FAQs on Part-IS are published!

Vasileios PAPAGEORGIOU • 23 January 2024
in community Cybersecurity


The Frequently Asked Questions (FAQs) published include a set of 22 questions and answers that aim to address common queries and concerns raised by aviation stakeholders on a number of topics related to Part-IS and its implementation.

Those topics include, among others, the applicability of the rules, the provisions on derogation, the delegation of tasks, competencies and other common areas of interest under this regulatory framework.

FAQs

The questions included in the FAQs have been collected by our cybersecurity team following exchanges with numerous stakeholders and by taking on board the feedback received during the previous months, especially following the publication of the AMC/GM to Part-IS.

The FAQs, together with the published AMC/GM on Part-IS, aim to provide support and guidance to both organisations and authorities towards the implementation of Part-IS. Depending on the questions that will be received in the future, the FAQs may be further updated.

Do you think that FAQs are a useful tool? Let us know in the comments below!

The image has been generated by utilising OpenAI’s tools following relevant prompts

Comments (5)

Gian Andrea BANDIERI

Dear Community members,
this is the first batch of FAQs. We are happy to expand it, based on the additional questions you will share with us.
Don't sit on your questions!

Michal Walczak

After Part-IS implementation in a company that has multiple legal entities operating in different countries (under the jurisdiction of different aviation authorities), how will the company be audited? Each company separately by the local authority, or can the group (operator) be audited as a whole organisation?

Dominique SAVEL

It is likely that the IS part will lead us towards ISO 27001 because it is the auditable standard that comes closest. For a company of the dimensions you mention, there must be a DPO in HQ management for GDPR compliance; he will be best able to translate the differences between states in terms of information security, because each authority will interpret the text in the light of its existing texts. You will therefore have as many audits as there are states, and in each state, depending on the interpretation.
If you check the GDPR problems, you'll find something relevant: "Currently, in the case of cross-border data transfers, companies trying to use different technology providers encounter a number of difficulties. They are increasingly confused by the ambiguity, overlap and fragmentation of various laws, regulations and requirements in this area. Only an international political solution could help put an end to this imbroglio."

Davide MARTINI

Dear Michal, please consider that Part-IS adds ISMS requirements to the provisions that already exist in the implementing regulation for the domain.
Therefore, a (legal) entity holding multiple approvals obtained in different Member States (for instance an airline group with multiple air operator certificates) will be subject to the same audit scheme as today. During the audit cycle, compliance with the provisions of Part-IS will be assessed.
In complex settings, the Common Responsible Person option can help a group streamline some processes and share them across multiple approvals, but it won't affect the audit scheme.

Dominique SAVEL

Hello, Part-IS adds ISMS requirements, I understand. My question is how the European EASA regulations interpret the storage of data outside the European Union and therefore not subject to the GDPR? Concretely, will we have a map of the servers in order to guarantee that the data stored there is indeed governed by the security rules that apply to us? Mapping the risk will otherwise be complicated, and this without going into the detail of the processing of data subject to 15 CFR 730-774.
