
Online Course: Information Security Risk Assessment in Civil Aviation

21.07.2025-22.07.2025
💡 This course is part of the Academy of Information Security in Civil Aviation - PART-IS Manager training.

Description and Objectives of the Training

The course covers all steps of the information security risk assessment in accordance with the requirements of Part-IS.I.OR.205 and the international standards ISO 31000:2018, ISO/IEC 27001:2022, and ISO/IEC 27005:2022. Through seven thematic blocks, participants become familiar with the key concepts, principles, and methods for assessing and treating risks. Special emphasis is placed on establishing context, identifying threats and vulnerabilities, performing both quantitative and qualitative assessments, deciding on risk acceptability, and planning effective risk treatment measures. The theoretical content is reinforced by practical exercises that link acquired knowledge with real-life situations in the aviation environment. The programme concludes with an integrated practical exercise and a final knowledge assessment.

Target Audience

This course is intended for individuals involved in the assessment, treatment, and oversight of information security risks within aviation sector organizations. It also applies to those participating in the implementation of ISMS requirements in line with Part-IS.I.OR.205 and associated standards. The course is suitable for personnel already working in aviation organizations (AOC, CAMO, aerodromes, service providers, IT support, security managers, etc.).

Course Content

➤ Introduction to Risk Assessment

Participants are introduced to the fundamentals of the risk concept in the context of information security, the role of risk management within the ISMS framework, and the applicable regulatory requirements and standards. The importance of IS.I.OR.205 is explained as a core requirement of the Part-IS framework, along with its correlation to the ISO 31000, ISO 27001, and ISO 27005 standards. This introduction provides essential understanding of the purpose of risk assessment and its place within the information security management system of an aviation organization.

➤ Scope, Context and Criteria

Participants learn the steps for defining the scope of the risk assessment and establishing the context in line with ISO guidelines. The topic covers the development of both internal and external context, including stakeholder identification and the definition of risk assessment criteria – such as levels of likelihood and impact, as well as the boundaries of risk acceptability. The organisation must first clearly understand its own context, including assets, processes, and relationships with external parties, and based on that, define criteria that enable a structured and consistent approach to information security risk assessment.

Exercise 1: Context Analysis and Definition of Risk Criteria
Participants, working in groups, create a representation of the organisation's scope and context using a predefined template. They then define risk assessment criteria based on given parameters. The objective of the exercise is to understand how the fundamental assumptions of risk assessment are established and how they influence all subsequent steps.

➤ Risk Identification

This topic addresses the process of identifying information assets, threats, vulnerabilities, and potential incidents that could affect the safety of aviation operations. Participants learn how to collect information using available documentation, interviews with key personnel, workshops, and the use of checklists. Special emphasis is placed on understanding the interconnection between assets and external relationships that may increase exposure to risk. The concept of risk scenarios is also introduced, helping to visualise possible consequences of events based on real operational contexts. The content is aligned with the identification requirements of Part-IS.I.OR and the principles of international standards that define a systematic approach to identifying risks within an organisation’s information system.

Exercise 2: Identification of Assets, Threats and Vulnerabilities
Based on a given scenario, participants complete an asset register and identify threats and vulnerabilities associated with them. The objective of the exercise is to learn how to systematically identify risks and how to link threats and vulnerabilities to specific assets and processes.

➤ Risk Analysis

Participants practise methods for assessing the level of identified risks by analysing their likelihood and potential impact. They become familiar with both qualitative and quantitative approaches, including the use of risk matrices as tools for visual and numerical interpretation of results. The concepts of inherent risk, which exists before controls are applied, and residual risk, which remains after treatment measures, are also addressed. The aim is to ensure that participants understand how to objectively assess the significance of risks based on collected data and predefined criteria. This part of the process is essential for making informed decisions on further actions and is aligned with the analysis requirements set by regulatory and normative sources.

Exercise 3: Risk Level Assessment
Participants assess the level of risk for previously identified risks using a predefined matrix and descriptive categories. The objective of the exercise is to understand how risk is quantified and how the risk level supports decision-making.

➤ Risk Evaluation

The lecture focuses on understanding the risk evaluation process as the final step before making decisions on treatment. Participants learn how to compare the results of risk analysis with predefined risk acceptance criteria and how to identify which risks need to be treated and which can be accepted or transferred. The topic also covers setting priorities based on risk levels and their impact on business and safety. Emphasis is placed on logically linking all previous steps of the analysis and preparing the basis for effective risk treatment planning, in line with regulatory and normative requirements.

Exercise 4: Risk Evaluation and Classification
Participants carry out the evaluation of previously analysed risks and make decisions on further actions. The objective of the exercise is to learn how to classify risks by priority and align evaluation results with the previously defined criteria.

➤ Risk Treatment

The lecture provides an overview of risk treatment options aimed at reducing their impact on information security in aviation. Participants are introduced to four basic strategies: risk avoidance, reduction, transfer, and acceptance. Emphasis is placed on understanding when and why to apply each strategy and how to select appropriate controls according to the type and level of risk. The preparation of a risk treatment plan is also addressed as a documented tool for implementing measures, including alignment with organisational objectives and stakeholder requirements. The content is aligned with regulatory requirements and international standards that define an effective approach to managing identified and evaluated risks.

Exercise 5: Development of Risk Treatment Plan
Participants develop a risk treatment plan based on an information security scenario in aviation. The exercise focuses on applying prescribed protection measures derived from the risk analysis and aligning them with aviation safety objectives. The aim of the exercise is to build the ability to plan and document risk treatment in accordance with PART-IS requirements, serving as a foundation for effective implementation and oversight.

➤ Practical Risk Management Workshop

Participants apply their acquired knowledge and the results of all previous exercises through group analysis covering all phases of risk assessment – from defining context and criteria, identifying assets, threats, and vulnerabilities, through risk analysis and evaluation, to planning treatment. The work is based on a real scenario from the aviation domain and includes the development of a complete and consistent risk assessment example. The exercise also includes group presentations and feedback exchange with the course instructor and other teams.

➤ Final Exam

The formal knowledge assessment covers the understanding of key concepts, methods, and approaches addressed during the course. The questions span all phases of information security risk assessment in the aviation environment and include both theoretical tasks and scenario-based exercises to evaluate the ability to apply knowledge in practice. The objective of the exam is to assess the level of acquired knowledge and the ability to link the phases of risk assessment in accordance with Part-IS requirements.
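The analysis, evaluation and treatment steps above can be illustrated with a small worked example. The following Python register is added here and is not course material: it scores inherent risk on a 4x4 likelihood/impact matrix, compares the result with an assumed acceptance criterion, and recomputes residual risk after the controls in a treatment plan. The scales, threshold, asset and controls are constructed for illustration only.

```python
# Constructed example (not course material): qualitative risk register in the
# ISO/IEC 27005 style with inherent score, acceptance check and residual score.
from dataclasses import dataclass, field

SCALE = {"low": 1, "medium": 2, "high": 3, "very high": 4}  # assumed ratings
ACCEPTABLE_SCORE = 3  # assumed acceptance criterion: scores 1..3 are acceptable


def risk_score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood rating times impact rating (1..16)."""
    return SCALE[likelihood] * SCALE[impact]


def risk_level(score: int) -> str:
    """Map a matrix score to the descriptive level used for prioritisation."""
    if score >= 9:
        return "high"
    return "medium" if score >= 4 else "low"


def lower(rating: str, steps: int) -> str:
    """Reduce a rating by `steps` levels, never below 'low'."""
    ratings = list(SCALE)
    return ratings[max(0, ratings.index(rating) - steps)]


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: str
    impact: str
    # Treatment plan entries: (control name, likelihood steps, impact steps)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control is applied."""
        return risk_score(self.likelihood, self.impact)

    def residual(self) -> int:
        """Risk remaining after every planned control has taken effect."""
        lk, im = self.likelihood, self.impact
        for _, dl, di in self.controls:
            lk, im = lower(lk, dl), lower(im, di)
        return risk_score(lk, im)


def evaluate(risk: Risk) -> str:
    """Risk evaluation: accept if within the criterion, otherwise treat further."""
    return "accept" if risk.residual() <= ACCEPTABLE_SCORE else "treat"


# Constructed scenario: maintenance records reachable over a supplier connection.
CAMO_RECORDS = Risk("maintenance records system", "unauthorised record change",
                    "high", "very high",
                    controls=[("MFA and named supplier accounts", 1, 0),
                              ("immutable audit log and record backups", 0, 2)])
```

Here the inherent score of 12 ("high") falls to 4 ("medium") after both controls, which still exceeds the assumed criterion, so the evaluation step returns "treat" and the plan needs a further measure or a documented acceptance decision.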

Certificate of Competence

All participants who successfully complete the practical exercises and pass the final exam will be issued a certificate of competence for conducting information security risk assessment in civil aviation, in accordance with the Information Security and Oversight Requirements of the European Union Aviation Safety Agency (PART-IS.I.OR).

Learning Outcomes

Upon completion of the training, participants will be able to:

  • Understand the purpose and structure of risk assessment within the requirements of Part-IS.I.OR.
  • Define the scope, context, and criteria for risk assessment.
  • Identify information assets, threats, and vulnerabilities.
  • Independently analyse and evaluate risks using appropriate methods.
  • Develop strategies and risk treatment plans in line with standard requirements.
  • Link risk assessment with other ISMS processes and documentation.
  • Prepare key elements of documentation subject to oversight.
  • Apply knowledge to practical examples from the aviation domain.

Literature

  • EASA PART-IS.I.OR – Information Security and Oversight Requirements
  • ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements
  • ISO/IEC 27005:2022 – Information Security, Cybersecurity and Privacy Protection – Guidance on Managing Information Security Risks
  • ISO 31000:2018 – Risk Management – Guidelines

Discounts

We offer attractive discounts for group registrations. The applicable rates are as follows:

  • 5 % discount for 2 participants,
  • 10 % discount for 3 participants,
  • 15 % discount for 4 participants,
  • 20 % discount for groups of more than 5 participants.

Additional information: Bojan Varga, e-mail: bojan.varga@siq.si

We value and reward your loyalty

That is why we are introducing the Loyalty Bonus to reward our loyal participants.
