December 16, 2021

sasadmin

Sofema Aviation Services (SAS) www.sassofia.com considers the forthcoming requirements related to European Union Aviation Safety Agency Opinion No 03/2021

Note 1 – An EASA Opinion is the source for Implementing Rules (when ratified by the European Commission (EC)) unless issued under delegated authority re 2018/1139.

Note 2 – An EASA Decision is the source for Acceptable Means of Compliance (AMC) and Guidance Material (GM) known also as “soft law” when issued directly by EASA.

Introduction to Forthcoming Requirements

EASA proposes the introduction of a process to identify and manage information security risks affecting aviation information and communication technology systems and data.

  • To be able to detect information security events
  • Identifying those which are considered information security incidents,
  • Able to respond to, and recover from, those information security incidents to a level commensurate with their impact on aviation safety.

EASA Use of Terminology – Information security risk

  • Means the risk to organizational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event.
  • Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets.

Applicability – Applies to the following Aviation Business Areas

  • Competent authorities
  • Organisations in all aviation domains

o   Production & Design organisations,

o   Air operators,

o   Maintenance organisations,

o   Continuing airworthiness management organisations (CAMOs),

o   Training organisations,

o   Aero-medical centres,

o   Operators of flight simulation training devices (FSTDs),

o   Air traffic management/air navigation services (ATM/ANS) providers,

o   U-space service providers and single common information service providers,

o   Aerodrome operators and apron management service providers),

Proposes a new Implementing Regulation and a new Delegated Regulation (depending on the specific aviation domains covered) regarding information security management systems for organisations and competent authorities.

  • Shall include high-level, performance-based requirements, and shall be supported by acceptable means of compliance (AMC), guidance material (GM), and industry standards.

Forthcoming Regulation In Detail EASA Part IS (Information Security)

Requirement for Regulatory Authorities – Part-IS.AR (Authority Requirements):

IS.AR.I00 Scope

IS.AR.200 information security management system (ISMS) ISAR2OS Information security risk assessment

IS.AR210 Information security risk treatment

IS.AR21S Information security incidents — detection, response, and recovery

ISAR.220 Contracting of information security management activities

ISAR.225 Personnel requirements

IS.A11.230 Record-keeping

ISAR235 Continuous improvement

Requirements for Industry – Part-IS.OR (Organisation Requirements):

IS.OR.100 Scope

IS.OP.200 Information security management system (ISMS)

IS.012.205 Information security risk assessment

IS.012.210 Information security risk treatment

IS.OR.215 Information security internal reporting scheme

IS.OR.220 Information security incidents — detection, response, and recovery IS.OR.225 Response to findings notified by the competent authority

IS.OR.230 Information security external reporting scheme

IS.OR.235 Contracting of information security management activities

IS.OR.240 Personnel requirements

IS.OR.245 Record-keeping

IS.OR.250 Information security management manual (ISNLM)

IS.OR.255 Changes to the information security management system

IS.011.260 Continuous improvement

Next Steps

Sofema Aviation Services (www.sassofia.com) & Sofema Online (www.sofemaonline.com) are now taking reservations for the following course: EASA Compliant Organizational Cyber Security Responsibilities – 1 Day

Please email team@sassofia.com for details

Share this with your network:

Tags:

aviation safety, EASA, AMC, Air Traffic Management, Air Operators, Guidance Material, Aerodrome, Cyber Security, Acceptable Means of Compliance, Aviation Operations, Civil Aviation, Aviation Cyber Security, Aviation Regulatory Requirements, Maintenance organisations, EASA Part IS, European Union Aviation Safety Agency