Online Course: Information Security Incident Management in Civil Aviation

05.08.2025-06.08.2025
💡 This course is part of the Academy of Information Security in Civil Aviation - PART-IS Manager training.

Description and Objectives of the Training

The course consists of seven thematically connected modules that guide participants through the key phases of effective information security incident management in the aviation sector. The program begins with an introduction to essential concepts, regulatory requirements, and standards, followed by planning and preparation of the incident management system, detection and reporting of information security events and incidents, assessment, and decision-making on further actions. It continues with the execution of response activities and analysis of lessons learned, and concludes with a comprehensive practical workshop in which participants apply their acquired knowledge in a simulated environment. The course is based on the requirements of Part-IS.I.OR and aligned with the standards ISO/IEC 27001:2022, ISO/IEC 27035-1:2023, and ISO/IEC 27031:2025. Special value is added through structured exercises that support the development of practical competencies essential for effective incident management in the aviation environment.

Target Audience

This course is intended for professionals involved in the management of information security and operational safety in the aviation sector. It is particularly beneficial for individuals responsible for security processes, members of incident response teams, IT administrators, ISMS managers, CAMO representatives, aviation operators, providers of aviation infrastructure services, and other personnel whose activities may affect aviation safety through the use of information systems.

Course Content

➤ Introduction to Incident Management

Effective management of information security incidents is essential for maintaining the safety and reliability of aviation systems. Given the sector’s high dependency on digital infrastructure, any incident can seriously threaten aviation safety, system availability, data protection, and operational readiness. Part-IS.I.OR defines the obligations of organizations to establish an incident management system that includes detection, reporting, assessment, response, and recovery. This module introduces the fundamental concepts needed to understand how information security incidents are managed within an Information Security Management System (ISMS). Key terms such as event, incident, vulnerability, and threat indicator are explained, along with their relevance in the aviation security context.

➤ Planning and Preparation

Planning and preparation form the foundation for building an effective incident management system. According to Part-IS.I.OR, organizations must develop an incident detection and response policy and plan, define roles and responsibilities (IMT, IRT), establish communication channels, set rules for involving external stakeholders, and define training requirements for personnel. In this phase, the organization should also determine its priorities and measurable recovery objectives, including MBCO (Minimum Business Continuity Objective), RTO (Recovery Time Objective), and RPO (Recovery Point Objective), as outlined in ISO/IEC 27031:2025. All elements of the plan must be aligned with the existing ISMS and supported by appropriate resources and procedures.

Exercise 1: Development of an Incident Management Policy and Plan
Participants draft an internal policy and operational plan for managing information security incidents. The documents include the definition of objectives, scope of application, identification of internal and external stakeholders, communication protocols, roles and responsibilities, and resource allocation. In addition, the plan incorporates a framework for regular training and readiness testing, taking into account ICT Readiness for Business Continuity (IRBC) requirements such as RTO (Recovery Time Objective) and MBCO (Minimum Business Continuity Objective).

➤ Detection and Reporting

Early detection and proper reporting of information security events are essential for timely response and maintaining operational safety. Part-IS.I.OR requires organizations to establish both internal and external reporting systems, including the obligation to report events that could impact aviation safety. The reporting mechanism must be reliable, accessible, and well-known to all employees, and must also allow submissions from contracted third parties. Reported events must be appropriately analysed and forwarded to designated contacts within the organization to enable timely initiation of further actions.

Exercise 2: Reporting an Information Security Event
This exercise focuses on the correct completion of an information security event report in accordance with Part-IS.I.OR requirements. Participants analyse a simulated event that has not yet been confirmed as an incident. Their task is to complete a comprehensive reporting form, ensuring clarity, accuracy, and timeliness of the submitted information. The exercise enhances understanding of the event report as the starting point of the incident management process and as the basis for timely and effective decision-making regarding further actions.

➤ Assessment and Decision-Making

Once an information security event has been reported, the organization must promptly and accurately assess its severity and potential impact on operations and safety. Part-IS.I.OR requires the categorization of incidents and prioritization based on the risk they pose to aviation safety. Special attention must be given to escalation criteria and the initiation of response actions within a clearly defined organizational structure. The assessment should also include verification of whether agreed recovery parameters such as RTO (Recovery Time Objective) or MBCO (Minimum Business Continuity Objective) have been exceeded, as this may influence further decision-making and response strategies.

Exercise 3: Reporting an Information Security Incident
In this exercise, participants complete a formal information security incident report following the internal assessment that confirmed the event as an incident. Based on the given scenario, they fill out the official incident reporting form. The aim of the exercise is to reinforce the importance of timely, complete, and accurate reporting as a prerequisite for activating an appropriate response, ensuring effective coordination with relevant stakeholders, and fulfilling regulatory and legal obligations.

➤ Incident Response

The response phase involves the operational management of the incident with the goal of minimizing further damage, stabilizing systems, and regaining control. Part-IS.I.OR outlines the implementation of both technical and organizational measures, along with clearly defined communication procedures involving all relevant stakeholders. A key role is played by the recovery team, which is responsible for restoring system functionality as quickly as possible. Their task is to ensure that essential operations continue with minimal disruption and that recovery is achieved within the planned timeframe. The effectiveness of this phase significantly impacts the organization’s overall resilience and its readiness to handle future incidents.

Exercise 4: Executing the Response and Stakeholder Coordination
Based on a provided scenario, participants develop a response plan outlining how their organization should react to a specific information security incident. The exercise requires them to consider technical measures, communication with key stakeholders, and internal coordination. The goal is to help participants understand the importance of a fast, structured, and effective response, with clearly assigned responsibilities and reliable communication across all levels.

➤ Lessons Learned

The final phase of incident management focuses on understanding what happened, why it happened, and how to prevent similar situations in the future. Once the response phase is completed, a thorough root cause analysis should be conducted, the effectiveness of the implemented measures evaluated, and opportunities for improvement identified. The goal of this phase is to extract valuable insights that contribute to strengthening the security culture, refining existing procedures, and increasing system resilience. In addition to enhancing information security practices, the analysis also reveals how prepared the recovery system was and whether the response time was sufficient to maintain business continuity without major disruption.

Exercise 5: Preparing the Incident Report
Participants prepare a final report that includes a summary of the incident, root cause analysis, assessment of the effectiveness of response actions, and specific recommendations for improving policies, response plans, and security mechanisms. The report also contains key findings and lessons learned from the incident, along with proposals for updating IRBC indicators to improve readiness for future challenges.

➤ Practical Incident Management Workshop

The final module of the course includes a comprehensive simulation of an information security incident within an aviation organization. Participants are divided into teams and engage in all phases of the incident management process: from event detection and reporting, through assessment and response, to final analysis and report preparation. Each phase involves the use of actual forms, communication protocols, and role-specific tasks, which participants carry out independently. The incident scenario evolves dynamically — depending on the teams’ decisions, the situation may change, requiring adaptability and teamwork. The simulation also incorporates IRBC elements, particularly focusing on whether the system can withstand the incident without interrupting critical functions. 

➤ Final Exam

The exam is designed to assess the participants' understanding of key content and their ability to apply the acquired knowledge in practice. Participants take a written exam consisting of 20 questions based on two scenarios of information security incidents within an aviation organization. Each scenario presents a different security situation that may impact the operation of aviation activities. The exam results form an integral part of the overall course performance assessment. By successfully completing the exam, participants confirm their competence in managing information security incidents in accordance with the requirements of PART-IS.I.OR.

Certificate of Competence

All participants who successfully complete the practical exercises and pass the final examination will be awarded a certificate of competence in managing information security incidents in civil aviation, in accordance with the Information Security and Oversight Requirements of the European Union Aviation Safety Agency (PART-IS.I.OR).

Learning Outcomes

Upon completion of the training, participants will be able to:

  • explain the importance of incident management in the context of aviation safety,
  • identify events that may escalate into information security incidents,
  • correctly complete reporting forms for events and incidents,
  • make decisions on response activation based on defined criteria,
  • develop a technical and communication response plan for incidents,
  • evaluate the effectiveness of implemented measures and propose corrective actions,
  • collaborate effectively within a team during a simulated security incident.

Literature

  • PART-IS.I.OR – Information Security and Oversight Requirements (EASA),
  • ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – ISMS requirements,
  • ISO/IEC 27035-1:2023 – Information security incident management – Part 1: Principles and process,
  • ISO/IEC 27031:2025 – ICT readiness for business continuity

Discounts

We offer attractive discounts for group registrations. The applicable rates are as follows:

  • 5 % discount for 2 participants,
  • 10 % discount for 3 participants,
  • 15 % discount for 4 participants,
  • and a generous 20 % discount for groups of more than 5 participants.

Additional information: Bojan Varga, e-mail: bojan.varga@siq.si

We value and reward your loyalty

That is why we are introducing the Loyalty Bonus to reward our loyal participants.
