Sofema Aviation Services (SAS) www.sassofia.com considers the various requirements to be met for an organisation to demonstrate compliance with EASA Part-IS.D.OR – Information Security Management System (ISMS) (Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022, amending Commission Regulations (EU) No 748/2012 and (EU) No 139/2014).
Note regarding Compliance – Applicable from 16 October 2025.
IS.D.OR.205 – Information security risk assessment
The organisation shall identify all of its elements that could be exposed to information security risks. That shall include:
- The organisation’s activities, facilities and resources, as well as the services the organisation operates, provides, receives or maintains;
- The equipment, systems, data and information that contribute to the functioning of the elements listed.
- The organisation shall identify the interfaces that it has with other organisations, which could result in mutual exposure to information security risks.
- With regard to the elements and interfaces referred to, the organisation shall identify the information security risks that may have a potential impact on aviation safety.
- For each identified risk, the organisation shall:
o Assign a risk level according to a predefined classification established by the organisation;
o Associate each risk and its level with the corresponding element or interface identified.
- The predefined classification shall take into account the potential occurrence of the threat scenario and the severity of its safety consequences.
- Based on that classification, and considering whether the organisation has a structured and repeatable risk management process for operations, the organisation shall be able to establish whether the risk is acceptable or needs to be treated in accordance with point IS.D.OR.210.
Note – assignment of the risk level shall take into account all relevant information.
Review and update the risk assessment when:
- There is a change in the elements subject to information security risks;
- There is a change in the organisation's interfaces;
- There is a change in the information or knowledge used for the identification, analysis and classification of risks;
- There are lessons learnt from the study of information security incidents.
IS.D.OR.210 – Information Security Risk Treatment
The risk treatment measures shall enable the organisation to:
- Control the circumstances that contribute to the effective occurrence of the threat scenario;
- Reduce the consequences on aviation safety associated with the materialisation of the threat scenario;
- Avoid the risks. (Measures shall not introduce any new potential unacceptable risks to aviation safety.)
Communication of Risk Assessment & Outcome Measures (IS.D.OR.240) – AM and interface organisations
- The organisation shall also inform interface organisations of any risk shared between both organisations.
IS.D.OR.215 – Information security internal reporting scheme
Establish an internal reporting scheme (IS.D.OR.230)
The scheme and process (ref. IS.D.OR.220) shall:
o Identify which of the events are considered information security incidents or vulnerabilities with a potential impact on aviation safety;
o Identify the causes of, and contributing factors to, the information security incidents and vulnerabilities identified;
o Address them as part of the information security risk management process in accordance with points IS.D.OR.205 and IS.D.OR.220;
- Ensure an evaluation of all known, relevant information relating to the information security incidents and vulnerabilities identified.
- Ensure the implementation of a method to distribute internally the information as necessary.
- Contracted organisations are required to report information security events in accordance with the contracted procedure.
- Cooperate on investigations with any other organisation that has a significant contribution to the information security of its own activities.
- The organisation may integrate that reporting scheme with other reporting schemes it has already implemented.
IS.D.OR.220 – Information security incidents – detection, response, and recovery
Based on the outcome of the risk assessment, the organisation shall implement measures to detect incidents and vulnerabilities that indicate the potential materialisation of unacceptable risks and which may have a potential impact on aviation safety.
Those detection measures shall enable the organisation to:
- Identify deviations from predetermined functional performance baselines;
- Trigger warnings to activate proper response measures, in case of any deviation.
- Implement measures to respond to any event conditions that may develop or have developed into an information security incident.
- Those response measures shall enable the organisation to:
o Initiate the reaction to the warnings by activating predefined resources and courses of action;
o Contain the spread of an attack and avoid the full materialisation of a threat scenario;
o Control the failure mode of the affected elements defined in point IS.D.OR.205(a).
- The organisation shall implement measures aimed at recovering from information security incidents, including emergency measures, i
- Those recovery measures shall enable the organisation to:
o Remove the condition that caused the incident, or constrain it to a tolerable level;
o Reach a safe state of the affected elements defined in point IS.D.OR.205(a) within a recovery time previously defined by the organisation.
Next Steps
Follow this link to our Library to find & Download related documents for Free.
Please visit www.sassofia.com and www.sofemaonline.com to register for a training program enroll through the website or email team@sassofia.com with any questions or comments
Tags:
AM and interface organisations, classification of risks, Commission Regulations, Compliance, data and information, EASA, EASA Commission Delegated Regulation (EU) 2022/1645, Information Security, Information Security Management System (ISMS), internal reporting scheme, ISMS, Part-IS.D.OR, recovery time, Requirements, Risk Assessment & Outcome Measures, risk level, Risk Treatment, SAS blogs, security incidents