Sofema Aviation Services (SAS) considers reporting methods and criteria within the EASA Part 145 Information Security Management (Cyber) System while maintaining the existing headcount.
Purpose
To establish a unified procedure for managing cybersecurity-related events, ensuring compliance with EU regulations, and safeguarding aviation safety in accordance with Commission Implementing Regulation (EU) 2023/203 and related EASA regulatory frameworks.
Scope
This procedure applies to:
- All personnel, including contractors and third-party service providers, involved with the organization's EASA Part 145 operations.
- All cyber events, vulnerabilities, and incidents potentially affecting aviation safety, information security, or operational systems.
- The integration and harmonization of measures outlined in Part-IS.I.OR and Part-145 requirements.
Definitions
- Information Security: The preservation of confidentiality, integrity, authenticity, and availability of network and information systems as per Article 3(1) of EU 2023/203.
- Cybersecurity Event: An identified occurrence indicating a potential breach of security controls or policies.
- Incident: An event with an actual adverse effect on the security of systems or processes critical to aviation safety.
- Risk Assessment: Systematic identification, evaluation, and management of risks as outlined in IS.I.OR.205.
- Competent Authority: Regulatory bodies such as EASA or national authorities defined under IS.I.OR.230.
Reporting Structure – Internal Reporting
Responsibility: All personnel are responsible for identifying and reporting cybersecurity events.
Reportable Items:
- Time and date of detection.
- Description of the event (e.g., phishing attempt, ransomware, system compromise).
- Impacted systems, processes, or departments.
- Preliminary safety and operational impact assessments.
Channels:
- Utilize internal platforms (incident management systems or dedicated emails).
- Escalate critical events immediately to the Information Security Officer (ISO).
Evaluation:
- ISMT (Information Security Management Team) assesses and classifies the event under IS.I.OR.215.
- Risks are analyzed as per IS.I.OR.205 and treated per IS.I.OR.210.
Reporting Structure – External Reporting
Criteria for Reporting:
- Incidents affecting aviation safety, system integrity, or compliance with Part-145.
- Threats with significant operational or reputational impacts.
Timelines:
- Initial Notification: Within 72 hours of detection as per IS.I.OR.230(c)(2).
- Follow-Up Report: Within 30 days, detailing root cause, mitigation actions, and preventive measures.
Notification Recipients:
- National Competent Authority (NCA).
- Design approval holders or applicable external entities per IS.I.OR.230(b).
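As an added illustration (not part of Sofema's procedure or any EASA material), the reportable items, external reporting criteria and timelines above expressed as a small Python record that computes the 72-hour and 30-day deadlines from the detection time and flags overdue reports. The rule that safety-relevant events are always externally reportable while other impacts require a confirmed incident is an assumption, as are the sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

INITIAL_NOTIFICATION = timedelta(hours=72)  # initial notification window (IS.I.OR.230(c)(2))
FOLLOW_UP_REPORT = timedelta(days=30)       # follow-up report with root cause and mitigation

class Impact(Enum):
    NONE = "none"
    OPERATIONAL = "operational"
    REPUTATIONAL = "reputational"
    SAFETY = "safety"  # aviation safety, system integrity or Part-145 compliance

@dataclass
class CyberEvent:
    """One internal report carrying the fields listed under 'Reportable Items'."""
    detected_at: datetime             # time and date of detection (timezone-aware)
    description: str                  # e.g. phishing attempt, ransomware
    impacted_systems: list            # impacted systems, processes or departments
    impact: Impact                    # preliminary safety/operational assessment
    confirmed_incident: bool = False  # ISMT classification result (IS.I.OR.215)

    def __post_init__(self):
        if self.detected_at.tzinfo is None:
            raise ValueError("detection time must be timezone-aware")

    def requires_external_report(self) -> bool:
        """External reporting criteria. Assumption: safety-relevant events are
        always reported; other impacts only once confirmed as incidents."""
        if self.impact is Impact.SAFETY:
            return True
        return self.confirmed_incident and self.impact is not Impact.NONE

    def deadlines(self) -> dict:
        """Both reporting deadlines, counted from the detection time."""
        return {"initial_notification": self.detected_at + INITIAL_NOTIFICATION,
                "follow_up_report": self.detected_at + FOLLOW_UP_REPORT}

    def overdue(self, now: datetime, submitted=frozenset()) -> list:
        """Reports that are past their deadline and not yet submitted."""
        if not self.requires_external_report():
            return []
        return [name for name, due in self.deadlines().items()
                if name not in submitted and now > due]

# Constructed sample event, not a real occurrence.
SAMPLE = CyberEvent(datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
                    "ransomware on maintenance records server",
                    ["work order system"], Impact.SAFETY)
```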
Incident Response and Recovery
Detection
- Leverage automated systems and anomaly detection tools to monitor and flag deviations as outlined in IS.I.OR.220.
- Develop baselines for normal system performance to quickly detect anomalies.
Response
- Activate the Incident Response Plan (IRP).
- Contain threats to limit further impact as defined in IS.I.OR.220(b).
- Escalate events to internal and external stakeholders for immediate action.
- Assign responsibilities to a predefined response team.
Recovery
- Restore systems to operational status in compliance with IS.I.OR.220(c).
- Conduct root cause analysis and post-incident reviews to identify vulnerabilities and improve safeguards.
Training and Awareness
Regular training aligned with IS.I.OR.240, emphasizing:
- Cyber risk identification and reporting.
- Usage of internal reporting mechanisms.
- Compliance with regulatory responsibilities.
Record-Keeping
- Maintain detailed records of all cybersecurity activities for a minimum of 5 years per IS.I.OR.245.
- Ensure records are secure, traceable, and protected from unauthorized access or modification.
Continuous Improvement
Periodic review of the Information Security Management System (ISMS) per IS.I.OR.260:
- Evaluate incident trends, training feedback, and audit results.
- Implement corrective measures for identified deficiencies.
Compliance and Harmonization
This procedure aligns with:
- Annex II, Part-IS.I.OR: Internal and external reporting requirements.
- Annex VII, Part-ORA: Oversight and risk management mandates.
- Annex III, Part-145: Operational compliance for maintenance organizations.
Governance
- Accountable Manager: Ensures organizational compliance and resource availability per IS.I.OR.240(a).
- Information Security Management Team (ISMT): Oversees incident evaluation, mitigation, and compliance.
References
- Commission Implementing Regulation (EU) 2023/203.
- Regulation (EU) 1321/2014, Part-145.
- Annex II, Part-IS.I.OR: Information Security Requirements.
- EU Regulation 2018/1139: Safety Management Systems framework.
Next Steps
- Follow this link to our Library to find and download related documents for free.
- See the following 2-day course: Implementing an Information Cyber Security Program in an EASA Part 145 Organization – 2 Days
For comments or questions please email team@sassofia.com