April 17, 2025

Steven Bentley

The successful implementation and management of an Information Security Management System (ISMS) in aviation safety under EASA regulations requires a coordinated effort from multiple stakeholders. Each stakeholder group—Management, Compliance, IT, and Operations—has distinct responsibilities, competence requirements, and training needs.

Under Regulations (EU) 2023/203 and 2022/1645, EASA outlines specific requirements for competence, training, and performance evaluation to ensure effective information security management and to minimise risks to aviation safety.

Each stakeholder group—Management, Compliance, IT, and Operations—plays a distinct and interconnected role in ISMS implementation. Successful execution requires tailored competence assessment and targeted training for each role to ensure alignment with EASA regulations and best practices.

Management Responsibilities

Management holds the highest level of responsibility for implementing and maintaining the ISMS within an aviation organisation. Their role is to provide strategic direction, ensure resource allocation, and oversee overall compliance with ISMS requirements.

Management Key Responsibilities

  • Establishing the ISMS framework and integrating it into the broader Safety Management System (SMS).
  • Defining the scope of the ISMS and identifying critical assets and systems.
  • Approving the Information Security Policy and ensuring it aligns with organisational objectives.
  • Allocating necessary resources (financial, human, technological) to support ISMS implementation.
  • Conducting regular management reviews to assess ISMS performance and ensure continuous improvement.
  • Ensuring accountability for information security across all departments.
  • Promoting a Just Culture to encourage open reporting of information security risks and incidents.

Management Competence Requirements – Leadership and Governance:

    • Understanding of the ISMS framework and EASA regulations (EU 2023/203, 2022/1645).
    • Familiarity with ISO/IEC 27001 and NIST Cybersecurity Framework (CSF).
    • Strategic decision-making capabilities in relation to information security.

Risk-Based Decision Making:

    • Understanding information security risks and their impact on aviation safety.
    • Ability to evaluate and prioritize information security threats.

Crisis Management:

    • Capability to lead response efforts in the event of a major information security incident.
    • Decision-making under pressure and coordination with internal and external stakeholders.

Stakeholder Engagement:

    • Ability to engage with regulatory authorities (EASA, national authorities) and other industry stakeholders.
    • Communication and negotiation skills to ensure alignment of ISMS requirements across departments.

Training Requirements – Executive ISMS Awareness Training:

  • Overview of EASA regulatory requirements and ISMS structure.
  • Alignment between ISMS and SMS requirements.

Risk Management and Incident Response Training:

  • Managing risk at the executive level.
  • Defining and executing strategic response plans.

Leadership in Cybersecurity and Crisis Management:

  • Developing a security-conscious corporate culture.
  • Best practices for managing information security crises.

Performance Evaluation and Continuous Improvement:

  • Evaluating ISMS performance using KPIs.
  • Identifying and implementing corrective and preventive actions (CAPA).

Compliance Responsibilities – Key Responsibilities

Compliance teams are responsible for ensuring that the organisation adheres to EASA’s ISMS requirements and other applicable regulations. They also play a key role in preparing for audits and coordinating with regulatory authorities.

  • Monitoring and interpreting regulatory updates and ensuring alignment with ISMS requirements.
  • Maintaining documentation and ensuring the availability of records for audits and inspections.
  • Conducting internal audits and ensuring corrective actions are implemented.
  • Reporting incidents and non-conformities to the competent authorities (e.g., EASA, NIS authorities).
  • Ensuring that third-party contracts include ISMS-related requirements.

Competence Requirements

    • Detailed understanding of EASA regulations and AMC/GM related to ISMS.
    • Familiarity with ISO 27001, NIST CSF, and other industry standards.
    • Experience in conducting internal and external ISMS audits.
    • Capability to identify gaps and recommend corrective actions.
    • Ability to assess and classify incidents according to EASA guidelines.
    • Understanding of external reporting requirements under EASA and NIS regulations.
    • Ability to review and enforce ISMS requirements in third-party contracts.
    • Experience in managing supplier relationships and holding them accountable for ISMS compliance.

Compliance Training Requirements

  • In-depth training on EASA (EU 2023/203 and 2022/1645) requirements.
  • Understanding how ISMS aligns with SMS and other regulatory frameworks.
  • Techniques for conducting internal and external audits.
  • Evaluation of ISMS performance and corrective actions.
  • Incident classification methods.
  • Reporting requirements to EASA and national authorities.
  • Legal and compliance aspects of ISMS-related contract clauses.
  • Monitoring and oversight of third-party compliance.

IT Responsibilities

IT teams are responsible for the technical implementation and maintenance of the ISMS, ensuring that information systems are protected from threats and vulnerabilities.

IT Key Responsibilities

  • Establishing and maintaining a secure IT infrastructure.
  • Implementing and testing access controls, firewalls, and intrusion detection systems.
  • Conducting vulnerability scans and penetration tests.
  • Monitoring network traffic and responding to anomalies.
  • Applying software patches and configuration updates.
  • Managing encryption, authentication, and data integrity.

IT Competence Requirements

    • Expertise in network security, system hardening, and encryption.
    • Familiarity with industry-standard cybersecurity tools and practices.
    • Ability to monitor and analyse security events.
    • Capability to respond effectively to attacks and minimise impact.
    • Experience in root cause analysis and forensic investigations.
    • Ability to coordinate with compliance and operations teams during an incident.
    • Understanding of GDPR and data protection laws.
    • Experience in implementing data access controls and encryption methods.

IT Training Requirements

  • Recognizing and mitigating cyberattacks.
  • Incident response and recovery.
  • Configuring ISMS controls.
  • Aligning technical measures with ISMS requirements.
  • GDPR and data protection training.
  • Secure data transmission and storage.

Operational Team Responsibilities – Key Responsibilities

Operations teams are responsible for ensuring that ISMS measures are effectively implemented at the operational level.

  • Acting as the front line for incident detection and response.
  • Following established ISMS procedures during day-to-day operations.
  • Reporting security incidents and suspected breaches.
  • Implementing physical and technical controls to protect sensitive systems and data.
  • Coordinating with IT and compliance teams to address security weaknesses.
  • Participating in incident response and recovery efforts.

Operational Competence Requirements

  • Situational Awareness:
    • Recognizing abnormal system behavior.
    • Understanding operational risks related to information security.
  • Incident Reporting and Response:
    • Capability to respond quickly to incidents and contain threats.
    • Knowledge of reporting requirements and escalation procedures.
  • Physical Security Controls:
    • Managing access to secure areas and systems.
    • Ensuring security of hardware and infrastructure.

Operations Training Requirements

  • Recognizing social engineering and phishing attacks.
  • Understanding basic cybersecurity principles.
  • Reporting procedures and escalation.
  • Coordinating with IT and compliance teams.
  • Secure transmission and storage of data.
  • Protecting physical and digital access points.

Next Steps

Follow this link to our Library to find and download related documents for free.

Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email [email protected].
