Sofema Aviation Services (SAS) considers the key aspects related to the development of an ISMS.
Phase 6 – Regulatory Certification and Approval
The Regulatory Certification and Approval phase is the final step in the implementation of an EASA-compliant Information Security Management System (ISMS). This phase involves conducting a thorough internal compliance audit, providing the competent authority with the opportunity to audit the process, and addressing any findings or gaps identified during the approval process.
This phase typically lasts 1 to 2 months for a medium-sized operator, depending on the complexity of the ISMS and the results of the internal and external audits.
Key Objectives of the Regulatory Certification and Approval Phase
The primary objective of this phase is to secure formal approval from EASA or the national aviation authority, confirming that the ISMS meets all applicable regulatory requirements. The key goals include:
- Conducting a final internal compliance audit to verify that all ISMS components are correctly implemented and functioning as intended.
- Compiling and reviewing all ISMS documentation to confirm that it meets EASA’s requirements and accurately reflects the implemented controls.
- Submitting the ISMS documentation to the competent authority (EASA or the national authority) for review and approval.
- Addressing any findings or gaps identified during the audit or approval process.
- Establishing a process for ongoing monitoring and continuous improvement following certification.
Achieving certification represents a significant milestone in the organization’s information security journey, confirming that the ISMS is both effective and compliant with international aviation standards.
Steps in the Regulatory Certification and Approval Phase
Conduct an Internal Compliance Audit
Before submitting the ISMS for regulatory approval, the organization must conduct a comprehensive internal compliance audit to verify that all ISMS elements are operational and effective.
The internal compliance audit should be conducted by the Compliance Manager or an independent internal audit team to ensure objectivity and thoroughness. It should follow the guidelines established in the ISMS framework and EASA’s acceptable means of compliance (AMC).
Scope of the Internal Audit:
- Governance and Accountability: Confirm that the ISMS Manager and security team have been formally appointed. Verify that senior management has endorsed the ISMS policy. Ensure that roles and responsibilities for information security are clearly defined.
- Information Security Policy and Procedures: Confirm that the Information Security Policy is up to date and accessible to staff. Verify that all supporting procedures (e.g., access control, incident response) are being followed consistently. Ensure that any recent changes to the ISMS have been documented and approved.
- Technical and Administrative Controls: Confirm that firewalls, encryption, and access controls are functioning as intended. Verify that all identified vulnerabilities have been addressed. Ensure that data backups are secure and recoverable. Test logging and monitoring systems to confirm that they are capturing and reporting security events accurately.
- Incident Management: Verify that incident response procedures have been tested through tabletop exercises. Confirm that staff are aware of incident reporting procedures. Ensure that incident records are complete and accurately documented.
- Training and Awareness: Confirm that all staff have completed required information security training. Verify that training records are up to date and reflect current staff assignments. Assess the effectiveness of security awareness programs (e.g., phishing tests).
- Third-Party Management: Confirm that ISMS requirements are included in contracts with suppliers. Verify that third-party audits have been conducted where required. Ensure that external service providers are meeting security obligations.
- Performance Monitoring and Continuous Improvement: Review the results of vulnerability scans, penetration tests, and security audits. Confirm that corrective actions have been implemented for identified weaknesses. Ensure that key performance indicators (KPIs) are being tracked and reported.
Key Deliverables from the Internal Audit:
- Internal Audit Report – A detailed report identifying findings, corrective actions, and areas for improvement.
- Compliance Statement – A statement signed by the ISMS Manager confirming that the ISMS is compliant with EASA regulations and ready for submission.
- Corrective Action Plan – A plan to address any non-conformities identified during the internal audit.
Compile and Submit ISMS Documentation
Core ISMS Documentation Includes:
- Information Security Policy – The high-level policy defining the organization’s approach to information security.
- ISMS Manual – A detailed manual describing the structure of the ISMS, roles and responsibilities, and security controls.
- Risk Assessment Report – A documented analysis of information security risks and mitigation strategies.
- Incident Response Plan – Procedures for detecting, reporting, and resolving security incidents.
- Training Records – Proof that staff have been trained on ISMS policies and procedures.
- Audit Reports – Reports from internal audits, penetration tests, and vulnerability scans.
- Supplier and Contractual Agreements – Proof that ISMS requirements have been integrated into supplier contracts.
The documentation must be submitted to the appropriate national aviation authority or EASA depending on the organization’s operational jurisdiction.
Challenges in the Certification Phase
- One challenge is ensuring that all documentation is consistent and accurately reflects the implemented ISMS controls.
- Another challenge is addressing findings within the authority’s specified timeframe, especially if major gaps are identified.
- Coordinating the certification process across multiple operational sites and departments can also be complex.
Recommended measures to address these challenges:
- Engage the authority early in the process to clarify expectations.
- Assign a dedicated compliance officer to manage the certification process.
- Conduct a pre-certification audit to identify gaps before the formal review.
Please see the final part (Part &) here: https://www.dhirubhai.net/pulse/easa-compliant-operator-information-security-system-bentley-fraes-r7oge