IS.D.OR.205 Information security risk assessment
Available versions for ERULES-1963177438-19910
Regulation (EU) 2022/1645
found in: Information Security (No 2023/203 and 2022/1645) Part-IS (Jun 2024)
(a) The organisation shall identify all of its elements, which could be exposed to information security risks. That shall include:
(1) the organisation’s activities, facilities and resources, as well as the services the organisation operates, provides, receives or maintains;
(2) the equipment, systems, data and information that contribute to the functioning of the elements listed in point (1).

(b) The organisation shall identify the interfaces that it has with other organisations, and which could result in the mutual exposure to information security risks.

(c) With regard to the elements and interfaces referred to in points (a) and (b), the organisation shall identify the information security risks which may have a potential impact on aviation safety. For each identified risk, the organisation shall:
(1) assign a risk level according to a predefined classification established by the organisation;
(2) associate each risk and its level with the corresponding element or interface identified in accordance with points (a) and (b).

The predefined classification referred to in point (1) shall take into account the potential of occurrence of the threat scenario and the severity of its safety consequences. Based on that classification, and taking into account whether the organisation has a structured and repeatable risk management process for operations, the organisation shall be able to establish whether the risk is acceptable or needs to be treated in accordance with point [IS.D.OR.210](#_DxCrossRefBm1193569694).

In order to facilitate the mutual comparability of risk assessments, the assignment of the risk level pursuant to point (1) shall take into account relevant information acquired in coordination with the organisations referred to in point (b).

(d) The organisation shall review and update the risk assessment carried out in accordance with points (a), (b) and (c) in any of the following situations:
(1) there is a change in the elements subject to information security risks;
(2) there is a change in the interfaces between the organisation and other organisations, or in the risks communicated by the other organisations;
(3) there is a change in the information or knowledge used for the identification, analysis and classification of risks;
(4) there are lessons learnt from the analysis of information security incidents.
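As an added illustration, not part of the regulation or of the EASA page, the following minimal risk register models the structure points (a) to (d) require: identified elements and interfaces, each risk tied to one of them, a likelihood-by-severity classification that decides acceptability, and incorporation of risk information communicated by an interfacing organisation. The 3-step scales, the scoring matrix and the "only low is acceptable" threshold are assumptions; Part-IS only requires that the organisation's own predefined classification account for likelihood and severity.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Assumed 3-step scales: Part-IS leaves the actual classification to the organisation.
class Likelihood(IntEnum):  # potential of occurrence of the threat scenario
    REMOTE, OCCASIONAL, FREQUENT = 1, 2, 3

class Severity(IntEnum):  # severity of the safety consequence
    MINOR, MAJOR, HAZARDOUS = 1, 2, 3

def risk_level(likelihood: Likelihood, severity: Severity) -> str:
    """Example predefined classification (point (c)(1)): likelihood x severity."""
    score = likelihood * severity
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

@dataclass
class Risk:
    risk_id: str
    threat_scenario: str
    target: str  # element or interface the risk is associated with (point (c)(2))
    likelihood: Likelihood
    severity: Severity

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.severity)

@dataclass
class RiskAssessment:
    elements: set[str]    # point (a): activities, facilities, systems, data ...
    interfaces: set[str]  # point (b): interfaces with other organisations
    acceptable_levels: frozenset = frozenset({"low"})  # assumed acceptance threshold
    risks: list[Risk] = field(default_factory=list)

    def register(self, risk: Risk) -> None:
        # A risk must map onto something identified under point (a) or (b).
        if risk.target not in self.elements | self.interfaces:
            raise ValueError(f"{risk.target!r} was not identified under point (a) or (b)")
        self.risks.append(risk)

    def needing_treatment(self) -> list[str]:
        """Risks above the acceptable level must be treated under IS.D.OR.210."""
        return [r.risk_id for r in self.risks if r.level not in self.acceptable_levels]

    def incorporate_interface_info(self, interface: str, likelihood: Likelihood) -> list[str]:
        """Raise likelihood from information the interfacing organisation communicated
        (point (c)); returns ids whose level changed, i.e. a review trigger under (d)(2)."""
        changed = []
        for r in (r for r in self.risks if r.target == interface and likelihood > r.likelihood):
            old, r.likelihood = r.level, likelihood  # old level computed before the update
            if r.level != old:
                changed.append(r.risk_id)
        return changed
```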