Online training course: EASA Part-IS Regulation and Implementation Manager
The digitalization of the aviation industry brings numerous benefits, including improved operational efficiency, faster data exchange, and automation of key processes. However, as system interconnectivity and reliance on digital technologies increase, so do security risks that may compromise the confidentiality, integrity, and availability of critical information. Cyber threats, unauthorized access, data leaks, and technological vulnerabilities present significant challenges for all aviation stakeholders.
PURPOSE
The European Union Aviation Safety Agency (EASA), in collaboration with relevant industry stakeholders, regulatory authorities of EU member states, and information security experts, has developed EASA Part-IS.I.OR, which establishes organizational requirements for managing information security in aviation. Its purpose is to ensure that aviation organizations identify, assess, and manage risks that could jeopardize air traffic safety due to information security threats. To enhance the resilience of aviation organizations against these risks, EASA Part-IS.I.OR sets stringent requirements for the establishment and maintenance of an Information Security Management System (ISMS). This regulation mandates organizations to conduct thorough risk assessments, implement effective security measures, and comply with reporting and incident response procedures. By implementing these requirements, organizations not only ensure regulatory compliance but also strengthen their resilience against cyber threats, thereby contributing to the safety and continuity of aviation operations.
TRAINING METHODOLOGY
This intensive course employs various teaching methods to provide participants with both theoretical knowledge and practical skills necessary for the effective implementation and management of information security systems in aviation.
Lectures
Through structured lectures, participants will be introduced to key concepts, regulatory requirements, and best practices for implementing EASA Part-IS.I.OR. The lectures are designed to cover all relevant aspects of information security in aviation organizations, emphasizing an understanding of the regulatory framework and its practical application.
Practical Exercises
To enable participants to apply their acquired knowledge in real-world scenarios, the course includes practical exercises that simulate information security challenges in aviation. These exercises cover risk assessment, incident management, and compliance with regulatory requirements.
Case Studies
A detailed analysis of real-life examples from the aviation industry will help participants understand how EASA Part-IS.I.OR is applied in practice. Case studies assist in identifying potential security threats and developing effective strategies for addressing them.
Discussions and Workshops
Active participation in discussions and interactive workshops encourages participants to exchange experiences and ideas, fostering a deeper understanding of information security challenges in aviation. This approach develops the analytical and critical thinking skills necessary for effective security decision-making.
Individualized Approach
The number of participants per group is limited to 16 to ensure quality interaction with the instructor, customization of content to meet specific participant needs, and the provision of detailed feedback. This approach maximizes the effectiveness of knowledge acquisition and practical skills necessary for implementing EASA Part-IS.I.OR in aviation organizations.
LEARNING OUTCOMES
Upon completion of this course, participants will be able to:
- Explain the purpose and key requirements of EASA Part-IS.I.OR and its role in ensuring information security in the aviation sector.
- Implement an Information Security Management System (ISMS) in aviation organizations in compliance with regulatory requirements.
- Conduct information security risk assessments with a focus on threats related to critical aviation systems, operations, and communications.
- Apply appropriate risk treatment measures to ensure the continuity of aviation operations and the protection of confidential data.
- Establish internal security event reporting processes within aviation organizations to enable timely responses and risk mitigation.
- Define procedures for incident reporting and management affecting aviation system security, including cyber threats and unauthorized data access.
- Properly document all security activities, maintain records, and manage the ISMS Manual (ISMM) in accordance with aviation industry regulations.
- Effectively manage changes within the ISMS in aviation organizations, ensuring continuous improvement of security measures and compliance with new regulatory requirements.
- Understand regulatory obligations related to reporting to aviation authorities and properly address findings from inspections and audits.
- Apply best practices when contracting ISMS activities with external service providers in aviation, ensuring compliance with regulations and security standards.
CONTENT
Introduction to Part-IS.I.OR
Information security plays a crucial role in the aviation sector, where the digitalization of operations and system interconnectivity continues to increase. The Part-IS.I.OR regulation establishes clear requirements for organizations to protect their information systems and data from threats that could compromise aviation safety. The objective of this regulatory framework is to establish a systematic and consistent approach to information security management through policy development, security control implementation, and continuous risk monitoring. Organizations subject to this regulation must ensure the effective implementation of an Information Security Management System (ISMS) and compliance with the requirements set by the European Union Aviation Safety Agency (EASA). Additionally, Part-IS.I.OR aligns with other international standards and regulatory frameworks, such as ISO 27001 and NIS2, further strengthening the security system within the aviation sector.
Scope
This section defines the application of Part-IS.I.OR requirements to organizations and competent aviation authorities. The regulation applies to all entities using information systems in their operations to protect aviation security from information security-related threats. Its goal is to ensure a consistent approach to information security risk management across the entire aviation ecosystem, including operators, service providers, and regulatory bodies. Additionally, covered organizations must demonstrate compliance through internal processes and oversight activities, ensuring the sustainability of the security management system.
Information Security Management System (ISMS)
An ISMS is a framework for managing information security risks. Organizations are required to establish and maintain an ISMS that includes policies, procedures, resources, and responsibilities for information protection. The ISMS must be proportionate to the organization's size and complexity and include measures to safeguard the confidentiality, integrity, and availability of data. The effectiveness of the ISMS is assessed through continuous monitoring, internal audits, and reporting to the competent authorities.
Information Security Risk Assessment
This activity involves identifying, analyzing, and evaluating potential threats to information systems. Organizations must use recognized risk assessment methodologies and ensure that all identified risks are adequately documented and addressed. The risk assessment must consider threats from both internal and external sources, including cyberattacks, operational errors, and system vulnerabilities. Furthermore, the assessment must be regularly updated to reflect changes in the technological environment and regulatory requirements.
Information Security Risk Treatment
Based on risk assessments, organizations must select appropriate measures to mitigate, transfer, accept, or eliminate risks. These measures must align with regulatory requirements and the organization's operational needs. When making risk treatment decisions, organizations should apply a priority-based approach to ensure optimal resource allocation. Additionally, all decisions and related activities must be documented to ensure traceability and effective implementation.
Information Security Internal Reporting Scheme
IS.I.OR.215 mandates that organizations establish mechanisms for internally reporting incidents and security threats. The goal is to ensure rapid identification and an effective response to security events within the organization. The internal reporting system must be accessible to all employees and allow anonymous reporting to encourage transparency. Furthermore, organizations must define clear procedures for analyzing and handling reported events.
Information Security Incidents
Organizations must implement systems for detecting, reporting, and managing information security incidents. This includes defined response protocols, impact mitigation, and notifying competent authorities in accordance with IS.I.OR.220. Incidents may include unauthorized system access, data breaches, or unplanned disruptions to information systems. Each organization must have an incident response plan that minimizes negative consequences and accelerates recovery.
Information Security External Reporting Scheme
Under IS.I.OR.230, organizations must report significant incidents to competent authorities and relevant stakeholders. The goal is to ensure timely coordination and minimize the impact of incidents on aviation security. Incident reports must include detailed information on causes, corrective actions taken, and planned improvements. Additionally, regular analysis of reports is essential to identify threat patterns and enhance security mechanisms.
Contracting ISM Activities
If an organization delegates certain information security activities to external providers, it must ensure that contracted entities comply with Part-IS requirements. This includes defining responsibilities, monitoring implementation, and conducting security assessments. All contractual agreements must be formally documented in accordance with regulatory requirements to prevent security gaps. Organizations are also responsible for periodically evaluating the effectiveness of external service providers.
Personnel Requirements
Organizations must ensure that personnel responsible for information security have appropriate competencies, training, and access to necessary resources. IS.I.OR.240 defines the minimum qualification requirements and the need for continuous professional development. Employee training must include real-world threat scenarios to enhance resilience against cyberattacks. Additionally, organizations are responsible for conducting security background checks for employees in sensitive roles.
Record-Keeping
IS.I.OR.245 requires organizations to maintain precise and up-to-date records of all ISMS-related activities. The objective is to ensure traceability and transparency in information security management. Records must be protected from unauthorized access and made available for inspection by competent authorities. Documentation should be regularly reviewed and updated to reflect changes in security requirements.
Continuous Improvement
IS.I.OR.260 requires organizations to regularly assess ISMS effectiveness and implement improvements based on new threats, technological changes, and internal audit findings. This process enables organizations to identify and eliminate security weaknesses in a timely manner. Continuous ISMS improvement is based on incident analysis, employee feedback, and supervisory reports to maintain optimal security levels. Organizations should also implement systems for monitoring emerging security threats and adapting policies in line with global security trends.
Conclusion
The implementation of Part-IS.I.OR provides organizations with a structured approach to managing information security risks, ensuring the protection of critical systems and data. Successful ISMS implementation requires continuous monitoring of security incidents, regular risk assessments, and adaptation of policies and procedures to address new challenges. Organizations must recognize the importance of continuously improving security measures and training personnel to remain resilient against increasingly sophisticated threats. Compliance with this regulation not only reduces operational risks but also strengthens trust in the aviation industry. As the next step, organizations should ensure the proper implementation of Part-IS.I.OR requirements by assessing their current state, identifying necessary improvements, and developing a strategy for achieving long-term resilience against security threats.
RECOMMENDED PARTICIPANTS
This course is designed for professionals in the aviation industry responsible for implementing and managing an information security system in compliance with EASA Part-IS.I.OR.
Recommended for:
- Information security managers and officers in aviation organizations seeking regulatory compliance and enhanced system resilience against threats.
- Aviation operators and service providers required to implement an Information Security Management System (ISMS) to protect critical operations.
- Security managers and compliance officers involved in risk assessment, risk treatment, and the implementation of security measures in line with EASA regulations.
- IT and cybersecurity specialists engaged in securing aviation information systems who wish to gain a deeper understanding of regulatory requirements.
- Representatives of competent authorities and regulators overseeing compliance and seeking a comprehensive understanding of Part-IS.I.OR requirements for aviation organizations.
- Auditors and information security consultants aiming to expand their expertise in the specific requirements of aviation information security.
REQUIREMENTS FOR OBTAINING THE EASA PART-IS.I.OR LEAD IMPLEMENTER CERTIFICATE
To obtain the EASA Part-IS.I.OR Lead Implementer Certificate, participants must fulfill three requirements: attend all course modules, actively participate in discussions and workshops, and successfully pass the final exam.
Assessment Criteria:
Attendance of all course modules
Participants are required to attend all lectures and workshops throughout the course to acquire the necessary knowledge and skills for implementing EASA Part-IS.I.OR. Attendance is confirmed by signing the attendance sheet for each training day.
Participation in discussions and workshops
Active engagement in discussions and workshops is essential for understanding and applying acquired knowledge. Participants are encouraged to share experiences and ask questions to enhance the learning process. Throughout the course, the instructor evaluates participants as either an "Active Participant" or an "Inactive Participant," with the "Active Participant" status required for successful course completion.
Final Exam
Upon course completion, participants must take a final exam covering the theoretical and practical knowledge acquired during the training. The exam is designed to assess the understanding of key EASA Part-IS.I.OR concepts and their application in real-world scenarios. The final exam is not graded but consists of three sections where participants must correctly answer at least 60% of the questions. All questions are based exclusively on the training materials provided during the course.
Upon successfully meeting all requirements, participants will be awarded the EASA Part-IS.I.OR Lead Implementer Certificate, confirming their competence in implementing and maintaining an information security management system in aviation organizations. This certification ensures compliance with regulatory requirements and enhances resilience against security threats.
Additional information: Bojan Varga, phone: +386 (01) 4778 108, e-mail: bojan.varga@siq.si
Collecting applications
- Duration: 3 Days
- Registration fee: 1375,00 EUR (does not include VAT)
We value and reward your loyalty
That is why we are introducing the Loyalty Bonus to reward our loyal participants.