My organisation would like to apply for a derogation. Is it eligible and if so, what procedure should be followed?
As per GM1 IS.D.OR.200(e):
‘Any organisation that believes that it does not pose any information security risk with a potential impact on aviation safety, either to itself or to other organisations, may consider requesting an approval for a derogation by the competent authority by performing a documented information security risk assessment following the procedure outlined in AMC1 IS.D.OR.200(e).’
Indicatively, such organisations might include design organisation approval (DOA) or production organisation approval (POA) holders that design or produce only components or parts that either are not involved in ensuring the structural integrity of the aircraft (e.g. carpets, interiors) or have no major safety-related aircraft functionality (including, but not limited to, aircraft software, navigation, avionics, engines, flight control, landing gear, hydraulics, electrical, air, communications, etc.).
The aforementioned example is only indicative of what could provide an initial basis for the preparation of an information security risk assessment that justifies the exclusion of all elements of an organisation from the scope of the information security management system (ISMS). It is up to the authority to determine whether the assessment provided by the organisation is deemed satisfactory for a derogation to be granted.
If my organisation receives a derogation, does this mean that it is exempted from compliance with Part IS?
No. A derogation is a temporary exemption from the full requirements of a regulation, not a permanent release from Part-IS. The organisation is advised to remain vigilant and, as a minimum, to reassess its exposure to cybersecurity threats whenever its scope changes. In particular, the continued validity of the derogation will be reviewed by the competent authority following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.