Sofema Aviation Services (SAS) www.sassofia.com considers the various requirements to be met for an organisation to demonstrate compliance with EASA Part-IS.D.OR – Information Security Management System(ISMS);(Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022) amending Commission Regulations (EU) No 748/2012 and (EU) No 139/2014
Note regarding Compliance – Applicable from 16 October 2025.
IS.D.OR.205 – Information security risk assessment
The organisation shall identify all of its elements, that could be exposed to information security risks. That shall include:
- The organisation’s activities, facilities and resources, as well as the services the organisation operates, provides, receives or maintains;
- The equipment, systems, data and information that contribute to the functioning of the elements listed
- The organisation shall identify the interfaces that it has with other organisations, which could result in mutual exposure to information security risks.
- With regard to the elements and interfaces referred to, the organisation shall identify the information security risks that may have a potential impact on aviation safety.
o For each identified risk, the organisation shall:
- Assign a risk level according to a predefined classification established by the organisation;
- Associate each risk and its level with the corresponding element or interface identified
- The predefined classification shall take into account the potential occurrence of the threat scenario and the severity of its safety consequences.
- Based on that classification, and considering whether the organisation has a structured and repeatable risk management process for operations, the organisation shall be able to establish whether the risk is acceptable or needs to be treated per point IS.D.OR.210.
Note – assignment of the risk level shall take into account all relevant information
Review and update the risk assessment when:
- There is a change in the elements subject to information security risks;
- There is a change in the Organisational Interfaces
- There is a change in the information or knowledge used for the identification, analysis and classification of risks;
- There are lessons learnt from the study of information security incidents.
IS.D.OR.210 – Information Security Risk Treatment
Those measures shall enable the organisation to:
- Control the circumstances that contribute to the effective occurrence of the threat scenario;
- Reduce the consequences on aviation safety associated with the materialisation of the threat scenario;
- Avoid the risks. (Measures shall not introduce any new potential unacceptable risks to aviation safety.
Communication of Risk Assessment & Outcome Measures (IS.D.OR.240) – AM and interface organisations
- shall also inform interface organisations of any risk shared between both organisations.
IS.D.OR.215 – Information security internal reporting scheme
Establish an internal reporting scheme (IS.D.OR.230)
Scheme and process ref IS.D.OR.220 to:
o Identify which of the events are considered information security incidents or vulnerabilities with a potential impact on aviation safety;
o Identify the causes of, and contributing factors to, the information security incidents and vulnerabilities identified
o Address them as part of the information security risk management process in accordance with points IS.D.OR.205 and IS.D.OR.220;
- Ensure an evaluation of all known, relevant information relating to the information security incidents and vulnerabilities identified
- Ensure the implementation of a method to distribute internally the information as necessary.
- Contracted Organisations are required to report IS Events I.A.W contracted procedure
- Cooperate on investigations with any other organisation that has a significant contribution to the information security of its own activities.
- May Integrate that reporting scheme with other reporting schemes it has already implemented.
IS.D.OR.220 – Information security incidents – detection, response, and recovery
Based on the outcome of the risk assessment – shall implement measures to detect incidents and vulnerabilities that indicate the potential materialisation of unacceptable risks and which may have a potential impact on aviation safety.
Those detection measures shall enable the organisation to:
- Identify deviations from predetermined functional performance baselines;
- Trigger warnings to activate proper response measures, in case of any deviation.
- Implement measures to respond to any event conditions that may develop or have developed into an information security incident.
- Those response measures shall enable the organisation to:
o initiate the reaction to the warnings by activating predefined resources and course of actions;
o Contain the spread of an attack and avoid the full materialisation of a threat scenario;
o Control the failure mode of the affected elements defined in point IS.D.OR.205(a).
- The organisation shall implement measures aimed at recovering from information security incidents, including emergency measures, i
- Those recovery measures shall enable the organisation to:
o Remove the condition that caused the incident, or constrain it to a tolerable level;
o Reach a safe state of the affected elements defined in point IS.D.OR.205(a) within a recovery time previously defined by the organisation.
Next Steps
Follow this link to our Library to find & Download related documents for Free.
Sofema Aviation Services & Sofema Online to register for a training program enroll through the website or email team@sassofia.com with any questions or comments
Tags:
Risk Assessment & Outcome Measures, risk level, data and information, classification of risks, recovery time, security incidents, Commission Regulations, internal reporting scheme, AM and interface organisations, Risk Treatment, Compliance, EASA Commission Delegated Regulation (EU) 2022/1645, ISMS, Part - IS. D. OR, Information Security Management System (ISMS), Information Security, SAS blogs, Requirements, EASA