Conducting a Cybersecurity Risk Assessment (EU Regulations (EU) 2023/203)
Sofema Online (SOL) considers key aspects of a Cybersecurity (Information Security) Risk Assessment.
Cybersecurity risk assessment under the EASA regulatory framework is safety-centric, not just data-centric.
It goes beyond IT to include operational, organizational, and human dimensions, aligning with both aviation safety management systems (SMS) and global cybersecurity standards.
Introduction - Purpose of a Cybersecurity Risk Assessment
According to IS.I.OR.205 and its associated AMC/GM, the purpose of a cybersecurity risk assessment is to:
• Identify threats to information assets,
• Assess vulnerabilities that may be exploited,
• Determine the likelihood and impact of exploitation, and
• Support risk treatment decisions to protect civil aviation operations from potential impacts on safety.
The scope is broader than IT security because it encompasses organizational operations, human factors, and inter-organizational interfaces.
Structure of the Risk Assessment Process
Based on AMC1 IS.I.OR.205(a-e) and the related GM, the cybersecurity risk assessment should follow a structured methodology:
Asset Identification - Organizations must identify:
• Information assets (e.g., databases, control systems, networks),
• Their roles in supporting aviation safety operations,
• Ownership and functional criticality.
Threat Identification - Utilise structured sources like:
• Historical incidents,
• Intelligence sources,
• Scenario-based modelling (Appendix I offers threat scenarios),
• Cyber Threat Intelligence (CTI) services.
Vulnerability Identification - Assess flaws in:
• Systems (hardware/software),
• Processes and procedures,
• Human behaviours,
• Organizational configurations.
GM1 IS.I.OR.205(b) highlights the importance of leveraging penetration testing, audits, and real-world attack simulations.
Risk Estimation - Using a risk matrix, assess:
• Likelihood (from rare to almost certain),
• Impact (on aviation safety, confidentiality, availability, integrity).
Organizations may use qualitative, semi-quantitative, or quantitative scales. The assessment must be repeatable, traceable, and updated regularly.
Risk Evaluation
Compare assessed risks against predefined risk acceptance criteria to determine whether:
• Risks are acceptable as assessed, or
• Risks require mitigation via control measures.
Continuous Monitoring and Review - The assessment is not a one-off task. AMC1 IS.I.OR.205(d) requires:
• Periodic reviews,
• Reassessment after significant changes (e.g., new technology, organizational restructuring),
• Continuous validation of assumptions and threat landscape updates.
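The six steps above (asset identification, threat and vulnerability identification, risk estimation on a likelihood/impact matrix, evaluation against acceptance criteria, and periodic or change-triggered review) carried through as a small risk register. This is an added illustration, not code from Sofema or from the regulation or its AMC/GM; the assets, threat scenarios, five-point scales, score thresholds, 365-day review interval and the "only low is acceptable" criterion are all assumptions chosen for the example and should be replaced by the values your own ISMS defines.

```python
"""Worked risk register for the IS.I.OR.205 steps (added illustration).

Everything below is constructed: the assets, scenarios, scales, thresholds
and acceptance criterion are assumptions, not values from the regulation.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Tuple

# Assumed qualitative scales; only the rank order is used by the matrix.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "major", "hazardous", "catastrophic"]

# Assumed acceptance criterion: only "low" risks are accepted without treatment.
ACCEPTABLE_LEVELS = frozenset({"low"})


def risk_level(score: int) -> str:
    """Map a matrix score (likelihood rank x impact rank, 1..25) to a level.

    Thresholds are assumed; a real matrix is agreed in the ISMS and recorded
    so that the estimation is repeatable and traceable.
    """
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str          # accountable owner (asset identification)
    safety_role: str    # how the asset supports aviation safety operations
    criticality: str    # functional criticality, e.g. "essential" / "supporting"


@dataclass
class RiskScenario:
    asset: Asset
    threat: str            # from incident history, CTI or scenario modelling
    vulnerability: str     # system, process, human or organisational weakness
    likelihood: str        # one of LIKELIHOOD
    impact: str            # one of IMPACT
    impact_dimension: str  # safety / confidentiality / integrity / availability
    assessed_on: date
    existing_controls: List[str] = field(default_factory=list)

    def score(self) -> int:
        """Risk estimation: 1-based likelihood rank times 1-based impact rank."""
        return (LIKELIHOOD.index(self.likelihood) + 1) * (IMPACT.index(self.impact) + 1)

    def level(self) -> str:
        return risk_level(self.score())


def needs_reassessment(scenario: RiskScenario, today: date,
                       review_interval_days: int = 365,
                       significant_change: bool = False) -> bool:
    """Review trigger: periodic interval elapsed, or a significant change to the asset."""
    return significant_change or (today - scenario.assessed_on).days > review_interval_days


def evaluate_register(scenarios: List[RiskScenario], today: date,
                      changed_assets: FrozenSet[str] = frozenset()
                      ) -> List[Tuple[str, str, int, str, str]]:
    """Risk evaluation: decide ACCEPT / TREAT / REASSESS for each scenario.

    Returns (asset, threat, score, level, decision) rows so the outcome can be
    documented and traced back to its inputs.
    """
    rows = []
    for s in scenarios:
        if needs_reassessment(s, today, significant_change=s.asset.name in changed_assets):
            decision = "REASSESS"
        elif s.level() in ACCEPTABLE_LEVELS:
            decision = "ACCEPT"
        else:
            decision = "TREAT"  # hands the risk to the IS.I.OR.210 treatment process
        rows.append((s.asset.name, s.threat, s.score(), s.level(), decision))
    return rows


# Constructed sample register (assumed assets, scenarios and dates).
TODAY = date(2025, 6, 1)
MX_DB = Asset("Maintenance records database", "Continuing Airworthiness Manager",
              "Evidence of airworthiness status before release to service", "essential")
CREW = Asset("Crew scheduling system", "Crew Planning Manager",
             "Flight and duty time limitations", "essential")
WEB = Asset("Public website", "Marketing", "None; customer information only", "supporting")
FPL = Asset("Flight planning workstation", "Flight Operations Manager",
            "Fuel and route calculations for dispatch", "essential")

SAMPLE_SCENARIOS = [
    RiskScenario(MX_DB, "Ransomware delivered by phishing",
                 "Staff can open macro-enabled attachments; no MFA on remote access",
                 "likely", "hazardous", "availability", date(2025, 1, 15), ["Daily backups"]),
    RiskScenario(CREW, "Unauthorised modification of duty rosters",
                 "Shared operator accounts, no change log",
                 "possible", "major", "integrity", date(2025, 2, 10)),
    RiskScenario(WEB, "Website defacement", "Unpatched CMS plugin",
                 "possible", "minor", "integrity", date(2025, 3, 5)),
    RiskScenario(FPL, "Malware from removable media", "USB ports not restricted",
                 "unlikely", "major", "integrity", date(2024, 3, 1)),  # review overdue
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_SCENARIOS, TODAY):
        print("{:<32} {:<42} score={:>2} level={:<6} {}".format(*row))
```

Running the register with the constructed data gives TREAT for the two medium/high scenarios, ACCEPT for the low one, and REASSESS for the workstation whose last assessment is older than the review interval; passing an asset name in `changed_assets` forces REASSESS for that asset regardless of its score, which is how the "reassessment after significant changes" trigger is modelled here. Every decision row carries the score and level that produced it, which is the traceability the assessment has to provide.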
Integration into the ISMS (Information Security Management System) - Risk assessments are central to the ISMS under IS.I.OR.200 and must be:
• Documented,
• Communicated across the relevant functions,
• Integrated with other SMS and QMS processes.
They also feed into the risk treatment process under IS.I.OR.210, which determines specific controls and mitigations.
Tools and Techniques - Examples of supporting techniques (not mandated but recommended in GM) include:
• ISO/IEC 27005 methodologies,
• NIST SP 800-30 for risk assessment,
• Threat modelling,
• Asset classification and dependency mapping.
Personnel and Competence - IS.I.OR.240 mandates that individuals involved in risk assessments must be:
• Competent and trained in cybersecurity and risk methodologies,
• Kept up-to-date with emerging threats and evolving regulatory guidance.
Reporting and Governance
Risk assessments must inform:
• Internal decision-making,
• External reporting (e.g., NIS competent authorities where required under Article 7 of Regulation (EU) 2023/203),
• Management reviews and audit findings.
Compliance and Harmonization - EASA encourages harmonization with:
• ISO/IEC 27001 and 27005,
• NIST Cybersecurity Framework (CSF),
• While tailoring for aviation-specific impacts, including the “functional chain” principle, under which risks pass across organizational boundaries.
Next Steps
Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email team@sassofia.com

