Introduction

This course will enhance comprehension of the evolving regulatory landscape surrounding Information Security Management Systems (ISMS). It addresses the current requirements for equipping organizations with the competence needed to establish robust ISMS, bolster resilience, and safeguard the aviation system against information security risks.

This course provides a detailed overview of the new regulatory framework by EASA in connection with the requirements for the management of information security risks with a potential impact on aviation safety for organisations and authorities [ISMS].

Course Content

Introduction on Cyber

• Importance of achieving Resilience
• Interdependencies between safety and security in cyber
• Overview of the current regulatory framework including the security and cyber security regulations, the safety regulations and regulations in other domains (NIS 2).

EASA

• EASA and its role in Cyber
• EASA and its work on the regulatory framework on Safety
• Regulation 2018/1139 (extending EASA competence to cyber security having safety consequences)
• Introduction of Management of Information Security Risk Regulatory Framework
• EASA Opinion 3/2021 on the Management of Information Security Risks
• ISMS – Information Security Management Systems

 Management of Information Security Risks Regulatory Framework

• Commission Implementing Regulation (EU) 2023/203
• Commission Delegated Regulation (EU) 2022/1645
• Part IS AR / Part IS or
• Guidance Material and Acceptable Means of Compliance
• Identification and Management of Information security risks; detection of information security event; identification of incidents; response and recover.

 Relation of the ISMS framework with other regulatory frameworks; amendments and overlap in compliance

• Security: Regulation 2015/1998
• Cyber: Regulation 2019/1583
• Directive 2022/2555
• Other Regulations mentioned within the Regulatory Framework

Conclusion

• Difficulties that may be encountered within organisation / authority on implementation

Learning Objectives

Upon completion of this course you will be able to:

• Recognise the objective of the EASA regulatory framework and the importance thereof in relation to safety.
• Explain the EASA Regulatory framework and the requirements relating to the Management of Information Security Risks.
• Describe what implementation requirements one is to apply in their authority or organisation.
• Compare the requirements within this regulatory framework with the requirements in other regulatory frameworks in order to avoid duplication and over-lapping.
• Have a good understanding of the regulatory framework, including the AMC and Guidance Material.

Who should take this course

• Regulatory Authorities (CAA)
• Industry
• Organisations (as specified within the regulatory framework, such as maintenance organisation, CAMO’s, Air Operators, ATCO TO’s, U-Space Service Providers, ATO’s, Aircrew Aero-medical centres, FSTD operators)

Pre-requisites

Participants are kindly requested to bring a laptop to the course to access course material which will only be provided in electronic format.

Duration

3 days, starting at 09:00 and ending at approx. 16:30.