April 08, 2025

Steven Bentley

Sofema Aviation Services (SAS) considers key aspects of the information and cyber risk exposure an organisation takes on as a result of its contracting activities.

By proactively managing cybersecurity risks through clear contractual arrangements, aviation organizations meet EASA requirements, mitigate those risks, and contribute to the overall security and safety of the aviation system.

Organizations should:

  • Review existing contracts for compliance gaps related to cybersecurity.
  • Embed cybersecurity contracting considerations into procurement and supplier management policies.
  • Maintain continuous dialogue with external providers to enhance collective cybersecurity preparedness.

Background & Context – IS.I.OR.235 is part of the regulatory framework set by EASA under Regulation (EU) 2022/1645 (Information Security Management System – ISMS) focused specifically on aviation cybersecurity and information security.

  • It highlights the importance of managing cybersecurity risks when organizations rely on external providers, contractors, or third-party suppliers.
  • Effective cybersecurity risk management must extend beyond the organization’s internal borders, incorporating oversight and control over contracted external providers.

Key Elements of Contracting Considerations for Cyber Risk Management:

Clear Definition of Security Roles and Responsibilities:

  • Clearly define each party’s cybersecurity-related obligations.
  • Identify points of contact responsible for cybersecurity issues.
  • Outline processes for incident reporting, escalation, and response.

Contractual Security Requirements:

  • Ensure the inclusion of clear, measurable cybersecurity requirements aligned with organizational security policies and applicable regulatory frameworks.
  • Requirements should reference recognized standards (ISO/IEC 27001, NIST, or EU cybersecurity standards relevant to aviation).

Compliance with EASA Cybersecurity Regulations:

  • External providers must adhere to the requirements set out in Regulation (EU) 2022/1645, Annex II, including ISMS obligations.
  • Contracts should explicitly state adherence to these regulatory requirements, ensuring external providers understand and comply fully.

Incident Management and Reporting Requirements:

  • Contract terms should outline explicit cybersecurity incident detection, notification, response, and reporting responsibilities.
  • External providers must promptly inform the contracting organization about suspected or actual cybersecurity incidents impacting the contracted services or the broader aviation system.

Cybersecurity Risk Assessment and Assurance:

  • Organizations must conduct initial and recurring risk assessments concerning third-party providers’ cybersecurity posture.
  • Provisions should be included for ongoing assessments or audits to confirm providers’ cybersecurity effectiveness.
  • Contracts should specify how compliance and risk assessments (audits, penetration tests, reviews) will be conducted, the frequency, and the party responsible for conducting them.

Monitoring and Audit Rights:

  • Explicitly incorporate the right to audit and inspect external provider cybersecurity measures, including technical and procedural controls.
  • Outline the frequency, scope, and methodology of audits or cybersecurity assessments.

Security Controls and Safeguards:

  • Define baseline cybersecurity controls (technical, physical, procedural) expected to be implemented by external providers.
  • Include requirements for data encryption, identity and access management, authentication protocols, and network security practices, commensurate with identified risks.

Data Handling and Protection Requirements:

  • Clearly define obligations for handling, storage, processing, and secure disposal of sensitive aviation or personal data.
  • Contracts must adhere to GDPR and other EU/EASA data protection and privacy requirements.

Training and Awareness:

  • Specify cybersecurity training obligations and awareness requirements for external provider personnel.
  • Ensure external providers have a comprehensive awareness program aligned with the contracting organization’s cybersecurity policies.

Business Continuity and Disaster Recovery:

  • Require external providers to develop and maintain robust business continuity and disaster recovery plans with clearly defined responsibilities, response procedures, and recovery timelines.
  • Include provision for regular testing and reporting of the results.

Subcontracting Management:

  • Clearly identify whether subcontracting is permitted, under which conditions, and the cybersecurity obligations passed down to subcontractors.
  • Contracts should ensure visibility into subcontracted arrangements and require cybersecurity controls at the subcontractor level equivalent to primary provider obligations.

Termination Clauses and Exit Provisions:

  • Define clear conditions under which the contract can be terminated due to cybersecurity-related breaches or non-compliance.
  • Detail obligations upon termination, such as returning or securely deleting sensitive data, and assistance provided to transition securely away from the provider.

Contractual Best Practices

To implement IS.I.OR.235 effectively, organizations should:

  • Integrate cybersecurity considerations early in the contract negotiation process.
  • Conduct comprehensive due diligence on third-party cybersecurity posture before engagement.
  • Utilize clearly defined key performance indicators (KPIs) to track cybersecurity compliance.
  • Regularly review and update contracts to accommodate emerging cyber threats and regulatory changes.

Benefits of clear contractual arrangements:

  • Clear contractual terms help ensure that cybersecurity risks posed by third-party engagements are well understood and mitigated.
  • Clear documentation of roles and obligations supports regulatory compliance and reduces the risk of regulatory penalties or enforcement actions.
  • Defined incident response responsibilities enable rapid, coordinated responses, limiting impacts and downtime.
  • Well-managed cybersecurity contracts build stakeholder confidence, customer trust, and overall organizational resilience.

Next Steps

Follow this link to our Library to find & download related documents for Free.

Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email [email protected].
