Sofema Aviation Services (SAS) highlights ISMS in aviation safety, emphasizing EASA’s IS.I.OR.200 and its impact on European operations.
An Information Security Management System (ISMS) under IS.I.OR.200 is a systematic framework for managing and securing information in aviation organisations. The ISMS aims to protect information assets, ensure operational and safety objectives are met, and manage risks associated with information security threats.
General Requirements for ISMS
The organisation must establish, implement, and maintain an ISMS that ensures the following:
- a) Information Security Policy
  - The organisation must establish a policy on information security that defines the principles and overall approach to managing information security risks and their impact on aviation safety.
  - The policy must cover at least:
    - Compliance with applicable legislation and standards.
    - Setting objectives and performance measures.
    - Defining processes and activities for securing information and ICT systems.
    - Commitment to continuous improvement.
- b) Identification and Review of Information Security Risks
  - The organisation must identify and assess information security risks that may impact aviation safety.
  - This includes reviewing external and internal interfaces that could expose the organisation to information security threats.
- c) Risk Treatment Measures
  - The organisation must define and implement measures to treat identified information security risks.
  - The measures must align with the principles outlined in IS.I.OR.210.
- d) Internal Reporting Scheme
  - An internal scheme must be in place to report information security events and incidents with a potential impact on aviation safety.
  - The scheme must include:
    - Reporting criteria.
    - Clear responsibility assignments.
    - Mechanisms for escalation and response.
- e) Incident Detection and Response
  - The organisation must define and implement measures to detect and respond to information security events.
  - The measures must enable the organisation to:
    - Identify events that could impact aviation safety.
    - Respond effectively and recover from such events.
- f) Implementation of Competent Authority Measures
  - The organisation must implement any corrective or immediate measures required by the competent authority following an information security incident.
- g) Corrective Actions for Non-Compliance
  - The organisation must take corrective action to address findings notified by the competent authority.
- h) External Reporting Scheme
  - The organisation must establish an external reporting scheme to allow the competent authority to take appropriate actions following an incident.
- i) Management of Contracted Activities
  - If any part of the ISMS is outsourced, the organisation must establish contractual terms and oversight procedures to ensure compliance with ISMS requirements.
- j) Personnel Requirements
  - The organisation must ensure that staff involved in ISMS activities are competent and adequately trained.
- k) Record-Keeping
  - The organisation must maintain records of:
    - Risk assessments.
    - Risk treatment plans.
    - Incident reports.
    - Corrective actions.
- l) Compliance Monitoring and Reporting
  - Internal audits must be conducted at regular intervals to monitor compliance with ISMS requirements.
  - Reports must be submitted to the accountable manager, with evidence of corrective actions.
- m) Confidentiality Protection
  - The organisation must protect the confidentiality of information received from other organisations in line with data sensitivity.
Documentation and Amendment Requirements
- The organisation must document all key processes, roles, and responsibilities related to the ISMS.
- A process for updating this documentation must be defined and managed in line with IS.I.OR.255.
- The Information Security Management Manual (ISMM) must:
  - Be approved by the competent authority.
  - Include references to internal and external reporting procedures.
  - Be updated to reflect changes in scope or requirements.
Continuous Improvement
- The organisation must implement a continuous improvement process in line with IS.I.OR.260.
- The effectiveness of the ISMS must be measured through:
  - Performance indicators.
  - Risk treatment outcomes.
  - Incident response effectiveness.
Proportionality of Implementation
- ISMS processes should be tailored to reflect the complexity and nature of the organisation’s operations.
- Proportionality considerations include:
  - Size and structure of the organisation.
  - Complexity of operations.
  - Risk exposure.
Integration with Existing Management Systems
- The ISMS can be integrated with other management systems (e.g., Safety Management Systems) to improve efficiency and reduce duplication of effort.
- Examples of integration:
  - Reusing existing risk management processes.
  - Leveraging existing incident response protocols.
  - Using existing compliance monitoring processes.
Derogation and Exemptions
- The competent authority may approve exemptions from ISMS requirements if the organisation demonstrates that its activities, facilities, and services pose no information security risks affecting aviation safety.
- The exemption request must be based on a documented risk assessment reviewed by the competent authority.
Summary of ISMS Process Flow
- Identify – Identify information security risks and vulnerabilities.
- Protect – Implement controls to protect against threats.
- Detect – Establish mechanisms to detect incidents.
- Respond – Implement measures to mitigate and recover from incidents.
- Improve – Continuously monitor and improve the ISMS.
Next Steps
Follow this link to our Library to find & download related documents for Free.
Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email [email protected]