Online course: ISMS Documentation Management in Civil Aviation

07. 11. 2025
💡 This course is part of the Academy of Information Security in Civil Aviation - PART-IS Manager training.

Description and Objectives of the Training

This training provides a comprehensive insight into documentation management within the Information Security Management System (ISMS), with a special emphasis on the requirements of Part-IS.I.OR and the ISO/IEC 27001:2022 standard. Eleven thematic chapters cover all key categories of documentation – from ISMS manuals, policies, and methodologies to plans, records, registers, and reports. The goal is to equip participants to independently develop, evaluate, and maintain ISMS documentation in accordance with regulatory requirements and best practices.

Target Audience

This training is intended for individuals involved in the development, maintenance, and oversight of ISMS documentation, including information security managers, quality managers, ISMS team members, internal auditors, process managers, aviation organization leadership, and anyone preparing the organization for external oversight according to the requirements of PART-IS.I.OR and the ISO/IEC 27001 standard.

Course Content

➤ Introduction to ISMS Documentation Management

This introductory chapter provides an overview of the purpose and importance of documentation management within the Information Security Management System (ISMS). Participants will gain an understanding of the role of documented information in the context of the regulatory requirements of Part-IS.I.OR and the ISO/IEC 27001:2022 standard, as well as relevant guidelines such as ISO 10013:2021. The focus is on fundamental documentation principles, differences between document types, and the connection between documentation and risk and incident management systems. The document lifecycle is also covered, including creation, version control, approval, and archiving. The goal of this chapter is to build a foundational understanding of a systematic approach to managing documented information as the backbone of the ISMS in the aviation sector.

➤ ISMS Manual

The ISMS manual is a comprehensive document that describes the information security management system as a whole. This chapter addresses its purpose, content, and relationships with other documents. Participants will learn how to structure the manual to serve as a useful tool for oversight, communication, and implementation of the ISMS, covering its scope, key processes, policies, responsibilities, and interconnections.

➤ Policies

This chapter covers the types and purposes of key ISMS policies, such as the information security policy, information classification policy, asset use policy, and others. Emphasis is placed on the requirements of Part-IS.I.OR and ISO 27001, alignment with security objectives, approval by top management, and regular policy reviews.

➤ Methodologies

This chapter addresses documented methodologies such as those for risk assessment and treatment, incident evaluation, compliance management, and other key areas. It includes the structure of a methodology and its connection to ISO/IEC 27005 and ISO 31000 standards.

Exercise 3: Developing a Risk Assessment Methodology

Participants create a simple but functional draft of a risk assessment methodology, including criteria, data sources, and decision logic. The goal is to understand how a methodological approach becomes the foundation for systematic decision-making and documentation. The exercise also helps distinguish between methodology structure and procedures.

➤ Procedures

This chapter explains how to develop procedures that enable the implementation of policies and methodologies, including procedures for incident management, change management, access control, monitoring, and others. Emphasis is placed on a clear structure and defined roles.

➤ Plans
Plans represent concrete steps toward achieving ISMS objectives. This includes training plans, business continuity, recovery, incident response, and others, with emphasis on linking them to risk analysis and organizational goals.

➤ Records
Records serve as evidence of activities conducted under the ISMS. The chapter covers types of records, how they are controlled, stored, and connected to audits and corrective actions. Special focus is given to the requirement of Part-IS.I.OR.245.

➤ Registers
Registers allow the tracking of assets, risks, incidents, access, and other ISMS elements. The focus is on their structure, maintenance, and functional role in supporting decision-making and auditing.

➤ Reports
Reports are used for formal communication within the organization and with competent authorities. This includes audit reports, management reviews, incident reports, and regulatory compliance. Emphasis is placed on structure, clarity, and connection with documentation.

➤ Other Documents
This chapter covers documents such as the Statement of Applicability (SoA), responsibility assignments, communication matrices, internal forms, and auxiliary records. Their functional role, maintenance, and connection to formal documentation are explained.


➤ Final Exam
At the end of the course, a final exam is conducted covering all topics. The exam includes a combination of theoretical questions, practical tasks, and scenarios. The objective is to confirm understanding of the ISMS documentation system and the ability to apply it in an organizational context.

Learning Outcomes

Upon completion of the training, participants will:

  • understand the key types of ISMS documentation and their connection to processes,
  • be able to structure and develop documents in line with regulatory requirements,
  • distinguish between policies, methodologies, procedures, and records,
  • be able to create templates and properly manage document versions and statuses,
  • master the skills needed to prepare documentation for external audits,
  • demonstrate the operational effectiveness of documentation through practical simulation,
  • develop the ability to evaluate, maintain, and continuously improve the documentation system.

Literature

  • PART-IS.I.OR – Information Security and Oversight Requirements (EASA)
  • ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Requirements
  • ISO/IEC 27002:2022 – Code of Practice for Information Security Controls
  • ISO 10013:2021 – Quality Management Systems – Guidance for Documented Information
  • ISO/IEC 27005:2022 – Guidance on Managing Information Security Risks
  • ISO/IEC 27035-1:2023 – Information Security Incident Management – Principles and Process
  • ISO 31000:2018 – Risk Management – Guidelines

Discounts

We offer attractive discounts for group registrations. The applicable rates are as follows:

  • 5 % discount for 2 participants,
  • 10 % for 3 participants,
  • 15 % for 4 participants,
  • and a generous 20 % discount for groups of more than 5 participants.

Additional information: Bojan Varga, e-mail: bojan.varga@siq.si

We value and reward your loyalty

That is why we are introducing the Loyalty Bonus to reward our loyal participants.
