What is expected of organisations by the applicability date of the regulation?
The implementation of Part-IS is not a binary process but a continuous one, with different implementation levels to be achieved over time. Organisations are expected to follow the PSOE (Present, Suitable, Operational, Effective) model and to have reached the 'Present' and 'Suitable' levels by the applicability date.
This notion is familiar to organisations that already apply a safety management system (SMS). In short, organisations need:
- to establish the fundamental elements of the information security management system (ISMS);
- to define the personnel roles and responsibilities as well as the scope; and
- to define a security policy, a risk management process as well as change management policies.
Moreover, procedures for incident management and the internal reporting of events are expected to be in place, setting the stage for formalising information security management. Following this, the organisation should progress through the remaining implementation levels, reaching the 'Operational' and then the 'Effective' level.
More information is available in the guidelines on the oversight approach by authorities.
When acting as competent authority, what is EASA's policy for Part-IS oversight while organisations are in the process of achieving the operational Part-IS implementation stage?
The general implementation principles are outlined in the Guidelines for Part-IS oversight approach jointly developed by Member State authorities and EASA in the Part-IS Implementation Task Force.
To further specify the above guidance, EASA, in its role as competent authority (e.g. for organisations located outside the EU Member States), has developed additional implementation guidance documents. These documents are based on the following principles:
EASA has decided to allow organisations under its responsibility an 18-month development phase for the full implementation of Part-IS, i.e. it is acknowledged that organisations will need this time to develop their Information Security Management System from the 'Present' and 'Suitable' levels to a fully 'Operational' level (the PSOE model is used here by analogy with the SMS implementation levels, for clarity and simplification).
The overseen organisations should make the best use of this development period to progress towards the 'Operational' level of implementation. In line with the published implementation guidelines, EASA oversight teams will, to the greatest extent possible, use existing planned oversight activities to verify compliance at the various Part-IS implementation stages.
The graph below illustrates the resulting oversight approach:
Organisations are expected to develop their Part-IS system roughly following the green line.
Further details on the resulting oversight verification are currently under development and will be referenced here as soon as they are available.