IS.I.OR.215 Information security internal reporting scheme
Regulation (EU) 2023/203
(a) The organisation shall establish an internal reporting scheme to enable the collection and evaluation of information security events, including those to be reported pursuant to point IS.I.OR.230.

(b) That scheme and the process referred to in point IS.I.OR.220 shall enable the organisation to:

(1) identify which of the events reported pursuant to point (a) are considered information security incidents or vulnerabilities with a potential impact on aviation safety;

(2) identify the causes of, and contributing factors to, the information security incidents and vulnerabilities identified in accordance with point (1), and address them as part of the information security risk management process in accordance with points IS.I.OR.205 and IS.I.OR.220;

(3) ensure an evaluation of all known, relevant information relating to the information security incidents and vulnerabilities identified in accordance with point (1);

(4) ensure the implementation of a method to distribute internally the information as necessary.

(c) Any contracted organisation which may expose the organisation to information security risks with a potential impact on aviation safety shall be required to report information security events to the organisation. Those reports shall be submitted using the procedures established in the specific contractual arrangements and shall be evaluated in accordance with point (b).

(d) The organisation shall cooperate on investigations with any other organisation that has a significant contribution to the information security of its own activities.

(e) The organisation may integrate that reporting scheme with other reporting schemes it has already implemented.