Document register | Transpordiamet |
Reference | 1.8-5/25/13276-1 |
Registered | 08.08.2025 |
Synchronised | 11.08.2025 |
Type | Incoming letter |
Function | 1.8 Organisation of international cooperation |
Series | 1.8-5 International correspondence on aviation safety matters: ECAC, ICAO, EASA, Eurocontrol, State Letters |
File | 1.8-5/2025 |
Access restriction | Public |
Addressee | EASA |
Method of receipt/dispatch | EASA |
Responsible | Anastasia Levin (Users, Support Services, Legal Department) |
AMC & GM to Part-IS.AR Issue 1, Amendment 1
Annex to ED Decision 2025/015/R Page 1 of 36
Annex to ED Decision 2025/015/R
‘AMC & GM to Part-IS.AR — Issue 1, Amendment 1’
This document shows deleted, new or amended text as follows:
— deleted text is struck through;
— new or amended text is highlighted in blue;
— an ellipsis ‘[…]’ indicates that the rest of the text is unchanged.
Note to the reader
In amended, and in particular in existing (that is, unchanged) text, ‘Agency’ is used interchangeably with ‘EASA’. The
interchangeable use of these two terms is more apparent in the consolidated versions. Therefore, please note that both terms
refer to the ‘European Union Aviation Safety Agency (EASA)’.
GM1 IS.AR.200 Information security management system (ISMS)
An information security management system (ISMS) is a systematic approach to establish, implement,
operate, monitor, review, maintain and continuously improve the state of information security of an
organisation. Its objective is to protect the information assets, such that the operational and safety
objectives of an organisation can be reached in a risk-aware, effective and efficient manner.
Generally speaking, an ISMS establishes an information security risk management process, based upon
the results of information security impact analyses, which basically determine its scope. If information
security breaches may cause or contribute to aviation safety consequences, information security
requirements need to limit the impact or influence of information security breaches on aviation safety
to levels which are deemed acceptable. Hence, all roles, processes, or information systems,
which may cause or contribute to aviation safety consequences, are within the scope of Regulation
(EU) 2023/203. The ISMS provides for means to decide on needed information security controls for all
architectural layers (governance, business, application, technology, data) and domains (organisational,
human, physical, technical). It further allows the selection, implementation, and operation
of information security controls to be managed. Finally, it allows governance, risk management and
compliance (GRC) to be managed within the ISMS scope.
The overall risk assessment considers safety consequences influenced by information security risks.
These may emerge as threats, hazards, escalation factors that weaken barriers, or direct triggers of
existing hazards. When conducting this assessment, both aspects, information security and safety, need
to be coordinated throughout the process. This ensures mutual understanding of the objectives and
the implementation of preventive measures against all types of threats or weaknesses, as well as
mitigating measures.
The risk management process is thus based on aviation safety risk assessments and derived
information security risk acceptance levels, which are designed to effectively treat and manage
information security risks with a potential impact on aviation safety caused by threats exploiting
vulnerabilities of information assets in aeronautical systems.
Interacting bow-ties are one possible way to give a higher-level and non-exhaustive illustration
of how different disciplines of risk assessment may need to collaborate to establish a common risk
perspective. Figure 1 below, taken from ICAO Doc 10204 ‘Manual on Aviation Information Security’,
illustrates these interactions.
[Figure 1: Bow-tie representation of management of aviation safety risks posed by information
security threats. Diagram labels: Safety Assessment bow-tie (Threat, Safety Hazards, Top Event,
Safety Consequences, Preventative Barriers, Mitigative Barriers, ‘Risk Acceptable? Y/N’, Risk
Treatment); Information Security Assessment bow-tie (Threat, Vulnerability, Information Compromise,
Information Security (IS) Consequences, Preventative Controls, Mitigative Controls, ‘Likelihood
Acceptable? Y/N’, Risk Treatment); overall Risk Assessment. The safety assessment passes ‘context and
target information security compromise likelihood’ to the information security assessment, which
returns ‘achieved information security compromise likelihood, consequences and context’.]
In the drawing, the term ‘context’ in the communication between the safety assessment process (SAP)
and the information security assessment process (ISAP) carries slightly different notions, which need
to be understood and distinguished.
In order to satisfy the safety requirements, the SAP will provide context information, such as:
— the architecture of the systems and the functional descriptions of the elements within the
scope, including those related to the barriers. Systems should be understood as the dynamic
interaction between people, processes, and products, or services;
— all identified relevant safety hazards;
— the top events and their relations (e.g. triggers) to those hazards.
In addition to context information, it provides the target likelihood of the related information security
successful compromise. This target likelihood is commensurate with the safety objectives related to
the severity of the safety consequence. However, it needs to be complemented to include information
about the acceptable level of uncertainty, in order to be able to rely adequately on the results of the
ISAP.
In turn, the ISAP will return context information such as:
— modification to the architecture of the systems and functional descriptions of the elements
modified or added, whether those were safety barriers or other items;
— additional threats;
— potentially additional safety hazards;
— additional direct triggers of hazards;
— additional escalating factors affecting barriers.
In addition to context information, it provides the achieved likelihood of an information security
successful compromise. While this likelihood is consistent with the safety objectives set by the SAP,
the achieved level of uncertainty also needs to be considered.
The interaction between SAP and ISAP is iterative and continues until the safety risk is acceptable, i.e.
the target likelihood of the related information security successful compromise has been achieved.
The interaction can start from safety consequences identified through the SAP that fall within the
scope of the ISMS risk analysis, or from existing information security assessments.
The ISMS in this Regulation should bring together the information security and aviation safety
competencies in most of the processes, including, for instance, identifying critical systems or threats,
and assessing potential impacts on and risks to aviation safety.
ISMS implementation and maintenance
[…]
PART-IS versus ISO/IEC 27001:2022 cross reference table
For a mapping between the main tasks required under Part-IS and the clauses and associated controls
in ISO/IEC 27001:2022, refer to Appendix IV.
GM1 IS.AR.225(c) Personnel requirements
NECESSARY COMPETENCE AND TRAINING PROGRAMME
A training programme should start from the identification of the competence required by the
personnel for each role, followed by the identification of the gaps between the existing competence
and the required one.
In order to develop the list of competencies, a competent authority may use, as initial guidance, an
existing cybersecurity competence framework such as the European e-Competence Framework (e-CF)
or the NICE (National Initiative for Cybersecurity Education) based on the NIST Cybersecurity
Framework (NIST CSF).
In Appendix II, the main tasks of this Regulation are listed and mapped to the competencies derived
from the EU e-CF or, for ease of mapping, to the functions and categories of the NIST CSF. This mapping
may be used to establish a baseline to identify the aforementioned competence gaps. However, it
should be noted that existing cybersecurity/information security competence frameworks such as
the NICE typically focus primarily on the protection of standard information technologies; therefore,
the proposed list of competencies may need to be adapted to the technologies, or integrated with the
processes, used in the organisation.
[…]
GM1 IS.AR.235 Continuous improvement
[…]
Similar provisions for continuous improvement are provided for in other information management
systems such as ISO/IEC 27001 (see Appendix IV to this document).
[…]
Appendix II — Main tasks stemming from the implementation of Part-IS, mapped to the EU e-CF and the NIST CSF 2.0 competencies
Part-IS main task | Activity type (Management, Operational) | Reference (Part-IS) | EU e-CF competence areas & skills | NIST CSF 2.0 functions & categories |
Establish and operate an information security management system (ISMS) | Management | IS.AR.200(a) | ISM (E.08) | GV.OP – IS Governance |
Establish the scope of the ISMS in accordance with Part-IS requirements | Management | IS.AR.205(a) | ISM (E.08) | GV.RM – Risk Management |
Implement and maintain an information security policy | Management | IS.AR.200(a)(1) | ISM (E.08) | GV.OP – IS Governance |
Identify and review information security risks | Management | IS.AR.200(a)(2), IS.AR.205 | ISM (E.08), Risk Management (E.02) | ID.RA – Risk Assessment |
Implement information security risk treatment measures | Management | IS.AR.200(a)(3), IS.AR.210 | ISM (E.08), Risk Management (E.02) | PR.IP – Information Protection Processes |
Implement measures to detect information security events and identify those related to aviation safety | Management | IS.AR.200(a)(4), IS.AR.215 | Incident Management (C.04) | DE.AE – Anomalies and Events |
Monitor compliance with this Regulation and report findings to top management | Operational | IS.AR.200(a)(8) | Compliance (E.09) | GV.RM – Risk Management |
Protect confidentiality of exchanged information | Operational | IS.AR.200(a)(9) | Information Security Management (E.08) | PR.DS – Data Security |
Implement and maintain a continuous improvement process to measure the effectiveness and maturity of the ISMS and strive to improve it | Management | IS.AR.200(b), IS.AR.235 | Information Security Management (E.08) | GV.IA – Improvement and Assessment |
Communicate to the Agency changes regarding capability and responsibilities | Operational | IS.AR.200(a)(10) | Risk Management (E.02), ISM (E.08) | RS.CO – Communications |
Share information to assist other competent authorities, agencies and organisations | Operational | IS.AR.200(a)(11) | Risk Management (E.02), ISM (E.08) | RS.CO – Communications |
Document and maintain all key processes, procedures, roles and responsibilities | Management | IS.AR.200(c) | ISM (E.08), Compliance (E.09) | GV.IA – Improvement and Assessment |
Identify all elements which could be exposed to information security risks | Management | IS.AR.205(a) | Risk Management (E.02) | ID.AM – Asset Management |
Identify the interfaces with other organisations which could result in exposure to information security risks | Management | IS.AR.205(b) | Risk Management (E.02), Business Change Management (E.07) | ID.BE – Business Environment |
Identify information security risks and assign a risk level | Management | IS.AR.205(c) | Risk Management (E.02) | ID.RA – Risk Assessment |
Review and update the risk assessment based on certain criteria | Operational | IS.AR.205(d) | Risk Management (E.02) | GV.RM – Risk Management |
Develop and implement measures to address risks and verify their effectiveness | Operational | IS.AR.210(a) | Risk Management (E.02) | GV.RM – Risk Management |
Communicate the outcome of the risk assessment to management, other personnel and other organisations sharing an interface | Operational | IS.AR.210(b) | Risk Management (E.02), ISM (E.08) | RS.CO – Communications |
Implement measures to detect in processes and operations information security events which may have a potential impact on aviation safety | Operational | IS.AR.215(a) | ISM (E.08) | DE.CM – Security Continuous Monitoring |
Implement measures to respond to information security events that may cause an information security incident | Operational | IS.AR.215(b) | Incident Management (C.04) | RS.RP – Response Planning |
Implement measures to recover from information security incidents | Operational | IS.AR.215(c) | Incident Management (C.04) | RC.RP – Recovery Planning |
Manage risks associated with contracted activities with regard to the management of information security | Management | IS.AR.220 | Supplier Relationship Management (E.10) | GV.RM – Risk Management |
Define a person with the authority to establish and maintain the organisational structures, policies, processes, and procedures necessary to implement this Regulation | Management | IS.AR.225(a) | ISM (E.08), Compliance (E.09) | GV.OP – IS Governance |
Create and maintain a process to ensure that there is sufficient personnel to perform all activities regarding information security management | Management | IS.AR.225(b) | Personnel Development (D.11) | GV.PO – Strategy, Policy, and Oversight |
Create and maintain a process to ensure that the personnel have the necessary competence for activities regarding information security management | Management | IS.AR.225(c) | Personnel Development (D.11) | GV.PO – Strategy, Policy, and Oversight |
Create and maintain a process to ensure that the personnel acknowledge the responsibilities associated with the assigned roles and tasks | Management | IS.AR.225(d) | Personnel Development (D.11) | GV.PO – Strategy, Policy, and Oversight |
Verify the identity and trustworthiness of personnel who have access to information systems | Management | IS.AR.225(e) | ISM (E.08) | PR.AC – Identity Management and Access Control |
Archive, protect and retain records and ensure they are traceable for a specified time | Operational | IS.AR.230 | ISM (E.08), Compliance (E.09) | PR.DS – Data Security |
Regularly assess the effectiveness and maturity of the ISMS | Operational | IS.AR.235(a) | ISM (E.08) | GV.IA – Improvement and Assessment |
Take actions to improve the ISMS if required. Reassess the ISMS elements affected by the implemented measures. | Operational | IS.AR.235(b) | ISM (E.08) | GV.IA – Improvement and Assessment |
Mapping to the NIST CSF Version 1.1 and ISO/IEC 27001 clauses and controls
Part-IS main task | Activity type (Management, Operational) | Reference (Part-IS) | NIST CSF Version 1.1 function and categories | ISO/IEC 27001 clause | ISO/IEC 27001:2013 Annex A control | ISO/IEC 27001:2022 Annex A control |
Establish and operate an information security management system (ISMS) | Management | IS.AR.200(a) | IDENTIFY: ID.RM | 4, 6.1.1 | | |
Establish the scope of the ISMS according to Part-IS requirements | Management | IS.AR.205(a) | IDENTIFY: ID.BE-2, ID.BE-4, ID.AM-5 | 4.3 | | |
Implement and maintain an information security policy | Management | IS.AR.200(a)(1) | IDENTIFY: ID.GV-1 | 5.2 | A5.1 | A5.1 |
Identify and review information security risks | Management | IS.AR.200(a)(2), IS.AR.205 | IDENTIFY: ID.GV-4, ID.RA | 6.1.2, 8.1, 8.2 | | |
Implement security risk treatment measures | Management | IS.AR.200(a)(3), IS.AR.210 | PROTECT: PR.PT | 6.1.3, 8.1, 8.3 | | |
Implement measures to detect information security events and identify those related to aviation safety | Management | IS.AR.200(a)(4), IS.AR.215 | DETECT: DE.AE-3, DE.CM-1, DE.CM-2, DE.CM-3 | | A11.1.2, A12.4.1, A12.4.3, A16.1.7 | A7.2, A8.15, A5.28 |
Monitor compliance with this Regulation and report findings to top management | Operational | IS.AR.200(a)(8) | IDENTIFY: ID.GV-3 | 9.2 | A18.2.1, A18.2.2 | A5.35, A5.36 |
Protect confidentiality of exchanged information | Operational | IS.AR.200(a)(9) | PROTECT: PR.DS-1, PR.DS-2 | | A8.2.2, A13.2 | A5.13, A5.14 |
Communicate to the Agency changes regarding capability and responsibilities | Operational | IS.AR.200(a)(10) | | | A6.1.3 | A5.5 |
Share information to assist other competent authorities, agencies and organisations | Operational | IS.AR.200(a)(11) | IDENTIFY: ID.RA-2, ID.BE-2; PROTECT: PR.IP-8; RESPOND: RS.CO-3, RS.CO-5 | | A6.1.4 | A5.6 |
Implement and maintain a continuous improvement process to measure the effectiveness and maturity of the ISMS and strive to improve it | Management | IS.AR.200(b), IS.AR.235 | IDENTIFY: ID.RA-6, ID.SC-4; PROTECT: PR.IP-7, PR.IP-10; DETECT: DE.DP-5; RESPOND: RS.MI-3, RS.IM-2; RECOVER: RC.IM-2 | 4.4, 9.1, 9.3, 10.1, 10.2 | A5.1.2, A16.1.7, A17.1.3, A18.2.1 | A5.1, A5.28, A5.29, A5.35 |
Document and maintain all key processes, procedures, roles and responsibilities | Management | IS.AR.200(c) | IDENTIFY: ID.AM-6, ID.GV-4, ID.RM-1, ID.SC-1, ID.SC-2; PROTECT: PR.AT-2, PR.AT-4, PR.AT-5, PR.IP-12; DETECT: DE.DP-1; RESPOND: RS.CO-1, RS.AN-5 | 4.2, 5.2, 5.3 | A5.1, A6.1.1 | A5.1, A5.2 |
Identify all elements which could be exposed to information security risks | Management | IS.AR.205(a) | IDENTIFY: ID.AM-1, ID.AM-2, ID.AM-4, ID.AM-5 | 4.3 | A8.1.1 | A5.9 |
Identify the interfaces with other organisations which could result in exposure to information security risks | Management | IS.AR.205(b) | IDENTIFY: ID.BE-1, ID.BE-2, ID.BE-4, ID.BE-5 | 4.3 | | |
Identify information security risks and assign a risk level | Management | IS.AR.205(c) | IDENTIFY: ID.RA-1, ID.RA-2, ID.RA-3, ID.RA-4, ID.RA-5 | 6.1.2 | | |
Review and update the risk assessment based on certain criteria | Operational | IS.AR.205(d) | IDENTIFY: ID.RM | 8.2 | | A5.7 |
Develop and implement measures to address risks and verify their effectiveness | Operational | IS.AR.210(a) | PROTECT: PR.IP, PR.PT | 6.1.3, 8.3 | | |
Communicate the outcome of the risk assessment to management, other personnel and other organisations sharing an interface | Operational | IS.AR.210(b) | IDENTIFY: ID.AM-3, ID.BE-1, ID.BE-2, ID.BE-4, ID.RM-3, ID.SC-3; PROTECT: PR.IP-7; DETECT: DE.AE-2, DE.AE-3, DE.AE-5 | 8.1 | | |
Implement measures to detect in processes and operations information security events which may have a potential impact on aviation safety | Operational | IS.AR.215(a) | DETECT: DE.AE, DE.CM, DE.DP; PROTECT: PR.PT-1 | | A11.1.2, A12.4.1, A12.6.1, A16.1.1, A16.1.2, A16.1.3, A16.1.4, A16.1.5 | A7.2, A8.8, A8.15, A8.16, A5.24, A5.25, A5.26, A6.8 |
Implement measures to respond to information security events that may cause a security incident | Operational | IS.AR.215(b) | RESPOND: RS.RP, RS.AN, RS.MI | | A16.1.5 | A5.26 |
Implement measures to recover from information security incidents | Operational | IS.AR.215(c) | RECOVER: RC.RP-1, RC.IM-1 | | A16.1.5, A16.1.6 | A5.26, A5.27 |
Manage risks associated with contracted activities with regard to the management of information security | Management | IS.AR.220 | IDENTIFY: ID.SC-1, ID.SC-2 | | A15.1, A15.2 | A5.19, A5.20, A5.21, A5.22 |
Define a person with the authority to establish and maintain the organisational structures, policies, processes, and procedures necessary to implement this Regulation | Management | IS.AR.225(a) | IDENTIFY: ID.AM-6 | 7.1 | A6.1.1 | A5.2 |
Create and maintain a process to ensure that there is sufficient personnel to perform all activities regarding information security management | Management | IS.AR.225(b) | IDENTIFY: ID.AM-5, ID.AM-6, ID.GV-2 | 7.1 | A6.1.1 | A5.2 |
Create and maintain a process to ensure that the personnel have the necessary competence for activities regarding information security management | Management | IS.AR.225(c) | IDENTIFY: ID.AM-5, ID.AM-6; PROTECT: PR.AT-1 | 7.2 | A7.2.2 | A6.3 |
Create and maintain a process to ensure that the personnel acknowledge the responsibilities associated with the assigned roles and tasks | Management | IS.AR.225(d) | IDENTIFY: ID.GV-2, ID.GV-3 | 7.3, 7.4 | A7.1.2 | A6.2 |
Verify the identity and trustworthiness of personnel who have access to information systems | Management | IS.AR.225(e) | PROTECT: PR.AC-6, PR.IP-11 | 7.1 | A7.1.1 | A6.1 |
Archive, protect and retain records traceability for a specified time | Operational | IS.AR.230 | IDENTIFY: ID.RA-4; PROTECT: PR.AC-2, PR.AC-3, PR.AC-4, PR.DS-1, PR.DS-4, PR.DS-5, PR.DS-6, PR.IP-4, PR.IP-6, PR.PT-1; RESPOND: RS.CO-2, RS.CO-3, RS.CO-4, RS.CO-5; RECOVER: RC.CO-3 | 7.5 | A8.2.2, A8.2.3, A11.1.3, A11.1.4, A12.1.3, A12.3.1, A12.4.1, A12.4.2, A12.4.3 | A5.10, A5.13, A7.3, A7.5, A8.6, A8.10, A8.13, A8.15 |
Regularly assess the effectiveness and maturity of the ISMS | Operational | IS.AR.235(a) | | 9 | A5.1.2, A12.7.1, A16.1.6 | A5.1, A5.27, A8.34 |
Take actions to improve the ISMS if required. Reassess the implemented measures of the ISMS elements. | Operational | IS.AR.235(b) | | 10 | A5.1.2 | A5.1 |
Appendix III — Examples of aviation services and interfaces
AVIATION SERVICES
The following is a non-exhaustive and non-complete list of aviation services that can be used as a basis
to identify the scope of risk assessment for the organisation:
— aerodrome & ATM-MET service providers
— aeronautical digital mapping services
— aeronautical information management (AIM) – external, national, regional
— airports
— air traffic control (ATC) – external, superior
— air traffic management (ATM)
— approach (APP) & area control (ACC) Services – ER ACC, APP ACC
— cargo and passenger loading
— civil & state airspace user (AU) operations centres
— communication infrastructure
— flight information & traffic information services (FIS/TIS) data integrator
— fuel calculation
— navigation infrastructure – ground-based, satellite-based
— non-ATM meteorological (MET) service providers
— mass & balance calculation
— non-aviation users (external)
— regional & sub-regional airspace management (ASM) and air traffic flow & capacity
management (ATFCM)
— static aeronautical data services
— sub-regional demand & capacity balancing (DCB) common service providers
— surveillance infrastructure – airport, en-route, terminal manoeuvring area (TMA)
— route planning
— time reference services (external)
— tower (TWR) services
• aerodrome ATM-MET services provider
• aeronautical digital map service
• AIM (external)
• airport
• APP ACC
• ATC (external)
• ATC superior
• ATM
• ATM-MET services provider
• civil AU operations centre
• communication infrastructure
• ER ACC
• FIS/TIS data integrator
• national AIM
• navigation infrastructure — ground-based
• navigation infrastructure — satellite-based
• non-ATM-MET services provider
• non-aviation users (external)
• regional AIM
• regional ASM
• regional ATFCM
• state AU operations centre
• static aeronautical data service
• sub-regional DCB common service provision
• sub-regional/local ATFCM
• sub-regional/national ASM
• surveillance infrastructure airport
• surveillance infrastructure en-route
• surveillance infrastructure TMA
• time reference (external)
• tower (TWR)
INTERFACES
Below are some examples of data exchange at the interfaces between organisations interacting in
different functional chains, which can be used as a basis for identifying the scope of the risk assessment
for the organisation.
Note 1: These examples are graphical representations based on the ‘Examples of ecosystem data
exchange’ provided in EUROCAE ED-201A, Appendix B - Tables B-14, which can be consulted for
further information.
Note 2: Although it is not an organisation, an aircraft has been included in all these examples for the
sake of completeness of the description of the data exchange. The aircraft should be considered as an
element within the scope of the ISMS of the organisation to which it belongs (typically the airline). Any
data exchange between aircraft and other systems within the organisation should take into account
existing security measures that may have been evaluated as part of aircraft certification (see also GM1
IS.AR.205(c)).
[Figure 1: Interfaces of other organisations with an airline operator. Organisations shown: ATSP,
AISP, METSP, Maintenance, Design and Production, Airport, Airline, Aircraft. Data exchanges shown:
initial flight plan processing system (IFPS); collaborative decision-making (CDM); daily operational
briefing; AIS – NOTAMs; weather forecast and observations / METAR; consolidated maintenance data,
completed checklist with performed activities; operational documentation; software updates; airport
capacity, BPM – luggage treatment state, PHMR identification, recording terminals; AOC data; QAR, FDR
data; centralised maintenance system (CMS), aircraft conditioning management system (ACMS) report.]
[Figure 2: Interfaces of an airline operator with other organisations. Organisations shown: ATC,
METSP, Maintenance, Airline, Airport, Aircraft. Data exchanges shown: IFPS, target take-off time, ATC
flight plan proposal, enhanced tactical flow management, CDM; AIREP encountered weather info; EFB load,
specific SW and configuration, maintenance procedures, request for intervention; airport capacity
needs, boarding pass data, TOBT, airline attendance, PHMR identification, PNR – passenger info, BSM –
luggage data; take-off performance data; meteo data; parking data; NOTAM, chart, QNH, temperature;
weight and balance; AOC data; EFB load.]
[Figure 3: Interfaces of other organisations with a maintenance service provider. Organisations
shown: Design and Production, Airline, Maintenance, Aircraft, Data Base. Data exchanges shown:
accounts & roles management; maintenance procedures; software loads; EFB load, specific SW and
configuration, maintenance procedures, request for intervention; hardware; raw maintenance data;
logistic data.]
[Figure 4: Interfaces of a maintenance service provider with other organisations. Organisations
shown: Design and Production, Airline, Maintenance, Aircraft, Data Base. Data exchanges shown:
logistic data; hardware; software loads; consolidated maintenance data; completed checklist with
performed activities; EFB loads; maintenance requests.]
Appendix IV — Part-IS requirements mapping to ISO/IEC 27001:2022
clauses and controls, and considerations on differences
Although Part-IS does not credit ISO/IEC 27001 certification, the practices and methods typically
adopted for implementing and maintaining an ISMS under ISO/IEC 27000 largely align with the
objectives of this regulation. Therefore, entities that have already implemented an ISMS under ISO/IEC
27001 can use this as a basis for Part-IS compliance.
The following provides guidance on how competent authorities that have already implemented an
ISMS compliant with ISO/IEC 27001:2022 can integrate Part-IS requirements into their existing ISMS.
Specifically, the table below illustrates how to incorporate the ‘Part-IS particularity’ of each
requirement into an existing ISO/IEC 27001-based ISMS in order to achieve Part-IS compliance. This is
referred to as ‘Guidance on Part-IS implementation’.
Part-IS requirement
ISO/IEC 27001:2022 mapping and specific guidance
IS.AR.200(a) Related ISO/IEC 27001:2022 clauses and controls
4. Context of the organisation
6.1.1 Actions to address risks and opportunities - General
Part-IS particularity
An ISMS designed in the context of an ISO/IEC 27001:2022 ISMS, which is currently not connected to the management systems required by the delegated and implementing acts of Regulation (EU) 2018/1139, including Part-IS, may differ if these different systems do not address the same goals. Part-IS focuses on information security requirements meeting the applicable aviation safety objectives, which have an influence on elements of the ISMS. Also, the ‘interested parties’ and the ‘internal and external issues’ as laid down in Chapter 4 of ISO/IEC 27001:2022 may be adapted to address the requirements of Part-IS for the competent authority.
Guidance on Part-IS implementation
Please note that point IS.AR.200 points to many other Part-IS requirements that the ISMS has to comply with, namely points 205, 210, 215, 220, 225, 230 and 235. Further details are provided in the specific chapters on the particular requirement.
Regarding the remaining requirements, which do not point to other Part-IS requirements, and comparing them with ISO/IEC 27001:2022, five requirements are left, namely points IS.AR.200(a)(1), IS.AR.200(a)(8), IS.AR.200(a)(9), IS.AR.200(a)(10) and IS.AR.200(a)(11).
IS.OR.200(a)(1) Related ISO/IEC 27001:2022 clauses and controls
5.2 Policy
A.5.1 Policies for information security
Part-IS particularity
Part-IS requirement
ISO/IEC 27001:2022 mapping and specific guidance
An ISMS designed in the context of an ISO/IEC 27001:2022 ISMS, which is currently not connected to the management systems required by the delegated and implementing acts of Regulation (EU) 2018/1139, may differ as these different systems do often not address the same goals. Part-IS focuses on information security requirements influencing the applicable aviation safety objectives, which in their turn have an influence on the elements of the ISMS.
Guidance on Part-IS implementation
The policy on information security established in an ISO/IEC 27001:2022 context has to be updated with regard to the potential impact of the risks on aviation safety. At least the elements of AMC1 IS.AR.200(a)(1) have to be mentioned in the policy. Therefore, the following elements may need to be added to an existing ISMS policy. The elements in bold and italics are additional guidance that might also be considered.
(a) committing to complying with applicable legislation, considering relevant standards and best practices, including safety- and cybersecurity-related standards and guidance published or prescribed by ICAO or EASA;
(b) setting objectives and performance measures for managing information security, updated to ensure meeting the applicable aviation safety objectives;
(c) defining general principles, activities, processes for the competent authority to appropriately secure information and communication technology systems and data, in relation to the information security / safety risk assessment required by point IS.AR.205;
(d) committing to applying ISMS requirements into the processes of the competent authority;
(e) committing to continually improving towards higher levels of information security process maturity as per point IS.AR.235;
(f) committing to satisfying applicable requirements regarding information security and its proactive and systematic management and to the provision of appropriate resources for its implementation and operation;
(g) assigning information security as one of the essential responsibilities for all managers;
(h) committing to promoting the information security policy through training or awareness sessions within the competent authority to all personnel on a regular basis or upon modifications;
(i) encouraging the implementation of a ‘just-culture’ and the reporting of vulnerabilities, suspicious/anomalous events and/or information security incidents;
(j) committing to communicating the information security policy to all relevant parties, as appropriate.
IS.AR.200(a)(8) Related ISO/IEC 27001:2022 clauses and controls
9.2 Internal audit
9.3 Management review
10.2 Non-conformity and corrective action
A5.36 Compliance with policies, rules and standards for information security
Part-IS particularity
This requirement is strongly related to the internal audit system and the independent checking function of ISO/IEC 27001:2022. The required feedback system to the person referred to in point IS.AR.225(a) fits into the requirement of 9.3.
In addition, all delegated and implementing acts for the specific domains require a similar ‘compliance monitoring function’, where information security should be integrated as described in AMC1 IS.AR.200(a)(8).
Guidance on Part-IS implementation
The requirements of ISO/IEC 27001:2022 and the delegated and implementing acts of Regulation (EU) 2018/1139 are compatible. Therefore, it will be easy to integrate Part-IS into the audit scope of the ISO/IEC 27001:2022 internal audit system.
The role of the person referred to in point IS.AR.225(a) has to be addressed accordingly in the feedback loop if the role is not already addressed in the management review process. This person is required to be personally briefed on the key findings so that appropriate decisions can be made.
Refer also to GM1 IS.AR.200(a)(8).
Note: ISO 19011:2018 provides guidance on the establishment of an internal audit system. Specifically, Chapter A.7 ‘Auditing compliance within a management system’ provides useful guidance on how to integrate a compliance monitoring function into an internal audit system.
IS.AR.200(a)(9) Related ISO/IEC 27001:2022 clauses and controls
7.5.3 Control of documented information (Note)
A5.12 Classification of information
A5.34 Privacy and protection of personal identifiable information (PII)
A8.12 Data leakage prevention
Part-IS particularity
This requirement is limited to ‘information related to oversight activities and received through the organisation’s external reporting scheme’ and to confidentiality. ISO/IEC 27001:2022 does not differentiate between types of information (as laid down e.g. in ISO 9001:2015 Chapter 8.5.3). The only reference is made in the note in Chapter 7.5.3.
Part-IS stresses the protection of information related to oversight activities and of external information received, due to the sensitivity it may have regarding the disclosure of incidents and vulnerabilities. Insufficient confidentiality protection may result in the exploitation of vulnerabilities affecting safety that the original provider of the information may not have perceived.
Guidance on Part-IS implementation
The protection of information, specifically regarding confidentiality (as in ISO/IEC 27002:2022), is related to a set of controls that can be found in Table A.1 (Matrix of controls and attribute values) of ISO/IEC 27002:2022. See also the definition in ISO/IEC 27002:2022:
3.1.7 confidential information
information that is not intended to be made available or disclosed to unauthorized individuals, entities or processes.
The competent authority having implemented these controls should take special care that they apply to external information that may result in information security threats if known by unauthorised actors. When this kind of information is further shared with other entities, appropriate confidentiality procedures must be put in place and followed (TLP marking for instance).
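One way to make the onward-sharing rule of the previous paragraph checkable rather than purely procedural is to attach the TLP marking to each received report and let a small gate decide, per recipient, whether forwarding is allowed. The block below is an added example and is not part of the AMC/GM text or an EASA tool. The marking rules follow the published TLP version 2.0 definitions (TLP:RED, TLP:AMBER+STRICT, TLP:AMBER, TLP:GREEN, TLP:CLEAR, with TLP:WHITE accepted as the legacy name of TLP:CLEAR); the recipient categories, organisation names and sample report are constructed for the example, and mapping an authority's actual relationships onto the ‘client’ and ‘community’ categories is an assumption the authority has to make for itself.

```python
"""Gate for onward sharing of externally received vulnerability / incident
information, based on its TLP marking.

Added example, not part of the AMC/GM or of any EASA tool. Sharing rules
follow TLP 2.0; recipient categories and sample data are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet


class TLP(Enum):
    RED = "TLP:RED"
    AMBER_STRICT = "TLP:AMBER+STRICT"
    AMBER = "TLP:AMBER"
    GREEN = "TLP:GREEN"
    CLEAR = "TLP:CLEAR"


class Relation(Enum):
    """Relationship of a candidate recipient to the receiving organisation
    (assumed categories; how an authority maps real parties onto them is
    its own decision)."""
    SELF = "own organisation"
    CLIENT = "client"          # e.g. a party receiving services from the organisation
    COMMUNITY = "community"    # e.g. peer authorities, sector ISAC members
    PUBLIC = "public"


@dataclass
class Report:
    ref: str
    tlp: TLP
    summary: str
    # TLP:RED is limited to the named participants of the original exchange.
    participants: FrozenSet[str] = field(default_factory=frozenset)


def parse_tlp(marking: str) -> TLP:
    """Normalise a textual marking such as 'tlp:amber+strict'.

    TLP 2.0 renamed TLP:WHITE to TLP:CLEAR; the legacy label is mapped rather
    than rejected so legacy-marked input is not dropped. Unknown markings
    raise, because defaulting an unknown marking to CLEAR would over-share.
    """
    m = marking.strip().upper().replace(" ", "")
    if m == "TLP:WHITE":
        return TLP.CLEAR
    for t in TLP:
        if t.value == m:
            return t
    raise ValueError(f"unknown TLP marking: {marking!r}")


def may_share(report: Report, recipient: str, relation: Relation) -> bool:
    """Return True if `report` may be forwarded to `recipient`.

    TLP 2.0 rules applied:
      RED           -> only the original participants, individually
      AMBER+STRICT  -> own organisation only
      AMBER         -> own organisation and its clients
      GREEN         -> own organisation, clients and the wider community
      CLEAR         -> no restriction
    """
    if report.tlp is TLP.RED:
        return recipient in report.participants
    if report.tlp is TLP.AMBER_STRICT:
        return relation is Relation.SELF
    if report.tlp is TLP.AMBER:
        return relation in (Relation.SELF, Relation.CLIENT)
    if report.tlp is TLP.GREEN:
        return relation is not Relation.PUBLIC
    return True  # TLP.CLEAR


def forward(report: Report, recipients: Dict[str, Relation]) -> Dict[str, bool]:
    """Decide, per recipient, whether onward sharing is permitted.

    The decision is returned rather than acted upon so that the calling
    process can record it as evidence that the confidentiality procedure
    was followed.
    """
    return {r: may_share(report, r, rel) for r, rel in recipients.items()}


# Constructed sample data (not a real report).
SAMPLE = Report(
    ref="VULN-0001",
    tlp=parse_tlp("tlp:amber"),
    summary="Unpatched management interface reported by an operator",
)
RECIPIENTS = {
    "authority-soc": Relation.SELF,
    "overseen-operator-x": Relation.CLIENT,
    "neighbouring-authority": Relation.COMMUNITY,
    "press": Relation.PUBLIC,
}

if __name__ == "__main__":
    for who, ok in forward(SAMPLE, RECIPIENTS).items():
        print(f"{SAMPLE.tlp.value} {SAMPLE.ref} -> {who}: {'share' if ok else 'withhold'}")
```

The gate deliberately fails closed: an unrecognised marking raises instead of being treated as TLP:CLEAR, and TLP:RED is matched against named participants rather than an organisational category, which is the point on which TLP:RED differs from the other levels.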
IS.AR.200(a)(10) and IS.AR.200(a)(11)
Related ISO/IEC 27001:2022 clauses and controls
A5.5 Contact with authorities
Part-IS particularity
These requirements are not directly addressed in ISO/IEC 27001:2022.
Guidance on Part-IS implementation
This is not covered by the requirements of ISO/IEC 27001:2022, so it is not possible to adapt existing policies and procedures under ISO/IEC 27001:2022 for these provisions. To ensure compliance with these requirements, please refer exclusively to the related AMC and GM.
IS.AR.200(b) Related ISO/IEC 27001:2022 clauses and controls
10.1 Continual improvement
Part-IS particularity
Part-IS and ISO/IEC 27001:2022 are very similar regarding this requirement. See points IS.AR.235 (a) and (b) for subtle differences.
Guidance on Part-IS implementation
See point IS.AR.235 in this table.
IS.AR.200(c) Related ISO/IEC 27001:2022 clauses and controls
6.3 Planning of changes
7.5.3 Control of documented information
Part-IS particularity
Control of documented information is one of the key processes in each ISO management system standard, following the ISO ‘high-level structure’ (ISO/IEC Directives part 1 Annex SL), such as ISO/IEC 27001:2022.
In addition, most of the delegated and implementing acts for the specific domains require a similar need to document, where information security should be integrated.
Guidance on Part-IS implementation
Additional guidance is provided under GM1 IS.AR.200(c).
IS.AR.200 (d) Related ISO/IEC 27001:2022 clauses and controls
4.3 Determining the scope of the information security management system.
Part-IS particularity
The scope statement and the ‘statement of applicability’ (SOA) are the best references to reflect the ‘nature and complexity’ of the competent authority.
In addition, most of the delegated and implementing acts for the specific domains require a similar need to document, where information security should be integrated.
Guidance on Part-IS implementation
When determining the scope, it should be noted that Part-IS is delimited to the subject matter as defined in Article 1 of the Regulation(s), which refers to identification and management of information security risks with potential impact on aviation safety.
Considering this, the scope of an ISMS under ISO/IEC 27001:2022 may be broader than that required by Part-IS. Some organisational units, processes or locations may fall under what is covered by the ISMS under ISO/IEC 27001:2022, but not within the scope of Part-IS.
The opposite may happen too: the scope under ISO/IEC 27001:2022 may be narrower than the one Part-IS would require (e.g. the ISO/IEC 27001:2022 scope covers only the IT department).
In both situations, scope definitions have to be compared and adjusted when necessary.
Note: See also guidance on point IS.AR.205(a) in this table.
The scope statement in the ISO/IEC 27001:2022 context is the right place where this clarification is made.
IS.AR.205(a) Related ISO/IEC 27001:2022 clauses and controls
4.3 Determining the scope of the information security management system
6.1.2 Information security risk assessment
Part-IS particularity
This requirement of Part-IS is in line with ISO/IEC 27001:2022; however, ISO/IEC 27001:2022 allows a wider focus, whereas Part-IS puts the focus on safety already from the element’s identification stage.
In addition, all of the delegated and implementing acts for the specific domains require a risk assessment process, where information security can be integrated.
Guidance on Part-IS implementation
AMC1 IS.AR.205(a) explains that when conducting an information security risk assessment, the competent authority should ensure that each relevant aviation safety impact is identified and included in the ISMS scope, which might not be the case when using ISO/IEC 27001:2022 alone.
On the other hand, an ISO/IEC 27001:2022 ISMS focuses its security risk assessment mainly on the business impact of a breach of confidentiality, integrity and availability, the related risks and the impact on assets (e.g. loss of IT infrastructure, breach of data).
This means that, starting from an ISMS based on ISO/IEC 27001:2022, a complementary analysis has to be made to take into account all the elements related to aviation safety.
To bridge the two approaches of safety management systems (SMS) and ISMS, an identified information security risk may be entered as a ‘cause’ or ‘contributing event’ in the aviation-safety-focused risk assessment required by the domain-specific implementing or delegated act. The figure in GM1 IS.AR.205(c) provides a good indication of how this bridge could be built.
IS.AR.205(b) Related ISO/IEC 27001:2022 clauses and controls
4.1 Understanding the organisation and its context
4.3 Determining the scope of the information security management system
A5.19 Information security in supplier relationships
A5.21 Managing information security in the information and communication technology (ICT) supply chain
Part-IS particularity
Point IS.AR.205(b) focuses on the identification of interfaces with other parties. ISO/IEC 27001:2022 4.3 requires, in point c), considering the interfaces and dependencies between activities performed by the competent authority and those performed by other parties. Part-IS therefore requires more than ISO/IEC 27001:2022 does, provided that the scope considered includes safety, as required by point IS.AR.205(a).
The controls A5.19 and A5.21 are a solid foundation for the requirements of point IS.AR.205(b).
Guidance on Part-IS implementation
ISO/IEC 27001:2022 A5.19 requires the identification of risks associated with the use of suppliers’ products or services. ISO/IEC 27002:2022 A5.19 contains additional guidance in points f) to j) on how to manage the risk exposure.
ISO/IEC 27001:2022 A5.21 requires the management of information security risks associated with the ICT products and services supply chain. ISO/IEC 27002:2022 A5.21 contains additional guidance in points f), k), l) and m) on how to manage risks through the supply chain.
The Part-IS notion about interfaces and supply chain goes beyond the respective ISO/IEC 27001:2022 notion. GM1 IS.AR.205(b) requests interfacing entities to share information about mutual risk exposure (including all data flows) and urges competent authorities to use ED-201A for that. Point IS.AR.205(c) also requires accounting for information acquired by interfacing entities, which underlines the two-way nature of the considerations.
IS.AR.205(c) Related ISO/IEC 27001:2022 clauses and controls
6.1.2 Information security risk assessment
Part-IS particularity
Point IS.AR.205(c) is the ‘heart’ of Part-IS. ISO/IEC 27001:2022 6.1.2 opens a ‘framework’ where the requirements of point IS.AR.205 may fit in.
It has to be ensured that the risk management systems of the ISMS and those required by the SMS regulations (see point IS.AR.205(a)) do NOT operate independently, as there might otherwise be difficulties in connecting the two systems.
Guidance on Part-IS implementation
Further to this provision, a proper risk assessment has to be made, taking into account the scope and interfaces described in points IS.AR.205(a) and IS.AR.205(b). It has to be noted (see also GM1 IS.AR.205(c)) that point IS.AR.205 does not require the use of any specific information security risk assessment framework, such as ISO 31000, NIST or others, to develop the risk assessment. ISO/IEC 27001:2022 tends to lean towards using ISO/IEC 27005 as a risk assessment standard; however, it does not make it mandatory. The key point is that the risk assessment carried out in the application of ISO/IEC 27001:2022 6.1.2 does not necessarily consider safety risks, and may focus on different types of risks.
With respect to safety, conditions that may lead to safety consequences are identified as hazards. Their materialisation may be either directly triggered or caused by information security threats which have not been successfully prevented. Information security can thus cause or contribute to a safety consequence in four different ways:
(1) it can act as a safety threat;
(2) it can have a negative effect on a safety barrier, rendering it less effective than before;
(3) it can directly trigger the materialisation of an already identified hazard; or
(4) it can constitute a new, not yet identified, hazard, which can obviously also materialise.
By using e.g. the ‘bow-tie method’ regarding information security, a ‘hazard’ would be replaced by a ‘vulnerability’, which can be exploited resulting in information security consequences (e.g. lack or reduction of confidentiality, integrity, availability, authenticity properties). Hence, from a methodology perspective, both considerations are very similar and can be designed to interact (e.g. consequences of the information security bow-tie may connect as causes of the ‘safety bow-tie’).
Where the authority has implemented an SMS and operates an ISMS under voluntary compliance with ISO/IEC 27001:2022, it may operate two risk management systems, one for safety and one for information security. The latter may ultimately be certified by an ISO/IEC 27001:2022 accredited body.
Each potential risk identified by the ISMS risk management has to be systematically assessed for its potential impact on safety. To establish the connection between the systems, the following approach should be used:
(1) If a safety risk assessment is available, it should be able to provide its context and determined target likelihoods for acceptable information security risks to the information security risk assessment process. The context consists of the system architecture, including its preventative and mitigative barriers, the hazards assessed and the safety risks identified. Based upon the information provided, the information security risk assessment can be conducted. Modifications to the system architecture, or any modifications of properties of the preventative or mitigative barriers, as well as the achieved risk properties need to be communicated back to the safety risk assessment process. Based upon this communication, the safety risk assessment has to be updated. In other words: mitigation measures put in place as a result of the information security risk assessment should also be considered as they may not only mitigate, but possibly also create a negative safety impact.
(2) If a safety risk assessment is available, but the information security assessment process identifies a new hazard that was previously unknown to the safety risk assessment, a full hazard assessment of all safety aspects has to be conducted to ensure that the safety risk assessment contains the ‘full picture’ of the newly addressed hazard.
(3) The safety risk and the information security risk assessments need to be repeated as described above until all acceptability requirements for all aspects are met.
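Steps (1) to (3) above describe an iteration between two assessments: the safety side hands over hazards, barriers and target likelihoods; the information security side treats its risks; any change to a barrier is fed back; the loop repeats until every target is met. The block below is an added example of that loop in code; it is not Part-IS’s method, not the figure in GM1 IS.AR.205(c), and the hazard, scenarios, barriers, measures and all numbers are constructed. Modelling assumptions, stated in the code: likelihoods are per-year probabilities, a barrier’s effectiveness is the probability that it stops the event, threat scenarios are independent, a measure scales one scenario’s likelihood by a factor, and a measure’s ‘side effect’ is a change to a safety barrier’s effectiveness (the case step (1) says must be communicated back). A scenario that points at a hazard unknown to the safety assessment is refused, which is the situation of step (2).

```python
"""Bridge between an ISMS risk assessment and a safety risk assessment.

Added example; not Part-IS's method and not from the AMC/GM. The model and
all figures are constructed. Assumptions: per-year likelihoods, barrier
effectiveness = probability the barrier stops the event, independent threat
scenarios, measures scale one scenario's likelihood, and a measure's side
effect is a new effectiveness value for one safety barrier.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Barrier:
    name: str
    effectiveness: float          # probability the barrier stops the event (0..1)


@dataclass
class Hazard:
    name: str
    target_likelihood: float      # max acceptable per-year likelihood via IS causes
    barriers: List[Barrier] = field(default_factory=list)


@dataclass
class ThreatScenario:
    name: str
    hazard: str                   # the hazard it would trigger ('cause' in the safety bow-tie)
    likelihood: float             # per-year likelihood before the safety barriers act


@dataclass
class Measure:
    name: str
    scenario: str
    factor: float                 # multiplies the scenario's likelihood
    side_effect: Optional[Tuple[str, str, float]] = None  # (hazard, barrier, new effectiveness)


class NewHazard(Exception):
    """IS assessment names a hazard unknown to the safety assessment: a full
    hazard assessment is needed before the bridge can proceed (step (2))."""


def residual(hazard: Hazard, scenarios: List[ThreatScenario]) -> float:
    """Per-year likelihood that `hazard` is triggered by IS causes once the
    safety barriers have acted (independent scenarios, independent barriers)."""
    p_pass = 1.0
    for b in hazard.barriers:
        p_pass *= 1.0 - b.effectiveness
    p_none = 1.0
    for s in scenarios:
        if s.hazard == hazard.name:
            p_none *= 1.0 - s.likelihood * p_pass
    return 1.0 - p_none


def bridge(hazards: List[Hazard], scenarios: List[ThreatScenario],
           measures: List[Measure]) -> Dict[str, object]:
    """Apply measures in order until every hazard meets its target (step (3)).

    A measure is applied tentatively; its side effect on a barrier is fed
    back and the safety picture recomputed. If that leaves any hazard both
    worse than before and above its target, the measure is rejected and
    reverted (IS.AR.210(a): no new unacceptable safety risk). Inputs are
    copied so the caller's registers are not mutated.
    """
    hazards = copy.deepcopy(hazards)
    reg = {h.name: h for h in hazards}
    for s in scenarios:
        if s.hazard not in reg:
            raise NewHazard(f"{s.name} triggers hazard {s.hazard!r} unknown to the safety assessment")
    scen = {s.name: ThreatScenario(s.name, s.hazard, s.likelihood) for s in scenarios}
    applied: List[str] = []
    rejected: List[str] = []
    pending = list(measures)

    def picture() -> Dict[str, float]:
        return {h.name: residual(h, list(scen.values())) for h in hazards}

    while True:
        before = picture()
        if all(before[h.name] <= h.target_likelihood for h in hazards) or not pending:
            break
        m = pending.pop(0)
        target = scen[m.scenario]
        old_like = target.likelihood
        target.likelihood = old_like * m.factor          # IS side treats the risk
        bar = None
        old_eff = 0.0
        if m.side_effect:                                 # communicate barrier change back
            hz, bname, new_eff = m.side_effect
            bar = next(b for b in reg[hz].barriers if b.name == bname)
            old_eff, bar.effectiveness = bar.effectiveness, new_eff
        after = picture()                                 # safety side re-evaluates
        harmful = any(after[h.name] > before[h.name] and after[h.name] > h.target_likelihood
                      for h in hazards)
        if harmful:
            target.likelihood = old_like
            if bar is not None:
                bar.effectiveness = old_eff
            rejected.append(m.name)
        else:
            applied.append(m.name)
    final = picture()
    return {"residual": final,
            "acceptable": all(final[h.name] <= h.target_likelihood for h in hazards),
            "applied": applied, "rejected": rejected}


# Constructed registers (illustrative, not real assessments).
HAZARDS = [Hazard("H1 corrupted safety-critical data delivered to operators", 1e-3,
                  [Barrier("plausibility check at publication", 0.8),
                   Barrier("operator cross-check", 0.5)])]
SCENARIOS = [ThreatScenario("S1 tampering via compromised admin account", HAZARDS[0].name, 0.05),
             ThreatScenario("S2 ransomware on the data management system", HAZARDS[0].name, 0.02)]
MEASURES = [Measure("M1 MFA for administrative accounts", SCENARIOS[0].name, 0.1),
            # removes a vulnerable legacy tool but disables a safety barrier
            Measure("M2 decommission legacy plausibility-check tool", SCENARIOS[0].name, 0.5,
                    side_effect=(HAZARDS[0].name, "plausibility check at publication", 0.0)),
            Measure("M3 offline backups with tested restore", SCENARIOS[1].name, 0.05)]

if __name__ == "__main__":
    print(bridge(HAZARDS, SCENARIOS, MEASURES))
```

With the constructed figures the hazard starts above its target, M1 brings it down but not far enough, M2 is rejected because disabling the plausibility check raises the hazard likelihood above the target, and M3 closes the gap. The rejection is the part worth keeping whatever the real numbers are: a treatment chosen purely for its security benefit can still be unacceptable once its effect on a safety barrier is fed back.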
IS.AR.205(d) Related ISO/IEC 27001:2022 clauses and controls
6.3 Planning of changes
8.2 Information security risk assessment
Part-IS particularity
Point IS.AR.205(d) is about the subsequent changes to the original risk assessment, due to a change of context or interfaces or knowledge about the risks or lessons learnt. This is equivalent to ISO/IEC 27001:2022 8.2. In both frameworks the reviews are planned and documented.
Guidance on Part-IS implementation
The same process as that already in place in an ISO/IEC 27001:2022 context can be used to implement point IS.AR.205(d), provided that this process has been updated to include safety criteria evaluation of changes that trigger an unplanned update of the risk assessment.
Those competent authorities most used to updating the risk assessment only at planned intervals will need to be proactive and trigger such updates more often in the situations listed in points IS.AR.205(d)(1), (2), (3) and (4) that could affect safety.
The triggering criteria and the process should be documented and tested before implementation, for example through table-top exercises.
The change management process is key to keep a management system in a solid and stable condition. Considering an established ISMS according to ISO/IEC 27001:2022, the regular updates of the risk assessment based on changes and lessons learned should be effective. The essential focus, introduced by Part-IS, is the ‘impact on safety’, which drives the update assessment. Change management processes focusing on changes that may have impact on safety are also set out in all domain-specific implementing and delegated acts.
Without the ‘bridge’ of Part-IS, both systems (ISMS and SMS) are implemented independently, often without considering interdependencies. Part-IS implies the need (and provides the opportunity) to interlink the systems to provide a common risk picture for the competent authority, with a focus on safety, but also opening the horizon to information security.
IS.AR.210(a) Related ISO/IEC 27001:2022 clauses and controls
6.1.3 Information security risk treatment
8.3 Information security risk treatment
Part-IS particularity
Point IS.AR.210(a) is about information security risk treatment, which is widely covered by ISO/IEC 27001:2022, its Annex A, and ISO/IEC 27002. Point IS.AR.210(a) provides, however, some additional inputs related to the risks that may have a safety impact.
Guidance on Part-IS implementation
ISO/IEC 27001:2022 6.1.3 is about the definition of the risk treatment plan, while ISO/IEC 27001:2022 8.3 deals with the implementation of the plan, and both are relevant.
ISO/IEC 27001:2022 Annex A contains a list of possible information security controls, and therefore should also be used, in addition to the already existing controls, to mitigate information security risks having an impact on safety. All the controls of Annex A are detailed in ISO/IEC 27002.
Point IS.AR.210(a) specifies that the measures selected in the plan have to reduce the consequences on aviation safety associated with the materialisation of the threat scenario. This is in line with point IS.AR.205, since the risk treatment phase is a consequence of the risk assessment phase and has to address all the risks that have been evaluated.
Point IS.AR.210(a) also stipulates that those (protection) measures shall not introduce any new potential unacceptable risks to aviation safety.
This is an area that is not directly covered by either ISO/IEC 27001:2022 or ISO/IEC 27002. The requirement addresses the so-called ‘side effects’ when introducing measures into a system (a well-known issue in software development which is also very relevant for information security measures). Preventive or mitigative measures specifically (e.g. physical security, access control) could lead to unintended side effects.
Also, the risk treatment of the identified risks should focus on addressing safety via the same linkage/integration of ISMS and safety management.
IS.AR.210(b) Related ISO/IEC 27001:2022 clauses and controls
6.1.3 f) Information security risk treatment
7.3 Awareness
9.3 Management review
A5.19 Information security in supplier relationships
A5.21 Managing information security in the ICT supply chain
Part-IS particularity
Point IS.AR.210(b) requires key personnel in the competent authority to be informed about the risks, the corresponding threat scenarios and the security risk treatment measures, which result in specific controls covered by Annex A to ISO/IEC 27001:2022 and ISO/IEC 27002. ISO/IEC 27001:2022 partially covers point IS.AR.210(b) by the following requirement: obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
Point IS.AR.210(b) has two specific requirements that also have equivalent requirements in ISO/IEC 27001:2022 and ISO/IEC 27002:
— Inform the person referred to in point IS.AR.225(a) of the risk treatment plan — which is a mandatory input to the management review.
— Inform the interfacing entities (the same as in point IS.AR.205(b)) of all risks shared with them — which is stated in A5.19 Guidance point l).
Guidance on Part-IS implementation
In addition to the risk owner’s approval requested by ISO/IEC 27001:2022 6.1.3 f), the competent authority will need to inform:
— the person referred to in point IS.AR.225(a) of the risk treatment plan. ISO/IEC 27001:2022 9.3 f) defines ‘results of risk assessment and status of risk treatment plan’ as mandatory input for the management review, which is the vehicle to inform the person referred to in point IS.AR.225(a);
— the interfacing entities (the same as in point IS.AR.205(b)) of all risks shared with them. ISO/IEC 27002:2022 A5.21 states in point f) ‘defining rules for sharing of information and any potential issues and compromises between the organisations’. GM1 IS.AR.205(b) and ED-201A may also be used as guidance on risk sharing.
IS.AR.215(a) Related ISO/IEC 27001:2022 clauses and controls
A5.24 Information security incident management planning and preparation
A5.25 Assessment and decision on information security events
A5.26 Response to information security incidents
A5.27 Learning from information security incidents
A5.28 Collection of evidence
A5.29 Information security during disruption
A7.5 Physical security monitoring
A8.16 Monitoring activities
Part-IS particularity
Fully covered by the requirements of A5.24 to A5.29, and A7.5 for physical security and A8.16 for technical monitoring.
Guidance on Part-IS implementation
The requirements of the controls (both reactive and proactive) mentioned above and the guidance in ISO/IEC 27002:2022 are comprehensive to fulfil the requirements of point IS.AR.215(a).
Again, the impact on safety needs to be assessed, and measures shall be taken to ensure safety. Part-IS refers to ‘unsafe conditions’, which have to be mitigated to an acceptable level. A re-assessment of risks that are related to incidents that have occurred or to a vulnerability that has been identified is mandatory in Part- IS to ensure that no risk becomes unacceptable.
Note: For historical reasons, information security and safety management use different wording when referring to situations which are more or less the same. The term ‘incident’ is used in a similar way (an event which has already happened and infringes safety/security). A vulnerability in the sense of information security could be mapped to the term ‘hazard’ in the area of safety (a situation which has been identified and could occur, but has not happened so far).
IS.AR.215(b) Related ISO/IEC 27001:2022 clauses and controls
A5.26 Response to information security incidents
A5.29 Information security during disruption
A7.5 Physical security monitoring
A8.8 Management of technical vulnerabilities
Part-IS particularity
Fully covered by the requirements of A5.26 and A5.29, supported by A7.5 for physical security monitoring and A8.8 for the management of technical vulnerabilities.
Guidance on Part-IS implementation
The requirements of the control A5.26 and the guidance in ISO/IEC 27002:2022 are comprehensive to fulfil the requirements of point IS.AR.215(b).
IS.AR.215(c) Related ISO/IEC 27001:2022 clauses and controls
A5.26 Response to information security incidents
A5.29 Information security during disruption
Part-IS particularity
This requirement is covered by the requirements of A5.26 and A5.29, with the difference that the recovery here is not intended to continuously ensure confidentiality, integrity and availability; instead, it is intended to maintain or return to an acceptable level of safety.
Guidance on Part-IS implementation
Coupled with the requirements of controls A5.26 and A5.29 and the guidance in ISO/IEC 27002:2022, AMC1 IS.AR.215(c) should be applied in order to revert as quickly as possible to a safe state.
IS.AR.220 Related ISO/IEC 27001:2022 clauses and controls
A5.19 Information security in supplier relationships
A5.21 Managing information security in the information and communication technology (ICT) supply chain
A5.22 Monitoring, review and change management of supplier services
Part-IS particularity
ISO/IEC 27001:2022 controls A5.19, A5.21 and A5.22 may cover this requirement. The difference in the requirements of point IS.AR.220 is that they are limited to those activities directly related to the ISMS (e.g. internal audits, consultancy for risk assessments, etc.).
Guidance on Part-IS implementation
This requirement relates only to ISMS activities (e.g. internal audits, consultancy for risk assessments) and not to activities that are not themselves part of the ISMS (e.g. hardware, software, IT and OT). The controls in ISO/IEC 27001:2022 do not exclude those kinds of services, but sometimes they will not be in the focus of the competent authority.
Therefore, there is no need to establish an independent system for those contractors referred to in point IS.AR.220. The list of suppliers should be reviewed to ensure that the suppliers providing the services mentioned in point IS.AR.220 are covered.
IS.AR.225(a)
Related ISO/IEC 27001:2022 clauses and controls
5.1 Leadership and commitment
5.3 Organisational roles, responsibilities and authorities
7.1 Resources
A5.2 Information security roles and responsibilities
Part-IS particularity
ISO/IEC 27001:2022 does not require a specific role.
Guidance on Part-IS implementation
The implementation of the requirements of point IS.AR.225(a) can be covered by the implementation of the ISO/IEC 27001:2022 requirements mentioned above, provided that the role of the person referred to in point IS.AR.225(a) is clearly defined and meets the requirements in point IS.AR.225(a).
IS.AR.225(b)
Related ISO/IEC 27001:2022 clauses and controls
7.1 Resources
Part-IS particularity
The requirements of 7.1 should be implemented.
Guidance on Part-IS implementation
A systematic capacity planning of human resources is a key element of any management system. Therefore, such a process should be established in an ISMS. The possible additional requirement stemming from Part-IS has to be assessed and the capacity planning updated accordingly.
The targeted safety levels set in the safety/information security assessment should never be jeopardised by a lack of resources, even temporarily.
AMC1 IS.AR.225(b) should be considered.
IS.AR.225(c)
Related ISO/IEC 27001:2022 clauses and controls
7.2 Competence
A6.3 Information security awareness, education and training
Part-IS particularity
The implementation of the requirements of 7.2 and A6.3 is sufficient to cover the requirement.
Guidance on Part-IS implementation
A systematic competency management process of staff is a key element of any management system. Therefore, such a process should have been established in an ISMS. The possible additional requirement stemming from Part-IS has to be assessed and the competency requirements updated accordingly.
AMC1 IS.AR.225(c) should be considered.
IS.AR.225(d)
Related ISO/IEC 27001:2022 clauses and controls
A6.2 Terms and conditions of employment
Part-IS particularity
The implementation of the requirements of A6.2 with some adaptation would be sufficient to cover the provision of point IS.AR.225(d).
Guidance on Part-IS implementation
Point IS.AR.225(d) is (at least partially) covered by ISO/IEC 27001:2022 A6.2 (the employment contractual agreements have to state the personnel’s and the organisation’s responsibilities for information security) and A6.4 ‘Disciplinary process’ (see ‘Just Culture’).
It depends on the organisational culture and on whether job descriptions or role assignments need to be formally acknowledged. In many cases, the assigned jobs and roles are mutually acknowledged by performing the tasks assigned.
IS.AR.225(e)
Related ISO/IEC 27001:2022 clauses and controls
A5.19 Information security in supplier relationships
A6.1 Screening
A7.2 Physical entry
A8.3 Information access restriction
A8.5 Secure authentication
Part-IS particularity
The implementation of the requirements of A5.19, A6.1, A7.2, A8.3 and A8.5 might be sufficient controls to cover this requirement for the personnel of the competent authority, as well as for contractors and suppliers.
Guidance on Part-IS implementation
All the controls established in an ISO/IEC 27001:2022-compliant ISMS are designed to ensure the confidentiality and integrity of information. The implementation of those controls will provide sufficient protection to ensure compliance with this requirement.
AMC1 IS.AR.225(e) should be considered.
IS.AR.230(a)
Related ISO/IEC 27001:2022 clauses and controls
7.5 Documented information
A5.9 Inventory of information and other associated assets
A5.13 Labelling of information
A8.10 Information deletion
A8.13 Information backup
Part-IS particularity
Record-keeping and retention are an inherent part of the document control system under 7.5 of ISO/IEC 27001:2022. The controls A5.9, A5.13, A8.10 and A8.13 also apply.
Guidance on Part-IS implementation
Chapter 7.5.1 b) states that the ISMS has to include ‘documented information determined by the competent authority as being necessary for the effectiveness of the information security management system.’ This includes the records defined in point IS.AR.230(a)(1). Chapter 7.5.3 requires, under f), also document control for retention and disposition. Part-IS requirements have to be integrated into the existing system, especially the minimum duration of record-keeping of five years.
The minimum set of records, as defined in point IS.AR.230(a)(1) should be covered in the inventory of assets. For the coverage, the content of GM1 IS.AR.230 also applies.
As records are not only information assets, the requested ‘record retention policy’ may be integrated into a wider policy as recommended by ISO/IEC 27002:2022 above.
AMC1 IS.AR.230(a)(1)(iv)&(a)(4) should be implemented.
IS.AR.230(b)
Related ISO/IEC 27001:2022 clauses and controls
7.5 Documented information
A5.9 Inventory of information and other associated assets
A5.10 Acceptable use of information and other associated assets
A5.13 Labelling of information
A5.34 Privacy and protection of personal identifiable information (PII)
A8.10 Information deletion
A8.13 Information backup
Part-IS particularity
Record-keeping and retention are an inherent part of the document control system under 7.5 of ISO/IEC 27001:2022. The controls A5.9, A5.13, A8.10 and A8.13 will also apply and, due to GDPR issues specifically, also A5.10 and A5.34.
Guidance on Part-IS implementation
Chapter 7.5.1 b) states that the ISMS has to include ‘documented information determined by the competent authority as being necessary for the effectiveness of the information security management system.’ This includes the records defined in point IS.AR.230(a)(1). Chapter 7.5.3 requires, under f), also document control for retention and disposition. Part-IS requirements have to be integrated into the existing system, especially the minimum duration of record-keeping of five years.
However, whereas there is no retention duration specified in ISO/IEC 27001:2022, point IS.AR.230(b) specifies three years after the person has left the competent authority.
As these records fall under the GDPR Regulation, each competent authority has to ensure that they are handled accordingly. It is recommended that the procedures are used not only for records related to ISMS, but also for the entire HR personnel files of the staff.
IS.AR.230(c)
Related ISO/IEC 27001:2022 clauses and controls
7.5 Documented information
A5.13 Labelling of information
Part-IS particularity
Record-keeping and retention are an inherent part of the document control system under 7.5 of ISO/IEC 27001:2022 as well as the control A5.13.
Guidance on Part-IS implementation
Chapter 7.5.3, under a), requires for the information that ‘it is available and suitable for use, where and when it is needed’. Part-IS requirements have to be integrated into the existing system.
ISO 27002:2022 A5.13 states ‘Procedures for information labelling should cover information and other associated assets in all formats.’; therefore, the Part-IS requirement is fulfilled with control A5.13.
IS.AR.230(d)
Related ISO/IEC 27001:2022 clauses and controls
7.5 Documented information
A5.10 Acceptable use of information and other associated assets
A5.12 Classification of information
A5.33 Protection of records
A8.12 Data leakage prevention
Part-IS particularity
Record-keeping and retention are an inherent part of the document control system under 7.5 of ISO/IEC 27001:2022. The controls A5.10, A5.12, A5.33 and A8.12 will also apply.
Guidance on Part-IS implementation
Chapter 7.5.3, under d), requires ‘storage and preservation, including the preservation of legibility’. Part-IS requirements have to be integrated into the existing system.
The application of A5.33 and A8.12 has a strong relationship to A7.5 (Protecting against physical and environmental threats), A7.10 (Storage media), A8.3 (Information access restriction), A8.13 (Information backup), A8.14 (Redundancy of information processing facilities), A8.15 (Logging), A8.17 (Clock synchronization) and A8.24 (Use of cryptography).
IS.AR.235(a)
Related ISO/IEC 27001:2022 clauses and controls
9.3 Management review
10.1 Continual improvement
A5.35 Independent review of information security
Part-IS particularity
This requirement reflects a combination of requirements 9.3 and 10.1 of ISO/IEC 27001:2022 with references to requirements 4.4 and 5.2. While ISO/IEC 27001:2022 focuses on ISMS suitability, adequacy and effectiveness, point IS.AR.235(a) requires also a periodical maturity assessment of the ISMS.
Guidance on Part-IS implementation
ISO/IEC 27001:2022, 4.4 shows a clear requirement (‘shall’) for ISMS maintenance and improvement. The top management has a responsibility for continuous ISMS improvement as per ISO/IEC 27001:2022 5.2(d). The planning section also requires continuous improvement (ISO/IEC 27001:2022 6.1.1(c)).
Point IS.AR.235(a) requires an assessment of the effectiveness and maturity of the ISMS on a calendar basis or following an information security incident. This assessment should be performed by using indicators. ISO/IEC 27001:2022 Chapter 9.3.1 defines a very similar approach for the management review process. Chapter 10.1 indicates a more independent process to improve the ISMS. The process in Chapter 10.1 is seen as more of a bottom-up approach, whereas that in Chapter 9.3 is intended to be top-down.
The results from A5.35 should all be used as inputs for continuous improvement.
Point IS.AR.235(a) requires also a maturity assessment of the ISMS.
Each competent authority should establish which maturity model will be followed and which targeted maturity level is expected to be reached and by when.
For the maturity assessment, point (b) of AMC1 IS.AR.235(a) and GM1 IS.AR.235(a) provide guidance on how to ensure compliance with point IS.AR.235(a).
IS.AR.235(b)
Related ISO/IEC 27001:2022 clauses and controls
10.2 Non-conformity and corrective action
A5.7 Threat intelligence
Part-IS particularity
Point IS.AR.235(b) addresses the improvement measures, i.e. corrections and corrective actions for the deficiencies detected in point IS.AR.235(a) and the continuous improvement process.
This requirement reflects mainly requirement 10.2 of ISO/IEC 27001:2022, even if the term used there is ‘non-conformity’, while point IS.AR.235(b) uses the term ‘deficiencies’. Deficiency has a broader meaning than non-conformity. It encompasses the case of a targeted maturity level that would not be reached at the planned date; that would be a deficiency but not necessarily a non-conformity.
Guidance on Part-IS implementation
The provisions listed in ISO/IEC 27001:2022 10.2 can be used to take corrective actions, to resolve both non-conformities and maturity level gaps.
ED Decision 2025/015/R
TE.RPRO.00072-012 © European Union Aviation Safety Agency. All rights reserved. ISO 9001 certified. Proprietary document. Copies are not controlled. Confirm revision status through the EASA intranet/internet. Page 1 of 2
An agency of the European Union
Executive Director Decision
2025/015/R
of 21 July 2025
issuing the following:
Amendment 1 to Issue 1 of the Acceptable Means of Compliance and Guidance Material to
Annex I (Part-IS.AR) to Commission Implementing Regulation (EU) 2023/203
‘AMC & GM to Part-IS.AR — Issue 1, Amendment 1’
— — —
‘Management of information security risks — GM to Part-IS.AR’
THE EXECUTIVE DIRECTOR OF THE EUROPEAN UNION AVIATION SAFETY AGENCY (EASA),
Having regard to Regulation (EU) 2018/1139 [1], and in particular Articles 76(3) and 104(3)(a) thereof,
Whereas:
(1) Guidance material is non-binding material issued by EASA, which helps to illustrate the meaning
of delegated or implementing acts or certification specifications and detailed specifications, and
which is used to support the interpretation of Regulation (EU) 2018/1139, of the delegated and
implementing acts adopted on the basis thereof, and of certification specifications and detailed
specifications.
(2) With Decision 2023/010/R [2] of 13 July 2023, the Executive Director issued the Acceptable Means of Compliance and Guidance Material to Part-IS.AR.
(3) EASA shall, pursuant to Article 4(1)(a) of Regulation (EU) 2018/1139, reflect the state of the art
and the best practices in the field of aviation and update its Decisions, taking into account
worldwide aviation experience and scientific and technical progress in the respective fields.
[1] Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1) (http://data.europa.eu/eli/reg/2018/1139/oj).
[2] ED Decision 2023/010/R - Management of information security risks - Development of acceptable means of compliance and guidance material to support the Part-IS regulatory package implementation | EASA
(4) Commission Implementing Regulation (EU) 2023/203 [3] lays down requirements for organisations and competent authorities regarding the management of information security risks with a potential impact on aviation safety.
(5) In this context, EASA has determined the need to issue this set of guidance material to facilitate
the implementation of the aforementioned new requirements.
(6) EASA, pursuant to Article 115(1)(c) of Regulation (EU) 2018/1139 and Article 6 of the EASA Rulemaking Procedure [4], consulted its Advisory Bodies (ABs) on the content of this Decision and considered the comments received,
HAS DECIDED:
Article 1
Annex I to Decision 2023/010/R of the Executive Director of the Agency of 13 July 2023 is amended as
laid down in the Annex to this Decision.
Article 2
This Decision shall enter into force on the day following that of its publication in the Official Publication
of EASA.
It shall apply from 22 February 2026.
Cologne, 21 July 2025
For the European Union Aviation Safety Agency
The Executive Director
Florian GUILLERMET
[3] Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 (http://data.europa.eu/eli/reg_impl/2023/203/oj).
[4] EASA is bound to follow a structured rulemaking process as required by Article 115(1) of Regulation (EU) 2018/1139. Such a process has been adopted by the EASA Management Board (MB) and is referred to as the ‘Rulemaking Procedure’. See MB Decision No 01-2022 of 2 May 2022 on the procedure to be applied by EASA for the issuing of opinions, certification specifications and other detailed specifications, acceptable means of compliance and guidance material (‘Rulemaking Procedure’), and repealing Management Board Decision No 18-2015 (EASA MB Decision No 01-2022 on the Rulemaking Procedure, repealing MB Decision 18-2015 (by written procedure) | EASA (europa.eu)).
European Union Aviation Safety Agency
Explanatory Note to ED Decisions 2025/013/R, 2025/014/R & 2025/015/R
issued in accordance with Article 4(2) of MB Decision No 01-2022
TE.RPRO.00058-013 © European Union Aviation Safety Agency. All rights reserved. ISO 9001 certified. Proprietary document. Copies are not controlled. Confirm revision status through the EASA intranet/internet. Page 1 of 9
An agency of the European Union
Regular update of the Acceptable Means of Compliance and Guidance Material
to Regulations (EU) 2023/203 and 2022/1645
(Part-IS) RMT.0753 — SUBTASK 1
WHAT THESE DECISIONS ARE ABOUT
These Decisions issue amendments to the Guidance Material (GM) to the Part-IS regulatory package
(Implementing Regulation (EU) 2023/203 and Delegated Regulation (EU) 2022/1645).
The objective of the amended GM is to support and facilitate the implementation of the Part-IS regulatory
package, thereby maintaining a high level of safety and contributing to the protection of the aviation system
against information security (cybersecurity) risks.
ED DECISIONS TO BE AMENDED — ED Decision 2023/008/R ‘AMC & GM to the Articles
of Regulation (EU) 2022/1645 and Regulation (EU) 2023/203’
— ED Decision 2023/009/R ‘AMC & GM to Part-IS.D.OR and AMC & GM to Part-IS.I.OR’
— ED Decision 2023/010/R ‘AMC & GM to Part-IS.AR’
AFFECTED STAKEHOLDERS
DOA and POA holders; Part-ORO air operators; AeMCs; FSTD operators; U-space service providers and single
common information service providers; apron management service providers; AOC holders (CAT); MOs;
CAMOs; training organisations; ATM/ANS providers; aerodrome operators; Member States; national
competent authorities
WORKING METHODS
Development: By EASA
Impact assessment(s): Light
Consultation: NPA — Focused
RELATED DOCUMENTS / INFORMATION — ToR RMT.0753 Issue 1, issued on 20.2.2025
— NPA 2025-101
— Workshop on NPA 2025-101 ‘Regular update of the Acceptable Means of Compliance and Guidance Material to Regulations (EU) 2023/203 and 2022/1645 (Part-IS regulatory package)’
PLANNING MILESTONES: Refer to the latest edition of the EPAS Volume II.
Table of contents
1. About these Decisions (p. 3)
2. In summary — why and what (p. 4)
2.1. Why we need to act (p. 4)
2.2. What we want to achieve — objectives (p. 4)
2.3. How we want to achieve it — overview of the amendments (p. 4)
2.4. What are the stakeholders’ views (p. 4)
3. Expected benefits and drawbacks of the regulatory material (p. 6)
4. Monitoring and evaluation (p. 7)
5. Proposed actions to support implementation (p. 8)
6. References (p. 9)
1. About these Decisions
This rulemaking activity aims at updating the guidance material (GM) to the Part-IS regulatory package (Regulations (EU) 2022/1645 [1] and 2023/203 [2]). It is included in the 2025 edition of Volume II of the European Plan for Aviation Safety (EPAS) for 2023-2025 [3] under Rulemaking Task (RMT).0753.
EASA developed the regulatory material in question in line with Regulation (EU) 2018/1139 [4] (the Basic Regulation) and the Rulemaking Procedure [5], as well as in accordance with the objectives and working methods described in the Terms of Reference (ToR) for this RMT [6].
In particular, EASA has developed a significant part of the regulatory material based on the guidelines
developed by the Part-IS Implementation Task Force (TF), a collaborative effort of the national
competent authorities (NCAs) of the EASA Member States. The TF worked with great care to produce
a comprehensive set of guidelines aimed at ensuring a harmonised implementation of Part IS in all
Member States. This initiative is part of an ongoing commitment to maintaining high standards of
aviation safety throughout the European Union.
The draft regulatory material was consulted in accordance with the ToR for this RMT with the EASA Advisory Bodies (MAB and SAB) through NPA 2025-101 [7] and the focused consultation workshop held on 5 May 2025. EASA reviewed the comments received and duly considered them for the preparation of the regulatory material presented here.
[1] Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 and amending Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 (OJ L 248, 26.9.2022, p. 18) (http://data.europa.eu/eli/reg_del/2022/1645/oj).
[2] Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 (OJ L 31, 2.2.2023, p. 1) (http://data.europa.eu/eli/reg_impl/2023/203/oj).
[3] European Plan for Aviation Safety (EPAS) 2025 - 14th edition | EASA
[4] Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1) (http://data.europa.eu/eli/reg/2018/1139/oj).
[5] EASA is bound to follow a structured rulemaking process as required by Article 115(1) of Regulation (EU) 2018/1139. Such a process has been adopted by the EASA Management Board (MB) and is referred to as the ‘Rulemaking Procedure’. See MB Decision No 01-2022 of 2 May 2022 on the procedure to be applied by EASA for the issuing of opinions, certification specifications and other detailed specifications, acceptable means of compliance and guidance material (‘Rulemaking Procedure’), and repealing Management Board Decision No 18-2015 (EASA MB Decision No 01-2022 on the Rulemaking Procedure, repealing MB Decision 18-2015 (by written procedure) | EASA).
[6] ToR RMT.0753 - Cybersecurity risks | EASA (europa.eu)
[7] https://www.easa.europa.eu/en/document-library/notices-of-proposed-amendment/focused-consultations/npa-2025-101
2. In summary — why and what
2.1. Why we need to act
Commission Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation (EU)
2022/1645 lay down rules for the identification and management of information security risks in
aviation organisations and aviation competent authorities, including EASA. The Part-IS TF has
identified some areas where more guidance would have been useful to support harmonised
implementation in the Member States. To this end, these Decisions update the associated GM for the
application of both the Implementing and Delegated Commission Regulations, mostly as a result of
the joint activity of Member States.
2.2. What we want to achieve — objectives
The overall objectives of the EASA system are defined in Article 1 of the Basic Regulation. The
regulatory material presented here is expected to contribute to achieving these overall objectives by
addressing the issue described in Section 2.1.
More specifically, with the regulatory material presented here, EASA intends to facilitate the
harmonised implementation of the Part-IS regulatory package.
2.3. How we want to achieve it — overview of the amendments
The Part-IS regulatory package introduces mostly performance- and risk-based provisions for the
identification and management of information security risks in aviation organisations and aviation
competent authorities. EASA updates the GM to provide further insight into how certain requirements
should be understood from the Agency’s point of view and advice on the practical aspects related to
the implementation of the requirements (how to). This is also done by referring to available industry
standards that could be used to demonstrate compliance. Moreover, in order to facilitate the
harmonised implementation in all Member States, the same GM is provided for both the
Implementing and Delegated Commission Regulations and thus for all organisations within the scope
of Part-IS and, to a large extent, for authorities when requirements for authorities and organisations
are equivalent.
The targeted applicability of the regulatory material is aligned with the applicability dates of the
implementing and delegated acts of Part-IS.
2.4. What are the stakeholders’ views
During the focused consultation, a total number of 206 comments from 19 different stakeholders were received on NPA 2025-101. These were distributed as shown in Figure 1.
Figure 1: Distribution of comments per stakeholder group
The major comments, related considerations, and how they were addressed by EASA are summarised
hereafter. Due to the similarity of the requirements on authorities with those on organisations (both
IS.I.OR and IS.D.OR), the comments received in relation to certain topics have been grouped to better
highlight the identified areas of interest and to provide an overview of the changes initiated by the
comments received. Therefore, changes that were suggested and have been introduced in the GM to
the authority requirements (ARs) have been also introduced in the organisation requirements (ORs)
when those points were of a general nature.
Figure 2 shows the distribution of the comments per area.
Figure 2: Distribution of comments per area of interest
The comments received resulted in providing further clarifications and corrections of identified inconsistencies. In particular, the comments on the further guidance to ‘Information security management system (ISMS) (IS.I/D.OR.200 and IS.AR.200)’ resulted in the inclusion of some further description of the interaction between the safety and the information risk assessment processes.
[Figure 1 (pie chart), stakeholder groups shown in the legend: Airlines Associations; Airport Associations; ATM/ANS organisations; Authorities; Manufacturers Associations; Others.]
[Figure 2 (bar chart, vertical axis: number of comments, 0 to 60), areas of interest: GM1 IS.D/I.OR.200/IS.AR.200 Information security management system (ISMS); Appendix V — Proportionality considerations related to indicators of complexity; Appendix IV — Part-IS requirements mapping to ISO/IEC 27001 clauses and controls, and considerations on differences; GM1 IS.I/D.OR.200(e) Information security management system (ISMS) - Derogation; Appendix III — Examples of aviation services and interfaces.]
3. Expected benefits and drawbacks of the regulatory material
The provision of additional GM is beneficial in supporting the implementation of the rules.
4. Monitoring and evaluation
The usefulness of the AMC and GM to Commission Regulations (EU) 2022/1645 and 2023/203 will be
monitored through standardisation and oversight activities.
5. Proposed actions to support implementation
Under the implementation support task IST.0001 ‘Supporting the implementation of the IS
management system (ISMS) by industry and NCAs’ described in the 2025 EPAS Volume II, EASA:
— holds dedicated thematic workshops;
— provides support to national competent authorities and organisations to develop competence
building / training for the implementation of Part-IS and the relevant oversight;
— coordinates with the dedicated TF of volunteer Member States to jointly discuss and solve the
challenges linked with Part-IS implementation.
6. References
The following (non-exhaustive) list includes documents that have been considered during the
development of these Decisions:
— ISO 27000 Series on ‘information security management systems (ISMS)’ standards
— EUROCAE ED-200 Series on ‘information security in aviation’ standards