Sofema Aviation Services (SAS) considers key elements related to Cyber Security Compliance within an EASA Part 145 Organizations
Regulation (EU) 2023/203 was introduced to establish a framework for managing information security risks within the aviation sector, particularly focusing on their potential impact on aviation safety.
Note – EASA Part 145 Organizations have until 22 February 2026 to fully comply, allowing time to develop and integrate the ISMS.
Key Requirements for Part 145 Organizations
- Part 145 organizations fall within the scope of the regulation under Article 2(1)(a) and are required to manage the information security risks associated with their maintenance activities.
- Implementation of an Information Security Management System (ISMS) to address risks to aviation safety from information and communication technology (ICT) systems.
- Development of processes to detect, respond to, and recover from information security incidents.
Integration with Existing Systems
The ISMS must align with the management system already mandated under Part 145 regulations, avoiding duplication and ensuring operational efficiency.
- External Reporting: Part 145 organizations must establish an external reporting scheme for significant information security incidents, ensuring prompt communication with competent authorities, design approval holders, and other affected organizations.
Challenges for Part 145 Organizations
- Aligning the ISMS with existing safety and quality management systems without excessive administrative overhead.
- Harmonizing with standards like ISO 27001, which may not fully address aviation-specific risks.
- Limited expertise in cybersecurity within maintenance organizations.
Best Practices for Implementation
- Risk Assessments & Mitigation Strategies
  - Conduct comprehensive risk assessments covering all ICT systems, interfaces, and operational activities.
  - Classify risks and establish clear mitigation strategies.
- Training & Awareness
  - Train all relevant personnel regarding organizational obligations and information security awareness.
- Integrated Management System
  - Develop an Integrated Management System combining the ISMS with the Part 145 management system.
- Incident Management & Response
  - Establish clear protocols for detecting, responding to, and recovering from information security incidents.
  - Test incident response plans through tabletop exercises and real-world simulations.
- Collaboration & Communication
  - Foster relationships with design approval holders, CAMOs, and competent authorities to enhance risk-sharing and coordinated responses.
  - Ensure regular internal and external reporting on information security risks and incidents.
- Continuous Improvement
  - Periodically review the effectiveness of the ISMS using performance indicators.
  - Incorporate lessons learned from security incidents and audits into system enhancements.
- Technology & Tools
  - Invest in cybersecurity tools for intrusion detection, vulnerability management, and system monitoring.
  - Ensure systems are updated with the latest patches and security enhancements.
Next Steps
Follow this link to our Library to find and download related documents for free.
Sofema Aviation Services and Sofema Online provide Classroom, Webinar, and Online training.
See the following 2-day course: Implementing an Information Cyber Security Program in an EASA Part 145 Organization – 2 Days
For comments or questions, please email [email protected]