Sofema Aviation Services (SAS) www.sassofia.com considers the forthcoming requirements related to European Union Aviation Safety Agency Opinion No 03/2021
Note 1 – An EASA Opinion is the source for Implementing Rules (when ratified by the European Commission (EC)) unless issued under delegated authority re 2018/1139.
Note 2 – An EASA Decision is the source for Acceptable Means of Compliance (AMC) and Guidance Material (GM) known also as “soft law” when issued directly by EASA.
Introduction to Forthcoming Requirements
EASA proposes the introduction of a process to identify and manage information security risks affecting aviation information and communication technology systems and data, so that organisations are able to:
- Detect information security events,
- Identify those events which are considered information security incidents,
- Respond to, and recover from, those information security incidents to a level commensurate with their impact on aviation safety.
EASA Use of Terminology – Information security risk
- Means the risk to organisational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event.
- Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets.
Applicability – Applies to the following Aviation Business Areas
- Competent authorities
- Organisations in all aviation domains
  - Production & design organisations,
  - Air operators,
  - Maintenance organisations,
  - Continuing airworthiness management organisations (CAMOs),
  - Training organisations,
  - Aero-medical centres,
  - Operators of flight simulation training devices (FSTDs),
  - Air traffic management/air navigation services (ATM/ANS) providers,
  - U-space service providers and single common information service providers,
  - Aerodrome operators and apron management service providers.
EASA proposes a new Implementing Regulation and a new Delegated Regulation (depending on the specific aviation domains covered) regarding information security management systems for organisations and competent authorities.
- The regulations shall include high-level, performance-based requirements, and shall be supported by acceptable means of compliance (AMC), guidance material (GM), and industry standards.
Forthcoming Regulation In Detail EASA Part IS (Information Security)
Requirement for Regulatory Authorities – Part-IS.AR (Authority Requirements):
IS.AR.100 Scope
IS.AR.200 Information security management system (ISMS)
IS.AR.205 Information security risk assessment
IS.AR.210 Information security risk treatment
IS.AR.215 Information security incidents — detection, response, and recovery
IS.AR.220 Contracting of information security management activities
IS.AR.225 Personnel requirements
IS.AR.230 Record-keeping
IS.AR.235 Continuous improvement
Requirements for Industry – Part-IS.OR (Organisation Requirements):
IS.OR.100 Scope
IS.OR.200 Information security management system (ISMS)
IS.OR.205 Information security risk assessment
IS.OR.210 Information security risk treatment
IS.OR.215 Information security internal reporting scheme
IS.OR.220 Information security incidents — detection, response, and recovery
IS.OR.225 Response to findings notified by the competent authority
IS.OR.230 Information security external reporting scheme
IS.OR.235 Contracting of information security management activities
IS.OR.240 Personnel requirements
IS.OR.245 Record-keeping
IS.OR.250 Information security management manual (ISMM)
IS.OR.255 Changes to the information security management system
IS.OR.260 Continuous improvement
Next Steps
Sofema Aviation Services (www.sassofia.com) & Sofema Online (www.sofemaonline.com) are now taking reservations for the following course: EASA Compliant Organizational Cyber Security Responsibilities – 1 Day
Please email team@sassofia.com for details.
Tags:
aviation safety, EASA, AMC, Air Traffic Management, Air Operators, Guidance Material, Aerodrome, Cyber Security, Acceptable Means of Compliance, Aviation Operations, Civil Aviation, Aviation Cyber Security, Aviation Regulatory Requirements, Maintenance organisations, EASA Part IS, European Union Aviation Safety Agency