Part-IS Implementation Task Force - Deliverables

Vasileios PAPAGEORGIOU • 23 July 2024
in community Cybersecurity

The Part-IS Task Force is a collaborative effort of EASA States civil aviation authorities.

The overarching objectives of the Task Force are the following:

  • Discuss Part-IS implementation issues;
  • Develop a common understanding and share experiences regarding the practical application of the rules;
  • Identify common solutions (methods, processes, policies, implementation options, etc);
  • Agree on a harmonised approach towards Part-IS implementation.

In line with these objectives and as part of our ongoing commitment to maintain high standards of aviation safety throughout the European Union, the Task Force has worked with great care to produce a number of deliverables that could be used as guidelines by both aviation organisations and authorities.

The deliverables that have been produced so far are the following:

The Task Force is also working on further deliverables; once those are finalised they will be uploaded to this page.


Comments (13)

John Straiton

On Page 10 of the Implementation guidelines for Part IS - IS.I/D.OR200(e)
The entry reads "At least IS.I.OR.240 (3)..."
Should it read "At least IS.I.OR.240(a)(3) ..."?

Vasileios PAPAGEORGIOU

Hi John, this point indeed refers to IS.I.OR.240(a)(3), i.e., to the accountable manager, who needs to have at least a basic understanding of the rule.

Cyrille Aubergier

Some comments on Guidelines - ISO/IEC 27001 vs PART-IS

IS.OR.205 (b) Information security risk assessment
Proposal of addition: 5.9 Inventory of information and other associated assets

IS.OR.225 Response to findings notified by the competent authority
Proposal of addition: 8.3 Information security risk treatment

IS.OR.230 Information security external reporting scheme
Proposal of addition: 5.3 Organizational roles, responsibilities and authorities.

IS.OR.250 (a) Information security management manual (ISMM)
Proposal of addition: 4 Context of the organization (that includes: 4.1 Understanding the organization and its context; 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the information security management system).

IS.OR.200 (a) Information security management system (ISMS)
Proposal of addition: A5.1 Policies for information security

4.29 IS.OR.240 (a) + (e) Personnel requirements
Proposal of correction: A5.3 is "Segregation of duties" and not "Management responsibilities"

4.31 IS.OR.240 (d) Personnel requirements
Proposal of addition: A5.4 Management responsibilities

Vasileios PAPAGEORGIOU

Hi Cyrille,
Many thanks for your feedback. It is much appreciated to receive the inputs from our community members and this is the added value of this community. We will make sure this is taken into account when reviewing the document.

Vasileios PAPAGEORGIOU

Hi Michal, there is currently no such discussion at the level of the Part-IS task force, although we are constantly exploring potential topics the task force could work on. I believe this is a very good point and it would make sense to explore such an option before the next iteration of the AMC/GM, so thanks for raising this thought.

mfonganpascal@gmail.com

Hello,

I would like to express my most sincere appreciation for the EASA PART-IS regulatory initiative, which aims to strengthen the security of information systems in civil aviation. This regulation is an important step towards guaranteeing the protection of sensitive data and the prevention of cyber threats in our sector.

I am also very interested in the possibility of joining the cyber working group that is working on the implementation of this regulation. I believe that my experience and knowledge in the field of information systems security could be useful in contributing to this working group.

I would be delighted to discuss this opportunity in more detail and to learn how I could contribute to this working group.

Thank you for your time and consideration.

Kind regards.

Vasileios PAPAGEORGIOU

Hello Pascal, thank you for your message. For the time being, and given its applicability, only the civil aviation authorities of the EU can be part of the Part-IS Task Force. However, we are open to any comments via this community. Thank you for your interest!

Davide MARTINI

With this third publication we complete the additional harmonised guidance for Part-IS implementation and oversight.
All the topics for which the majority of organisations and authorities wished to have more details:
- The mapping of similarities and differences between an ISMS under ISO 27001 and Part-IS,
- The elements of proportionality in the implementation and oversight of the ISMS under Part-IS,
- The derogation process, and
- The expected level of the ISMS implementation maturity for the initial oversight
have all been covered with published guidelines.