102 sections · 600 audit questions · Implementing Rule, AMC and GM · v2025-12-05
Part-IS.I.OR is the Implementing Rule (IR) version of the information-security regime, applicable to ATM/ANS providers and a handful of other organisation types that fall outside the scope of the Delegated Regulation (DR). The substantive controls are nearly identical to Part-IS.D.OR, but the obligated-party language and the audit chain differ.
Authoring both IS Parts in parallel made the structural alignment obvious, and it made the small but important divergences explicit. The checklist for this Part mirrors the IS.D.OR audit grain, with the IR/DR-specific language and references adjusted throughout so that an auditor working under the IR is not reading delegated-regulation phrasing.
Each row's citation links to the corresponding section. The audit-question count shows how many auditable rows the checklist generates from that leaf (zero means the leaf is informational only and produces no question).
| Citation | Kind | Title | Audit questions |
|---|---|---|---|
| IS.I.OR.100 | IR | Scope | 1 |
| IS.I.OR.200 | IR | Information security management system (ISMS) | 17 |
| IS.I.OR.200 | GM | Information security management system (ISMS) — ISMS subject areas | 22 |
| IS.I.OR.200(a)(1) | AMC | Information security management system (ISMS) — establish IS policy | 13 |
| IS.I.OR.200(a)(1) | GM | Information security management system (ISMS) — IS policy and objectives | 10 |
| IS.I.OR.200(a)(12) | AMC | ISMS — compliance monitoring function | 3 |
| IS.I.OR.200(a)(12) | GM | ISMS — internal audit conduct | 4 |
| IS.I.OR.200(a)(13) | AMC | ISMS — confidentiality controls and need-to-know | 2 |
| IS.I.OR.200(c) | AMC | ISMS — documentation | 7 |
| IS.I.OR.200(c) | GM | ISMS — non-exhaustive documentation list | 8 |
| IS.I.OR.200(d) | GM | ISMS — proportionality, supported implementation, integration | 19 |
| IS.I.OR.200(e) | AMC | ISMS — derogation | 2 |
| IS.I.OR.200(e) | GM | ISMS — derogation regime | 18 |
| IS.I.OR.205 | IR | Information security risk assessment | 13 |
| IS.I.OR.205 | GM | Information security risk assessment — framework guidance (umbrella) | 3 |
| IS.I.OR.205(a) | AMC | Information security risk assessment — scope identification | 2 |
| IS.I.OR.205(a) | GM | Information security risk assessment — scope and boundaries | 2 |
| IS.I.OR.205(b) | AMC | Information security risk assessment — interfaces identification | 1 |
| IS.I.OR.205(b) | GM | Information security risk assessment — interfaces (risk-information sharing + categories) | 9 |
| IS.I.OR.205(b) | GM | Information security risk assessment — examples of aviation services (informational) | 0 |
| IS.I.OR.205(c) | AMC | Information security risk assessment — risk classification and acceptance | 11 |
| IS.I.OR.205(c) | GM | Information security risk assessment — risk classification, acceptance, threat scenarios | 24 |
| IS.I.OR.205(d) | AMC | Information security risk assessment — review periodicity | 2 |
| IS.I.OR.205(d) | GM | Information security risk assessment — review criteria and frequency | 12 |
| IS.I.OR.205(d) | GM | Information security risk assessment — examples of changes triggering update (informational) | 0 |
| IS.I.OR.205(e) | AMC | Information security risk assessment — safety support assessment (ATM/ANS) | 4 |
| IS.I.OR.205(e) | GM | Information security risk assessment — safety support assessment (ATM/ANS) guidance | 3 |
| IS.I.OR.210 | IR | Information security risk treatment | 9 |
| IS.I.OR.210 | GM | Information security risk treatment — guidance | 16 |
| IS.I.OR.210(a) | AMC | Information security risk treatment — process objectives, plan-based implementation, documentation | 5 |
| IS.I.OR.215 | IR | Information security internal reporting scheme | 11 |
| IS.I.OR.215(a)&(b) | AMC | Information security internal reporting scheme — sources, analysis, vulnerabilities, stakeholders | 8 |
| IS.I.OR.215(a)&(b) | GM | Information security internal reporting scheme — relationship between internal and external reporting | 3 |
| IS.I.OR.215(a)&(b) | GM | Information security internal reporting scheme — collection/evaluation organisation (SOC/SIEM) | 2 |
| IS.I.OR.215(a)&(b) | GM | Information security internal reporting scheme — relevant information for incidents and vulnerabilities | 1 |
| IS.I.OR.215(c) | GM | Information security internal reporting scheme — contracted-organisation reporting | 4 |
| IS.I.OR.215(d) | GM | Information security internal reporting scheme — cooperation on investigations | 5 |
| IS.I.OR.220 | IR | Information security incidents — detection, response and recovery | 10 |
| IS.I.OR.220 | GM | Information security incidents — events include vulnerabilities (umbrella) | 2 |
| IS.I.OR.220(a) | AMC | Information security incidents — detection strategy | 5 |
| IS.I.OR.220(a) | GM | Information security incidents — detection strategy (GM) | 4 |
| IS.I.OR.220(b) | AMC | Information security incidents — response strategy (incidents and vulnerabilities) | 13 |
| IS.I.OR.220(b) | GM | Information security incidents — terminology (warning) | 1 |
| IS.I.OR.220(b)&(c) | GM | Information security incidents — recovery objectives and timing | 2 |
| IS.I.OR.220(c) | AMC | Information security incidents — recovery procedure content | 5 |
| IS.I.OR.220(c) | GM | Information security incidents — recovery procedure / plan guidance | 5 |
| IS.I.OR.225 | IR | Response to findings notified by the competent authority | 4 |
| IS.I.OR.225 | AMC | Response to CA findings — domain-regulation linkage | 1 |
| IS.I.OR.225 | GM | Response to CA findings — categorisation and period source | 1 |
| IS.I.OR.230 | IR | Information security external reporting scheme | 9 |
| IS.I.OR.230 | GM | External reporting scheme — competent authority determination | 5 |
| IS.I.OR.230(a)&(b) | AMC | External reporting scheme — what to report | 3 |
| IS.I.OR.230(a)&(b) | GM | External reporting scheme — Regulation (EU) No 376/2014 relation, follow-up, significant-risk threshold | 7 |
| IS.I.OR.230(c) | AMC | External reporting scheme — urgency by safety impact | 1 |
| IS.I.OR.230(c) | GM | External reporting scheme — guidance source and forensic-analysis note | 1 |
| IS.I.OR.235 | IR | Contracting of information security management activities | 4 |
| IS.I.OR.235 | GM | Contracting — objectives of §235 | 3 |
| IS.I.OR.235 | GM | Contracting — accountability remains with contracting organisation | 1 |
| IS.I.OR.235 | GM | Contracting — illustrative examples per §200 obligation (informational) | 0 |
| IS.I.OR.235(a) | AMC | Contracting — oversight and risk management of contracted activities | 11 |
| IS.I.OR.235(a) | GM | Contracting — prior assessment and risk assessment of contracted activities | 7 |
| IS.I.OR.235(a) | GM | Contracting — audit of contracted organisations | 3 |
| IS.I.OR.235(b) | AMC | Contracting — competent authority access clause | 2 |
| IS.I.OR.235(b) | GM | Contracting — CA-access scope and COTS / on-premises considerations | 2 |
| IS.I.OR.240 | IR | Personnel requirements | 15 |
| IS.I.OR.240 | GM | Personnel — objectives of (a)–(e) | 2 |
| IS.I.OR.240(a)(2) | AMC | Personnel — promotion of IS policy | 1 |
| IS.I.OR.240(a)(3) | AMC | Personnel — basic understanding of the Regulation | 1 |
| IS.I.OR.240(a)(3) | GM | Personnel — AM training option for basic understanding | 2 |
| IS.I.OR.240(b) | AMC | Personnel — appointment of person or group of persons | 8 |
| IS.I.OR.240(b) | GM | Personnel — lengthy-absence definition | 1 |
| IS.I.OR.240(b)&(c) | GM | Personnel — appointment formalisation and titles | 2 |
| IS.I.OR.240(c) | GM | Personnel — compliance monitoring function | 1 |
| IS.I.OR.240(d) | AMC | Personnel — coordination criteria | 4 |
| IS.I.OR.240(e) | GM | Personnel — common responsible person framework | 5 |
| IS.I.OR.240(f) | AMC | Personnel — sufficient personnel | 3 |
| IS.I.OR.240(f) | GM | Personnel — definition of personnel and Appendix II tasks | 2 |
| IS.I.OR.240(g) | AMC | Personnel — necessary competence | 5 |
| IS.I.OR.240(g) | GM | Personnel — training programme and role-based competence framework | 6 |
| IS.I.OR.240(h) | AMC | Personnel — acknowledgement of responsibilities | 2 |
| IS.I.OR.240(h) | GM | Personnel — traceable proof of acknowledgement | 1 |
| IS.I.OR.240(i) | AMC | Personnel — identity and trustworthiness | 2 |
| IS.I.OR.240(i) | GM | Personnel — trustworthiness establishment methods | 8 |
| IS.I.OR.245 | IR | Record-keeping | 15 |
| IS.I.OR.245 | GM | Record-keeping — nature of records and approval/certificate equivalence | 2 |
| IS.I.OR.245(a)(1)(vi)&(a)(5) | AMC | Record-keeping — data retention policy for IS events | 3 |
| IS.I.OR.245(a)(1)(vi)&(a)(5) | GM | Record-keeping — IS events retention objectives, scope, and lifecycle | 5 |
| IS.I.OR.245(c)&(d) | AMC | Record-keeping — format, accessibility, integrity and destruction | 4 |
| IS.I.OR.245(c)&(d) | GM | Record-keeping — accessibility throughout retention + integrity + access protection | 8 |
| IS.I.OR.250 | IR | Information security management manual (ISMM) | 17 |
| IS.I.OR.250(a) | GM | ISMM — separate-document option, multi-org ISMM, common language | 5 |
| IS.I.OR.255 | IR | Changes to the information security management system | 7 |
| IS.I.OR.255 | AMC | Changes to the ISMS — change-management procedure criteria + prior-approval information | 8 |
| IS.I.OR.255 | GM | Changes to the ISMS — structure of the obligation and the no-procedure case | 3 |
| IS.I.OR.255 | GM | Changes to the ISMS — relationship to continuous improvement + examples of in/out-of-scope changes | 1 |
| IS.I.OR.260 | IR | Continuous improvement | 4 |
| IS.I.OR.260 | AMC | Continuous improvement — process steps and management review | 8 |
| IS.I.OR.260 | GM | Continuous improvement — equivalence with safety assurance + framing + sources of improvement opportunities | 15 |
| IS.I.OR.260(a) | AMC | Continuous improvement — ISMS effectiveness evaluation + maturity assessment | 13 |
| IS.I.OR.260(a) | GM | Continuous improvement — minimum elements + existing maturity models | 6 |
| IS.I.OR.260(b) | AMC | Continuous improvement — deficiency response process criteria | 9 |
| IS.I.OR.260(b) | GM | Continuous improvement — necessary improvement measures + process aspects | 8 |
The Compliance Matrix is the verification document: every paragraph in scope, on one PDF. The audit checklist bundle is the per-question working document (600 questions, 5 artefact formats).