Integration of ISMS within an Existing Safety Management System (SMS) in an EASA Certified Operator


Sofema Online (SOL) reviews key elements of the ISMS integration within the Safety Management System

Introduction

An EASA-certified operator is required to maintain a Safety Management System (SMS) under Regulation (EU) No 965/2012 (Air Operations Regulation).

• EASA has introduced specific requirements for the integration of an ISMS with the existing SMS under Regulation (EU) 2022/1645 (amending Regulation (EU) No 965/2012) to address information security risks systematically.

• The integration of ISMS with an existing SMS in an EASA-certified operator requires a structured and phased approach.

• While SMS focuses on operational safety, ISMS addresses information and cyber security.

• By combining the two under a unified governance and risk management framework, operators can build a more resilient and responsive organization.

• Successful integration will enhance overall risk awareness, improve response effectiveness, and ensure compliance with EASA's evolving regulatory landscape.

Purpose of Integration

The integration of an ISMS with an existing SMS aims to create a unified framework that allows operators to manage both operational safety risks and information security risks in a cohesive manner. The key objectives are:

• Ensure that cyber threats do not compromise operational safety.

• Minimize the impact of information security incidents on safety-critical systems.

• Align security management with the operator's overall risk management framework.

• Improve the resilience of operational systems and infrastructure against cyber-attacks.

• Provide a streamlined approach to reporting and oversight.

SMS Requirements

• EASA requires an SMS under Part-ORO (Organisation Requirements for Air Operators) and ICAO Annex 19, which includes:

>> Safety policy and objectives

>> Safety risk management

>> Safety assurance

>> Safety promotion

ISMS Requirements

• EASA’s new ISMS requirements under Regulation (EU) 2022/1645 mandate operators to:

>> Identify, assess, and mitigate information security risks.

>> Monitor and respond to information security incidents.

>> Establish an information security governance framework.

>> Ensure alignment with operational risk management.

Challenges of Integration

Different Nature of Threats

• SMS primarily deals with operational safety threats (e.g., human error, mechanical failure), while ISMS addresses cybersecurity threats (e.g., data breaches, hacking, malware).

• Safety incidents are often immediate and visible; cyber incidents may be covert and ongoing before detection.

Cultural Differences

• Safety culture tends to focus on human factors and procedural compliance.

• Information security culture emphasizes technological defenses and data protection.

Overlapping and Conflicting Responsibilities

• Safety and security risk management may fall under different organizational departments (e.g., Safety Office vs. IT Department).

• Integrated responsibility and oversight can lead to conflicts over ownership and accountability.

Key Elements of Integration

To successfully integrate ISMS with SMS, EASA-certified operators should focus on the following elements:

Common Governance Structure

• Establish a single risk governance framework where both safety and security risks are managed within a unified process.

• Appoint a Security and Safety Manager or establish a joint Safety and Security Committee.

• Ensure top management support for integrated governance.

Risk Management Integration

• Use a common risk assessment framework to evaluate both safety and security risks:

>> Threat identification

>> Vulnerability assessment

>> Risk evaluation and mitigation

• Introduce information security threats into the operator's hazard identification and risk assessment processes under SMS.

Safety and Security Reporting

• Establish a single reporting channel for both safety and security events.

• Ensure that information security incidents that impact safety (e.g., GPS jamming, aircraft hacking) are treated with the same urgency as operational safety events.

Incident Response and Investigation

• Harmonize the investigation of safety and security events.

• Expand the operator's Emergency Response Plan (ERP) to cover security-related incidents (e.g., data breaches, system intrusions).

• Cross-train safety and security teams to handle overlapping incidents.

Training and Competence

• Develop integrated training programs covering both safety and information security.

• Train safety personnel to recognize and respond to cyber threats that may compromise safety.

• Train IT and security personnel on the operational safety impact of information security events.

Performance Monitoring and Review

• Incorporate information security KPIs into the SMS performance review process.

• Evaluate the effectiveness of the ISMS alongside SMS performance in safety audits and management reviews.

• Update risk management strategies based on performance data and incident feedback.

Benefits of Integration

• Enhanced Risk Awareness – Safety and security risks are considered collectively rather than in isolation.

• Improved Response Times – Streamlined reporting and incident management increase response effectiveness.

• Reduced Costs – Consolidation of systems and processes reduces duplication of effort and administrative costs.

• Regulatory Compliance – Ensures compliance with both EASA SMS and ISMS regulations.

• Increased Resilience – Improves overall organizational resilience to both operational and cyber threats.

Potential Pitfalls

• Resistance to Change – Integration may face resistance from separate safety and IT departments.

• Complexity in Implementation – Integrating two distinct management systems can lead to operational confusion.

• Underestimating Cyber Risks – Failure to properly integrate the ISMS may result in critical vulnerabilities.

Next Steps

Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email team@sassofia.com.
