Sofema Online (SOL) considers a typical scenario related to outsourced IS Service Provision.
Introduction
This article distinguishes between IT service providers and general vendors, and discusses the essential contract template considerations for each, detailing the regulatory obligations for oversight, incident reporting and risk management that your organization must meet to maintain compliance and operational security.
Summary of Differences
• For the IT Company (ISMS Partner): You are delegating the performance of regulated ISMS activities while remaining accountable for them. You need deep control and audit rights, and the provider must follow your manual/policy or a bridged version of it.
• For the General Vendor: You are managing a risk. You need notification triggers (so you can react) and basic hygiene assurances (background checks, patching), but you do not dictate their internal policy.
Contract Guidance for IT Company (IS Services Provider)
Regulatory Context: This relationship is governed by IS.I.OR.235 (Contracting of information security management activities). Since this company performs ISMS tasks on your behalf (e.g., monitoring, firewall management), they effectively function as part of your ISMS. You remain accountable, but they must operate under your direct oversight.
Required Contract Terms & Clauses:
• Scope of ISMS Activities:
>> Regulation: IS.I.OR.235(a)
>> Guidance: You must clearly define which Part-IS activities are delegated (e.g., "Monitoring of detection events under IS.I.OR.220"). The contract must explicitly state that these activities are to be performed in compliance with Regulation (EU) 2023/203.
• Competent Authority Access (Mandatory):
>> Regulation: IS.I.OR.235(b) & AMC1 IS.I.OR.235(b)
>> Guidance: You must include a clause granting your Competent Authority (e.g., EASA or NAA) access to the IT company's premises, data, and personnel.
>> Sample Wording: "The Provider grants the Customer and its competent aviation authority access to premises, data, and personnel to determine continued compliance with applicable EASA regulations."
• Incident Reporting (Strict):
>> Regulation: IS.I.OR.215(c)
>> Guidance: The provider must report security events to you.
>> Manual Alignment: Your ISMS Manual requires you to report safety-relevant incidents to the Authority within 72 hours. Therefore, the contract must require the IT company to report to you significantly faster (e.g., "within 12 hours of detection") to allow you time to assess and report externally.
• Right to Audit:
>> Regulation: AMC1 IS.I.OR.235(a)
>> Guidance: You must retain the right to audit them. Your Compliance Monitoring Manager (CMM) is responsible for establishing an audit programme. The contract must allow your CMM to audit their security controls and training records.
• KPIs & Performance:
>> Regulation: AMC1 IS.I.OR.235(a)
>> Guidance: You must define KPIs to measure their performance.
>> Example: Based on your Manual's "Administrator Account Inventory" KPI, you should contractually require them to provide an inventory of admin accounts quarterly to verify no unauthorized admins exist.
• Correction of Defects:
>> Regulation: IS.I.OR.225 / AMC1 IS.D.OR.235(a)
>> Guidance: If your audit identifies non-compliance, the IT company must be contractually obliged to implement a "Remediation Plan" within a specific timeframe validated by you.
• Data Retention:
>> Regulation: IS.I.OR.245
>> Guidance: Records of incidents, risks, and maintenance must be kept for 5 years. Ensure the contract prevents the provider from deleting logs (e.g., firewall logs, detection alerts) before this period expires.
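The "Administrator Account Inventory" KPI above only delivers assurance if the provider's quarterly inventory is actually reconciled against the customer's own authorised-administrator register. The script below is an added worked example of that reconciliation; it is not part of the Sofema article or of any Sofema tooling. The CSV layout, the field names (account, system, owner, last_reviewed), the 90-day review age and the sample accounts are all constructed assumptions for illustration.

```python
"""Quarterly administrator-account inventory reconciliation (added example).

Compares the inventory delivered by the IT provider with the customer's
authorised-administrator register and reports four kinds of finding:
accounts that are not authorised, authorised accounts that have gone
missing, accounts with no accountable owner, and accounts whose last
review is older than the agreed maximum age.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample: the inventory as delivered by the provider (CSV text).
PROVIDER_INVENTORY_CSV = """account,system,owner,last_reviewed
adm-jsmith,firewall-01,J. Smith,2024-03-01
adm-akhan,siem,A. Khan,2024-03-01
svc-backup,fileserver,,2023-06-15
adm-temp7,firewall-01,,2024-02-20
"""

# Constructed sample: the customer's authorised administrator register,
# keyed by (account, system) so the same name on two systems is two entries.
AUTHORISED_ADMINS = {
    ("adm-jsmith", "firewall-01"),
    ("adm-akhan", "siem"),
    ("adm-lwong", "siem"),  # authorised, but absent from this quarter's inventory
}


@dataclass
class ReconciliationResult:
    unauthorised: list = field(default_factory=list)  # in inventory, not in register
    missing: list = field(default_factory=list)       # in register, not in inventory
    no_owner: list = field(default_factory=list)      # no accountable owner recorded
    stale: list = field(default_factory=list)         # review older than max_age_days

    @property
    def passed(self) -> bool:
        """True only when every finding list is empty."""
        return not (self.unauthorised or self.missing or self.no_owner or self.stale)


def reconcile(inventory_csv: str, authorised: set, review_cutoff: date,
              max_age_days: int = 90) -> ReconciliationResult:
    """Reconcile a provider inventory against the authorised register.

    review_cutoff is the date the inventory was taken; an account whose
    last_reviewed is more than max_age_days before it is flagged as stale.
    """
    result = ReconciliationResult()
    seen = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["account"].strip(), row["system"].strip())
        seen.add(key)
        if key not in authorised:
            result.unauthorised.append(key)
        if not row["owner"].strip():
            result.no_owner.append(key)
        reviewed = date.fromisoformat(row["last_reviewed"].strip())
        if review_cutoff - reviewed > timedelta(days=max_age_days):
            result.stale.append(key)
    # Anything authorised that the provider did not report needs explaining too:
    # either the account was removed without telling you, or the inventory is incomplete.
    result.missing = sorted(authorised - seen)
    return result


def run_sample() -> ReconciliationResult:
    """Reconcile the constructed sample as of the end of Q1 2024."""
    return reconcile(PROVIDER_INVENTORY_CSV, AUTHORISED_ADMINS, date(2024, 3, 31))


if __name__ == "__main__":
    r = run_sample()
    print("KPI status:", "PASS" if r.passed else "FAIL")
    for label, items in (("Unauthorised admin accounts", r.unauthorised),
                         ("Authorised accounts not reported", r.missing),
                         ("Accounts with no owner", r.no_owner),
                         ("Accounts with stale review", r.stale)):
        for account, system in items:
            print(f"  {label}: {account} on {system}")
```

Each non-empty finding list is a question for the provider's remediation plan rather than a verdict: an unauthorised account may be a legitimate change that was never notified, but it still means the change-notification clause failed. Keeping the register keyed by (account, system) is deliberate, since an administrator authorised on the SIEM is not thereby authorised on the firewall.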
Contract Guidance for Non-ISMS-Approved Vendors
Regulatory Context: These are suppliers who do not perform IS management tasks but do have access to your data or systems (e.g., HVAC maintenance with network access, cloud storage, or software vendors). This falls under IS.I.OR.205(b) (Interfaces) and IS.I.OR.215 (Reporting).
Required Contract Terms & Clauses:
• Notification of Incidents:
>> Regulation: IS.I.OR.215(c) & GM1 IS.I.OR.215(c)
>> Guidance: Even if they do not follow EASA rules, they must report events that could impact your safety.
>> Sample Wording: "Vendor shall notify the Customer of any security breach affecting the service/product within [X] hours." If ad-hoc reporting is not possible, they must provide an up-to-date list of known vulnerabilities affecting their product.
• Vulnerability Management:
>> Regulation: IS.I.OR.215(b)
>> Guidance: You need to respond to vulnerabilities. The contract should require the vendor to provide patches or mitigations for their specific product within a reasonable time (e.g., "Critical patches provided within 7 days").
• Coordination / Point of Contact:
>> Regulation: GM1 IS.I.OR.215(c)
>> Guidance: The contract should designate a specific Point of Contact (PoC) for security/crisis management on the vendor's side.
• Access Control (Leavers):
>> Manual Alignment: Your manual tracks "Leaver Process Adherence" (revoking access within 24 hours).
>> Sample Wording: "Vendor must notify the Customer immediately upon the termination of any Vendor personnel who possess access credentials to the Customer's systems."
• Trustworthiness / Background Checks:
>> Regulation: IS.I.OR.240(i)
>> Guidance: You must ensure the trustworthiness of anyone accessing your systems.
>> Sample Wording: "Vendor warrants that all personnel assigned to the Customer account have undergone background checks verifying identity and absence of criminal record relevant to the role."
• Interface Risk Information:
>> Regulation: IS.I.OR.205(b)
>> Guidance: The vendor should agree to provide technical details (architecture, data flows) necessary for you to perform your own Risk Assessment on the interface.
Responsibilities to Ensure Compliance
The Information Security Manager (ISM) is responsible for conducting the "risk assessments of suppliers... prior to contracting". They should use these checklists to review the current drafts before the Accountable Manager signs them.
Note - Sofema ISMM Template is available as part of the Information Security Cyber Implementation Project. For details of availability, please email team@sassofia.com.