
Appendix IV — Part-IS requirements mapping to ISO/IEC 27001:2022 clauses and controls, and considerations on differences

ED Decision 2025/014/R

Although Part-IS does not credit ISO/IEC 27001 certification, the practices and methods typically adopted for implementing and maintaining an ISMS under ISO/IEC 27000 largely align with the objectives of this regulation. Therefore, entities that have already implemented an ISMS under ISO/IEC 27001:2022 can use this as a basis for Part-IS compliance.

The following provides guidance on how organisations that have already implemented an ISMS compliant with ISO/IEC 27001:2022 can integrate Part-IS requirements into their existing ISMS. Specifically, the table below illustrates how to incorporate the ‘Part-IS particularity’ of each requirement into an existing ISO/IEC 27001-based ISMS in order to achieve Part-IS compliance. This is referred to as ‘Guidance on Part-IS implementation’.

Part-IS requirement

ISO/IEC 27001:2022 mapping and specific guidance

IS.I.OR.200(a)

Related ISO/IEC 27001:2022 clauses and controls

4 Context of the organisation

6.1.1 Actions to address risks and opportunities - General

Part-IS particularity

An ISMS designed in the context of an ISO/IEC 27001:2022 ISMS, which is currently not connected to the management systems required by the delegated and implementing acts of Regulation (EU) 2018/1139, including Part-IS, may differ if these different systems do not address the same goals. Part-IS focuses on information security requirements meeting the applicable aviation safety objectives, which have an influence on elements of the ISMS. Also, the ‘interested parties’ and the ‘internal and external issues’ as laid down in Chapter 4 of ISO/IEC 27001:2022 may be adapted to address the requirements of Part-IS for the organisation.

Guidance on Part-IS implementation

Please note that point IS.I.OR.200 refers to many other Part-IS requirements with which the ISMS has to comply, namely points 205, 210, 215, 220, 225, 230, 235, 240, 245, 255 and 260. Further details are provided in the specific chapters on each of those requirements.

Of the remaining requirements, which do not refer to other Part-IS requirements, four are left to be compared with ISO/IEC 27001:2022, namely points IS.I.OR.200(a)(1), IS.I.OR.200(a)(6), IS.I.OR.200(a)(12) and IS.I.OR.200(a)(13).

IS.I.OR.200(a)(1)

Related ISO/IEC 27001:2022 clauses and controls

5.2 Policy

A.5.1 Policies for information security

Part-IS particularity

An ISMS designed in the context of an ISO/IEC 27001:2022 ISMS, which is currently not connected to the management systems required by the delegated and implementing acts of Regulation (EU) 2018/1139, may differ, as these different systems often do not address the same goals. Part-IS focuses on information security requirements influencing the applicable aviation safety objectives, which in turn have an influence on the elements of the ISMS.

In addition, all domain-specific delegated and implementing acts of Regulation (EU) 2018/1139, namely points ORO.GEN.200(a)(2), ORA.GEN.200(a)(2), CAMO.A.200(a)(2), 145.A.200(a)(2), 21.A.139(c)(1), 21.A.239(c)(1), ATM/ANS.OR.B.005(a)(2), ATCO.OC.C.001(b) and ADR.OR.D.005(b)(2), require a ‘safety policy’, where information security may be integrated.

Guidance on Part-IS implementation

The policy on information security established in an ISO/IEC 27001:2022 context has to be updated with regard to the potential impact of the risks on aviation safety. At least the elements of AMC1 IS.I.OR.200(a)(1) have to be mentioned in the policy. Therefore, the following elements may need to be added to an existing ISMS policy. The elements in bold and italics are additional guidance that might also be considered.

(a) committing to complying with applicable legislation, considering relevant standards and best practices, including safety- and cybersecurity-related standards and guidance published or prescribed by ICAO, EASA or the relevant civil aviation authority;

(b) setting objectives and performance measures for managing information security, updated to ensure meeting the applicable aviation safety objectives;

(c) defining general principles, activities, processes for the organisation to appropriately secure information and communication technology systems and data, in relation to the information security / safety risk assessment required by point IS.I.OR.205;

(d) committing to applying ISMS requirements into the processes of the organisation;

(e) committing to continually improving towards higher levels of information security process maturity as per point IS.I.OR.260;

(f) committing to satisfying applicable requirements regarding information security (including requirements stemming from civil aviation authorities) and its proactive and systematic management and to the provision of appropriate resources for its implementation and operation;

(g) assigning information security as one of the essential responsibilities for all managers;

(h) committing to promoting the information security policy through training or awareness sessions within the organisation to all personnel on a regular basis or upon modifications;

(i) encouraging the implementation of a ‘just culture’ and the reporting of vulnerabilities, suspicious/anomalous events and/or information security incidents;

(j) committing to communicating the information security policy to all relevant parties, as appropriate.

IS.I.OR.200(a)(6)

Related ISO/IEC 27001:2022 clauses and controls

10.1 Corrective actions

A5.5 Contact with authorities

A5.26 Response to information security incidents

A8.8 Management of technical vulnerabilities

Part-IS particularity

This requirement has no specific counterpart in ISO/IEC 27001:2022.

Guidance on Part-IS implementation

The policies and procedures, defined as means of compliance with the requirements listed above, should be extended to information security measures mandated by the competent authority.

IS.I.OR.200(a)(12)

Related ISO/IEC 27001:2022 clauses and controls

9.2 Internal audit

9.3 Management review

10.2 Non-conformity and corrective action

A5.36 Compliance with policies, rules and standards for information security

Part-IS particularity

This requirement is strongly related to the internal audit system and the independent checking function of ISO/IEC 27001:2022. The required feedback system to the accountable manager or the head of the design organisation fits into the requirement of 9.3.

In addition, all delegated and implementing acts for the specific domains require a similar ‘compliance monitoring function’, where information security should be integrated as described in AMC1 IS.I.OR.200(a)(12).

Guidance on Part-IS implementation

The requirements of ISO/IEC 27001:2022 and the delegated and implementing acts of Regulation (EU) 2018/1139 are compatible. Therefore, it will be easy to integrate Part-IS into the audit scope of the ISO/IEC 27001:2022 internal audit system.

The role of the accountable manager or the head of the design organisation as defined under point IS.I.OR.240(a) has to be addressed accordingly in the feedback loop if the role is not already addressed in the management review process. The accountable manager or the head of the design organisation is required to be personally briefed on the key findings so that appropriate decisions can be made.

Refer also to GM1 IS.I.OR.200(a)(12).

Note: ISO 19011:2018 provides guidance on the establishment of an internal audit system. Specifically, Chapter A.7 ‘Auditing compliance within a management system’ provides useful guidance on how to integrate a compliance monitoring function into an internal audit system.

IS.I.OR.200(a)(13)

Related ISO/IEC 27001:2022 clauses and controls

7.5.3 Control of documented information (Note)

A5.12 Classification of information

A5.34 Privacy and protection of personal identifiable information (PII)

A8.12 Data leakage prevention

Part-IS particularity

This requirement is limited to ‘information from other organisations’ and to confidentiality. ISO/IEC 27001:2022 does not differentiate between ‘internal’ or ‘external’ information (as laid down e.g. in ISO 9001:2015 Chapter 8.5.3). The only reference is made in the note in Chapter 7.5.3.

Part-IS stresses protection of external information received due to the sensitivity it may have regarding incidents and vulnerabilities disclosure. Insufficient confidentiality protection may result in exploitation of vulnerabilities affecting safety that the original provider of information may not have perceived.

Guidance on Part-IS implementation

The protection of information, specifically regarding confidentiality (as in ISO/IEC 27002:2022), is related to a set of controls that can be found in Table A.1 (Matrix of controls and attribute values) of ISO/IEC 27002:2022. See also the definition in ISO/IEC 27002:2022:

3.1.7 Confidential information

Information that is not intended to be made available or disclosed to unauthorized individuals, entities or processes.

An organisation that has implemented these controls should take special care that they also apply to information received from external sources which may give rise to information security threats if it becomes known to unauthorised actors. When this kind of information is further shared with other organisations or authorities, appropriate confidentiality procedures must be put in place and followed (TLP marking, for instance).

IS.I.OR.200(b)

Related ISO/IEC 27001:2022 clauses and controls

10.1 Continual improvement

Part-IS particularity

Part-IS and ISO/IEC 27001:2022 are very similar regarding this requirement. See points IS.I.OR.260 (a) and (b) for subtle differences.

Guidance on Part-IS implementation

See point IS.I.OR.260 in this table.

IS.I.OR.200(c)

Related ISO/IEC 27001:2022 clauses and controls

6.3 Planning of changes

7.5.3 Control of documented information

Part-IS particularity

Control of documented information is one of the key processes in each ISO management system standard following the ISO ‘high-level structure’ (ISO/IEC Directives Part 1, Annex SL), such as ISO/IEC 27001:2022.

For changes, see point IS.I.OR.255.

In addition, most of the delegated and implementing acts for the specific domains require a similar need to document, where information security should be integrated.

Guidance on Part-IS implementation

See points IS.I.OR.250 and IS.I.OR.255 in this table.

IS.I.OR.200(d)

Related ISO/IEC 27001:2022 clauses and controls

4.3 Determining the scope of the information security management system

Part-IS particularity

The scope statement and the ‘statement of applicability’ (SOA) are the best references to apply the ‘nature and complexity’.

In addition, most of the delegated and implementing acts for the specific domains require a similar need to document, where information security should be integrated.

Guidance on Part-IS implementation

When determining the scope, it should be noted that Part-IS is delimited to the subject matter as defined in Article 1 of the Regulation(s), which refers to identification and management of information security risks with potential impact on aviation safety.

Considering this, the scope of an ISMS under ISO/IEC 27001:2022 may be broader than that required by Part-IS. Some organisational units, processes or locations may fall under what is covered by the ISMS under ISO/IEC 27001:2022, but not within the scope of Part-IS.

The opposite may happen too: the scope under ISO/IEC 27001:2022 may be narrower than the one Part-IS would require (e.g. the ISO/IEC 27001:2022 scope covers only the IT department).

In both situations, scope definitions must be compared and adjusted when necessary.

Note: See also guidance on point IS.I.OR.205(a) in this table.

The scope statement in the ISO/IEC 27001:2022 context is the right place where this clarification is made.

IS.I.OR.200(e)

Related ISO/IEC 27001:2022 clauses and controls

4.1 Understanding the organisation and its context

Part-IS particularity

This is a ‘derogation’ for organisations falling under the applicability of Article 2 of this Regulation. This process is independent from an ISO/IEC 27001:2022 certification process.

Guidance on Part-IS implementation

If an organisation which already has an established ISMS according to ISO/IEC 27001:2022 decides to embark on this process, the full implementation of Part-IS into the ISMS may be put on hold until the decision of the competent authority is made.

To demonstrate that an organisation’s activities, facilities and resources, as well as the services it operates, provides, receives and maintains, do not pose any information security risks with a potential impact on aviation safety either to itself or to other organisations, the existing risk assessment methodology according to ISO/IEC 27001:2022 Chapter 6.1.2 may be used if the methodology is enhanced with a focus on the impact on safety. On the other hand, an existing risk assessment methodology used by the existing safety management system (SMS) could be enhanced by addressing potential information security risks.

In any case, the competent authority responsible for the organisation will determine which process and methodology shall be used.

This demonstration has to be at least verified and reassessed at regular intervals and as a mandatory part of the organisation’s change process. In case of any doubt about the conclusion, the appropriate civil aviation authority must be contacted.

IS.I.OR.205(a)

Related ISO/IEC 27001:2022 clauses and controls

4.3 Determining the scope of the information security management system

6.1.2 Information security risk assessment

Part-IS particularity

This requirement of Part-IS is in line with ISO/IEC 27001:2022, however ISO/IEC 27001:2022 allows a wider focus, whereas Part-IS puts the focus on safety already from the element’s identification stage.

In addition, all of the delegated and implementing acts for the specific domains require a risk assessment process, where information security can be integrated.

Guidance on Part-IS implementation

AMC1 IS.I.OR.205(a) explains that when conducting an information security risk assessment, the organisation should ensure that each relevant aviation safety impact is identified and included in the ISMS scope, which might not be the case when using ISO/IEC 27001:2022.

On the other hand, an ISO/IEC 27001:2022 ISMS focuses its security risk assessment mainly on the business impact of infringement on confidentiality, integrity and availability, their risks and the impact on assets (e.g. loss of IT infrastructure, breach of data).

This means that, starting from an ISMS based on ISO/IEC 27001:2022, a complementary analysis has to be made to take into account all the elements related to aviation safety.

To bridge the two approaches of management systems (SMS and ISMS), an identified information security risk may be entered as a ‘cause’ or ‘contributing event’ in the aviation-safety-focused risk assessment required by the domain-specific implementing or delegated act. The figure in GM1 IS.I.OR.205(c) provides a good indication of how this bridge could be built.

IS.I.OR.205(b)

Related ISO/IEC 27001:2022 clauses and controls

4.1 Understanding the organisation and its context

4.3 Determining the scope of the information security management system

A5.19 Information security in supplier relationships

A5.21 Managing information security in the information and communication technology (ICT) supply chain

Part-IS particularity

Point IS.I.OR.205(b) focuses on the identification of interfaces with the other organisations. ISO/IEC 27001:2022 4.3 requires considering in point c) the interfaces at and dependencies between activities performed by the organisation and those that are performed by other organisations. So, there is more in Part-IS than that required by ISO/IEC 27001:2022, provided that the scope considered includes safety, as required by point IS.I.OR.205(a).

Controls A5.19 and A5.21 are a profound foundation for the requirements of point IS.I.OR.205(b).

Guidance on Part-IS implementation

ISO/IEC 27001:2022 A5.19 requires the identification of risks associated with the use of suppliers’ products or services. ISO 27002 A5.19 contains additional guidance in points f) to j) on how to manage the risk exposure.

ISO/IEC 27001:2022 A5.21 requires the management of information security risks associated with the ICT products and services supply chain. ISO 27002 A5.21 contains additional guidance in points f), k), l) and m) on how to manage risks through the supply chain.

The Part-IS notion about interfaces and supply chain goes beyond the respective ISO/IEC 27001:2022 notion. GM1 IS.I.OR.205(b) requests interfacing organisations to share information about mutual risk exposure (including all data flows) and urges organisations to use ED-201A for that. Point IS.I.OR.205(c) also requires accounting for information acquired by interfacing organisations, which underlines the two-way nature of the considerations. Particular attention should be paid to the Part-IS intent to protect the so-called functional chains. The notion is that while organisations may protect themselves well enough, interfaces between organisations may pose risks to each chain when not accounted for.

IS.I.OR.205(c)

Related ISO/IEC 27001:2022 clauses and controls

6.1.2 Information security risk assessment

Part-IS particularity

Point IS.I.OR.205(c) is the ‘heart’ of Part-IS. ISO/IEC 27001:2022 6.1.2 opens a ‘framework’ where the requirements of point IS.I.OR.205 may fit in.

It has to be assured that the risk management systems of the ISMS and those required by the SMS regulations (see point IS.I.OR.205(a)) do NOT operate independently, as there might be difficulties in connecting the two systems.

Guidance on Part-IS implementation

Further to this provision, a proper risk assessment has to be made, taking into account the scope and interfaces described in points IS.I.OR.205(a) and IS.I.OR.205(b). It has to be noted (see also GM1 IS.I.OR.205(c)) that point IS.I.OR.205 does not require the use of any specific information security risk assessment framework, such as ISO 31000, NIST or others, to develop the risk assessment. ISO/IEC 27001:2022 tends to lean towards using ISO 27005 as a risk assessment standard; however, it does not make it mandatory. The key point is that the risk assessment carried out in the application of ISO/IEC 27001:2022 6.1.2 does not necessarily consider safety risks, and may focus on different types of risks.

With respect to safety, conditions that may lead to safety consequences are identified as hazards. Their materialisation may be either directly triggered or caused by information security threats which have not been successfully prevented. Information security can thus cause or contribute to a safety consequence in four different ways:

(1) it can act as a safety threat;

(2) it can have a negative effect on a safety barrier, rendering it less effective than before;

(3) it can directly trigger the materialisation of an already identified hazard; or

(4) it can constitute a new, not yet identified, hazard, which can obviously also materialise.

By using e.g. the ‘bow-tie method’ regarding information security, a ‘hazard’ would be replaced by a ‘vulnerability’, which can be exploited, resulting in information security consequences (e.g. lack or reduction of confidentiality, integrity, availability, authenticity properties). Hence, from a methodology perspective, both considerations are very similar and can be designed to interact (e.g. consequences of the information security bow-tie may connect as causes of the ‘safety bow-tie’).

Guidance on organisations that are NOT required to operate an SMS, including safety risk management

Any ISO/IEC 27001:2022 risk assessment has to be reviewed and revised by introducing safety impact (consequence) considerations.

Any risk matrix stemming from an ISO/IEC 27001:2022 6.1.2 risk assessment is acceptable, provided that it includes safety impacts (consequences), and the results remain within the limitations of ICAO Annex 19. If two different risk assessment schemes are used, they need to be linked accordingly.

Guidance on organisations that are required to operate an SMS, including safety risk management

In most of the cases, where an organisation is subject to the domain-specific implementing or delegated acts for SMS and operates an ISMS under voluntary compliance with ISO/IEC 27001:2022, it may operate two risk management systems, one for safety under the oversight of a competent authority, and one for information security. The latter may ultimately be certified by an ISO/IEC 27001:2022 accredited body.

Each potential risk identified by the ISMS risk management has to be systematically assessed for its potential impact on safety. To establish the connection between the systems, the following approach should be used:

(1) If a safety risk assessment is available, it should be able to provide its context and determined target likelihoods for acceptable information security risks to the information security risk assessment process. The context consists of the system architecture, including its preventative and mitigative barriers, the hazards assessed and the safety risks identified. Based upon the information provided, the information security risk assessment can be conducted. Modifications to the system architecture, or any modifications of properties of the preventative or mitigative barriers, as well as the achieved risk properties, need to be communicated back to the safety risk assessment process. Based upon this communication, the safety risk assessment has to be updated. In other words: mitigation measures put in place as a result of the information security risk assessment should also be considered, as they may not only mitigate, but possibly also create a negative safety impact.

(2) If a safety risk assessment is available, but the information security assessment process identifies a new hazard that was previously unknown to the safety risk assessment, a full hazard assessment of all safety aspects has to be conducted to ensure that the safety risk assessment contains the ‘full picture’ of the newly addressed hazard.

(3) The safety risk and the information security risk assessments need to be repeated as described above until all acceptability requirements for all aspects are met.

IS.I.OR.205(d)

Related ISO/IEC 27001:2022 clauses and controls

6.3 Planning of changes

8.2 Information security risk assessment

Part-IS particularity

Point IS.I.OR.205(d) is about the subsequent changes to the original risk assessment, due to a change of context or interfaces or knowledge about the risks or lessons learnt. This is equivalent to ISO/IEC 27001:2022 8.2. In both frameworks the reviews are planned and documented.

Guidance on Part-IS implementation

The same process as that already in place in an ISO/IEC 27001:2022 context can be used to implement point IS.I.OR.205(d), provided that this process has been updated to include safety criteria evaluation of changes that trigger an unplanned update of the risk assessment.

Those organisations that have most experienced risk assessment updates at planned intervals will need to be proactive to trigger such updates more often in the situations listed in points IS.I.OR.205(d) (1), (2), (3), and (4) that could affect safety.

The triggering criteria and the process should be documented and tested before implementation, for example through table-top exercises.

The change management process is key to keep a management system in a solid and stable condition. Considering an established ISMS according to ISO/IEC 27001:2022, the regular updates of the risk assessment based on changes and lessons learned should be effective. The essential focus, introduced by Part-IS, is the ‘impact on safety’, which drives the update assessment. Change management processes focusing on changes that may have impact on safety are also set out in all domain-specific implementing and delegated acts.

Without the ‘bridge’ of Part-IS, both systems (ISMS and SMS) are implemented independently, often without considering interdependencies. Part-IS implies the need (and provides the opportunity) to interlink the systems to provide a common risk picture for the organisation, with a focus on safety, but also opening the horizon to information security.

IS.I.OR.205(e)

Related ISO/IEC 27001:2022 clauses and controls

6.1.2 Information security risk assessment

Part-IS particularity

This Part-IS requirement is specific to organisations required to comply with Subpart C of Annex III (Part-ATM/ANS.OR) to Regulation (EU) 2017/373.

Guidance on Part-IS implementation

Those organisations falling under Subpart C of Annex III (Part-ATM/ANS.OR) to Regulation (EU) 2017/373 which operate an ISO/IEC 27001:2022-conformant management system use the safety support assessment instead of the information security risk assessment required in point IS.I.OR.205(c).

IS.I.OR.210(a)

Related ISO/IEC 27001:2022 clauses and controls

6.1.3 Information security risk treatment

8.3 Information security risk treatment

Part-IS particularity

Point IS.I.OR.210(a) is about information security risk treatment, which is widely covered by ISO/IEC 27001:2022, its Appendix A, and ISO/IEC 27002. Point IS.I.OR.210(a) provides however some additional inputs related to the risks that may have a safety impact.

Guidance on Part-IS implementation

ISO/IEC 27001:2022 6.1.3 is about the definition of the risk treatment plan, while ISO/IEC 27001:2022 8.3 deals with the implementation of the plan, and both are relevant.

ISO/IEC 27001:2022 Annex A contains a list of possible information security controls, and therefore should also be used, in addition to the already existing controls, to mitigate information security risks having an impact on safety. All the controls of Annex A are detailed in ISO/IEC 27002.

Point IS.I.OR.210(a) specifies that the measures selected in the plan have to reduce the consequences on aviation safety associated with the materialisation of the threat scenario. This is in line with point IS.I.OR.205 since the risk treatment phase is a consequence of the risk assessment phase and has to address all the risks that have been evaluated.

Point IS.I.OR.210(a) also stipulates that those (protection) measures shall not introduce any new potential unacceptable risks to aviation safety.

This is an area that is not directly covered by either ISO/IEC 27001:2022 or ISO/IEC 27002. The requirement addresses the so-called ‘side effects’ when introducing measures into a system (a well-known issue in software development which is also very relevant for information security measures). Preventive or mitigative measures specifically (e.g. physical security, access control) could lead to unintended side effects.

Also, the risk treatment of the identified risks should focus on addressing safety via the same linkage/integration of ISMS and safety management.

IS.I.OR.210(b)

Related ISO/IEC 27001:2022 clauses and controls

6.1.3.f Information security risk treatment

7.3 Awareness

9.3 Management review

A5.19 Information security in supplier relationships

A5.21 Managing information security in the ICT supply chain

Part-IS particularity

Point IS.I.OR.210(b) requires key personnel in the organisation to be informed about the risks, the corresponding threat scenarios and the security risk treatment measures, which result in specific controls covered by Annex A to ISO/IEC 27001:2022 and ISO/IEC 27002. ISO/IEC 27001:2022 partially covers point IS.I.OR.210(b) through the following requirement: obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.

Point IS.I.OR.210(b) has two specific requirements that also have equivalent requirements in ISO/IEC 27001:2022 and ISO/IEC 27002:

Inform the accountable manager or the head of the design organisation of the risk treatment plan — which is a mandatory input to the management review.

Inform the interfacing entities (the same as in point IS.I.OR.205(b)) of all risks shared with them — which is stated in A5.19 Guidance point l).

Guidance on Part-IS implementation

In addition to the risk owner’s approval requested by ISO/IEC 27001:2022 6.1.3.f, the organisation will need to inform:

the accountable manager or the head of the design organisation of the risk treatment plan. ISO/IEC 27001:2022 9.3 f) defines ‘results of risk assessment and status of risk treatment plan’ as mandatory input for the management review, which is the vehicle to inform the accountable managers/heads of the design organisation;

the interfacing entities (the same as in point IS.I.OR.205(b)) of all risks shared with them. ISO/IEC 27002 A5.21 states in point f) ‘defining rules for sharing of information and any potential issues and compromises between the organisations’. GM1 IS.I.OR.205(b) and ED-201A may also be used as guidance on risk sharing.

IS.I.OR.215(a)

Related ISO/IEC 27001:2022 clauses and controls

A5.24 Information security incident management planning and preparation

A6.8 Information security event reporting

Part-IS particularity

Fully covered by the requirements of A5.24 and A6.8. However, the linkage to the external reporting scheme for the incidents with relation to safety (unsafe conditions) has to be established.

Guidance on Part-IS implementation

The linkage to the external reporting scheme for the incidents with relation to safety could be described under A5.5 (contact with authorities) in the ISO structure.

IS.I.OR.215(b)

Related ISO/IEC 27001:2022 clauses and controls

A5.25 Assessment and decision on information security events

A5.26 Response to information security incidents

A5.27 Learning from information security incidents

A5.28 Collection of evidence

A8.8 Management of technical vulnerabilities

Part-IS particularity

Fully covered by the requirements from A5.25 to A5.28 and A8.8 with a need to focus on safety impacts.

Guidance on Part-IS implementation

The requirements of controls A8.8, A5.25 to A5.28 and the guidance in ISO/IEC 27002:2022 are comprehensive to fulfil the requirements of point IS.I.OR.215(b).

In accordance with point IS.I.OR.215(b)(1), the impact on safety always needs to be assessed specifically.

AMC1 IS.I.OR.215(a)&(b) has to be also considered.

IS.I.OR.215(c)

Related ISO/IEC 27001:2022 clauses and controls

A5.19 Information security in supplier relationships

A5.20 Addressing information security within supplier agreements

A5.21 Managing information security in the information and communication technology (ICT) supply chain

Part-IS particularity

To be covered under the procedures according to A5.19 and A5.21, as well as under the agreements according to A5.20.

Guidance on Part-IS implementation

However, this depends on whether the supplier is also subject to Part-IS or not. In the latter case, the external reporting shall be done by the contracting organisation. GM1 IS.I.OR.215(c) provides guidance on the relationship with contracted organisations.

IS.I.OR.215(d)

Related ISO/IEC 27001:2022 clauses and controls

A5.6 Contact with special interest groups

A5.20 Addressing information security within supplier agreements

A5.21 Managing information security in the information and communication technology (ICT) supply chain

A5.28 Collection of evidence

Part-IS particularity

The requirements of controls A5.20, A5.21 and A5.28 and the guidance in ISO/IEC 27002:2022 are comprehensive to fulfil the requirements of point IS.I.OR.215(d) in terms of process, but Part-IS will require cooperation with a broader range of organisations.

Guidance on Part-IS implementation

As ISO/IEC 27001:2022 only focuses on the supply chain and Part-IS requires a broader focus, the process needs to be extended to cover other relevant stakeholders. This may be covered under A5.6. Nevertheless, ISO/IEC 27002 A5.19 has a clear statement under point (i) of the guidance.

See also the cooperation in accordance with point IS.I.OR.205(c).

IS.I.OR.215(d)

Related ISO/IEC 27001:2022 clauses and controls

A5.24 Information security incident management planning and preparation

A6.8 Information security event reporting

Part-IS particularity

Fully covered by the requirements of A5.24 and A6.8.

Guidance on Part-IS implementation

However, the linkage to the external reporting scheme for the incidents with relation to safety (unsafe conditions) shall be established. This could be described under A5.5 (contact with authorities) in the ISO structure.

IS.I.OR.220(a)

Related ISO/IEC 27001:2022 clauses and controls

A5.24 Information security incident management planning and preparation

A5.25 Assessment and decision on information security events

A5.26 Response to information security incidents

A5.27 Learning from information security incidents

A5.28 Collection of evidence

A5.29 Information security during disruption

A7.5 Physical security monitoring

A8.16 Monitoring activities

Part-IS particularity

Fully covered by the requirements of A5.24 to A5.29, and A7.5 for physical security and A8.16 for technical monitoring.

Guidance on Part-IS implementation

The requirements of the controls (both reactive and proactive) mentioned above and the guidance in ISO/IEC 27002:2022 are comprehensive to fulfil the requirements of point IS.I.OR.220(a).

Again, the impact on safety needs to be assessed, and measures shall be taken to ensure safety. Part-IS refers to ‘unsafe conditions’, which have to be mitigated to an acceptable level. A re-assessment of risks that are related to incidents that have occurred or to a vulnerability that has been identified is mandatory in Part-IS to ensure that no risk becomes unacceptable.

Note: Due to historical reasons, information security and safety management use different wording when referring to situations which are more or less the same. The term ‘incident’ is used in a similar way (an event which already happened and infringes safety/security). A vulnerability in the sense of information security could be mapped to the term ‘hazard’ in the area of safety (a situation identified, which is possible to happen, but has not happened so far).

IS.I.OR.220(b)

Related ISO/IEC 27001:2022 clauses and controls

A5.26 Response to information security incidents

A5.29 Information security during disruption

A7.5 Physical security monitoring

A8.8 Management of technical vulnerabilities

Part-IS particularity

Fully covered by the requirements of A5.26 and A5.29.

Guidance on Part-IS implementation

The requirements of control A5.26 and the guidance in ISO/IEC 27002:2022 are comprehensive to fulfil the requirements of point IS.I.OR.220(b).

IS.I.OR.220(c)

Related ISO/IEC 27001:2022 clauses and controls

A5.26 Response to information security incidents

A5.29 Information security during disruption

Part-IS particularity

This requirement is covered by the requirements of A5.26 and A5.29, with the difference that the recovery here is not intended to continuously ensure confidentiality, integrity and availability; instead, it is intended to maintain or return to an acceptable level of safety.

In addition, some domain-specific implementing and delegated acts of Regulation (EU) 2018/1139 (e.g. points ARO.GEN.200, ATM/ANS.OR.A.070, ADR.OR.B.070) require emergency response planning and/or contingency planning, where information security should be integrated.

Guidance on Part-IS implementation

Coupled with the requirements of controls A5.26 and A5.28 and the guidance in ISO/IEC 27002:2022, AMC1 IS.I.OR.220(c) should be applied in order to revert as quickly as possible to a safe state.

IS.I.OR.225

Related ISO/IEC 27001:2022 clauses and controls

10.2 Non-conformity and corrective action

Part-IS particularity

This requirement has no specific counterpart in ISO/IEC 27001:2022.

Guidance on Part-IS implementation

This issue is not covered by the requirements of ISO/IEC 27001:2022, so it is not possible to adapt existing policies and procedures under ISO/IEC 27001:2022 for this requirement. To ensure compliance with this requirement, please refer exclusively to the related AMC and GM.

IS.I.OR.230

Related ISO/IEC 27001:2022 clauses and controls

A5.5 Contact with authorities

Part-IS particularity

This requirement is not directly addressed in ISO/IEC 27001:2022.

Guidance on Part-IS implementation

This issue is not covered by the requirements of ISO/IEC 27001:2022, so it is not possible to adapt existing policies and procedures under ISO/IEC 27001:2022 for this requirement. To ensure compliance with this requirement, please refer exclusively to the related AMC and GM.

The reporting requirement should also be considered if the organisation falls under the NIS 2 Directive.

IS.I.OR.235(a)

Related ISO/IEC 27001:2022 clauses and controls

A5.19 Information security in supplier relationships

A5.21 Managing information security in the information and communication technology (ICT) supply chain

A5.22 Monitoring, review and change management of supplier services

Part-IS particularity

ISO/IEC 27001:2022 controls A5.19, A5.21 and A5.22 may cover this requirement. The difference in the requirements of point IS.I.OR.235 is that they are limited to those activities directly related to the ISMS (e.g. internal audits, consultancy for risk assessments, etc.).

In addition, all domain-specific implementing or delegated acts require procedures to deal with contracted activities in a wider scope, where information security should be integrated.

Guidance on Part-IS implementation

This requirement relates only to ISMS activities (e.g. internal audits, consultancy for risk assessments), not to activities that are not directly related to the ISMS itself (e.g. hardware, software, IT and OT).

The controls in ISO/IEC 27001:2022 do not exclude those kinds of services, but sometimes they will not be in the focus of the organisation.

Therefore, there is no need to establish an independent system for those contractors referred to in point IS.I.OR.235(a). The list of suppliers should be reviewed to ensure that the suppliers providing the services mentioned in point IS.I.OR.235 are covered.

IS.I.OR.235(b)

Related ISO/IEC 27001:2022 clauses and controls

A5.20 Addressing information security within supplier agreements

Part-IS particularity

Access provided to the authority is not covered in ISO/IEC 27001:2022.

Guidance on Part-IS implementation

Organisations subject to Part-IS are required to provide access to the competent authority. If the contracted organisation is approved by an authority of another Member State, the different competent authorities will coordinate on which authority will perform oversight of the organisation according to their authority procedures (e.g. Regulation (EU) No 965/2012, point ARO.GEN.300(e)).

For contracted organisations not subject to Part-IS, GM1 IS.I.OR.235(b) provides the content to be introduced either in the ‘general terms and conditions of trade’ of the contracting organisation, or, if standard general terms and conditions are used (e.g. for COTS products), the content of the GM has to be arranged on a contractual basis (e.g. through a side letter).

AMC1 IS.I.OR.235(b) should be considered in conjunction with ISO/IEC 27001:2022 A5.20.

IS.I.OR.240(a)

IS.I.OR.240(e)

Related ISO/IEC 27001:2022 clauses and controls

5.1 Leadership and commitment

5.3 Organisational roles, responsibilities and authorities

7.1 Resources

A5.2 Information security roles and responsibilities

Part-IS particularity

ISO/IEC 27001:2022 does not require a specific role such as the ‘accountable manager’ or ‘head of the design organisation’.

Guidance on Part-IS implementation

The implementation of the requirements of point IS.I.OR.240(a) can be covered by the implementation of ISO/IEC 27001:2022 requirements mentioned above, provided that the role of accountable manager/head of the design organisation is clearly defined and meets the requirements in point IS.I.OR.240(a).

The requirement of point IS.I.OR.240(a)(3) has to be set in line with the roles in A5.2 (where an accountable manager or the head of the design organisation is not envisaged). However, the measures in A6.3 should be used to ensure the competency of the accountable manager or the head of the design organisation (point IS.I.OR.240(a)(3)).

IS.I.OR.240(b)

IS.I.OR.240(c)

Related ISO/IEC 27001:2022 clauses and controls

5.3 Organisational roles, responsibilities and authorities

7.1 Resources

A5.2 Information security roles and responsibilities

A5.3 Segregation of duties

Part-IS particularity

This requirement is not directly addressed in ISO/IEC 27001:2022.

Guidance on Part-IS implementation

The implementation of the requirements of A5.2 and A5.3 should be used as a basis to fulfil the provisions of points IS.I.OR.240(b) and (c), but some adaptation may be needed.

This issue is covered in A5.2, but A5.3 may also be applicable. In addition, similar requirements for the ‘safety roles’ are laid down in the domain-specific ‘safety’ implementing or delegated acts of Regulation (EU) 2018/1139.

AMC1 IS.I.OR.240(b) should be considered.

IS.I.OR.240(d)

Related ISO/IEC 27001:2022 clauses and controls

4.3 Determining the scope of the information security management system

A5.2 Information security roles and responsibilities

A5.3 Segregation of duties

Part-IS particularity

The implementation of the requirements of A5.2 and A5.3, as well as the guidance of ISO/IEC 27002, allows the delegation of responsibility within organisations.

Guidance on Part-IS implementation

This option might be useful for large organisations or groups, where the ISMS is implemented as an ‘umbrella function’ over a group of organisations, where not all of them are subject to Part-IS.

The implementation of a ‘group CISO’ or an enterprise-wide ISMS could make use of this option in Part-IS.

Nevertheless, the common responsible person has to fulfil the competency requirements of point IS.I.OR.240(a)(3). This might be relevant in cases where the other activities of the organisation or group are not related to aviation.

IS.I.OR.240(f)

Related ISO/IEC 27001:2022 clauses and controls

7.1 Resources

Part-IS particularity

The requirements of 7.1 should be implemented.

Guidance on Part-IS implementation

A systematic capacity planning of human resources is a key element of any management system. Therefore, such a process should be established in an ISMS. The possible additional requirement stemming from Part-IS has to be assessed, and the capacity planning updated accordingly.

The targeted safety levels set in the safety/information security assessment should never be jeopardised by a lack of resources, even temporarily.

AMC1 IS.I.OR.240(f) should be considered.

IS.I.OR.240(g)

Related ISO/IEC 27001:2022 clauses and controls

7.2 Competency

A6.3 Information security awareness, education and training

Part-IS particularity

The implementation of the requirements of 7.2 and A6.3 is sufficient to cover the requirement.

Guidance on Part-IS implementation

A systematic competency management process of staff is a key element of any management system. Therefore, such a process should be established in an ISMS. The possible additional requirement stemming from Part-IS has to be assessed and the competency requirements updated accordingly.

AMC1 IS.I.OR.240(g) should be considered.

IS.I.OR.240(h)

Related ISO/IEC 27001:2022 clauses and controls

A6.2 Terms and conditions of employment

Part-IS particularity

The implementation of the requirements of A6.2 with some adaptation would be sufficient to cover the provision of point IS.I.OR.240(h).

Guidance on Part-IS implementation

Point IS.I.OR.240(h) is (at least partially) covered by ISO/IEC 27001:2022 A6.2 ‘The employment contractual agreements should state the personnel’s and the organisation’s responsibilities for information security.’ and A6.4 ‘disciplinary process’ (see ‘Just Culture’).

It depends on the organisational culture and on whether job descriptions or role assignments need to be formally acknowledged. In many organisations, the assigned jobs and roles are mutually acknowledged by performing the tasks assigned.

IS.I.OR.240(i)

Related ISO/IEC 27001:2022 clauses and controls

A5.19 Information security in supplier relationships

A6.1 Screening

A7.2 Physical entry

A8.3 Information access restriction

A8.5 Secure authentication

Part-IS particularity

The implementation of the requirements of A5.19, A6.1, A7.2, A8.3 and A8.5 might be sufficient controls to cover this requirement for the personnel of the organisation, as well as for contractors and suppliers.

Guidance on Part-IS implementation

All the controls established in an ISO/IEC 27001:2022-compliant ISMS are designed to ensure the confidentiality and integrity of information. The implementation of those controls will provide sufficient protection to ensure compliance with this requirement.

AMC1 IS.I.OR.240(i) should be considered.

IS.I.OR.245(a)

Related ISO/IEC 27001:2022 clauses and controls

7.5 Documented information

A5.9 Inventory of information and other associated assets

A5.13 Labelling of information

A8.10 Information deletion

A8.13 Information backup

Part-IS particularity

Record-keeping and retention are an inherent part of the document control system under 7.5 of ISO/IEC 27001:2022. Controls A5.9, A5.13, A8.10 and A8.13 also apply.

Guidance on Part-IS implementation

Chapter 7.5.1 b) states that the ISMS has to include ‘documented information determined by the organisation as being necessary for the effectiveness of the information security management system.’ This includes the records defined in point IS.I.OR.245(a)(1). Chapter 7.5.3 requires, under f), also document control for retention and disposition. Part-IS requirements have to be integrated into the existing system, especially the minimum duration of record-keeping of five years.

The minimum set of records, as defined in point IS.I.OR.245(a)(1) should be covered in the inventory of assets. For the coverage, the content of GM1 IS.I.OR.245 also applies.

As records are not only information assets, the requested ‘record retention policy’ may be integrated into a wider policy as recommended by ISO/IEC 27002:2022 above.

AMC1 IS.I.OR.245(a)(1)(vi)&(a)(5) should be implemented.

IS.I.OR.245(b)

Related ISO/IEC 27001:2022 clauses and controls

7.5 Documented information

A5.9 Inventory of information and other associated assets

A5.10 Acceptable use of information and other associated assets

A5.13 Labelling of information

A5.34 Privacy and protection of personal identifiable information (PII)

A8.10 Information deletion

A8.13 Information backup

Part-IS particularity

Record-keeping and retention are an inherent part of the document control system under 7.5 of ISO/IEC 27001:2022. Controls A5.9, A5.13, A8.10 and A8.13 will also apply and, due to GDPR issues specifically, also A5.10 and A5.34.

Guidance on Part-IS implementation

Chapter 7.5.1 b) states that the ISMS has to include ‘documented information determined by the organisation as being necessary for the effectiveness of the information security management system.’ This includes the records defined in point IS.I.OR.245(a)(1). Chapter 7.5.3 requires, under f), also document control for retention and disposition. Part-IS requirements have to be integrated into the existing system, especially the minimum duration of record-keeping of five years.

However, whereas there is no retention duration specified in ISO/IEC 27001:2022, point IS.I.OR.245(a) specifies three years after the person has left the organisation.

As these records fall under the GDPR Regulation, each organisation has to ensure that they are handled accordingly. It is recommended that the procedures are used not only for records related to ISMS, but also for the entire HR personnel files of the staff.

IS.I.OR.245(c)

Related ISO/IEC 27001:2022 clauses and controls

7.5 Documented information

A5.13 Labelling of information

Part-IS particularity

Record-keeping and retention are an inherent part of the document control system under 7.5 of ISO/IEC 27001:2022 as well as control A5.13.

Guidance on Part-IS implementation

Chapter 7.5.3, under a), requires for the information that ‘it is available and suitable for use, where and when it is needed’. Part-IS requirements have to be integrated into the existing system.

ISO/IEC 27002:2022 A5.13 states ‘Procedures for information labelling should cover information and other associated assets in all formats.’; therefore, the Part-IS requirement is fulfilled with control A5.13.

A series of AMC material to the implementing and delegated acts regarding safety (e.g. AMC1 ARA.GEN.220(a), AMC1 145.A.55) also covers this issue.

IS.I.OR.245(d)

Related ISO/IEC 27001:2022 clauses and controls

7.5 Documented information

A5.10 Acceptable use of information and other associated assets

A5.12 Classification of information

A5.33 Protection of records

A8.12 Data leakage prevention

Part-IS particularity

Record-keeping and retention are an inherent part of the document control system under 7.5 of ISO/IEC 27001:2022. Controls A5.10, A5.12, A5.33 and A8.12 will also apply.

Guidance on Part-IS implementation

Chapter 7.5.3, under d), requires ‘storage and preservation, including the preservation of legibility’. Part-IS requirements have to be integrated into the existing system.

The application of A5.33 and A8.12 has a strong relationship to A7.5 (Protecting against physical and environmental threats), A7.10 (Storage media), A8.3 (Information access restriction), A8.13 (Information backup), A8.14 (Redundancy of information processing facilities), A8.15 (Logging), A8.17 (Clock synchronization) and A8.24 (Use of cryptography).

IS.I.OR.250(a)

Related ISO/IEC 27001:2022 clauses and controls

7.5 Documented information

A5.13 Labelling of information

Part-IS particularity

Document control is an inherent part of the ISMS under 7.5 of ISO/IEC 27001:2022. Control A5.13 is also an ‘anchor point’ for this requirement. ISO/IEC 27001:2022 does not specifically request a document called ‘information security management manual’, made available to the authority.

Guidance on Part-IS implementation

Chapter 7.5.1 b) states that the ISMS has to include ‘documented information determined by the organisation as being necessary for the effectiveness of the information security management system’ which will allow the inclusion of the ISMS manual in the documentation.

Part-IS requires a specific ISMS manual (ISMM), made available to the competent authority.

It has to be made clear to the competent authority which set of documented information constitutes the ‘approved manual’. The document ‘statement of applicability’ (SOA), mandatory for all ISO/IEC 27001:2022-certified organisations may be helpful (e.g. by adding an additional column to label specific documents as part of a ‘virtual’ ISMS Manual). GM1 IS.I.OR.250(a) also provides associated guidance.

It has to be ensured that all information listed in point IS.I.OR.250(a) is covered.

IS.I.OR.250(b)

IS.I.OR.250(c)

Related ISO/IEC 27001:2022 clauses and controls

7.5 Documented information

A5.5 Contact with authorities

Part-IS particularity

Document control is an inherent part of the ISMS under 7.5 of ISO/IEC 27001:2022.

Guidance on Part-IS implementation

The use of the same procedure as the one implemented for the ‘safety regulations’ (see above) is recommended also for the approval, update and communication processes with the competent authority.

Many organisations have their documented information available via document management systems (e.g. MS SharePoint). The access of the competent authority to these systems has to be managed in accordance with the rules of any other external access in respect of A5.15, A5.18, A6.6, A7.9, A8.3, A8.7, A8.11, and A8.24.

IS.I.OR.250(d)

Related ISO/IEC 27001:2022 clauses and controls

7.5 Documented information

Part-IS particularity

This possibility of ISMM integration with other expositions or manuals has no specific counterpart in ISO/IEC 27001:2022. However, following the ISO ‘Annex SL’ structure, ISO/IEC 27001:2022 enables an easy integration of other management system standards.

Guidance on Part-IS implementation

There is a tendency in the aviation industry to integrate different management systems, depending on the structure of the organisation.

IS.I.OR.255(a)

Related ISO/IEC 27001:2022 clauses and controls

6.3 Planning of changes

A5.5 Contact with authorities

Part-IS particularity

Change management is an inherent part of the ISMS under 6.3 of ISO/IEC 27001:2022, but there is no provision for approval of a procedure by a competent authority.

Guidance on Part-IS implementation

The use of the same procedure as the one implemented for the ‘safety regulations’ (see above) is recommended also for the approval of changes not requiring prior approval by the competent authority. This procedure should be extended to Part-IS in agreement with the competent authority.

Note:

This recommendation will only work if the competent authority is the authority as laid down in Article 6(1) of Regulation (EU) 2023/203 or Article 5(1) of Regulation (EU) 2022/1645.

WARNING:

An organisation with a derogation approval in accordance with point IS.I.OR.200(e) needs to assess for all changes (also those not requiring prior approval) whether the criteria for the approved derogation are still valid. If not, the change needs the approval of the competent authority/authorities prior to being implemented.

IS.I.OR.255(b)

Related ISO/IEC 27001:2022 clauses and controls

6.3 Planning of changes

A5.5 Contact with authorities

Part-IS particularity

Change management is an inherent part of the ISMS under 6.3 of ISO/IEC 27001:2022. However, ISO/IEC 27001:2022 does not require any kind of approval by a competent authority.

Guidance on Part-IS implementation

The use of the same procedure as the one implemented for the ‘safety regulations’ (see above) is recommended also for the approval of changes in agreement with the competent authority.

Note:

This recommendation will only work if the competent authority is the authority as laid down in Article 6(1) of Regulation (EU) 2023/203 or Article 5(1) of Regulation (EU) 2022/1645.

IS.I.OR.260(a)

Related ISO/IEC 27001:2022 clauses and controls

9.3 Management review

10.1 Continual improvement

A5.35 Independent review of information security

Part-IS particularity

This requirement reflects a combination of requirements 9.3 and 10.1 of ISO/IEC 27001:2022 with references to requirements 4.4 and 5.2. While ISO/IEC 27001:2022 focuses on ISMS suitability, adequacy and effectiveness, point IS.I.OR.260(a) requires also a periodical maturity assessment of the ISMS.

Guidance on Part-IS implementation

ISO/IEC 27001:2022, 4.4 shows a clear requirement (‘shall’) for ISMS maintenance and improvement. The top management has a responsibility for continuous ISMS improvement as per ISO/IEC 27001:2022 5.2(d). The planning section also requires continuous improvement (ISO/IEC 27001:2022 6.1.1(c)).

Point IS.I.OR.260(a) requires an assessment of the effectiveness and maturity of the ISMS on a calendar basis or following an information security incident. This assessment should be performed by using indicators. ISO/IEC 27001:2022 Chapter 9.3.1 defines a very similar approach for the management review process. Chapter 10.1 indicates a more independent process to improve the ISMS. The process in Chapter 10.1 is seen as more of a bottom-up approach, whereas that in Chapter 9.3 is intended to be top-down.

The results from A5.35 should all be used as inputs for continuous improvement.

Point IS.I.OR.260(a) requires also a maturity assessment of the ISMS.

Each organisation should establish which maturity model will be followed and which targeted maturity level is expected to be reached and by when.

For the maturity assessment, point (b) of AMC1 IS.I.OR.260(a) and GM1 IS.I.OR.260(a) provide guidance on how to ensure compliance with point IS.I.OR.260(a).

IS.I.OR.260(b)

Related ISO/IEC 27001:2022 clauses and controls

10.2 Non-conformity and corrective action

A5.7 Threat intelligence

Part-IS particularity

Point IS.I.OR.260(b) addresses the improvement measures, i.e. corrections and corrective actions for the deficiencies detected in point IS.I.OR.260(a) and the continuous improvement process.

This requirement reflects mainly requirement 10.2 of ISO/IEC 27001:2022, even if the term used is ‘non-conformity’, while point IS.I.OR.260(b) uses the term ‘deficiencies’. Deficiency has a broader meaning than non-conformity. It encompasses the case of a targeted maturity level that would not be reached at the planned date; that would be a deficiency but not necessarily a non-conformity.

Guidance on Part-IS implementation

The provisions listed in ISO/IEC 27001:2022 10.2 can be used to take corrective actions, to resolve both non-conformities and maturity level gaps.