Part-IS Implementation Task Force - Deliverables

Vasileios PAPAGEORGIOU • 23 July 2024
in community Cybersecurity

Cooperation

The Part-IS Task Force is a collaborative effort of EASA States civil aviation authorities.

The overarching objectives of the Task Force are the following:

  • Discuss Part-IS implementation issues;
  • Develop a common understanding and share experiences regarding the practical application of the rules;
  • Identify common solutions (methods, processes, policies, implementation options, etc);
  • Agree on a harmonised approach towards Part-IS implementation.

Objectives

In line with these objectives and as part of our ongoing commitment to maintain high standards of aviation safety throughout the European Union, the Task Force has worked with great care to produce a number of deliverables that could be used as guidelines by both aviation organisations and authorities.

The deliverables that have been produced so far are the following:

The Task Force is also working on other deliverables; once those are finalised they will be uploaded to this page.


Comments (9)

John Straiton

On Page 10 of the Implementation guidelines for Part IS - IS.I/D.OR200(e)
The entry reads "At least IS.I.OR.240 (3)..."
Should it read "At least IS.I.OR.240(a)(3) ..."?

Vasileios PAPAGEORGIOU

Hi John, this point indeed refers to IS.I.OR.240(a)(3), i.e., to the accountable manager who needs to have at least a basic understanding of the rule.

Cyrille Aubergier

Some comments on Guidelines - ISO/IEC 27001 vs PART-IS

IS.OR.205 (b) Information security risk assessment
Proposal of addition: 5.9 Inventory of information and other associated assets

IS.OR.225 Response to findings notified by the competent authority
Proposal of addition: 8.3 Information security risk treatment

IS.OR.230 Information security external reporting scheme
Proposal of addition: 5.3 Organizational roles, responsibilities and authorities.

IS.OR.250 (a) Information security management manual (ISMM)
Proposal of addition: 4 Context of the organization (that includes: 4.1 Understanding the organization and its context; 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the information security management system).

IS.OR.200 (a) Information security management system (ISMS)
Proposal of addition: A5.1 Policies for information security

4.29 IS.OR.240 (a) + (e) Personnel requirements
Proposal of correction: A5.3 is "Segregation of duties" and not "Management responsibilities"

4.31 IS.OR.240 (d) Personnel requirements
Proposal of addition: A5.4 Management responsibilities

Vasileios PAPAGEORGIOU

Hi Cyrille,
Many thanks for your feedback. It is much appreciated to receive the inputs from our community members and this is the added value of this community. We will make sure this is taken into account when reviewing the document.

Vasileios PAPAGEORGIOU

Hi Michal, there is currently no such discussion at the level of the Part-IS task force, although we are constantly exploring potential topics on which the task force can work. I believe this is a very good point and it would make sense to explore such an option before the next iteration of the AMC/GM, so thanks for raising this thought.
