What is the relationship between product and organisation information security, for example, how does an aircraft certified under CS 25.1319 fits in Part-IS?
Answer
Part-IS is a set of rules that aims to address information security risks at the entity level by establishing processes to ensure the protection of all elements identified as part of its scope. In order to identify which elements (and relevant assets) of an entity may be exposed to information security risks and therefore need to be included in the scope of Part-IS, an information security risk assessment shall be carried out in accordance with point IS.OR.205.
Aeronautical products, such as an aircraft whose certification includes airworthiness security objectives, will be important elements to be considered in the scope of Part-IS, for example, for an air operator. Any procedures already in place for meeting the requirements arising from the product certification will need to be complemented by the new organisational requirements under Part-IS to ensure a holistic protection of all identified assets and of their interfaces with other elements and organisations. Below is a graphic illustration of an example of the scope and interaction between Part-IS and Part-21 in relation to continuing airworthiness activities.