Frequently asked questions

The role of the Civil Aviation Information Security Officer (RSIAC) is defined in section 2 of Security Instruction SA-16 as the person within an entity in charge of ensuring the security of the organisation's information against threats and cyberattacks that could affect AVSEC. Following the last update of SA-16 on 18/12/2023, the role has the following functions and responsibilities:

a. Identify the critical functions that apply to the entity. 
b. Determine the criticality of communications systems and/or critical data on the basis of the critical functions identified. 
c. Perform risk analyses to identify vulnerabilities and to select and implement the entity's security measures. 
d. Develop, maintain and update the entity's information security documentation. 
e. Assign information security profiles and responsibilities. 
f. Check that personnel comply with the provisions of section 11.1.2 (c) and Instruction SA-20. 
g. Ensure staff awareness and training on information security. 
h. Act as point of contact with the national competent authorities and with other information security entities. 
i. Manage information security in the supply chain. 
j. Establish the procedure for reporting information security incidents and monitor compliance with it. 
k. Manage and share relevant information with the competent authorities and other entities, on the entity's own initiative or at the request of the authorities. 
l. Manage information security incidents and coordinate with the reference CSIRT. 
m. Answer to the competent authority for the information security audits carried out; manage deficiencies and implement corrective measures as necessary.

Likewise, point IS.I.OR.240(b) (Personnel requirements) of Regulation (EU) 2023/203 states that the accountable manager shall appoint a person or group of persons to ensure that the organisation complies with the requirements of that Regulation, and shall define the scope of their authority. That person or group of persons shall report directly to the accountable manager and shall have the appropriate knowledge, training and experience to carry out their responsibilities. Procedures shall determine who replaces a particular person in the event of his or her prolonged absence.

In addition, IS.I.OR.240(d) states that, if the organisation shares organisational structures, policies, processes and procedures for information security with other organisations or with areas of its own organisation that are not part of the approval or declaration, the accountable manager may delegate these activities to a Common Responsible Person (CRP).

The Acceptable Means of Compliance and Guidance Material to Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 clarifies that:

“The possibility of delegating a CRP applies to an organisation that shares organisational structures, policies, processes and procedures for information security with other organisations or with parts of its own organisation that are not part of the authorisation or declaration, therefore this CRP is expected to have responsibilities and competences for information security. In particular, the CRP should be able to manage the organisation’s information security strategy and its implementation to ensure the achievement of the objectives described in Article 1. According to the European Cybersecurity Skills Framework (ECSF) published by ENISA in September 2022, this person can be described, for example, as (chief) responsible for information security, director of the cybersecurity programme or responsible for information security.”

Therefore, both the AVSEC regulations, through the RSIAC, and the SAFETY regulations (Part-IS), through the CRP, require one or more persons to be appointed to guarantee compliance with the information security requirements established by those regulations.

It is up to each entity to decide whether the person responsible for compliance with the information security requirements from the AVSEC point of view (RSIAC) and the person responsible for compliance with the information security requirements from the SAFETY point of view (CRP) are one and the same or are different, coordinated persons, and to define the organisational structure that ensures compliance with both sets of legislation.

The competent authority is also required to implement an information security management system. Among the aspects covered by this management system is the protection of the confidentiality of any information that the competent authority may hold in relation to the organisations under its supervision, including information received through the organisations' external reporting systems. See requirement IS.AR.200(a)(9).

As provided in point CAMO.A.125(d)(3), a CAMO may arrange for limited continuing airworthiness tasks to be performed by any subcontracted undertaking working under its management system, which shall be listed in its certificate of approval (AC-CAMO-P01-F14).
Tasks that can be subcontracted in this way include reliability monitoring and engine health monitoring. 
However, when these tasks are entrusted to the manufacturer or design holder of the aircraft or engine, and their feedback is limited to reporting to the CAMO the results of the data provided, this is not considered subcontracting and the manufacturer or design holder will therefore not be listed in the CAMO approval certificate.

“Details of maintenance work performed”, according to GM M.A.305(g), are the records that must be kept by the person or organisation responsible for the continuing airworthiness of the aircraft in accordance with M.A.201 in order to fulfil its obligations under Part-M. They are only a subset of the records referred to in points CAO.A.090(a) or 145.A.55(a).
Maintenance organisations must keep all detailed records needed to demonstrate that they have worked in accordance with their respective requirements and procedures.
It is not necessary to transfer all records from the maintenance organisation to the person or organisation responsible for the continuing airworthiness of the aircraft in accordance with M.A.201, unless they specifically contain information relevant to the configuration of the aircraft and its future maintenance. Therefore, the person or organisation responsible in accordance with M.A.201 does not need to keep the certificates of conformity, the references to the batch numbers of the material used, or the individual work cards checked and/or generated by the maintenance organisation. However, the owner/CAMO may request such information from the maintenance organisation in order to verify and demonstrate the effectiveness of the aircraft maintenance programme.
Information relevant to future maintenance may be contained in specific documents related to:

  • modifications;
  • airworthiness directives;
  • repaired and unrepaired damage;
  • the components referred to in M.A.305(d); and
  • actions taken in response to defects.

Yes. Regardless of the owner's/operator's approvals and scope, you have the option of signing a contract with a CAMO. What matters is that the continuing airworthiness of the aircraft is managed by an appropriately approved CAMO.

The electrical load analysis (ELA) is provided by the aircraft manufacturer to the operator.
These data are part of the instructions for continued airworthiness (ICA); see the AMC to Appendix H, H25.5, Instructions for continued airworthiness applicable to point 5 of the EWIS. Changes to the ICA are changes to the type certificate and must be approved in accordance with Part 21.
Where relevant, a change or modification should include a difference sheet for the ELA so that the operator can update the current ELA.
The CAMO is responsible for keeping the ELA up to date and consistent with the design of the aircraft, including its approved changes.
The aircraft owner should have access to all relevant information in order to fulfil its continuing airworthiness obligations under Regulation (EU) 1321/2014, for example to provide that information to the competent authority on request, or to transfer the continuing airworthiness records of the aircraft to a new owner when the aircraft changes ownership or in similar circumstances.
The new CAMO that takes over the aircraft will verify these data when developing the aircraft maintenance programme (see M.A.302).

The regulation does not impose a "basic" or "generic" maintenance programme; however, Chapter 1.2 of the CAME should describe how the organisation will develop the AMP. 
The organisation must define the means by which it demonstrates that it is competent for the management it intends to carry out. Elements such as the IT tool used to manage the AMP, access to the applicable technical documentation and/or the staff's experience in AMP matters can contribute to this.

Yes, an organisation with a Part-CAMO approval may have a generic scope on its approval certificate (AC-CAMO-P01-F14). However, even if the approval has a generic scope, the continuing airworthiness management exposition (CAME) shall always reflect the specific scope of the organisation; it is therefore recommended that the generic scope of approval not be excessively broad compared with the scope defined in the CAME.  
Organisations shall apply to AESA for any change to the scope defined in the approval certificate.

There must be an agreement between the auditor and the auditee that covers at least:

  • the platform to be used (e.g. WebEx, Teams, Lync, etc.);
  • pre-audit testing of platform compatibility;
  • the use of cameras where a physical inspection is required, checking beforehand that there is data/Wi-Fi coverage in all areas to be audited that need to be viewed through the remote camera;
  • an audit plan that identifies the IT means to be used and how they will be used, so as to optimise the audit while maintaining the integrity of the process;
  • time differences, where applicable, so that sessions can be scheduled at reasonable times for both parties;
  • a written statement that the auditee will cooperate to the fullest extent possible and provide the truthful information requested, including the cooperation of subcontracted companies where necessary;
  • data protection aspects.

This applies both to remote audits carried out by the competent authority and to audits carried out by organisations on their own suppliers and subcontractors.  
Authorities and organisations that decide to use remote audits should describe how remote audits operate in their procedures and should consider at least the following points:

  • the use of an information technology methodology flexible enough to optimise the conventional audit process;
  • the definition and implementation of controls to prevent abuses that could compromise the integrity of the audit process;
  • measures to ensure that security and confidentiality are maintained during audit activities (data protection and the intellectual property of the organisations audited must also be safeguarded).

Further information can be found in the guidance material GM1 CAMO.A.200(a)(6) and GM1 CAMO.B.300 (Management system and Oversight principles).