EASA Information & Cyber Risk Assessment Methodology (Aligned with IS.I.OR.205)

Sofema Aviation Services (SAS) considers the key features within the Information Security and Cyber Security Aviation Ecosystem

Introduction to IS.I.OR.205 Key Components

IS.I.OR.205 establishes a framework for identifying, evaluating, and managing information security risks within the aviation sector. The key components are:

Identification of Elements at Risk (IS.I.OR.205(a))

Organizations must identify all components at risk, including activities, facilities, resources, and services, that may be vulnerable to information security threats. This covers both internal elements and those arising from interactions with external entities.

Scope and Boundaries of Identification

To effectively identify elements at risk, the scope and boundaries of the operational environment should be clearly defined:

• Physical Scope – Facilities, infrastructure, and physical assets involved in operations.
• Operational Scope – Processes, services, and activities contributing to operational output.
• Technological Scope – IT and OT systems used for data processing, communication, and operational control.
• Personnel Scope – Staff, contractors, and third parties with access to information security.
• Third-Party Scope – External entities (suppliers, partners, subcontractors) that could introduce or be affected by information security threats.

Categories of Elements at Risk

Elements at risk can be categorized as follows:

• Internal Elements (under direct organizational control):
  • Personnel – Employees, contractors, and consultants.
  • Facilities – Offices, data centers, and operational locations.
  • IT and OT Systems – Hardware, software, and network infrastructure.
  • Processes – Business and operational processes involving sensitive data.
  • Documentation – Intellectual property, technical manuals, and sensitive information.
  • Communication Systems – Internal and external communication channels (email, messaging systems, VoIP).
• External Elements (outside direct control):
  • Vendors and Suppliers – Outsourced IT services, maintenance providers.
  • Service Providers – Cloud services, cybersecurity consultants, telecommunications companies.
  • Regulators – Data-sharing requirements with EASA, ICAO, and national authorities.
  • Customers – Systems or data exchanged with customers or operators.
  • Joint Ventures and Alliances – Shared access to systems or data.
• Data and Information Assets (critical and sensitive data):
  • Operational Data – Flight plans, maintenance records, and performance data.
  • Customer Data – Passenger and crew details.
  • Confidential Information – Trade secrets and contractual details.
  • Regulatory Data – Data submitted to authorities.
  • Real-Time Operational Data – Communications and performance monitoring.
• Interfaces and Dependencies (risks at the interface between systems):
  • Air Traffic Control Systems – Data exchange with ATC.
  • Maintenance and Engineering Systems – Exchange with MRO providers.
  • Flight Operations Systems – Data exchange with flight crew.
  • Third-Party Software and Platforms – External application integration.

Structured Approach for Identification

A structured process ensures all elements at risk are identified:

• Asset Inventory – Comprehensive list of assets, ownership, maintenance responsibility, interfaces, and security classification.
• Threat Mapping – For each identified element, map potential threats using a threat matrix:

• Vulnerability Identification – Assess unauthorized access potential, system weaknesses, environmental threats, and complexity.

Assessment of Interfaces with Other Parties (IS.I.OR.205(b))

Assessing interfaces with other parties is critical to managing risk across the supply chain. A failure or breach at one point can have cascading impacts on the entire system, leading to:

• Loss of Data Integrity – Unauthorized access or tampering.
• Operational Disruption – Service interruption affecting flight schedules.
• Safety Risks – Miscommunication or system failures.
• Regulatory Non-Compliance – Breach of data protection requirements.

Types of Interfaces

• Supply Chain Interfaces – Risks from suppliers, MRO providers, and software vendors.
• Operational Interfaces – Risks from air traffic services, flight dispatch, and ground handling.
• Data Interfaces – Risks from data sharing with regulatory authorities and aircraft-to-ground systems.
• Human Interfaces – Risks from contracted staff, vetting processes, and employee turnover.

Structured Assessment Approach

• Interface Inventory – Develop a detailed inventory of all external interfaces, including:
  • Nature of the relationship (supplier, partner, regulator).
  • Type of data shared.
  • Criticality of the service.
  • Communication channels (direct, indirect).
• Threat and Vulnerability Assessment – Evaluate threats, vulnerabilities, and potential consequences using a threat matrix.
• Risk Impact and Likelihood – Assess likelihood and impact using a qualitative or quantitative scale.
• Mitigation Strategies –
  • Technical Controls – Firewalls, encryption, VPN access.
  • Operational Controls – Vendor agreements, audits.
  • Training – Staff training and security drills.
• Monitoring and Reporting – Real-time monitoring, audits, and third-party reporting requirements.

Risk Assessment Process (IS.I.OR.205(c))

A systematic and thorough risk assessment process is essential for effective information security management.

Step-by-Step Process

1. Identification – Define what could go wrong.
2. Evaluation – Assess the likelihood and severity of each threat.
3. Analysis – Understand the potential impact on aviation safety.
4. Prioritization – Use a risk matrix to allocate resources effectively.
5. Treatment and Mitigation – Define strategies to reduce or manage risk.

Regular Review and Update (IS.I.OR.205(d))

Organizations must periodically update their risk assessments to reflect changes in the operational environment, emerging threats, and organizational structure.

Safety Support Assessment for Non-ATS Providers (IS.I.OR.205(e))

Non-ATS providers must conduct a safety support assessment to evaluate information security risks and share findings with ATS providers.

Guidance and Compliance

EASA provides additional guidance and acceptable means of compliance (AMC) to support IS.I.OR.205 implementation:

• Scope and Boundaries Identification (GM1 IS.I.OR.205(a)) – Define operational scope and data flow.
• Risk Information Sharing (GM1 IS.I.OR.205(b)) – Facilitate joint risk management strategies.
• Risk Assessment Review Criteria (AMC1 IS.I.OR.205(d)) – Include criticality, residual risk, and contractual requirements in review criteria.

Summary and Key Takeaways

• The identification phase should result in a comprehensive inventory of assets and vulnerabilities.
• Risk assessment should cover all operational layers and be regularly updated.
• Effective mitigation relies on collaboration, structured assessment, and real-time monitoring.
• A systematic approach strengthens the organization’s ability to manage information security risks effectively.

Next Steps

Follow this link to our Library to find & download related documents for Free.

Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email [email protected].

Tags:

EASA, Methodology, SAS blogs, Cyber Risk Assessment, IS.I.OR.205, Data Integrity, Elements at Risk, Physical Scope, Real-Time Operational Data, Maintenance and Engineering Systems, Flight Operations Systems, Asset Inventory, Risk Impact