April 28, 2025

Steven Bentley

Sofema Aviation Services (SAS) considers areas of key exposure related to the implementation of ISMS

As well as demonstrating compliance with Regulation (EU) 2023/203, Operators should focus on reducing exposure to cyber risks and operational disruptions, by improving business resilience and safety in line with EASA requirements. Finally, Operators should aim to strengthen stakeholder confidence in information security practices.

To focus on operators’ exposures when identifying compliance gaps within organisational business areas related to the implementation of an EASA-compliant Information Security Management System (ISMS) under Regulation (EU) 2023/203, the following key points are critical:

Scope of Exposure for Operators – Threat Landscape and Business Impact

  • Operators face exposure from a rapidly evolving threat landscape, including:
    • External threats – Malware, ransomware, phishing, DDoS, and cyber espionage.
    • Internal threats – Insider sabotage, human error, and lack of awareness.
    • Supply chain vulnerabilities – Inadequate third-party security practices.
    • Emerging threats – AI-based attacks, IoT vulnerabilities, and data breaches.

Operators Potential Consequences

  • Disruption to maintenance scheduling and planning.
  • Unauthorized access to maintenance records leading to compromised safety.
  • Corruption of critical data (e.g., maintenance records, operational data).
  • Financial losses from ransomware or data theft.
  • Regulatory non-compliance leading to fines or loss of approval.

Identifying Gaps in Risk Assessment and Management

Key Takeaways  – Conduct comprehensive threat mapping and establish clear classification of threats based on severity and impact.

Current Weaknesses for Operators:

  • Insufficient threat identification – Lack of formal structure to capture new and evolving threats.
  • Inadequate classification of risks – Threat levels are not linked directly to operational consequences.
  • Weak incident response testing – Few operators conduct real-world response simulations.

Role and Responsibility Gaps

Accountable Manager Exposure:

  • Failure to provide sufficient resources for cybersecurity.
  • Lack of awareness of cyber threats at the leadership level.
  • Inadequate oversight of ISMS implementation.

Business Area Manager Exposure:

  • Poor internal communication of cybersecurity policies.
  • Failure to integrate security practices into operational workflows.
  • Lack of accountability for third-party supplier compliance.

Compliance & Safety Manager Exposure:

  • No structured reporting mechanism for cyber events.
  • Weak integration between safety and information security requirements.

Key Takeaways – Define clear accountability for cybersecurity performance, Ensure ISMS integration with existing Safety Management Systems (SMS), Strengthen oversight of third-party supplier security measures.

Policy and Procedure Gaps – Observed Weaknesses:

  • Lack of defined cyber risk policies tailored to operational exposure.
  • No regular review of security controls for alignment with current threats.
  • Inadequate guidance on handling data breaches and system compromise.

Training and Competence Gaps – Weaknesses:

  • Limited awareness among operational staff about cybersecurity threats.
  • Poor training for recognizing phishing or social engineering attacks.
  • Lack of contractor and supplier training requirements.

Training and Competence Key Takeaways – Introduce annual cybersecurity training aligned with AMC1 IS.I.OR.240 & Train all employees and contractors on:

  • Threat recognition.
  • Secure data handling.
  • Reporting procedures.

Supply Chain Weaknesses Challenges for Operators:

  • External vendors often introduce cyber risks (e.g., software updates, remote access).
  • No defined process to vet supplier security.
  • Weak control over subcontractor data access and handling.

Supply Chain – Key Takeaways

  • Ensure all supplier contracts include cybersecurity compliance terms.
  • Introduce periodic audits of vendor systems.
  • Require suppliers to provide evidence of ISMS compliance.

Incident Management and Reporting Gaps – Identified Weaknesses

  • No clear threshold for internal and external reporting.
  • Delays in incident detection due to poor system monitoring.
  • Poor feedback loop for lessons learned from cyber incidents.

Incident Management Key Takeaways

  • Implement a structured Incident Response Plan (IRP) aligned with IS.I.OR.220.
  • Define internal and external reporting protocols:
    • Initial reporting within 24 hours.
    • Full report within 72 hours to competent authorities.
  • Ensure continuous monitoring with automated detection tools.

Technical and System Exposure – Observed Weaknesses:

  • Outdated maintenance and diagnostic tools vulnerable to exploitation.
  • Weak access controls and authentication mechanisms.
  • Poor segregation of critical and non-critical systems.

Recommendations Key Takeaways

  • Introduce multi-factor authentication (MFA).
  • Encrypt sensitive records and operational data.
  • Isolate critical systems from external networks.

Audit and Continuous Improvement Gaps – Identified Weaknesses:

  • Poor follow-up on audit findings related to cybersecurity.
  • Limited integration of cyber risk insights into SMS.
  • Weak engagement with external stakeholders on cyber resilience.

Audit Key Takeway – Schedule regular internal and external audits per IS.I.OR.235, Ensure audit findings are incorporated into ISMS improvements and Develop a continuous improvement plan aligned with IS.I.OR.260.

Business Continuity and Recovery Gaps – Operator Challenges:

  • No formalized plan for recovering from a major cyber incident.
  • Weak coordination between technical and operational teams during recovery.
  • Insufficient redundancy for critical data and systems.

Recommendations:

  • Develop a Business Continuity Plan (BCP) aligned with IS.I.OR.220.
  • Conduct real-world simulations to test recovery plans.
  • Ensure off-site backups are secure and regularly tested.
  • Establish structured threat identification, risk classification, and mitigation protocols.
  • Clarify roles and responsibilities under ISMS requirements.
  • Implement stronger oversight of third-party security.
  • Expand employee awareness and response capability.
  • Upgrade system protection and access controls.
  • Formalise detection, reporting, and recovery protocols.
  • Schedule regular audits and improvement reviews.

Next Steps

Follow this link to our Library to find & download related documents for Free.

Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email [email protected].

Share this with your network:

Tags:

EASA requirements, SAS blogs, ISMS, Business Impact, Compliance Gaps, Regulation (EU) 2023/203, Organisational Business Areas, Threat Landscape, External threats, Internal threats, Supply chain vulnerabilities, Emerging threats, Risk Assessment and Management