege model for who gets access to what, and why.
  • IT Asset Management: Creating a formal lifecycle for every piece of hardware, from acquisition to secure disposal.
  • Full Disk Encryption Policy: Mandating encryption across all company devices to protect data at rest.
  • Network Management Policy: Establishing secure configuration standards for our entire network infrastructure.
  • Business Continuity Plan: Outlining our strategy for keeping critical systems running when things go wrong.

This was a collaborative effort, involving deep dives with various departments to ensure the policies were not only compliant but also practical for day-to-day operations.

The Result: A Framework for Future Growth

This project was far more than a paper exercise. The outcome was a set of roughly ten robust IT policies that were implemented globally, taking into account regional regulations like GDPR. We moved from tribal knowledge and ad-hoc procedures to a clear, documented, and enforceable set of security controls.

The immediate result was that we successfully positioned Getaround as a mature, security-conscious partner, ready for the rigors of the automotive industry. But the long-term impact was even greater.

The GRC (Governance, Risk, and Compliance) framework we built for TISAX laid the essential groundwork that enabled Getaround to achieve the prestigious ISO 27001 certification a few years later.

Key Takeaway

This project reinforced a core belief of mine: proactive governance isn’t a roadblock; it’s a business accelerator. By treating compliance as an opportunity to mature our internal processes, we didn’t just earn a certification. We built a more resilient, secure, and scalable IT foundation that could support the company’s ambitious goals.

I’m always interested in hearing how other teams have tackled similar GRC challenges. What has your experience been with turning informal processes into auditable policies?

Let me know your thoughts in the comments or connect with me on LinkedIn.