EASA PART-IS / Information Security Management System (ISMS)
EASA Part-IS sets information security rules. Summary of key topics: scope, takeaways, timeline.
Part-IS (Information Security) is a regulatory framework within European aviation regulations that establishes how aviation organizations must protect their information systems and data against cyber threats.
To facilitate compliance with information security regulations, EASA published in June 2024 the Easy Access Rules for Information Security (Regulations (EU) 2023/203 and 2022/1645).
In today’s article I’m going to summarise:
What does Part-IS cover?
Who must comply with Part-IS?
Key takeaways
Implementation Timeline
Let’s dive in! 🤿
What Does Part-IS Cover?
Part-IS sets out requirements for:
Establishing an Information Security Management System (ISMS).
Conducting risk assessments to identify vulnerabilities.
Implementing security measures to mitigate risks.
Defining incident response and recovery procedures.
Managing outsourced security activities.
Ensuring compliance with governance, risk, and compliance principles.
Establishing continuous improvement processes.
Who Must Comply with Part-IS?
Part-IS applies to a wide range of aviation entities, including:
Air operators and maintenance organizations.
Air Navigation Service Providers (ANSPs).
U-space service providers.
Design and production organizations for ATM/ANS systems.
Training organizations, including ATCO and aircrew training.
Regulatory authorities responsible for aviation oversight.
Key Takeaways
1. Information Security Management System (ISMS)
Organizations must establish, implement, operate, monitor, review, maintain, and continuously improve an ISMS.
The ISMS aims to protect information assets so that operational and security objectives can be achieved effectively, efficiently, and with risk awareness.
Governance, Risk, and Compliance perspectives must be incorporated into the ISMS.
2. Information Security Risk Assessment
A thorough risk assessment is required to identify vulnerabilities and threats affecting aviation security.
The assessment determines the ISMS's scope and interfaces with external stakeholders.
Competent authorities must ensure all relevant aviation security elements are included in the ISMS scope.
3. Information Security Risk Treatment
Identified risks must be addressed with risk treatment measures to mitigate or reduce their impact.
Risk treatment must follow a structured plan with priorities, objectives, and deadlines.
Measures must align with IS.AR.210(a) objectives to ensure compliance.
4. Incident Detection, Response, and Recovery
Procedures must be in place to detect security events, classify incidents, and initiate an effective response.
A vulnerability management strategy is essential for timely and effective responses to identified vulnerabilities.
Response measures must align with the maximum acceptable risk level for affected elements.
5. Outsourcing Information Security Management Activities
Organizations outsourcing ISMS activities must comply with specific requirements.
A pre-assessment of vendors' competencies, sustainability, and qualifications is mandatory.
The pre-assessment ensures that suppliers meet information security requirements before contracting.
6. Personnel Requirements
Personnel involved in ISMS must undergo background checks and reliability assessments.
Reliability assessments may consider the potential security impact of accessed systems and data under IS.AR.205.
7. Record-Keeping
Organizations must maintain records related to information security management, including contracts, risk assessments, and mitigation measures.
Records must be archived and traceable for audit and compliance purposes.
8. Continuous Improvement
The ISMS must include a continuous improvement process to enhance security maturity levels.
Regular assessments should identify improvement areas and drive corrective actions.
Implementation Timeline
EASA's Part-IS information security regulations will be implemented in two phases:
Delegated Regulation (EU) 2022/1645: Applicable from October 16, 2025
Implementing Regulation (EU) 2023/203: Applicable from February 22, 2026
Wondering which regulation applies to your organization? 🤔
A quick way to check is by reviewing the relevant EASA FAQ section through the link:
https://www.easa.europa.eu/en/the-agency/faqs/information-security-part#category-applicability
That’s all for today.
Stay tuned! 🚀 See you next week. 👋
Disclaimer: The information provided in this newsletter and related resources is intended for informational and educational purposes only. It reflects both researched facts and my personal views. It does not constitute professional advice. Any actions taken based on the content of this newsletter are at the reader's discretion.