According to IS.D.OR.205(b), what interfaces should an organization identify regarding information security risks?

The organization should identify interfaces with other organizations that could result in mutual exposure to information security risks.

What elements should an organization identify as potentially exposed to information security risks according to IS.D.OR.205(a)?

The organization should identify its activities, facilities, resources, and services, including those it operates, provides, receives, or maintains. It should also identify the equipment, systems, data, and information that contribute to the functioning of these elements.

When does Regulation (EU) 2022/1645, which includes IS.D.OR.205, become applicable?

Regulation (EU) 2022/1645 becomes applicable on 16 October 2025.

Under what circumstances should an organization review and update its information security risk assessment according to IS.D.OR.205(d)?

The risk assessment should be reviewed and updated when there is a change in the elements subject to information security risks, a change in interfaces with other organizations, a change in the information used for risk analysis, or lessons learned from information security incidents.

What should an organization do with identified information security risks that may impact aviation safety, according to IS.D.OR.205(c)?

For each identified risk, the organization must assign a risk level according to a predefined classification and associate each risk and its level with the corresponding element or interface.

IS.D.OR.205 Information security risk assessment

Q: What factors should the predefined risk classification consider when assigning a risk level, as per IS.D.OR.205(c)?

The classification should consider the potential of occurrence of the threat scenario and the severity of its safety consequences.

Navigate / EASA

Ask question Discover more Add to collection

Regulation (EU) 2022/1645

(a) The organisation shall identify all of its elements, which could be exposed to information security risks. That shall include:

(1) the organisation’s activities, facilities and resources, as well as the services the organisation operates, provides, receives or maintains;

(2) the equipment, systems, data and information that contribute to the functioning of the elements listed in point (1).

(b) The organisation shall identify the interfaces that it has with other organisations, and which could result in the mutual exposure to information security risks.

(c) With regard to the elements and interfaces referred to in points (a) and (b), the organisation shall identify the information security risks which may have a potential impact on aviation safety. For each identified risk, the organisation shall:

(1) assign a risk level according to a predefined classification established by the organisation;

(2) associate each risk and its level with the corresponding element or interface identified in accordance with points (a) and (b).

The predefined classification referred to in point (1) shall take into account the potential of occurrence of the threat scenario and the severity of its safety consequences. Based on that classification, and taking into account whether the organisation has a structured and repeatable risk management process for operations, the organisation shall be able to establish whether the risk is acceptable or needs to be treated in accordance with point IS.D.OR.210.

In order to facilitate the mutual comparability of risks assessments, the assignment of the risk level pursuant to point (1) shall take into account relevant information acquired in coordination with the organisations referred to in point (b).

(d) The organisation shall review and update the risk assessment carried out in accordance with points (a), (b) and (c) in any of the following situations:

(1) there is a change in the elements subject to information security risks;

(2) there is a change in the interfaces between the organisation and other organisations, or in the risks communicated by the other organisations;

(3) there is a change in the information or knowledge used for the identification, analysis and classification of risks;

(4) there are lessons learnt from the analysis of information security incidents.

Details

Source-Title: IS.D.OR.205 Information security risk assessment

Erulesid: ERULES-1963177438-19910 Compare versions

Domain: Information Security (IS)

Applicabilitydate: 16 October 2025

Entryintoforcedate: 16 October 2022

Regulatorysource: Regulation (EU) 2022/1645 Navigate

Regulatorysubject: Part-IS.D.OR

Typeofcontent: DR (Delegated rule)

Origin: EASA

Category: EAR

Details

Related sections: