Carlos Sorel posted in Cybersecurity
2 weeks ago
Regarding IS.I.OR.235, I wonder how we should approach cases in which an airline belongs to a corporation or group of companies, and this parent company is the one that provides them with information security services. Should we understand that these services are being subcontracted to a third party or, on the contrary, understand that they are being provided as their own by the airline, being part of the same group of companies?
The applicability of Part-IS is defined in the basis of the approval. The approval holder is the one accountable for complying with the requirements of the domain, including now also the requirements of Part-IS. Any services provided beyond those boundaries should be treated as contracted activities. It is in any case the responsibility of the approved organisation to identify and address any risks they might be facing, regardless of where those are originating, if they have an impact on aviation safety.
Thank you, Vasileios