99 sections · 579 audit questions · Implementing Rule, AMC and GM · v2025-12-05
Part-IS.D.OR is one of the rare EASA regimes where the AMC carries as much audit weight as the IR — most controls are stated in the IR and operationalised in the AMC, and the regulator’s review focuses on whether the AMC-level controls are actually in place. The DR (Delegated Regulation) route applies to organisations approved under Part-21, Part-145, Part-M and similar Subpart-G/Subpart-J approvals.
The checklist treats every AMC item as its own audit row rather than rolling them under the parent IR, because that’s how an information-security audit actually proceeds — auditors review controls, not citations.
Each row's citation links to the corresponding entry in the checklist. The audit-question count shows how many auditable rows the checklist generates from that leaf (zero means the leaf is informational only and produces no audit question).
| Citation | Kind | Title | Audit questions |
|---|---|---|---|
| IS.D.OR.100 | IR | Scope | 1 |
| IS.D.OR.200 | IR | Information security management system (ISMS) | 17 |
| IS.D.OR.200 | GM | Information security management system (ISMS) — ISMS subject areas | 22 |
| IS.D.OR.200(a)(1) | AMC | Information security management system (ISMS) — establish IS policy | 13 |
| IS.D.OR.200(a)(1) | GM | Information security management system (ISMS) — IS policy and objectives | 10 |
| IS.D.OR.200(a)(12) | AMC | Information security management system (ISMS) — compliance monitoring function | 3 |
| IS.D.OR.200(a)(12) | GM | Information security management system (ISMS) — internal audit conduct | 4 |
| IS.D.OR.200(a)(13) | AMC | Information security management system (ISMS) — confidentiality of received information | 3 |
| IS.D.OR.200(c) | AMC | Information security management system (ISMS) — ISMS documentation | 12 |
| IS.D.OR.200(c) | GM | Information security management system (ISMS) — documentation list | 8 |
| IS.D.OR.200(d) | GM | Information security management system (ISMS) — proportionality | 19 |
| IS.D.OR.200(e) | AMC | Information security management system (ISMS) — derogation | 2 |
| IS.D.OR.200(e) | GM | Information security management system (ISMS) — derogation regime | 18 |
| IS.D.OR.205 | IR | Information security risk assessment | 12 |
| IS.D.OR.205 | GM | Information security risk assessment — framework choice and references | 3 |
| IS.D.OR.205(a) | AMC | Information security risk assessment — elements in scope | 2 |
| IS.D.OR.205(a) | GM | Information security risk assessment — scope and boundaries identification | 2 |
| IS.D.OR.205(b) | AMC | Information security risk assessment — interfaces with other parties | 1 |
| IS.D.OR.205(b) | GM | Information security risk assessment — interfaces and risk information sharing | 10 |
| IS.D.OR.205(b) | GM | Information security risk assessment — examples of aviation services (informational) | 0 |
| IS.D.OR.205(c) | AMC | Information security risk assessment — risk management framework and process robustness | 11 |
| IS.D.OR.205(c) | GM | Information security risk assessment — risk classification, acceptance criteria, threat scenarios | 24 |
| IS.D.OR.205(d) | AMC | Information security risk assessment — review periodicity | 3 |
| IS.D.OR.205(d) | GM | Information security risk assessment — review purposes and documentation | 12 |
| IS.D.OR.205(d) | GM | Information security risk assessment — examples of review-triggering changes and non-Part-IS interface note | 1 |
| IS.D.OR.210 | IR | Information security risk treatment | 9 |
| IS.D.OR.210 | GM | Information security risk treatment — guidance | 16 |
| IS.D.OR.210(a) | AMC | Information security risk treatment — process and documentation | 5 |
| IS.D.OR.215 | IR | Information security internal reporting scheme | 11 |
| IS.D.OR.215(a)&(b) | AMC | Information security internal reporting scheme — combined AMC for §(a) and §(b) | 8 |
| IS.D.OR.215(a)&(b) | GM | Information security internal reporting scheme — relationship between internal and external reporting | 3 |
| IS.D.OR.215(a)&(b) | GM | Information security internal reporting scheme — organisation of collection and evaluation | 2 |
| IS.D.OR.215(a)&(b) | GM | Information security internal reporting scheme — relevant information for incidents and vulnerabilities | 1 |
| IS.D.OR.215(c) | GM | Information security internal reporting scheme — contracted organisations | 4 |
| IS.D.OR.215(d) | GM | Information security internal reporting scheme — cooperation on investigations | 5 |
| IS.D.OR.220 | IR | Information security incidents — detection, response and recovery | 10 |
| IS.D.OR.220 | GM | Information security incidents — events include vulnerabilities (umbrella GM) | 2 |
| IS.D.OR.220(a) | AMC | Information security incidents — detection strategy | 5 |
| IS.D.OR.220(a) | GM | Information security incidents — detection strategy | 4 |
| IS.D.OR.220(b) | AMC | Information security incidents — response strategy (incidents and vulnerabilities) | 13 |
| IS.D.OR.220(b) | GM | Information security incidents — terminology (warning, deception) | 1 |
| IS.D.OR.220(b)&(c) | GM | Information security incidents — recovery objectives and timing | 2 |
| IS.D.OR.220(c) | AMC | Information security incidents — recovery procedure content | 5 |
| IS.D.OR.225 | IR | Response to findings notified by the competent authority | 4 |
| IS.D.OR.225 | AMC | Response to CA findings — domain-regulation linkage | 1 |
| IS.D.OR.225 | GM | Response to CA findings — categorisation and period source | 1 |
| IS.D.OR.230 | IR | Information security external reporting scheme | 9 |
| IS.D.OR.230 | GM | External reporting scheme — competent authority determination | 5 |
| IS.D.OR.230(a)&(b) | AMC | External reporting scheme — what to report | 3 |
| IS.D.OR.230(a)&(b) | GM | External reporting scheme — relation to Regulation (EU) No 376/2014, follow-up, significant-risk threshold | 7 |
| IS.D.OR.230(c) | AMC | External reporting scheme — urgency by safety impact | 1 |
| IS.D.OR.230(c) | GM | External reporting scheme — guidance source and forensic-analysis note | 1 |
| IS.D.OR.235 | IR | Contracting of information security management activities | 4 |
| IS.D.OR.235 | GM | Contracting — objectives of §235 | 3 |
| IS.D.OR.235 | GM | Contracting — accountability remains with the contracting organisation | 1 |
| IS.D.OR.235 | GM | Contracting — illustrative examples per §200 obligation (informational) | 0 |
| IS.D.OR.235(a) | AMC | Contracting — oversight and risk management of contracted activities | 11 |
| IS.D.OR.235(a) | GM | Contracting — prior assessment and risk assessment of contracted activities | 7 |
| IS.D.OR.235(a) | GM | Contracting — audit of contracted organisations | 3 |
| IS.D.OR.235(b) | AMC | Contracting — competent authority access clause | 2 |
| IS.D.OR.235(b) | GM | Contracting — CA-access scope and COTS / on-premises considerations | 2 |
| IS.D.OR.240 | IR | Personnel requirements | 15 |
| IS.D.OR.240 | GM | Personnel — objectives of (a)–(e) | 2 |
| IS.D.OR.240(a)(2) | AMC | Personnel — promotion of IS policy | 1 |
| IS.D.OR.240(a)(3) | AMC | Personnel — basic understanding of the Regulation | 1 |
| IS.D.OR.240(a)(3) | GM | Personnel — AM/HDOA training option for basic understanding | 2 |
| IS.D.OR.240(b) | AMC | Personnel — appointment of compliance person/group | 8 |
| IS.D.OR.240(b) | GM | Personnel — definition of "lengthy absence" | 1 |
| IS.D.OR.240(b)&(c) | GM | Personnel — appointment form and titles | 2 |
| IS.D.OR.240(c) | GM | Personnel — compliance monitoring function alignment | 1 |
| IS.D.OR.240(d) | AMC | Personnel — coordination criteria for CRP | 4 |
| IS.D.OR.240(e) | GM | Personnel — common responsible person (CRP) | 5 |
| IS.D.OR.240(f) | AMC | Personnel — sufficient personnel | 3 |
| IS.D.OR.240(f) | GM | Personnel — sufficient personnel scope and Appendix II | 1 |
| IS.D.OR.240(g) | AMC | Personnel — necessary competence | 5 |
| IS.D.OR.240(g) | GM | Personnel — competence and training programme | 6 |
| IS.D.OR.240(h) | AMC | Personnel — acknowledgement of responsibilities | 2 |
| IS.D.OR.240(h) | GM | Personnel — traceable proof of acknowledgement | 1 |
| IS.D.OR.240(i) | AMC | Personnel — identity and trustworthiness | 2 |
| IS.D.OR.240(i) | GM | Personnel — identity and trustworthiness establishment methods | 8 |
| IS.D.OR.245 | IR | Record-keeping | 19 |
| IS.D.OR.245 | GM | Record-keeping — records as factual, immutable artefacts; "approval" includes domain certificates | 1 |
| IS.D.OR.245(a)(1)(vi)&(a)(5) | AMC | Record-keeping — data retention policy for events to be reassessed | 3 |
| IS.D.OR.245(a)(1)(vi)&(a)(5) | GM | Record-keeping — events-to-be-reassessed scope and policy guidance | 1 |
| IS.D.OR.245(c)&(d) | AMC | Record-keeping — format, integrity, protection, destruction | 4 |
| IS.D.OR.245(c)&(d) | GM | Record-keeping — accessibility, integrity and access protection methods | 2 |
| IS.D.OR.250 | IR | Information security management manual (ISMM) | 20 |
| IS.D.OR.250(a) | GM | ISMM — separate documents, multi-authorisation entity, common language | 5 |
| IS.D.OR.255 | IR | Changes to the information security management system | 7 |
| IS.D.OR.255 | AMC | Changes to the ISMS — procedure design and CA submission content | 8 |
| IS.D.OR.255 | GM | Changes to the ISMS — structure and procedure-vs-per-change regimes | 3 |
| IS.D.OR.255 | GM | Changes to the ISMS — relation to continuous improvement; example impact categories | 1 |
| IS.D.OR.260 | IR | Continuous improvement | 4 |
| IS.D.OR.260 | AMC | Continuous improvement — process design (CIP) | 8 |
| IS.D.OR.260 | GM | Continuous improvement — overall guidance | 5 |
| IS.D.OR.260(a) | AMC | Continuous improvement — effectiveness evaluation and maturity assessment | 14 |
| IS.D.OR.260(a) | GM | Continuous improvement — minimum monitoring scope and existing maturity models | 5 |
| IS.D.OR.260(b) | AMC | Continuous improvement — deficiency-handling process | 8 |
| IS.D.OR.260(b) | GM | Continuous improvement — necessary improvement measures process | 7 |
The Compliance Matrix is the verification document — every paragraph in scope on one PDF. The audit checklist bundle is the per-question working document (579 questions, 5 artefact formats).