IS.D.OR.215 Information security internal reporting scheme
Available versions for ERULES-1963177438-19912
Regulation (EU) 2022/1645
found in: Information Security (No 2023/203 and 2022/1645) Part-IS (Jun 2024)
(a) The organisation shall establish an internal reporting scheme to enable the collection and evaluation of information security events, including those to be reported pursuant to point [IS.D.OR.230](#_DxCrossRefBm1193569509).

(b) That scheme and the process referred to in point [IS.D.OR.220](#_DxCrossRefBm1193569692) shall enable the organisation to:

(1) identify which of the events reported pursuant to point (a) are considered information security incidents or vulnerabilities with a potential impact on aviation safety;

(2) identify the causes of, and contributing factors to, the information security incidents and vulnerabilities identified in accordance with point (1), and address them as part of the information security risk management process in accordance with points [IS.D.OR.205](#_DxCrossRefBm1193569684) and [IS.D.OR.220](#_DxCrossRefBm1193569692);

(3) ensure an evaluation of all known, relevant information relating to the information security incidents and vulnerabilities identified in accordance with point (1);

(4) ensure the implementation of a method to distribute internally the information as necessary.

(c) Any contracted organisation which may expose the organisation to information security risks with a potential impact on aviation safety shall be required to report information security events to the organisation. Those reports shall be submitted using the procedures established in the specific contractual arrangements and shall be evaluated in accordance with point (b).

(d) The organisation shall cooperate on investigations with any other organisation that has a significant contribution to the information security of its own activities.

(e) The organisation may integrate that reporting scheme with other reporting schemes it has already implemented.