
How to Reduce Information Security Risk Under EASA Part-IS

  • Writer: Luka Pace Bonello
  • Mar 26
  • 7 min read

In the previous article, the concept of information security risk treatment under EASA Part-IS was introduced, focusing on what risk treatment is and why it is necessary - especially for compliance with Part-IS requirement IS.I.OR.210. However, understanding the concept alone is not sufficient. The real value lies in how that concept is applied within an operational aviation environment.


This article builds on that foundation by moving from theory into practice. It demonstrates, using a realistic flight operations context, how information security risk levels can be reduced, using structured treatment strategies aligned with Part-IS expectations. The focus remains strictly on risk treatment, translating previously defined concepts into practical, aviation-relevant action.


I share regular, practical insights on EASA Part-IS and aviation cybersecurity. Subscribers also receive my Free Part-IS Starter Checklist.


Subscribe to the Aviation Cybersecurity Brief now!

 

Two operations personnel monitor aviation risk data on multiple screens in a control room. Digital graphics and a map are displayed.

From Identified Risk to Required Action


Within a typical airline environment, flight operations rely heavily on digital systems to support critical decision-making. One such system is an organisation’s flight planning system, used to calculate routes, fuel requirements, and operational constraints. These systems are often interconnected with internal infrastructure and external data sources, increasing their exposure to potential threat scenarios.


A realistic risk in this context involves unauthorised access to the flight planning system, leading to the manipulation of operational data such as routing or fuel calculations. If such a scenario were to materialise, the consequences could extend beyond operational disruption and directly impact flight safety.


Assuming this risk has already been assessed and classified as too high and unacceptable, the organisation is required to take action. Under Part-IS, this means selecting and applying appropriate risk treatment strategies that reduce the risk to an acceptable level.

 

Selecting the Appropriate Risk Treatment Strategy


In aviation, particularly where safety implications exist, not all risk treatment strategies are equally viable. Risk acceptance is not appropriate for high-impact safety risks, and risk transfer has limited applicability in operational and safety contexts, so two strategies become particularly relevant: risk avoidance and risk reduction.


Risk avoidance would involve eliminating or significantly altering the process associated with the risk. In this case, that could mean discontinuing the use of the flight planning system or removing its connectivity to external sources. Although effective in theory, such an approach is typically impractical due to operational dependencies and efficiency requirements.


As a result, organisations most commonly adopt risk reduction as the primary treatment strategy. This involves implementing targeted measures to reduce both the likelihood of a threat scenario occurring and the potential impact if it does.

 

Risk Reduction Through Layered Security Controls


Information security risk reduction under Part-IS is primarily achieved through the implementation of security measures, or controls. These controls act as safeguards designed to protect critical systems and data, ensuring their confidentiality, integrity, and availability in situations where certain risk scenarios would materialise.


Given the complexity of aviation systems, effective risk reduction is rarely achieved through a single control, but through a layered approach. This concept, often referred to as defence in depth, ensures that multiple protective measures exist across different layers of an organisation’s environment. Should one control fail, others remain in place to continue protecting the system. Nevertheless, whether one or more controls are implemented depends strongly on the risk scenario at hand and, most importantly, on how important it is for the organisation to minimise the chances of it materialising.


Security controls are typically categorised into three types: administrative, technical, and physical. Each plays a distinct role in reducing risk and, when combined, provides comprehensive protection.

 

Applying Security Controls in a Flight Operations Context


In the flight planning system scenario, a combination of administrative, technical, and physical controls would be introduced to reduce the identified risk.


Administrative controls form the foundation of the security approach. These controls define how security is governed within the organisation, establishing clear rules, responsibilities, and expectations. An access control policy, for example, would specify which personnel are authorised to access the flight planning system and what level of access is permitted. Supporting procedures would define how flight plans are created, reviewed, and modified, ensuring that changes follow a structured and controlled process.


In addition, targeted security awareness training would be implemented for dispatchers and relevant personnel. This ensures that individuals understand the risks associated with system access, recognise potential security threats, and follow established procedures consistently. By addressing human factors, administrative controls significantly reduce the likelihood of misuse and equip personnel to help secure the system against unauthorised access.


Technical controls then enforce these rules at the system level. Multi-factor authentication would be introduced to strengthen access control, ensuring that system access requires more than just a password. This reduces the likelihood of unauthorised access resulting from credential compromise, since a stolen password alone is no longer enough to reach a system account.


Network segmentation would be implemented to isolate the flight planning system from less trusted parts of the network. This prevents attackers who may gain access to one part of the network from reaching critical operational systems. Encryption would protect sensitive operational data both in transit and at rest, ensuring that even if data is intercepted, it cannot be easily interpreted to give away sensitive information or support further attacks.


Monitoring and logging capabilities would also be introduced as part of the technical control set. These controls enable the organisation to detect suspicious activity, identify potential incidents, and respond before the impact escalates to a safety concern.


Physical controls complement both administrative and technical measures by restricting physical access to critical systems and infrastructure. Controlled access to operational facilities, secure server environments, and authorised workstations ensures that only approved personnel can interact with systems that support flight operations.


Together, these controls significantly reduce the likelihood of unauthorised access and provide mechanisms to detect and respond to incidents should they occur.
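The administrative rules above (who may do what in the flight planning system) only reduce risk if the technical layer can enforce or at least detect violations of them. The following added example, which is not code from the article or from any flight planning product, reviews a few constructed audit log lines against an assumed role-based access policy, an assumed MFA requirement and an assumed operations network segment; the log format, policy, usernames and addresses are all invented for illustration.

```python
"""Added example (not from the article): checking constructed flight-planning
audit records against the access policy, MFA and segmentation controls."""
import ipaddress
import json

# Assumed role-based access policy from the access control policy document.
ACCESS_POLICY = {
    "dispatcher": {"view", "create", "modify"},
    "crew": {"view"},
    "it_support": {"view"},
}
# Assumed segmented operations network from which the system may be reached.
OPS_NETWORK = ipaddress.ip_network("10.20.0.0/24")

# Constructed audit events in JSON-lines form (not real log output).
SAMPLE_LOG = """
{"ts":"2025-03-26T08:01:10Z","user":"d.smith","role":"dispatcher","action":"modify","plan":"FP1234","mfa":true,"src":"10.20.0.15"}
{"ts":"2025-03-26T08:03:42Z","user":"j.doe","role":"crew","action":"modify","plan":"FP1234","mfa":true,"src":"10.20.0.31"}
{"ts":"2025-03-26T08:05:00Z","user":"d.smith","role":"dispatcher","action":"modify","plan":"FP1235","mfa":false,"src":"10.20.0.15"}
{"ts":"2025-03-26T08:07:19Z","user":"svc_ops","role":"it_support","action":"view","plan":"FP1235","mfa":true,"src":"192.168.50.9"}
"""


def review_event(event: dict) -> list[str]:
    """Return the findings for one audit event; an empty list means compliant."""
    findings = []
    # Administrative control: the action must be permitted for the user's role.
    if event["action"] not in ACCESS_POLICY.get(event["role"], set()):
        findings.append("action not permitted for role")
    # Technical control: every session must have completed multi-factor authentication.
    if not event["mfa"]:
        findings.append("session without multi-factor authentication")
    # Technical control: access only from the segmented operations network.
    if ipaddress.ip_address(event["src"]) not in OPS_NETWORK:
        findings.append("access from outside the operations segment")
    return findings


def review_log(raw: str) -> list[tuple[str, str, list[str]]]:
    """Parse JSON-lines audit records and return (plan, user, findings) per violation."""
    alerts = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        findings = review_event(event)
        if findings:
            alerts.append((event["plan"], event["user"], findings))
    return alerts


if __name__ == "__main__":
    for plan, user, findings in review_log(SAMPLE_LOG):
        print(f"{plan} {user}: {'; '.join(findings)}")
```

In practice such checks would run in the organisation's monitoring platform rather than as a script, but the logic is the same: the policy written as an administrative control becomes the rule the detective control evaluates.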


Third-Party Supplier Risks


In certain cases, organisations may not have full control over the systems used within flight operations, particularly where these systems are provided and maintained by third-party suppliers. Within the aviation ecosystem, flight planning solutions are often externally developed and supported, meaning that the ability to directly implement specific administrative or technical controls may be limited. This creates a dependency that must be carefully managed, especially when the identified risk remains high and has the potential to impact safety.


In the context of the flight planning system, if the supplier does not support required controls such as multi-factor authentication, detailed access logging, or configurable access restrictions, the organisation may not be able to fully implement the controls necessary to lower the risk level. In such situations, risk treatment shifts from direct control implementation to supplier governance. This includes reviewing and strengthening contractual agreements to define security expectations, conducting supplier assessments or audits to evaluate their security posture, and formally requesting enhancements or changes to the system where gaps are identified.


Where necessary, additional compensating controls may be introduced within the organisation’s own environment to reduce exposure, such as restricting how the system is accessed or limiting its integration with other operational systems. In more extreme cases, where available risk treatment measures are not sufficient to reduce the risk to an acceptable level, organisations may need to consider transitioning to an alternative supplier that can meet the required security expectations.


Through this approach, an organisation retains oversight and influence over third-party risks, ensuring that dependencies do not result in uncontrolled exposure that could affect the safety of flight operations.


Structuring the Risk Treatment Plan


Under Part-IS, risk treatment should be formally documented through a structured risk treatment plan that clearly translates the identified risk into defined and accountable actions.


In the flight operations scenario, a few elements should be documented:


The Risk Treated

The risk being treated is the potential for unauthorised access to the flight planning system leading to the manipulation of operational data and impacting safety.


Ownership

Ownership of this risk and the execution of its treatment plan would typically sit with the Head of Flight Operations, or relevant Nominated Person, supported by IT and information security functions responsible for implementation.


Controls to be Implemented

The treatment controls are defined in direct relation to the risk. Administrative controls include enforcing a role-based access control policy for the system, introducing procedures for the creation and approval of flight plans, and delivering targeted security awareness training to flight operations personnel. Technical controls include the implementation of multi-factor authentication, network segmentation to isolate the system, encryption to protect operational data, and monitoring and logging to detect suspicious activity. Physical access to systems and facilities supporting flight planning is also restricted to authorised personnel.


Implementation Timeline

These controls are implemented in a phased manner based on priority, with access control and authentication measures addressed first, followed by monitoring and training enhancements. A timeline of implementation should be defined.


Expected Residual Risk

As a result of treatment, the likelihood of unauthorised access is significantly reduced, and the organisation gains the ability to detect and respond to anomalies early. The residual risk is therefore lowered to an acceptable and controlled level, aligned with both operational needs and Part-IS safety expectations. The expected residual risk level should also be documented within the treatment plan and verified after treatment execution.
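To make the plan elements above concrete, here is an added example (not from the article) that records the flight planning treatment plan as data and recomputes the residual risk after each implementation phase, so that the expected residual risk can be stated up front and verified once a phase is executed. The 5x5 likelihood/impact matrix, the acceptance threshold, the phase assignment of each control and every reduction value are assumptions chosen for illustration, not figures from Part-IS or the article.

```python
"""Added example (not from the article): the flight planning risk treatment plan as
data, with residual risk recomputed per phase. Matrix, threshold and reductions are assumed."""
from dataclasses import dataclass, field

ACCEPTABLE_SCORE = 6  # assumed acceptance threshold on the 1..25 likelihood x impact scale

@dataclass
class Control:
    name: str
    category: str                  # administrative, technical or physical
    phase: int                     # implementation phase (ordering assumed)
    likelihood_reduction: int = 0  # steps down the 1..5 likelihood scale
    impact_reduction: int = 0      # steps down the 1..5 impact scale

@dataclass
class TreatmentPlan:
    risk: str
    owner: str
    likelihood: int  # initial likelihood, 1..5
    impact: int      # initial impact, 1..5
    controls: list[Control] = field(default_factory=list)

    def residual(self, phases_done: int) -> tuple[int, int, int]:
        """(likelihood, impact, score) once every control with phase <= phases_done is live."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.phase <= phases_done:
                lik = max(1, lik - c.likelihood_reduction)
                imp = max(1, imp - c.impact_reduction)
        return lik, imp, lik * imp

    def acceptable(self, phases_done: int) -> bool:
        return self.residual(phases_done)[2] <= ACCEPTABLE_SCORE

FLIGHT_PLANNING_PLAN = TreatmentPlan(
    risk="Unauthorised access to the flight planning system leading to manipulated routing or fuel data",
    owner="Head of Flight Operations (supported by IT and information security)",
    likelihood=5, impact=5,
    controls=[
        Control("Role-based access control policy", "administrative", 1, likelihood_reduction=1),
        Control("Multi-factor authentication", "technical", 1, likelihood_reduction=1),
        Control("Restricted physical access to dispatch workstations", "physical", 1, likelihood_reduction=1),
        Control("Network segmentation", "technical", 2, likelihood_reduction=1),
        Control("Encryption in transit and at rest", "technical", 2, impact_reduction=1),
        Control("Monitoring and logging", "technical", 3, impact_reduction=1),
        Control("Flight plan creation and approval procedure", "administrative", 3, impact_reduction=1),
        Control("Security awareness training", "administrative", 3, likelihood_reduction=1),
    ],
)
```

With these assumed values the risk is still unacceptable after the access control phase alone and only drops below the threshold once segmentation and encryption are in place, which is exactly the kind of checkpoint the treatment plan's timeline and residual-risk verification should make visible.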

 

Achieving Meaningful Risk Reduction


The purpose of risk treatment under Part-IS is not to eliminate risk entirely, but to reduce it to a level that can be effectively managed. In aviation, this means ensuring that information security risks do not compromise safety.


A key principle to recognise is that security breaches cannot be completely prevented. Even with multiple controls in place, there remains a possibility that an attacker may succeed. For this reason, effective risk treatment focuses not only on prevention, but also on detection and response.


By implementing a structured combination of preventative and detective controls, organisations can significantly reduce the likelihood of information security incidents and, in some cases, their safety impact. This approach ensures that even when controls are bypassed, the organisation remains capable of monitoring its safety-relevant operations to identify and mitigate threats before they escalate.

 

Final Thoughts


Reducing information security risk levels under EASA Part-IS requires more than theoretical understanding. It requires structured decision-making, practical implementation, and alignment with operational realities.


By applying risk reduction strategies through carefully selected security controls and formalising these actions within a clear risk treatment plan, organisations can effectively manage risks that have the potential to impact the safety of their operations.


This approach reflects a shift from reactive security to proactive risk management. It reinforces the principle that information security is not a standalone discipline, but an integral part of safe and resilient aviation operations.


As the aviation ecosystem continues to evolve, the ability to translate regulatory expectations into practical, operational controls will define those organisations that lead in both compliance and safety.

 

Want More Part-IS Guidance You Can Actually Use?


I regularly share clear, safety-focused insights to help aviation professionals implement the core elements of an ISMS under EASA Part-IS.


The focus is on aligning information security with existing safety and compliance systems, using real-world experience rather than theory.


Subscribe to the Aviation Cybersecurity Brief to receive these insights, along with my Free Part-IS Starter Checklist, designed to help you validate your approach and strengthen the foundations of your ISMS.


👉 Subscribe here to implement Part-IS with clarity.


