IS.I.OR.205 Information security risk assessment
Regulation (EU) 2023/203
(a) The organisation shall identify all its elements which could be exposed to information security risks. That shall include:
(1) the organisation’s activities, facilities and resources, as well as the services the organisation operates, provides, receives or maintains;
(2) the equipment, systems, data and information that contribute to the functioning of the elements listed in point (1).
(b) The organisation shall identify the interfaces that it has with other organisations, and which could result in the mutual exposure to information security risks.
(c) With regard to the elements and interfaces referred to in points (a) and (b), the organisation shall identify the information security risks which may have a potential impact on aviation safety. For each identified risk, the organisation shall:
(1) assign a risk level according to a predefined classification established by the organisation;
(2) associate each risk and its level with the corresponding element or interface identified in accordance with points (a) and (b).
The predefined classification referred to in point (1) shall take into account the potential of occurrence of the threat scenario and the severity of its safety consequences. Based on that classification, and taking into account whether the organisation has a structured and repeatable risk management process for operations, the organisation shall be able to establish whether the risk is acceptable or needs to be treated in accordance with point IS.I.OR.210.
In order to facilitate the mutual comparability of risk assessments, the assignment of the risk level pursuant to point (1) shall take into account relevant information acquired in coordination with the organisations referred to in point (b).
(d) The organisation shall review and update the risk assessment carried out in accordance with points (a), (b) and, as applicable, points (c) or (e), in any of the following situations:
(1) there is a change in the elements subject to information security risks;
(2) there is a change in the interfaces between the organisation and other organisations, or in the risks communicated by the other organisations;
(3) there is a change in the information or knowledge used for the identification, analysis and classification of risks;
(4) there are lessons learnt from the analysis of information security incidents.
(e) By derogation from point (c), organisations required to comply with Subpart C of Annex III (Part-ATM/ANS.OR) to Regulation (EU) 2017/373 shall replace the analysis of the impact on aviation safety by an analysis of the impact on their services as per the safety support assessment required by point ATM/ANS.OR.C.005. This safety support assessment shall be made available to the air traffic service providers to whom they provide services and those air traffic service providers shall be responsible for evaluating the impact on aviation safety.
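The structure that points (a) to (d) require (an inventory of elements and interfaces, risks tied to those elements, a predefined likelihood-by-severity classification, an accept-or-treat decision, and review triggers) can be modelled as a small risk register. The following Python illustration is added here and is not part of the regulation or of the Aviation.Bot summary; the element and interface names, the 5x5 matrix, the level thresholds and the acceptance rule are all constructed assumptions, since point (c)(1) leaves the classification to the organisation.

```python
"""Risk register shaped after IS.I.OR.205 (added illustration, not regulatory text).

All concrete values below (matrix scales, thresholds, element names) are
constructed examples standing in for the classification an organisation
must define for itself under point (c)(1).
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    """Potential of occurrence of the threat scenario (assumed 5-point scale)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    FREQUENT = 5


class Severity(IntEnum):
    """Severity of the safety consequences (assumed 5-point scale)."""
    NEGLIGIBLE = 1
    MINOR = 2
    MAJOR = 3
    HAZARDOUS = 4
    CATASTROPHIC = 5


def risk_level(likelihood: Likelihood, severity: Severity) -> str:
    """Predefined classification (assumption): likelihood x severity bucketed into 3 levels."""
    score = int(likelihood) * int(severity)
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


# Assumption: only "low" is acceptable; anything else must be treated (IS.I.OR.210).
ACCEPTABLE_LEVELS = {"low"}


@dataclass
class Risk:
    risk_id: str
    scenario: str
    target: str                 # id of the element or interface this risk is associated with
    likelihood: Likelihood
    severity: Severity

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.severity)

    @property
    def needs_treatment(self) -> bool:
        return self.level not in ACCEPTABLE_LEVELS


@dataclass
class RiskAssessment:
    elements: dict[str, str] = field(default_factory=dict)     # point (a)
    interfaces: dict[str, str] = field(default_factory=dict)   # point (b)
    risks: list[Risk] = field(default_factory=list)            # point (c)

    def add_risk(self, risk: Risk) -> None:
        """Point (c)(2): a risk must map to an identified element or interface."""
        if risk.target not in self.elements and risk.target not in self.interfaces:
            raise ValueError(f"{risk.risk_id}: unknown element/interface {risk.target!r}")
        self.risks.append(risk)

    def risks_for(self, target: str) -> list[Risk]:
        return [r for r in self.risks if r.target == target]

    def treatment_backlog(self) -> list[str]:
        """Risk ids that exceed the acceptance rule and need treatment."""
        return [r.risk_id for r in self.risks if r.needs_treatment]

    def review_needed(self, changed_targets: set[str], incident_lessons: bool = False) -> bool:
        """Point (d): a change to a known element/interface, or an incident lesson, triggers review."""
        known = set(self.elements) | set(self.interfaces)
        return incident_lessons or bool(changed_targets & known)


def build_example_assessment() -> RiskAssessment:
    """Constructed sample register; the names and ratings are illustrative only."""
    a = RiskAssessment()
    a.elements["EL-01"] = "flight planning system (constructed example)"
    a.elements["EL-02"] = "maintenance records database (constructed example)"
    a.interfaces["IF-01"] = "data link to an external ground-handling provider (constructed example)"
    a.add_risk(Risk("R-001", "unauthorised modification of flight plans", "EL-01",
                    Likelihood.UNLIKELY, Severity.HAZARDOUS))      # 2*4=8  -> medium
    a.add_risk(Risk("R-002", "loss of availability of maintenance records", "EL-02",
                    Likelihood.RARE, Severity.MINOR))              # 1*2=2  -> low
    a.add_risk(Risk("R-003", "tampered data received over the partner link", "IF-01",
                    Likelihood.POSSIBLE, Severity.MAJOR))          # 3*3=9  -> medium
    return a


if __name__ == "__main__":
    reg = build_example_assessment()
    for r in reg.risks:
        print(r.risk_id, r.target, r.level, "treat" if r.needs_treatment else "accept")
    print("review needed after change to EL-02:", reg.review_needed({"EL-02"}))
```

The `add_risk` check enforces the traceability point (c)(2) asks for: a risk that cannot be tied to an inventoried element or interface is rejected rather than silently recorded, which is the usual gap auditors find in spreadsheet-based registers. For point (e), an ATM/ANS provider would swap the `Severity` scale for one describing impact on its services and hand the resulting register to the air traffic service provider, who performs the aviation-safety evaluation.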
Aviation organizations must conduct information security risk assessments, identifying vulnerable elements, interfaces with other organizations, and potential impacts on aviation safety. Risks are classified, considering occurrence probability and safety consequences. Risk assessments must be reviewed and updated regularly, especially after changes or security incidents.
* Summary by Aviation.Bot - Always consult the original document for the most accurate information.