Secure Your EASA Information Security Compliance!
Sofema Aviation Services Releases Essential EASA Part-IS Information Security Management Manual (ISMM) and Compliance Toolkit
ISMS Manual Template Plus 30 Form Pack Only - 699 Euro*
- Upgrade to the Template & Forms Pack plus Special Training Access for 1500 Euro (includes up to 2000 Euros of online ISMS training with Sofema Online)
Sofema Aviation Services (SAS) is proud to announce the immediate availability of its comprehensive Information Security Management Manual (ISMM) – Issue 1.1 – a turnkey solution for the European aviation sector racing to meet the forthcoming EASA compliance deadlines.
This essential manual and its accompanying toolkit, developed by SAS and first adopted by a Part-145 organization, are meticulously designed to guide organizations through the complexities of Implementing Regulation (EU) 2023/203 (Part-IS), which introduces mandatory information security requirements to protect aviation safety.
Achieve EASA Part-IS Compliance by February 2026
- With the mandatory compliance deadline of February 22, 2026, rapidly approaching for Part-145 Maintenance Organisations (MROs) and the other organizations covered by Implementing Regulation (EU) 2023/203, establishing a fully functional Information Security Management System (ISMS) is no longer optional; it is a regulatory requirement for continued operational approval.
- The SAS solution offers the immediate, ready-to-implement documentation necessary to demonstrate to your Competent Authority that your organization is managing information security risks with a potential impact on aviation safety.
Key Features of the Sofema Aviation Services ISMS Solution
The manual is an EASA Part 145 Compliant Information Security Manual, fully integrating the requirements of EASA’s Easy Access Rules for Information Security with the structured framework of ISO 27001.
- Complete Documentation: The ISMM contains all mandatory procedures and policies, including the commitment statement to be signed by the Accountable Manager and the CEO (if different).
- Integrated Risk Management: It defines a systematic methodology for the identification, analysis, and treatment of Information Security Risks, clearly defining Acceptable, Conditionally Acceptable, and Not Acceptable risks based on the Risk Assessment Score (RAS) model.
- Risk-Based Controls: The manual includes a comprehensive list of organizational, people, physical, and technological controls (aligned with the Statement of Applicability), covering critical areas like Multi-Factor Authentication (MFA), Least Privilege, and secure remote working.
- Incident Response & Compliance: Detailed procedures ensure compliance with mandatory reporting, including the obligation to notify the competent authority of incidents with a potential impact on aviation safety within 72 hours.
- Mandatory Forms and Registers (30-Form Pack): The accompanying toolkit includes over 30 controlled documents, forms, and registers required for system operation and auditable record-keeping. This includes essential items such as:
- Information Security Risk Register (IS 2)
- ISMS Audit Programme and Schedule (IS 4)
- Cyber Incident Register (IS 22)
- Access Request & Access Review Report (IS 8, IS 11)
See the following extract from the Manual
Access Control & Authentication: Key Requirements
The procedure focuses on three core principles: Least Privilege, Strong Authentication (MFA), and Rigorous Lifecycle Management (JML: Joiner/Mover/Leaver).
- Principle of Least Privilege (RBAC)
Access is granted based on the principle of least privilege, ensuring users only have access to information and resources absolutely necessary for their job functions.
- Model: Access is primarily managed using a Role-Based Access Control (RBAC) model.
- Approval: All access requests must be initiated by the Line Manager and require mandatory security approval from the Information Security Manager (ISM) for all privileged or remote access.
- Review: Line Managers and the ISM must conduct mandatory semi-annual access reviews to confirm continued adherence to the least privilege principle.
- Mandatory Multi-Factor Authentication (MFA)
MFA is a mandatory control to verify identity and is enforced across the organization to counter credential theft.
- Mandatory Use Cases: MFA is mandatory for all remote access, all privileged actions, and all systems holding safety-critical, maintenance, or Personally Identifiable Information (PII).
- Preferred Options: The organization prefers the strongest available factors, in the following order of preference:
- Hardware Security Keys (highest security; phishing-resistant, since the authenticator is bound to the legitimate origin).
- Software Tokens / Authenticator Apps (e.g., TOTP codes). Note that a TOTP code can be relayed by a real-time phishing proxy, so this option is strong against password theft but is not phishing-resistant.
- Discouraged Options: SMS One-Time Passcodes (OTP) are discouraged due to lower security (vulnerability to SIM-swapping) and are only permitted via documented ISM exception.
- KPI Monitoring: Compliance is measured by the MFA Coverage KPI, with a target set as a percentage of in-scope users/systems.
- Account Lifecycle Management (JML)
The process ensures immediate revocation of access upon role change or separation, which is a key Compliance Monitoring KPI.
- Joiners: Access is created no earlier than two working days prior to the start date and remains disabled until Day 1.
- Leavers: Line Managers must notify IT/ISM before the last working day. IT must disable all accounts at the end of the last shift; privileged accounts are disabled immediately upon notification.
- KPI Target: The KPI for Leaver Account Disablement Timeliness requires a set percentage of leaver accounts to be disabled on the same day as the last shift.
- Call to Action: The Clock is Ticking!
- The final deadline for EASA Information Security compliance (Implementing Regulation (EU) 2023/203) is February 22, 2026.
- Implementation of an ISMS is a complex project that includes policy development, risk assessment, staff training, and deep organizational change. Don't wait until the last quarter!
Next Steps
Visit Sofema Aviation Services to acquire ISMM – Issue 1.1 and the 30-Form Compliance Toolkit today to accelerate your path to compliance and safeguard your organization's operation and approval status. Protect your airworthiness, integrity, and future. Email Team@sassofia.com
