September 12, 2023


Sofema Aviation Services considers the various requirements to be met for an organisation to demonstrate compliance with EASA Information Security Management System (ISMS) Part-IS.D.OR (Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022) amending Commission Regulations (EU) No 748/2012 and (EU) No 139/2014.


Potential Waiver – IS.D.OR.205 through IS.D.OR.260

If it (The organisation) demonstrates to the satisfaction of that authority that its activities, facilities and resources, as well as the services it operates, provides, receives and maintains, do not pose any information security risks with a potential impact on aviation safety neither to itself nor to other organisations.

The approval shall be based on a documented information security risk assessment carried out by the organisation or a third party in accordance with point IS.D.OR.205 and reviewed and approved by its competent authority.

The continued validity of that approval will be reviewed by the competent authority following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.


  • IS.D.OR.100 – Scope

o   Establishes the requirements to be met by the organisations referred to in Article 2 of this Regulation. (Aerodrome, Design & Production Organisations – excluding ELA)

IS.D.OR.200 – Information security management system

  • The processes, procedures, roles and responsibilities established by the organisation in order to comply with point IS.D. OR.200(a) shall correspond to the nature and complexity of its activities, based on an assessment of the information security risks inherent to those activities, and may be integrated within other existing management systems already implemented by the organisation.

The organisation shall set up, implement and maintain an information security management system (ISMS) which ensures that the organisation:

  • Policy on information security with regard to the potential impact of information security risks on aviation safety;
  • Identifies and reviews information security risks IS.D.OR.205;
  • Security risk treatment measures in accordance with point IS.D.OR.210;
  • IS internal reporting scheme in accordance with point IS.D.OR.215;
  • Defines and implement measures IS.D.OR.220, the measures required to detect information security events (Emergency Response) alleviation for IS.D.OR.205(e)
  • Comply with CA IS Requirements & action, in accordance with point IS.D.OR.225.
  • External Reporting IS.D.OR.230
  • Contracting activities to comply with IS.D.OR.235;
  • Personnel requirements laid down in point IS.D.OR.240;
  • Records IS.D.OR.245;
  • Monitors compliance of the organisation IS requirements – feedback to AM or HOD (head of Design)
  • Ensure incident reporting confidentiality
  • continuous improvement process IS.D.OR.260.
  • Document I.A.W IS.D.OR.250, establish a process for amending that documentation. Changes to those processes, procedures, roles and responsibilities shall be managed in accordance with point IS.D.OR.255.

Next Steps

Follow this link to our Library to find & Download related documents for Free

Sofema Aviation Services offers the following courses delivered as classroom or webinar – EASA Compliant Organizational Cyber Security Responsibilities – 1 Day

Please see or email


(Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022), (ISMS) Requirements DR EU 2022_1645, Aerodrome, aviation safety, Commission Regulations (EU) No 748/2012 and (EU) No 139/2014, Document I.A.W IS.D.OR.250, EASA Information Security Management System, Emergency Response, External Reporting, IS internal reporting scheme, IS requirements, IS.D.OR.100 – Scope, Personnel requirements, Potential Waiver - IS.D.OR.205 through IS.D.OR.260, Production Organisations, risk treatment measures, SAS blogs, security risks