How to Assess Information Security Risks Under EASA Part-IS: A Practical Safety-Focused Approach
- Luka Pace Bonello

- Feb 26
In my previous article, we explored why information security risk assessment is central to Part-IS compliance and how it extends established aviation safety risk management practices. We examined why information security must be evaluated through a safety lens.
This article builds on that foundation by exploring how to perform a practical risk assessment for a safety-relevant threat scenario. The aim is not to introduce unnecessary complexity or technical terms. Instead, it is to provide a structured way of thinking about information security risks that could affect the safety of operations.
The approach described here aligns with the intent of IS.I.OR.205 and mirrors the logic of safety risk management: understand what supports safe operations, identify how it could be compromised, evaluate consequences, and determine whether the risk is acceptable.

Starting with Safety-Relevant Elements
A meaningful risk assessment begins with understanding what enables safe operations.
Part-IS requires organisations to identify the elements, systems, interfaces, and dependencies that support aviation safety. These elements are not limited to aircraft systems. They include the digital ecosystem that ensures aircraft remain airworthy and operations remain safe.
Let’s consider a practical example. Within a CAMO environment, safety-relevant elements typically include:
- maintenance planning systems.
- aircraft technical records.
- airworthiness directives and compliance tracking.
- interfaces with maintenance organisations and operators.
- data exchanges with OEM platforms and service providers.
Looking at these elements individually is not enough. The risk emerges from how they interact. Dependencies, data flows, and interfaces reveal where compromise could occur and how safety-critical information moves through the organisation.
Understanding these relationships is essential because attackers do not target isolated components. They exploit pathways.
Building a Realistic Threat Scenario
Consider a scenario where safety-critical data within an Aircraft Maintenance Programme stored in a CAMO system is maliciously altered.
A threat scenario could involve an attacker obtaining legitimate user credentials through phishing and using them to access a CAMO maintenance system. Once inside, maintenance intervals, required inspections, or life limits for critical components could be altered.
Because the access appears authorised, the changes may not immediately raise suspicion. They could appear legitimate within the system and may remain unnoticed during routine planning activities.
Maintenance planning continues based on the manipulated data. Required tasks are deferred. Critical components remain in service beyond safe limits.
Because maintenance planners and engineers rely on the CAMO system as an accurate source of airworthiness data, the aircraft may continue operating while unknowingly unairworthy.
This is not a hypothetical risk. It reflects the increasing reliance on digital maintenance planning systems and the central role of data integrity in ensuring airworthiness.
The scenario illustrates a direct pathway from compromised information integrity to degraded safety margins.
Viewing Information Security Threats Through a Safety Lens
In safety management, hazards are conditions that could lead to adverse safety consequences if not controlled. Information security threats can be viewed in a similar way. They represent circumstances that could compromise systems or data and create operational or safety consequences.
The altered maintenance data in the CAMO system scenario functions like a latent hazard. The unsafe condition may not be immediately visible, but may emerge over time as maintenance is deferred and component degradation progresses unnoticed.
This alignment with safety thinking helps organisations understand that information security threats are not abstract IT risks. They can introduce latent unsafe conditions into operational processes.
Assessing Safety Impact
The first step in evaluating the threat scenario is understanding its potential impact on aviation safety.
If maintenance data is altered, required inspections may not occur. Structural components, engines, or flight control systems may operate beyond safe limits. Failures could occur in flight or during critical phases of operation.
Possible safety outcomes include system failures, reduced aircraft controllability, emergency diversions, or, in worst-case scenarios, even catastrophic loss of the aircraft.
Impact should be assessed using the same safety impact or severity scale applied within your organisation’s Safety Management System (SMS). Using familiar safety severity categories ensures consistency and reinforces the link between information security threats and safety outcomes.
The objective is not to predict what will happen but to understand the worst credible consequence if the scenario materialises.
This step establishes the safety relevance of the threat and ensures information security risks are evaluated within the organisation’s safety framework.
Understanding Likelihood in a Security Context
Likelihood assessment in information security differs fundamentally from traditional safety assessments.
Safety occurrences often involve accidental failures. Security threats involve intentional actions by individuals or groups attempting to achieve a specific objective.
Because of this, likelihood cannot be calculated statistically. Instead, it must be assessed by examining the conditions that make the scenario more or less achievable.
In the CAMO data alteration scenario, assessing likelihood requires an understanding of how realistic the threat scenario is within the organisation’s operational environment.
Several factors can influence this, including the exposure of the CAMO system, the operational value of the information involved, and the presence of access pathways that could be misused.
It is also important to consider the types of actors who could realistically exploit weaknesses, whether through external access, trusted positions, or procedural gaps.
Operational safeguards such as oversight mechanisms, verification processes, and monitoring capabilities can affect how difficult it would be to carry out or sustain unauthorised changes. Likewise, organisational conditions such as workload pressures, staffing constraints, or periods of transition may influence how vulnerabilities could be exploited.
Taken together, these considerations help determine how likely a threat scenario is within your organisation’s real operating context.
Assigning a Likelihood Level
Although likelihood is based on structured judgement rather than statistical probability, organisations can still assign numerical likelihood levels to support consistent risk evaluation.
A scenario with strong safeguards, limited exposure, and high detection probability may be considered unlikely.
A scenario with moderate exposure and partial safeguards may be considered likely.
The important factor is not precision, but transparency in reasoning.
Documenting the rationale ensures the assessment can be understood, reviewed, and defended.
Deriving and Evaluating the Risk Level
Once severity and likelihood are assessed, the organisation derives the risk level using its risk matrix. For the purpose of this article, an example matrix can be seen in Table 1 below:

Table 1: Example risk matrix used to derive a risk level.
In the CAMO system example scenario, the potential safety impact may be Catastrophic (5). If likelihood is assessed as Possible (3) or Likely (4), the resulting risk level of Very High (15) or Critical (20) will exceed acceptable thresholds. This outcome signals that the risk requires further evaluation, or even treatment.
The purpose of deriving risk is not to produce a number. It is to support pragmatic decision-making that is relevant to your organisation.
Evaluating Acceptability
Risk evaluation determines whether the organisation can accept the risk or whether additional measures are required.
If the risk exceeds the organisation’s acceptable level of safety, existing safeguards must be reviewed to determine whether they sufficiently reduce risk.
Existing safeguards may include:
- approval workflows for maintenance data changes.
- audit logging and traceability.
- segregation of duties.
- data validation checks.
- periodic cross-verification procedures.
If these controls do not sufficiently reduce risk, additional measures may need to be considered, or even implemented.
The objective is to ensure risks remain within acceptable safety limits.
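The safeguards listed above (audit logging, segregation of duties and cross-verification) can be combined into one automated review of maintenance data changes. The following is an added example, not part of the original article or of any CAMO product; the log format, task identifiers, user names, parameter names and values are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: task IDs, users and values are illustrative only.
# Independently held copy of the approved maintenance programme limits.
APPROVED_BASELINE = {
    ("TASK-A", "interval_fh"): 600,
    ("TASK-B", "life_limit_fc"): 20000,
    ("TASK-C", "interval_fh"): 1200,
}

@dataclass
class Change:  # one audit-log record (assumed format)
    when: str
    user: str
    approver: Optional[str]
    task: str
    param: str
    old: int
    new: int

AUDIT_LOG = [
    Change("2025-01-10T09:12Z", "planner1", "cam_lead", "TASK-C", "interval_fh", 1200, 1000),
    Change("2025-01-14T22:47Z", "planner2", None, "TASK-A", "interval_fh", 600, 900),
    Change("2025-01-14T22:49Z", "planner2", "planner2", "TASK-B", "life_limit_fc", 20000, 26000),
]

def review(log, baseline):
    """Return {(task, param): [reasons]} for changes needing independent review."""
    findings, current = {}, dict(baseline)
    for c in log:
        key, reasons = (c.task, c.param), []
        # Segregation of duties: the approver must exist and differ from the editor.
        if not c.approver or c.approver == c.user:
            reasons.append("no independent approval")
        # A larger interval or life limit defers maintenance, so it reduces margin.
        if c.new > c.old:
            reasons.append("limit relaxed")
        if reasons:
            findings.setdefault(key, []).extend(reasons)
        current[key] = c.new
    # Cross-verification: the live value must not be less restrictive than the baseline.
    for key, approved in baseline.items():
        if current[key] > approved:
            findings.setdefault(key, []).append(f"exceeds baseline: {current[key]} > {approved}")
    return findings

if __name__ == "__main__":
    for key, reasons in review(AUDIT_LOG, APPROVED_BASELINE).items():
        print(key, reasons)
```

The baseline must be held outside the CAMO system's own write path; otherwise the same credentials that alter a record could also alter the reference it is checked against.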
Ownership and Accountability
Every identified risk must have a clear owner.
Within a CAMO context, responsibility typically rests with the nominated person responsible for continuing airworthiness management. The same applies to other operational domains within which the risk is being assessed.
Assigning ownership ensures the risk is monitored, mitigation measures are implemented, and accountability is maintained.
Clear ownership transforms risk assessment from a theoretical exercise into an operational responsibility and a safety priority.
Documentation and Integration with Safety Processes
Risk assessments should be documented and integrated into existing safety management processes rather than maintained in isolation. This reinforces that information security risks are part of operational safety.
Documentation should include the threat scenario, impact reasoning, likelihood rationale, risk evaluation, and assigned ownership.
This level of transparency supports risk communication, oversight, and audit readiness.
Accountable manager awareness and acknowledgement will also further strengthen risk awareness and accountability at all levels of your organisation.
Keeping the Assessment Current
A risk assessment is not static.
It must be reviewed when systems change, interfaces evolve, threat intelligence identifies new risks, or incidents reveal vulnerabilities.
Lessons learned from information security incidents, safety reports, or operational changes should inform reassessment.
This ensures risk assessments remain aligned with your operational reality.
Bringing Security and Safety Together
Assessing information security risks under Part-IS is not about technical complexity, but about understanding how compromised information assets can translate into unsafe operational conditions.
Take the CAMO scenario – it demonstrates how information integrity is directly linked to airworthiness and safety.
By applying structured judgement, aligning with safety risk management practices, and focusing on realistic threat scenarios, organisations can strengthen both security resilience and operational safety.
The next step is understanding how to treat risks that remain too high even after existing safeguards are considered.
That is where risk treatment becomes essential.