Risk Assessment Methodology in ISMS (Aligned with IS.I.OR.205)


Sofema Online (SOL) considers the key elements of a risk assessment methodology compliant with IS.I.OR.205.

Introduction

IS.I.OR.205 refers to the EASA Information Security (IS) requirements, specifically those under the Information Security Operational Requirements (IS.I.OR).

Best Practices for Implementation

• Ensure top management involvement for risk criteria and acceptance levels.

• Conduct awareness sessions so all stakeholders understand risk concepts.

• Leverage automated risk registers for tracking and reporting.

• Continuously improve based on audits, incidents, and monitoring outcomes.

What is Part-IS and IS.I.OR.205?

“The organisation shall establish and maintain a risk assessment methodology to evaluate risks to the security of information and systems supporting aviation safety, considering threats, vulnerabilities, and potential impacts.”

Detailed Breakdown of IS.I.OR.205 Requirements - Establishing a Risk Assessment Methodology

• It must be formalised, documented, and approved by accountable management.

• It should be aligned with the organisation’s size, complexity, and type of operations.

• The methodology must cover risk identification, analysis, evaluation, and treatment.

Identify and Evaluate Risks

• Identify risks that can impact the confidentiality, integrity, or availability (CIA) of systems and data related to aviation safety.

• Evaluate the potential impact of risks on safe operations — not just from an IT perspective but from an aviation-specific lens.

Incorporate Threats, Vulnerabilities, and Impact

• Consider:

>> External threats (e.g., cyberattacks, supply chain risks)

>> Internal threats (e.g., insider misuse, accidental errors)

>> Vulnerabilities in systems, processes, and people

>> Consequences of a breach on aviation safety, operations, and regulatory compliance

Include Likelihood and Impact Assessment

• Use qualitative or quantitative models to determine:

>> Likelihood of occurrence

>> Severity of the impact on operations and safety

• This should result in a risk level classification (e.g., Low, Medium, High, Critical).

Documentation and Review

• Maintain a risk register with traceability of assessments and decisions.

• Review and update risk assessments:

>> At least annually

>> When significant changes occur (e.g., new systems, security incidents)

• Must feed into the Information Security Management System (ISMS) and safety risk management process.

Best Practices for IS.I.OR.205 Implementation

• Define the scope of systems and operations related to aviation safety

• Identify assets, their value, and dependencies

• Map known threats and vulnerabilities

• Analyse the likelihood and impact of potential incidents

• Prioritise risks and assign owners

• Develop mitigation/treatment plans

• Maintain documentation and regularly review

• Align with SMS and other safety-related processes

Purpose of the Methodology

The methodology aims to:

• Ensure consistency, repeatability, and traceability in assessing risks.

• Provide a structured approach for risk identification, analysis, and evaluation.

• Enable informed decision-making related to risk treatment and mitigation.

• Support the organisation’s risk appetite and tolerance levels.

Risk Criteria Establishment

Define risk acceptance criteria and risk evaluation parameters, including:

• Impact categories (e.g., financial, reputational, operational, legal).

• Likelihood levels (rare to almost certain).

• Align criteria with organisational objectives and the NCA ECC Risk Matrix.

• Establish scoring mechanisms (quantitative or qualitative).

Asset Identification & Valuation

• Identify information assets (hardware, software, people, data, infrastructure).

• Assign value levels (e.g., critical, high, medium, low) based on:

>> Confidentiality

>> Integrity

>> Availability

>> Regulatory/Legal obligations

• Threat and Vulnerability Identification

>> Identify threat sources (e.g., cyberattacks, insider threats, physical events).

>> Recognise vulnerabilities in people, processes, and technology.

>> Use inputs from previous incidents, vulnerability assessments, and penetration tests.

• Risk Analysis

>> Determine the likelihood of a threat exploiting a vulnerability.

>> Evaluate the impact on the organisation if the threat occurs.

>> Calculate inherent risk levels before controls:

• Inherent Risk = Likelihood x Impact

• Risk Evaluation

>> Compare risk levels against the risk acceptance criteria.

>> Classify risks into categories (e.g., Acceptable, Tolerable, Unacceptable).

>> Prioritise risks based on severity and urgency.

• Risk Treatment Planning

>> Identify appropriate controls or risk treatment options:

• Avoid

• Mitigate

• Transfer (e.g., insurance)

• Accept (with proper justification and documentation)

>> Document residual risks and align with management’s risk appetite.
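The Risk Analysis, Risk Evaluation and Risk Treatment steps above (and the likelihood/impact classification under IS.I.OR.205) can be made concrete in a small risk register scorer. This is an added example, not code from the Sofema post: the five-point scales, the score bands for Low/Medium/High/Critical and the acceptance criteria are assumptions a real organisation would set through management, and the register entries are constructed.

```python
from dataclasses import dataclass
# Assumed five-point scales for the 5x5 risk matrix (scores 1-25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed score bands for the post's Low/Medium/High/Critical levels and assumed
# acceptance criteria (Acceptable/Tolerable/Unacceptable) that management sets.
LEVEL_BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical"))
ACCEPTANCE = {"Low": "Acceptable", "Medium": "Tolerable",
              "High": "Unacceptable", "Critical": "Unacceptable"}

def risk_score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]  # Inherent Risk = Likelihood x Impact

def classify(score: int) -> str:
    return next(level for upper, level in LEVEL_BANDS if score <= upper)

@dataclass
class Risk:  # one risk register entry
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str
    treatment: str = "accept"      # avoid | mitigate | transfer | accept
    residual_likelihood: str = ""  # rating after treatment; "" means unchanged
    residual_impact: str = ""

    def evaluate(self) -> dict:
        inherent = risk_score(self.likelihood, self.impact)
        residual = risk_score(self.residual_likelihood or self.likelihood,
                              self.residual_impact or self.impact)
        inh_level, res_level = classify(inherent), classify(residual)
        return {"inherent": inherent, "inherent_level": inh_level,
                "inherent_acceptance": ACCEPTANCE[inh_level],
                "residual": residual, "residual_level": res_level,
                "residual_acceptance": ACCEPTANCE[res_level],
                # accepting a risk that stays Unacceptable needs documented justification
                "needs_justification": self.treatment == "accept" and ACCEPTANCE[res_level] == "Unacceptable"}

def prioritise(register: list) -> list:
    # worst inherent risk first, so owners see what to treat first
    return sorted(register, key=lambda r: r.evaluate()["inherent"], reverse=True)

REGISTER = [  # constructed sample entries, illustrative only
    Risk("maintenance records system", "ransomware via phishing", "unpatched workstations",
         "likely", "major", "IT manager", "mitigate", residual_likelihood="unlikely"),
    Risk("flight planning data feed", "supplier outage", "single supplier, no fallback",
         "possible", "moderate", "ops manager"),
]
```

Calling `prioritise(REGISTER)` and `evaluate()` on each entry gives the inherent and residual scores, their level and acceptance class, and flags any accepted risk that still falls outside the acceptance criteria.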

• Documentation and Reporting

>> Record:

• Methodology used

• Assessment outcomes

• Risk register

• Risk treatment plans

>> Report to senior management and align with ISMS performance monitoring.

• Review and Update

>> Reassess risks periodically or when:

• Major changes in IT or business occur

• New threats are discovered

• Significant incidents occur

>> Ensure ongoing alignment with IS.I.OR.205 and ISO/IEC 27005 best practices.

• Integration with ISMS Lifecycle

>> The risk assessment methodology must be embedded into the ISMS as required by ISO/IEC 27001 (Clause 6.1.2).

>> It should support risk-based decision-making and enable the selection of Annex A controls or custom security measures as needed.

>> IS.I.OR.205 emphasises alignment with organisational objectives, regulatory compliance, and cyber resilience planning.

• Tools and Techniques Commonly Used

>> Risk Matrix (5x5 or 3x3)

>> Heat Maps

>> Asset-Based Risk Assessment Models

>> Threat Modelling

>> Qualitative vs Quantitative Risk Analysis

>> Software Tools

 

Next Steps

Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training. Please see the websites or email team@sassofia.com.
