Once the first step has been taken and the systemic and organizational foundations for an information security management system (ISMS) have been established, aviation organizations often face the following questions:
How can this ISMS be efficiently integrated into existing management systems? How can the numerous EASA documentation requirements be efficiently met? How can I pass an audit without losing track of the various supporting documents?
A well-structured guide to the ISMS—the Information Security Management Manual (ISMM)—can help answer these questions.
Why an ISMS without an overarching structure has its limitations
As the scope and depth of regulations expand, the picture becomes more complex. In the aviation sector, there are numerous requirements regarding (cyber) security, safety, management systems, and organizational responsibilities. While clearly defined in theory, these are often addressed in practice through a pragmatic and cross-functional approach.
But: Is this documented in such a way that it can be easily verified during an audit?
What an Information Security Management Manual (ISMM) Does
At first, additional documentation requirements are often seen as an unnecessary burden that consumes valuable resources. The value of investments in security is generally not immediately apparent, and the risks involved are not directly quantifiable.
With the help of an ISMM or a well-documented ISMS, security gaps—such as incomplete or missing processes, responsibilities, reporting channels, etc.—can be identified and subsequently addressed in practice. In this way, an ISMM can make a significant contribution to enhancing information security within your organization.
An ISMM serves as the central (evidence) document of an ISMS in accordance with EASA Part-IS and refers, where appropriate, to the relevant key documentation applicable to specific topics.
The ISMM describes how your ISMS is organized: its scope and boundaries, responsibilities, integration into existing management systems, interfaces with service providers and government agencies, and the process for the continuous improvement of the ISMS.
EASA Part-IS: What the Regulation Requires of the ISMM
With Regulation (EU) 2022/1645, EASA has now defined information security as an integral part of aviation safety.
The requirements of the aforementioned regulation go beyond those of relevant frameworks—such as ISO/IEC 27001. For example, ISO/IEC 27001 addresses more traditional security objectives such as confidentiality, integrity, and availability, whereas EASA Part-IS raises an additional question: Which threat scenarios could potentially impact aviation safety, and thus pose a risk to flight safety?
This is not about traditional technical malfunctions that occur without deliberate human intervention, but rather about the deliberate, malicious manipulation of the systems on which aviation safety depends.
Examples of this at airports include tampered maintenance data, blocked ATC information, or compromised ground handling systems. Such safety risks should be identified, assessed, and addressed through a process documented in the ISMM. In addition to risk management, the ISMM must also document other responsibilities, processes, and procedures, such as those related to training and qualification, the handling of information security incidents and vulnerabilities, and continuous improvement.
What is required to develop an ISMM
First things first: An ISMM cannot be created as a standard document without additional effort. It should describe in detail the actual responsibilities, processes, and structure of the ISMS and be tailored to the complexity of the organization. For example, a major international airport requires a significantly more complex ISMS than a small maintenance company in terms of security needs and the volume of data and information flows—and the content of the ISMM is correspondingly more extensive.
In addition to determining which processes and systems fall within the scope of the ISMS, it is also important to analyze how external interfaces with service providers are defined and to what extent information security risks might affect flight safety.
This requires cross-departmental coordination between IT, operational units, safety management, and compliance. It also requires knowledge of Part-IS requirements and an efficient approach to determining how existing structures can be leveraged where appropriate. AviaCert supports airports and aviation organizations in precisely this step—from analyzing existing structures and mapping regulatory requirements to establishing a complete, audit-ready documentation framework.
