February 10, 2025

Steven Bentley

Sofema Aviation Services (SAS) considers key elements related to Cyber Security Compliance within an EASA Part 145 Organisation.

Regulation (EU) 2023/203, specifically IS.I.OR.240, mandates a structured and accountable approach to cybersecurity.

  • Given the critical role of robust cybersecurity practices, EASA Part 145 organizations must understand the duties, accountabilities, and responsibilities needed to maintain compliance and safeguard sensitive information.
  • This document provides a breakdown of key roles—Accountable Manager, Nominated Post Holder, Business Area Manager, Compliance & Safety Manager, and Common Responsible Person—detailing their specific cybersecurity duties and performance expectations.
  • Each role is considered in the context of regulatory compliance, focusing on practical implementation, continuous improvement, and measurable outcomes aligned with IS.I.OR.240.

Accountable Manager – Cybersecurity Duties:

  • Holds overall corporate authority to ensure the implementation and financing of the Information Security Management System (ISMS).
  • Establishes and promotes the information security policy, ensuring its alignment with organizational objectives and regulatory requirements (IS.I.OR.200(a)(1)).
  • Ensures adequate resourcing for cybersecurity measures, including personnel, tools, and training (IS.I.OR.240(a)).
  • Monitors compliance of the ISMS through regular feedback and improvement measures (IS.I.OR.260).
  • Demonstrates a basic understanding of cybersecurity regulations and their impact on aviation safety.

Accountable Manager – Cybersecurity Performance Measurement:

  • Implementation and promotion of an effective information security policy.
  • Availability of resources to address cybersecurity risks and compliance with ISMS requirements.
  • Incident response performance, including adherence to reporting timelines and corrective actions.
  • Continuous improvement of the ISMS, evidenced through successful audits and risk assessments.

Nominated Post Holder – Cybersecurity Duties:

  • Oversees the implementation of cybersecurity controls within their operational area.
  • Ensures compliance with risk assessment processes to identify and address information security risks (IS.I.OR.205).
  • Monitors cybersecurity activities, such as internal reporting schemes (IS.I.OR.215) and risk treatment measures (IS.I.OR.210).
  • Coordinates with other stakeholders to ensure consistent application of cybersecurity policies and practices across interfaces.

Nominated Post Holder – Cybersecurity Performance Measurement:

  • Completion of risk assessments and implementation of risk treatment plans.
  • Timely and accurate reporting of cybersecurity events to internal and external stakeholders (IS.I.OR.230).
  • Effective integration of cybersecurity controls into daily operations.
  • Reduction in vulnerabilities and alignment with safety objectives.

Business Area Manager – Cybersecurity Duties:

  • Ensures cybersecurity risk management processes are effectively implemented within their department.
  • Oversees training and awareness programs for employees to minimize cybersecurity risks (IS.I.OR.240(g)).
  • Coordinates the reporting of cybersecurity events and incidents within their area of responsibility (IS.I.OR.215).
  • Allocates resources to ensure compliance with cybersecurity requirements for systems, data, and infrastructure.

Business Area Manager – Cybersecurity Performance Measurement:

  • Departmental compliance with cybersecurity regulations, as verified through internal and external audits.
  • Participation in cybersecurity incident detection and response activities (IS.I.OR.220).
  • Staff competency in identifying and mitigating cybersecurity risks.
  • Integration of cybersecurity practices into operational workflows.

Compliance & Safety Manager – Cybersecurity Duties:

  • Develops and oversees the Information Security Risk Assessment process, ensuring risks are identified, classified, and treated effectively (IS.I.OR.205 and IS.I.OR.210).
  • Monitors and evaluates the organization’s compliance with cybersecurity regulations (IS.I.OR.225).
  • Implements and manages the internal reporting scheme for cybersecurity events, including detection, analysis, and follow-up (IS.I.OR.215).
  • Ensures regular updates and reviews of the ISMS based on lessons learned from incidents and evolving threats (IS.I.OR.260).

Compliance & Safety Manager – Cybersecurity Performance Measurement:

  • Timely identification and resolution of cybersecurity incidents.
  • Regular and comprehensive updates to the ISMS based on performance indicators and incident reviews.
  • Quality and thoroughness of safety and cybersecurity training initiatives.
  • Reduced exposure to information security risks across the organization.

Common Responsible Person – Cybersecurity Duties:

  • Coordinates cybersecurity policies, procedures, and responsibilities across shared organizational structures (IS.I.OR.240(d)).
  • Establishes procedures for managing shared information security risks, ensuring adequate integration across all entities (IS.I.OR.205(b)).
  • Oversees implementation and continuous improvement of cybersecurity practices within shared resources and infrastructure (IS.I.OR.260).
  • Maintains a collaborative relationship with all stakeholders to ensure consistent compliance with cybersecurity objectives.

Common Responsible Person – Cybersecurity Performance Measurement:

  • Successful integration of shared cybersecurity practices across departments or organizations.
  • Effectiveness of coordination mechanisms in preventing duplication or conflict in cybersecurity responsibilities.
  • Responsiveness and alignment with incident management processes (IS.I.OR.220).
  • Feedback from audits and stakeholder reviews on the effectiveness of shared responsibilities.

Developing ISMM Structure for Cybersecurity Content

When integrating this content into the Information Security Management Manual (ISMM), include the following sections for each role:

  1. Title and Responsibility: Clearly define the authority, scope, and decision-making capacity of each role (e.g., Accountable Manager).
  2. Cybersecurity Activities: List specific cybersecurity duties tied to regulatory requirements (e.g., IS.I.OR.205 and IS.I.OR.220).
  3. Performance Indicators: Identify measurable outcomes to track the effectiveness of the role (e.g., number of incidents resolved within the set timeframe).
  4. Reporting Lines: Show organizational charts and relationships, particularly for cybersecurity event reporting and decision-making (IS.I.OR.240).
  5. Continuous Improvement: Outline processes for role-based feedback and updates to the ISMS.
