Online Course: Internal Audit of Information Security in Civil Aviation

29.07.2025-30.07.2025
💡 This course is part of the Academy of Information Security in Civil Aviation - PART-IS Manager training.

Description and Objectives of the Training

The course Internal Audit of the Information Security Management System in Civil Aviation in accordance with PART-IS.I.OR requirements equips participants with the knowledge and skills required to plan, conduct, and evaluate internal audits in organisations that establish, maintain, or improve an Information Security Management System (ISMS) within the scope of civil aviation.

Special emphasis is placed on alignment with the Information Security and Oversight Requirements of the European Union Aviation Safety Agency (PART-IS.I.OR), which sets out oversight obligations in the context of civil aviation. The course covers all stages of the audit process – from understanding regulatory requirements to implementing practical activities and conducting final evaluations. Through simulations and practical exercises, participants gain the competencies needed for effective internal audit execution in compliance with EASA requirements and international standards.

Target Audience

The course is intended for professionals involved in the development, maintenance, and supervision of information security management systems within organisations that are part of the civil aviation system. The target group includes internal auditors, members of ISMS teams, information security advisors, security programme coordinators, and compliance officers responsible for meeting the requirements in the field of information security in civil aviation, in accordance with PART-IS.I.OR.

Course Content

➀ Introduction to Internal Audit

Internal audit is a key tool for assessing the compliance and effectiveness of an Information Security Management System (ISMS). Its purpose lies in supporting the cycle of continual improvement and strengthening internal control and accountability within the organisation. Internal audit differs from self-assessment and external audit in its internal nature and improvement-driven focus. This section includes an overview of the essential normative and regulatory requirements based on ISO/IEC 27001:2022, ISO 19011:2018, and Annex II – Information Security – Organisation Requirements (PART-IS.I.OR), with a particular emphasis on management responsibilities and the requirement for periodic internal audits as set out in IS.I.OR.200(a)(12).

➀ Audit Programme

The audit programme defines the strategic framework within which multiple audits are planned and organised over a specific period. It includes the audit objectives, criteria, scope, frequency, resources, and responsibilities, and is based on risk assessment and applicable regulatory requirements. The development of the programme must align with the guidelines set out in ISO/IEC 19011 and ISO/IEC 27007, and the documented programme should be linked to scheduled records and allocated resources to ensure the audit is effective and consistent.
Exercise 1: Developing the Audit Programme
Participants develop an audit programme for an information security management system, defining audit objectives, scope, criteria, frequency, resources involved, and responsibilities. The programme is based on regulatory requirements, the results of risk assessment, and the guidance provided in ISO/IEC 19011 and PART-IS.I.OR.
The goal of the exercise is to enable participants to understand the difference between an audit programme and an audit plan, define the key components of the audit programme, link requirements to audit planning, and develop a document that will be used in the subsequent phases of internal audit execution.

➀ Audit Plan

The audit plan is an operational document that details specific information for each individual audit, including the date and location, audited processes, daily schedule of activities, and the members of the audit team with their assigned responsibilities. It includes information on the audit methodology, communication channels, and logistical arrangements. The audit plan is prepared based on the audit programme and must be linked to the relevant organisational documentation, while also respecting the obligation to record audit evidence in accordance with requirement IS.I.OR.245.
Exercise 2: Developing the Audit Plan
Based on the previously developed audit programme, participants prepare an audit plan that includes specific audit dates, location, an overview of the audited processes, daily activity schedule, distribution of tasks among audit team members, and the definition of logistical and communication arrangements necessary for audit implementation.
The goal of the exercise is to help participants apply the elements of the audit programme to the level of a specific audit, plan concrete tasks and resources, structure the flow of activities within a given timeframe, and ensure the plan is aligned with regulatory requirements and relevant standards.

➀ Preparing the Auditor for the Audit

At this stage, the auditor reviews the relevant organisational documentation, prepares audit questions, identifies areas of interest, and plans the approach for conducting interviews and verifications. The auditor applies various information-gathering techniques such as interviews, observation, and record review. It is essential to know how to formulate questions, take notes, and select appropriate evidence to support audit conclusions.
Exercise 3: Developing the Checklist
In this exercise, participants develop their own audit checklist containing questions, related rules, criteria, and sources of evidence, all aligned with the previously defined audit plan and audit programme. The checklist will serve as a practical tool during the execution of the audit.
The goal of the exercise is to enable participants to recognise and translate requirements from standards and regulations into clear questions, link each question to relevant evidence and evaluation criteria, ensure consistency and clarity in the document, and prepare a practical tool for structured audit implementation.

➀ Managing Nonconformities

Nonconformities are defined and classified according to the standards ISO/IEC 27001 and ISO 19011, with a distinction made between major and minor nonconformities, observations, and recommendations. The auditor is responsible for recording audit findings and performing accurate analysis, including the identification of root causes. Proper management of nonconformities is essential for initiating effective corrective actions and for the successful closure of the audit.
Exercise 4: Classification and Analysis of Nonconformities
Based on the audit findings, participants analyse and classify identified irregularities. Each finding is categorised as a major nonconformity, minor nonconformity, observation, or recommendation, and participants must further explain the cause and potential impact.
The goal of the exercise is to enable participants to distinguish between different types of nonconformities and findings, assess the severity and potential consequences of each finding, link the finding to the relevant standard or regulatory requirement, and accurately document and justify each classification.

➀ Corrections, Corrective Actions, and Continual Improvement of the ISMS

Corrections and corrective actions represent two levels of response to identified nonconformities – a correction eliminates the immediate deviation, while a corrective action addresses the root cause of the issue to prevent recurrence. The normative requirements IS.I.OR.225, IS.I.OR.245, and IS.I.OR.260 define expectations regarding the effectiveness and documentation of these processes. In addition, requirement IS.I.OR.255 introduces the need for change management. The application of the PDCA cycle (Plan-Do-Check-Act) provides the foundation for the continual improvement of the ISMS and the enhancement of its maturity.
Exercise 5: Managing Corrective Actions and Continual Improvement
In this exercise, participants analyse the corrections and corrective actions proposed by process owners in areas where nonconformities were identified. Based on previously classified findings, participants are tasked with determining whether the proposed measures are adequate for closing the nonconformities.
The goal of the exercise is to train participants to critically assess corrections and corrective actions in relation to observed nonconformities, determine their appropriateness and compliance with standard and regulatory requirements, and identify potential shortcomings in the approach taken by process owners. Furthermore, the exercise encourages participants to suggest additional actions that contribute to the long-term maturity and improvement of the information security management system.

➀ Practical Workshop: Conducting an Internal Audit

During this workshop, participants use previously developed materials – the audit programme and audit plan, checklist, and supporting documentation – to conduct a simulated internal audit. Activities include scenario analysis, conducting interviews, reviewing evidence, and classifying findings. Based on the results, participants prepare an audit report, propose corrective actions, and jointly evaluate the overall process. This workshop integrates all previously completed exercises and serves as a practical application of the knowledge acquired throughout the course.

➀ Final Exam

The final exam consists of a written knowledge test comprising 20 questions and two audit scenarios. The exam covers all thematic units of the course and is designed to confirm the participants’ competence in effectively conducting internal audits in accordance with the requirements of ISO standards and the regulatory framework defined by PART-IS.I.OR.

➀ Certificate of Competence

All participants who successfully complete the practical exercises and pass the final exam will be awarded a certificate of competence for conducting internal audits of information security management systems in civil aviation, in accordance with the Information Security and Oversight Requirements of the European Union Aviation Safety Agency (PART-IS.I.OR).

Learning Outcomes

Upon completion of the training, participants will be able to:

  • explain the purpose, objectives, and regulatory requirements for conducting internal ISMS audits,
  • develop an Audit Programme and Audit Plan in accordance with applicable standards and requirements,
  • create an effective audit checklist based on specific criteria and supporting documentation,
  • classify and analyse audit findings in line with nonconformity criteria,
  • evaluate and assess the effectiveness of corrective and improvement actions,
  • conduct an internal audit in practice using prepared tools and methods,
  • successfully pass the final exam and demonstrate competence to perform internal audits.

Literature

  • PART-IS.I.OR – Information Security and Oversight Requirements (EASA),
  • ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – ISMS requirements,
  • ISO/IEC 27035-1:2023 – Information security incident management – Part 1: Principles and process,
  • ISO/IEC 27031:2025 – ICT readiness for business continuity

Discounts

We offer attractive discounts for group registrations. The applicable rates are as follows:

  • 5 % discount for 2 participants,
  • 10 % for 3 participants,
  • 15 % for 4 participants,
  • and a generous 20 % discount for groups of more than 5 participants.

Additional information: Bojan Varga, e-mail: bojan.varga@siq.si

We value and reward your loyalty

That is why we are introducing the Loyalty Bonus to reward our loyal participants.