Compliance Auditing of EASA Aerodrome Information Security Management Systems
Sofema Online (SOL) www.sofemaonline.com considers the regulatory requirements related to Information Security Management (ISM) and the key compliance audit elements.
What is an EASA Aerodrome Information Security Threat?
- An information security threat may be any circumstance or event with the potential to adversely impact the operation, systems and/or constituents due to human action (accidental, casual or purposeful, intentional or unintentional, mistaken)
>> Resulting from unauthorised access, use, disclosure, denial, disruption, modification, or destruction of information and/or information system interfaces.
- This includes malware and the effects of external systems on dependent systems but does not include physical threats.
Introduction
ADR.OR.D.005A Information security management system - Delegated Regulation (EU) 2022/1645
- The aerodrome operator shall establish, implement and maintain an information security management system in accordance with Delegated Regulation (EU) 2022/1645
>> In order to ensure the proper management of information security risks which may have an impact on aviation safety.
GM1 ADR.OR.F.045(c) Management system - ED Decision 2020/021/R
Note - Management System Documentation
- It is not required to duplicate information in several manuals.
- The safety management manual is considered part of the management manual of the organisation responsible for the provision of Apron Management Service (AMS).
ADR.OR.F.045A Information security management system - Delegated Regulation (EU) 2022/1645
- The organisation responsible for the provision of AMS shall establish, implement and maintain an information security management system in accordance with Delegated Regulation (EU) 2022/1645 in order to ensure the proper management of information security risks which may have an impact on aviation safety. [Applicable from 16 October 2025 — Delegated Regulation (EU) 2022/1645]
GM1 ADR.OR.D.007(a) Management of aeronautical data and aeronautical information ED Decision 2014/012/R
- Concerning Quality Management System for Aeronautical Data and aeronautical information provision activities
>> An aerodrome operator does not need to duplicate functions and activities in order to discharge the responsibilities related to the management of aeronautical data and aeronautical information provision activities.
>> In this respect, the compliance monitoring may be used for the purposes of ensuring compliance with the relevant requirements for management of aeronautical data and aeronautical information provision activities.
AMC1 ADR.OR.D.007(b) Management of aeronautical data and aeronautical information - Security Management for Aeronautical Data and Aeronautical Information Provision activities ED Decision 2014/012/R
The security management objectives should be:
- To ensure the security of aeronautical data and aeronautical information received, produced, or otherwise employed so that it is protected from interference, and access to it is restricted only to those authorised; and
- To ensure that the security management measures meet appropriate national, EU, or international requirements for critical infrastructure and business continuity, and international standards for security management, including:
>> ISO/IEC 17799:2005 — Information technology — Security techniques — Code of practice for information security management;
>> ISO 28000:2007 — Specification for security management systems for the supply chain.
- Regarding the ISO standards, the relevant certificates issued by an appropriately accredited organisation are considered as an Acceptable Means of Compliance.
[Applicable until 15 October 2025 — Delegated Regulation (EU) 2020/2148]
As part of its management system, the aerodrome operator shall implement and maintain a quality management system covering the following activities:
- Its aeronautical data activities;
- Its aeronautical information provision activities.
As part of its management system, the aerodrome operator shall establish a security management system to ensure the security of operational data it receives, or produces, or otherwise employs, so that access to that operational data is restricted only to those authorised.
The security management system shall define the following elements:
- The procedures relating to
>> Data security risk assessment and mitigation,
>> Security monitoring and improvement,
>> Security reviews and lesson dissemination;
- The means designed to detect security breaches and to alert personnel with appropriate security warnings;
- The means of controlling the effects of security breaches and of identifying recovery action and mitigation procedures to prevent reoccurrence.
The aerodrome operator shall ensure the security clearance of its personnel with respect to aeronautical data security.
(e) The aspects related to information security shall be managed in accordance with point ADR.OR.D.005A.
[Applicable from 16 October 2025 — Delegated Regulation (EU) 2022/1645]
ADR.OR.D.007 Management of aeronautical data and aeronautical information
- As part of its management system, the aerodrome operator shall implement and maintain a quality management system covering the following activities:
>> Its aeronautical data activities;
>> Its aeronautical information provision activities.
- The aerodrome operator shall, as part of its management system, establish a security management system to ensure the security of operational data it receives, or produces, or otherwise employs, so that access to that operational data is restricted only to those authorised.
The security management system of the aerodrome operator shall define the following elements:
- The procedures relating to
>> Data security risk assessment and mitigation,
>> Security monitoring and improvement,
>> Security reviews and lesson dissemination;
- The means designed to detect security breaches and to alert personnel with appropriate security warnings;
- The means of controlling the effects of security breaches and of identifying recovery action and mitigation procedures to prevent reoccurrence.
The aerodrome operator shall ensure the security clearance of its personnel with respect to aeronautical data security.
The aerodrome operator shall take the necessary measures to protect its aeronautical data against cyber security threats.
Next Steps
Please see the following course, EASA Airports Aviation Compliance Management and Auditing – 4 Days, or email [email protected] for additional information.