The European Union Aviation Safety Agency (EASA) has published its first Easy Access Rules (EAR) for Information Security. The publication contains the rules and procedures for the management of information security risks with a potential impact on aviation safety for organizations and authorities.
Information security risks are a growing threat to the civil aviation environment as current information systems become more and more interconnected. These systems are also increasingly becoming the target of malicious actors. The risks are not limited to cyberattacks; they also encompass threats that may affect processes and procedures, as well as the insider threat.
Many organizations already use international standards, such as ISO 27001, in order to address the security of digital information and data. But EASA says those standards may not fully address all the requirements and challenges of civil aviation.
The EAR for Information Security covers the relevant EU Commission Implementing Regulation 2023/203 and Delegated Regulation 2022/1645 and Decisions 2023/008/R, 2023/009/R and 2023/010/R, which provide for acceptable means of compliance and guidance material to support information security and cybersecurity.
For example, the EAR includes requirements relating to information security policy, information security management systems, risk assessments and compliance monitoring. The publication also covers the detection of, response to and recovery from information security incidents.
EASA says the EAR will be updated regularly to incorporate further changes and evolutions to its content.