Online course: ISMS Documentation Management in Civil Aviation

15.07.2025-17.07.2025
💡 This course is part of the Academy of Information Security in Civil Aviation - PART-IS Manager training.

Description and Objectives of the Training

This training provides a comprehensive insight into documentation management within the Information Security Management System (ISMS), with a special emphasis on the requirements of Part-IS.I.OR and the ISO/IEC 27001:2022 standard. Eleven thematic chapters cover all key categories of documentation – from ISMS manuals, policies, and methodologies to plans, records, registers, and reports. A dedicated chapter focuses on verifying the operational usability of documentation and preparing for external oversight, further emphasizing the importance of functionality.
The program is highly practical, focusing on active participant engagement. It includes nine concrete exercises that enable the creation of templates, application of knowledge in real scenarios, and audit simulation. This ensures that participants not only understand the documentation requirements but can also link them to organizational processes and demonstrate their effectiveness. The goal is to equip participants to independently develop, evaluate, and maintain ISMS documentation in accordance with regulatory requirements and best practices.

Target Audience
This training is intended for individuals involved in the development, maintenance, and oversight of ISMS documentation, including information security managers, quality managers, ISMS team members, internal auditors, process managers, aviation organization leadership, and anyone preparing the organization for external oversight according to the requirements of PART-IS.I.OR and the ISO/IEC 27001 standard.

Course Content

➤ Introduction to ISMS Documentation Management

This introductory chapter provides an overview of the purpose and importance of documentation management within the Information Security Management System (ISMS). Participants will gain an understanding of the role of documented information in the context of the regulatory requirements of Part-IS.I.OR and the ISO/IEC 27001:2022 standard, as well as relevant guidelines such as ISO 10013:2021. The focus is on fundamental documentation principles, differences between document types, and the connection between documentation and risk and incident management systems. The document lifecycle is also covered, including creation, version control, approval, and archiving. The goal of this chapter is to build a foundational understanding of a systematic approach to managing documented information as the backbone of the ISMS in the aviation sector.

➤ ISMS Manual

The ISMS manual is a comprehensive document that describes the information security management system as a whole. This chapter addresses its purpose, content, and relationships with other documents. Participants will learn how to structure the manual to serve as a useful tool for oversight, communication, and implementation of the ISMS, covering its scope, key processes, policies, responsibilities, and interconnections.

Exercise 1: ISMS Manual Structure

Participants will create a draft structure of the ISMS manual including key elements such as scope, policies, processes, and links to other documents. The objective is to understand the role of the manual and how to adapt it to the specific needs of the organization. This exercise also enhances the ability to structure a clear and concise document that facilitates internal communication and external oversight.

➤ Policies

This chapter covers the types and purposes of key ISMS policies, such as the information security policy, information classification policy, asset use policy, and others. Emphasis is placed on the requirements of Part-IS.I.OR and ISO 27001, alignment with security objectives, approval by top management, and regular policy reviews.

Exercise 2: Developing an Information Security Policy
Participants analyze a sample information security policy and propose changes to ensure compliance with Part-IS and ISO 27001. The goal is to understand how to design a compliant, actionable, and controlled policy. The exercise also helps participants understand the relationship between strategic goals, organizational culture, and documented obligations.

➤ Methodologies

This chapter addresses documented methodologies such as those for risk assessment and treatment, incident evaluation, compliance management, and other key areas. It includes the structure of a methodology and its connection to ISO/IEC 27005 and ISO 31000 standards.

Exercise 3: Developing a Risk Assessment Methodology

Participants create a simple but functional draft of a risk assessment methodology, including criteria, data sources, and decision logic. The goal is to understand how a methodological approach becomes the foundation for systematic decision-making and documentation. The exercise also helps distinguish between methodology structure and procedures.

➤ Procedures

This chapter explains how to develop procedures that enable the implementation of policies and methodologies, including procedures for incident management, change management, access control, monitoring, and others. Emphasis is placed on a clear structure and defined roles.

Exercise 4: Developing an Incident Management Procedure
Participants develop a procedure for managing information security incidents in line with the requirements of Part-IS and ISO/IEC 27035. The goal is to create a procedure that is operationally useful and clearly defined. The exercise also teaches participants how to connect individual steps with appropriate records and responsibilities.

➤ Plans

Plans represent concrete steps toward achieving ISMS objectives. This includes training plans, business continuity, recovery, incident response, and others, with emphasis on linking them to risk analysis and organizational goals.

Exercise 5: Awareness and Training Plan for ISMS Personnel

Participants develop a plan for conducting internal training and awareness programs on information security, with defined objectives, responsibilities, and deadlines. The goal is to link planned activities with ISMS business goals and effectiveness measures. The exercise also includes developing proposed performance indicators.

➤ Records

Records serve as evidence of activities conducted under the ISMS. The chapter covers types of records, how they are controlled, stored, and connected to audits and corrective actions. Special focus is given to the requirement of Part-IS.I.OR.245.

Exercise 6: Developing a Security Incident Record Template

Participants design a record template that enables structured logging, analysis, and tracking of security incidents. The goal is to create useful records that support analysis, trend monitoring, and oversight. The exercise encourages critical thinking about the necessary information for effective processing and corrective actions.

➤ Registers

Registers allow the tracking of assets, risks, incidents, access, and other ISMS elements. The focus is on their structure, maintenance, and functional role in supporting decision-making and auditing.

Exercise 7: Developing a Risk Register

Participants develop a functional risk register based on a previously developed methodology, including identifiers, risk levels, treatments, and status. The goal is to understand the importance of up-to-date, systematically maintained registers for ISMS management. The exercise also develops categorization skills and dynamic content updating based on new data.

➤ Reports

Reports are used for formal communication within the organization and with competent authorities. This includes audit reports, management reviews, incident reports, and regulatory compliance. Emphasis is placed on structure, clarity, and connection with documentation.

Exercise 8: Summary Report on ISMS Effectiveness for Management

Participants prepare a report summary based on key findings, analysis, and improvement recommendations. The goal is to learn how to structure reports that support decision-making and fulfill oversight requirements. The exercise strengthens the ability to present data to target groups (e.g., management, regulators).

➤ Other Documents

This chapter covers documents such as the Statement of Applicability (SoA), responsibility assignments, communication matrices, internal forms, and auxiliary records. Their functional role, maintenance, and connection to formal documentation are explained.

Exercise 9: Documenting Responsibilities of the Incident Team

The objective is to understand how documented responsibility allocation within the Incident Response Team (IRT) ensures functional connections between roles, communication, and authority, and how such documentation supports incident response effectiveness and compliance with formal requirements such as the SoA, communication matrices, and other records.

➤ Operational Usability of ISMS Documentation

The effectiveness of ISMS documentation lies not in its existence, but in its operational usability: the ability to support actual organizational processes, ensure regulatory compliance, and facilitate decision-making. Documents like policies, procedures, records, and reports must be functionally linked to business activities and clearly demonstrate how information is protected and managed in practice. This workshop allows participants to test documentation effectiveness in a simulated environment and develop the skills necessary to prove its operational application.

Exercise: Simulated Proof of Documentation Effectiveness in a Process

Participants analyze one organizational process and prepare documentation for a simulated audit. The goal is to demonstrate documentation functionality and its ability to serve as evidence of compliance and effectiveness. The exercise also includes presenting the prepared documentation package to an "auditor" and defending the consistency of the documents.

➤ Final Exam

At the end of the course, a final exam is conducted covering all topics. The exam includes a combination of theoretical questions, practical tasks, and scenarios. The objective is to confirm understanding of the ISMS documentation system and the ability to apply it in an organizational context.

Learning Outcomes

Upon completion of the training, participants will:

  • understand the key types of ISMS documentation and their connection to processes,
  • be able to structure and develop documents in line with regulatory requirements,
  • distinguish between policies, methodologies, procedures, and records,
  • be able to create templates and properly manage document versions and statuses,
  • master the skills needed to prepare documentation for external audits,
  • demonstrate the operational effectiveness of documentation through practical simulation,
  • develop the ability to evaluate, maintain, and continuously improve the documentation system.

Literature

  • PART-IS.I.OR – Information Security and Oversight Requirements (EASA)
  • ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Requirements
  • ISO/IEC 27002:2022 – Code of Practice for Information Security Controls
  • ISO 10013:2021 – Quality Management Systems – Guidance for Documented Information
  • ISO/IEC 27005:2022 – Guidance on Managing Information Security Risks
  • ISO/IEC 27035-1:2023 – Information Security Incident Management – Principles and Process
  • ISO 31000:2018 – Risk Management – Guidelines

Discounts

We offer attractive discounts for group registrations. The applicable rates are as follows:

  • 5 % discount for 2 participants,
  • 10 % for 3 participants,
  • 15 % for 4 participants,
  • 20 % discount for groups of more than 5 participants.

Additional information: Bojan Varga, e-mail: bojan.varga@siq.si

We value and reward your loyalty

That is why we are introducing the Loyalty Bonus to reward our loyal participants.