FAQ n.139303

It is possible to include the ISMS requirements in an overarching management system comprising information security, aviation safety, quality management etc. Moreover, as explained in further detail in FAQ n.139288, already existing ISMSs (e.g., from ISO/IEC 27001) can be tailored to the needs of Part-IS. From an organisational perspective, different types of risks interact with each other, and the implementation of certain controls (measures) may address more than one type of risks. Interacting bow ties allow for a higher-level and non-exhaustive illustration of how different disciplines of risk assessment may need to collaborate to establish a common risk perspective, as depicted in Figure 1 below:

Figure 1 — Bow-tie representation of management of aviation safety risks posed by information security (IS) threats