Paving the Road to ISO 27001: A TISAX Compliance Deep Dive
My approach to IT has always been grounded in the robust frameworks that govern enterprise-level security and operations. I’ve consistently drawn inspiration from standards like NIST to build processes that are not just efficient, but also secure and auditable. In 2020, this governance-first mindset became critical when Getaround embarked on the path to TISAX compliance.
The Strategic Imperative: Aligning with Automotive Industry Standards
TISAX (Trusted Information Security Assessment Exchange) is the information security assessment and result-sharing mechanism used across the automotive industry. It was developed by the VDA (the German Association of the Automotive Industry) and is operated by the ENX Association; its assessment catalogue, the VDA ISA, is derived from the ISO/IEC 27001 control set, which is why a TISAX label is widely treated as the baseline for suppliers and partners handling automotive data.
For Getaround, preparing for the TISAX assessment was a strategic business imperative required to strengthen partnerships and operate with the highest level of trust within this ecosystem.
As a key IT stakeholder, my role was to architect and drive the implementation of the core policies and controls necessary to meet these rigorous standards.
I collaborated closely with a dedicated cross-functional team, our Legal Counsel, and a third-party audit partner to build a comprehensive information security framework from the ground up.
Building a Framework of Governance, Risk, and Compliance (GRC)
Our work began with a comprehensive gap analysis, measuring our existing IT systems and processes against the TISAX assessment criteria (the VDA ISA catalogue), which map closely onto the ISO 27001 control framework.
My leadership was central to authoring, sponsoring, and implementing a suite of policies that would serve as the foundation of our new GRC framework.
As the official Sponsor for IT topics, I took ultimate ownership of several core policies, including:
- Access Management Policy: Establishing a “least-privilege” access model based on NIST guidelines, defining how access to all critical systems is requested, approved, granted, periodically reviewed and revoked.
- Full Disk Encryption Policy: Mandating and outlining the processes for encrypting all company devices to protect data at rest, a fundamental security control.
- Network Management Policy: Defining secure configuration standards for all network equipment to protect our data from unauthorized access and ensure network integrity.
- IT Asset Management Policy: Creating a formal lifecycle for all physical IT assets—from planning and acquisition to secure disposal—based on ISO standards and NIST best practices.
Beyond sponsoring these documents, I provided critical stewardship for other essential policies, including those for Business Continuity Planning, Data Backups, and the Responsible Use of IT Systems.
The Outcome: A Foundational Step Towards ISO 27001 Certification
Through this structured and policy-driven approach, we successfully established a mature, auditable information security program built on internationally recognized standards.
While our initial focus was TISAX, the GRC framework, policies, and controls we developed were designed around ISO 27001 from the start, so the work was directly reusable.
The foundation laid by our team directly enabled Getaround to achieve ISO 27001 certification a few years later.
This project was a testament to the power of proactive governance. By treating compliance not as a final destination but as a framework for operational excellence, we fundamentally strengthened the company’s security posture and built the necessary foundation for future security achievements.
It solidified my belief that a rigorous, policy-driven approach is the most effective way to manage risk and build trust in any regulated industry.