Regulatory Reference: IS.OR.200(a) (Accountability) & IS.OR.260 (Personnel)
In the “Generic” and “Practitioners” courses, we discussed how relevant personnel can protect the system. Now, we must discuss accountability if the system fails.
Under IS.OR.200, the accountability for Information Security does not sit with the IT Director. It sits with the Accountable Manager (AM).
Just as the AM is financially and legally responsible for Safety and Compliance, they are now responsible for the Information Security Management System (ISMS).
What does this mean legally?
It means the AM must ensure:
- Resources: Sufficient budget and personnel are allocated to cybersecurity. You cannot just say ‘we didn’t have the money for a firewall.’
- Independence: The information security function must have direct access to the AM. It cannot be buried three layers deep under the Finance department.
- Integration: The ISMS must be integrated with the Management System of the organization.
What is the Role of Nominated Persons (Postholders) within the ISMS?
If you are a Nominated Person, you are also liable. You own the risk in your domain.
- For example, as NP Flight Operations: You are responsible for the EFB and Flight Planning information security risks.
- And as NP Continuing Airworthiness: You are responsible for the Maintenance Information Security risks.
The regulation requires that the AM and the Senior Management team demonstrate ‘commitment’ to the ISMS. This is not passive. You must review the risk register, sign off on the acceptable risk levels, and lead the safety culture. If a breach occurs and the investigation shows that management ignored warnings or underfunded the security team, the regulatory finding—and potential negligence liability—sits with you.

