Sofema Aviation Services (SAS) www.sassofia.com reviews requirements & best practices related to the implementation of an effective Information Security Management System (ISMS) (Applicable from 22 February 2026 – Regulation (EU) 2023/203)
Introduction
To implement effective systems under 145.A.200A (Information Security Management System) and 145.A.202 (Internal Safety Reporting Scheme), an organization must establish a robust framework that integrates both systems into its broader management practices. Success requires strong leadership, continuous improvement, regulatory compliance, and an organizational culture of safety and cybersecurity awareness.
- Each system requires robust processes and an organizational culture that supports proactive risk management and transparency.
145.A.200A: Information Security Management System (ISMS)
- Protect sensitive information from unauthorized access, disclosure, modification, or destruction.
- Address risks that impact aviation safety by safeguarding systems, data, and infrastructure.
Risk Management Framework:
- Identify, assess, and mitigate cybersecurity risks that could affect the safety and functionality of aviation maintenance operations.
Compliance with Regulation (EU) 2023/203:
- Align ISMS processes with the specific requirements outlined in the regulation, applicable from 22 February 2026.
Implementation Requirements:
- Define clear policies for managing information security aligned with organizational objectives and regulatory requirements.
Risk Assessment Processes:
- Regularly evaluate information security risks using standardized methodologies.
- Focus on potential threats such as malware, ransomware, insider threats, and supply chain vulnerabilities.
Technology and Tools:
- Implement secure IT infrastructure, firewalls, encryption protocols, and monitoring systems.
- Deploy systems to detect and respond to cybersecurity incidents.
Training and Awareness:
- Train staff on information security best practices and establish a culture of vigilance.
- Address the human factor, often the weakest link in cybersecurity.
Incident Management:
- Establish procedures for identifying, reporting, and mitigating information security incidents promptly.
Audits and Continuous Improvement:
- Conduct regular internal and external audits of the ISMS.
- Update processes to adapt to evolving threats and vulnerabilities.
145.A.202: Internal Safety Reporting Scheme
- The scheme must gather reports of occurrences, errors, near misses, and hazards from all levels of the organization.
Evaluation and Analysis:
- Use safety data to identify underlying causes and contributing factors.
Integration with Risk Management:
- Incorporate findings into the organization’s safety risk management process.
Communication and Feedback:
- Disseminate relevant safety information to all stakeholders, ensuring actionable insights are shared.
Implementation Requirements:
- Provide user-friendly reporting tools (e.g., web portals, apps, or hotlines) to encourage employees to report incidents.
- Foster trust by assuring employees that reports will not lead to punitive actions, enabling honest and open communication.
- Extend the safety reporting framework to encompass subcontracted activities, ensuring comprehensive risk oversight.
- Regularly review safety reports to identify trends, recurring issues, and high-priority risks.
- Develop and implement corrective actions to address identified risks and improve operational safety.
- Educate staff about the importance of reporting and how the information will be used to improve safety.
- Ensure compliance with Regulation (EU) 2021/1963 by aligning the scheme with the reporting requirements under point 145.A.60.
Common Challenges and Mitigation Strategies:
- Resistance to Reporting – Mitigate by establishing trust, ensuring confidentiality, and promoting the benefits of reporting.
- Integration with Existing Systems – Overcome silos by aligning ISMS and safety reporting systems with the broader management framework.
- Resource Constraints – Allocate sufficient resources for training, technology acquisition, and system maintenance.
Sofema Aviation Services (SAS) and Sofema Online (SOL) provide Classroom, Webinar and Online Training. For more information, please email team@sassofia.com.