Information Security Risk Treatment under EASA Part-IS: A Practical Guide
Luka Pace Bonello · Mar 13 · 6 min read · Updated: Mar 13
In my previous article, I explained how organisations can assess information security risks under EASA Part-IS using a practical, safety-focused approach. We walked through the process of identifying safety-relevant elements, defining threat scenarios, and determining whether a risk is acceptable or unacceptable to aviation safety.
However, identifying a risk is sometimes only half the story.
Once a risk is assessed, organisations must decide what to do about it. This is where Information Security Risk Treatment comes in.
Under IS.I.OR.210, organisations must develop and implement measures to address unacceptable risks identified during the risk assessment process. These measures must reduce risk to an acceptable level while ensuring they do not introduce new risks to aviation safety.
This article explains how aviation organisations should treat information security risks under EASA Part-IS once they have been identified and assessed. It focuses on how unacceptable risks are reduced to acceptable levels while ensuring aviation safety is protected.
I share regular, practical insights on EASA Part-IS and aviation cybersecurity. Subscribers also receive my Free Part-IS Starter Checklist.
Subscribe to the Aviation Cybersecurity Brief now!

Setting the Stage
Let’s consider a realistic example for this article.
Flight operations today depend on a wide range of digital systems. Dispatch platforms, electronic flight bag applications, operational communication tools, and weather data services all support the safe and efficient operation of aircraft.
Take the Electronic Flight Bag (EFB), for example. An airline uses an EFB system that provides pilots with operational flight plans, weather briefings, airport charts, and performance calculations. Before each flight, pilots use the EFB to review operational information and confirm that the aircraft can safely conduct the planned flight.
During an information security risk assessment, the airline identifies a threat scenario where an attacker could gain unauthorised access to the system responsible for distributing operational flight plan data to pilot EFBs.
If this system were compromised, an attacker could potentially manipulate operational data such as routing, fuel calculations, or performance information before it reaches the flight crew.
Even if pilots perform cross-checks, manipulated data could create confusion during flight preparation, increase workload, or introduce incorrect assumptions into operational decision-making.
After analysing the scenario, the organisation determines that the inherent risk level is too high.
The risk is therefore unacceptable and must be treated.
From Risk Identification to Risk Treatment
After completing the risk assessment, organisations will have identified risks with different severity levels. Some may already fall within acceptable levels, meaning they can simply be monitored.
Others will not.
Under Part-IS, if a risk is deemed unacceptable or too high, the organisation must take action to reduce it to a level that is As Low As Reasonably Practicable (ALARP).
This principle is well known in aviation safety and applies equally to information security risks affecting aviation operations.
Reducing risk to ALARP means the organisation must implement reasonable measures that lower the likelihood or impact of the threat scenario until the remaining risk becomes acceptable to the organisation and does not threaten aviation safety.
Importantly, this is not optional. When a risk threatens aviation safety or operational resilience, doing nothing is not an option.
Applying Risk Treatment to the EFB Example
Returning to the EFB example, the organisation has determined that the inherent risk associated with manipulation of operational flight data is unacceptable.
The system distributing data to pilot EFBs directly supports flight preparation and operational decision making. If compromised, it could introduce incorrect operational information into the cockpit environment.
At this stage, Part-IS requires the organisation to define and implement risk treatment measures, or controls, that reduce the likelihood of this threat scenario occurring.
Selecting the Risk Treatment Strategy
Under IS.I.OR.210, risk treatment measures must achieve at least one of the following objectives:
- Control the circumstances that allow the threat scenario to occur.
- Reduce the consequences to aviation safety.
- Avoid the risk entirely.
Most treatment strategies would likely focus on reducing the likelihood of the threat scenario occurring, rather than reducing the impact.
This is particularly true for aviation systems. Once a safety-critical system has been compromised, the potential impact is often difficult to limit. Preventing the compromise from occurring in the first place is therefore usually the most effective strategy.
For the EFB example, treatment measures could involve strengthening authentication mechanisms, improving access control to the operational data infrastructure, or implementing monitoring capabilities that detect suspicious changes to flight planning information before it reaches the flight crew.
The objective is not simply to add security controls at random. Each measure must control the conditions that allow the threat scenario to occur, reduce the consequences for aviation safety where possible, or avoid the risk entirely.
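As an added illustration of the "monitoring capabilities" measure mentioned above (example code written for this page, not from the article, EASA material or any EFB product), the following Python sketch shows an integrity gate on the flight plan distribution path: the dispatch system attaches an HMAC over each plan, the distribution gateway verifies it before release to pilot EFBs, and a simple plausibility rule holds large fuel revisions for dispatcher review instead of forwarding them. The signing key, the 15% threshold, the flight data, and the `released`/`audit_log` structures are all constructed assumptions.

```python
"""Added example: integrity and plausibility gate for flight plan distribution (not from the article)."""
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. In a real deployment the signing key would be held by the
# dispatch/flight planning system (e.g. in a KMS or HSM), not stored next to gateway code.
DISPATCH_SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical plausibility threshold (assumption): a fuel change of more than 15%
# between two releases of the same flight's plan is held for dispatcher review.
FUEL_DELTA_ALERT_RATIO = 0.15


def canonical_bytes(plan: dict) -> bytes:
    """Serialise deterministically so the MAC does not depend on key order or whitespace."""
    return json.dumps(plan, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_flight_plan(plan: dict, key: bytes) -> dict:
    """Dispatch side: attach an HMAC-SHA256 tag to the operational flight plan."""
    tag = hmac.new(key, canonical_bytes(plan), hashlib.sha256).hexdigest()
    return {"plan": plan, "mac": tag}


def verify_flight_plan(package: dict, key: bytes) -> bool:
    """Gateway side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, canonical_bytes(package.get("plan", {})), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(package.get("mac", "")))


def fuel_change_suspicious(previous: Optional[dict], current: dict) -> bool:
    """Plausibility rule: a large fuel delta versus the last released plan for the same flight."""
    if previous is None or previous.get("fuel_kg", 0) <= 0:
        return False
    ratio = abs(current.get("fuel_kg", 0) - previous["fuel_kg"]) / previous["fuel_kg"]
    return ratio > FUEL_DELTA_ALERT_RATIO


def release_to_efb(package: dict, key: bytes, released: dict, audit_log: list) -> str:
    """Decide whether a plan may be forwarded to crew EFBs.

    Returns "RELEASED", "BLOCKED" (integrity failure) or "HELD" (plausibility alert).
    `released` maps flight id -> last plan successfully released; `audit_log` collects events
    that would feed the organisation's monitoring and periodic reassessment.
    """
    plan = package.get("plan", {})
    flight = plan.get("flight", "UNKNOWN")
    if not verify_flight_plan(package, key):
        audit_log.append(f"BLOCKED {flight}: MAC mismatch, plan withheld from crew")
        return "BLOCKED"
    if fuel_change_suspicious(released.get(flight), plan):
        audit_log.append(f"HELD {flight}: fuel changed by more than {FUEL_DELTA_ALERT_RATIO:.0%}, dispatcher review required")
        return "HELD"
    released[flight] = plan
    audit_log.append(f"RELEASED {flight}: integrity and plausibility checks passed")
    return "RELEASED"


def demo():
    """Constructed scenario: a genuine release, a tampered copy, and a large signed fuel revision."""
    released, log = {}, []
    plan = {"flight": "XX123", "route": "LMML-EGLL", "fuel_kg": 9800, "rev": 1}
    package = sign_flight_plan(plan, DISPATCH_SIGNING_KEY)
    results = [release_to_efb(package, DISPATCH_SIGNING_KEY, released, log)]

    # Copy altered in transit without the signing key: the MAC no longer matches.
    tampered = copy.deepcopy(package)
    tampered["plan"]["fuel_kg"] = 6800
    results.append(release_to_efb(tampered, DISPATCH_SIGNING_KEY, released, log))

    # Correctly signed revision with a large fuel change: integrity passes, plausibility holds it.
    revised = sign_flight_plan({**plan, "fuel_kg": 6800, "rev": 2}, DISPATCH_SIGNING_KEY)
    results.append(release_to_efb(revised, DISPATCH_SIGNING_KEY, released, log))
    return results, log


if __name__ == "__main__":
    outcomes, events = demo()
    print(outcomes)
    for line in events:
        print(line)
```

Two design points are worth noting. A shared-secret MAC means that anyone holding the key, including a compromised gateway, could produce valid tags; where the dispatch system and the gateway are operated separately, a digital signature (private key only on the dispatch side) separates those roles more cleanly. The audit log is the piece that ties the control back to Part-IS: its entries are the evidence that the measure is operating, and they are what the periodic review of treatment effectiveness would examine.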
The Risk Treatment Plan
Once the treatment strategy is defined, it must be documented in a risk treatment plan.
Part-IS guidance explains that this plan should clearly describe the measures that will be implemented, the objectives they aim to achieve, and the timeline for implementation.
The risk treatment plan typically includes several key elements.
First, the risk being treated, including its original risk rating.
Second, the risk owner responsible for ensuring the treatment actions are implemented.
Third, the security measures or controls that will be introduced.
Fourth, the implementation timeline and any dependencies.
Finally, the expected residual risk level once the treatment measures are applied.
This documentation is important not only for internal management but also for demonstrating compliance during oversight activities.
More importantly, the risk treatment plan must be communicated to the relevant stakeholders.
Under Part-IS, the outcome of the risk assessment and the associated treatment measures should be communicated to the Accountable Manager, the Part-IS appointed person, and other affected personnel within the organisation.
If the risk involves systems shared with external organisations or partners, the relevant interfacing organisations should also be informed.
Information security risks in aviation rarely exist in isolation.
Accountability Cannot Be Transferred
One important principle within Part-IS is often misunderstood.
Organisations cannot transfer their responsibility for aviation safety risks.
While certain operational risks may sometimes be shared or contractually allocated in other industries, information security risks that could impact aviation safety remain the responsibility of the organisation itself.
This means unacceptable risks cannot simply be transferred to a supplier or service provider.
For example, if the EFB system infrastructure is hosted by a cloud provider or managed by an external technology vendor, the airline remains responsible for ensuring the associated risks are properly treated.
If a risk threatens aviation safety, the organisation must ensure it is reduced or avoided.
In extreme cases, avoiding the risk could even require stopping the operation of the affected system or process entirely.
Reassessing Risk After Treatment
Once treatment measures are implemented, the organisation must reassess the risk.
The original risk identified during the assessment phase is referred to as the inherent risk.
After treatment measures are introduced, the organisation evaluates what remains. This remaining exposure is called the residual risk.
Residual risk represents the level of risk that still exists after the implemented controls have reduced the likelihood or impact of the threat scenario.
If the residual risk is still considered unacceptable, additional treatment measures may be required.
In some cases, the organisation may need to reconsider the operational activity itself and determine whether the risk should be avoided entirely.
However, if the residual risk falls within acceptable levels, the organisation may formally accept it and continue to monitor it as part of its ongoing risk management activities.
Regular reviews of both risk assessments and treatment measures are expected under Part-IS to ensure they remain effective over time.
Risk Treatment as a Living Process
Risk treatment under Part-IS is not a one-time exercise.
Systems evolve. Threats change. Operational environments shift.
Because of this, the effectiveness of risk treatment measures must be reviewed periodically to ensure they continue to protect aviation operations.
Changes to systems, suppliers, infrastructure, or operational procedures may introduce new vulnerabilities or alter the risk landscape.
A risk that was once acceptable may no longer remain so.
For this reason, risk treatment should be viewed as part of a continuous improvement process, integrated within the organisation’s Information Security Management System and aligned with existing safety management principles.
Looking Ahead
Risk treatment answers an important question.
Once a risk is identified, how do we actually reduce it?
However, this article has deliberately focused on the principles and responsibilities defined by Part-IS rather than the specific security controls that organisations should implement.
Understanding the regulatory expectations is the foundation. Implementing effective security measures requires another layer of expertise.
The next step is understanding which practical security controls can be used to treat aviation information security risks, and how organisations can select the right measures to protect critical aviation systems without unnecessarily complicating operations.
The goal is not to implement as many controls as possible, but to implement the right ones.
Want More Part-IS Guidance You Can Actually Use?
I regularly share clear, safety-focused insights to help aviation professionals implement the core elements of an ISMS under EASA Part-IS.
The focus is on aligning information security with existing safety and compliance systems, using real-world experience rather than theory.
Subscribe to the Aviation Cybersecurity Brief to receive these insights, along with my Free Part-IS Starter Checklist, designed to help you validate your approach and strengthen the foundations of your ISMS.