THAKUR INSTITUTE OF AVIATION TECHNOLOGY

TRAINING NOTES APRIL 2024

FORWORD
UNCONTROLLED COPY

 IT IS IMPORTANT TO NOTE THAT THE INFORMATION IN THIS BOOK IS OF STUDY/ TRAINING PURPOSES ONLY
AND NO REVISION SERVICE WILL BE PROVIDED TO THE HOLDER.
 WHEN CARRYING OUT A PROCEDURE/ WORK ON AIRCRAFT/ AIRCRAFT EQUIPMENT YOU MUST ALWAYS REFER
TO THE RELEVANT AIRCRAFT MAINTENANCE MANUAL OR EQUIPMENT MANUFACTURER'S HANDBOOK.
 FOR HEALTH AND SAFETY IN THE WORKPLACE YOU SHOULD FOLLOW THE REGULATIONS/ GUIDELINES AS
SPECIFIED BY THE EQUIPMENT MANUFACTURER, YOUR COMPANY, NATIONAL SAFETY AUTHORITIES AND
NATIONAL GOVERNMENTS.

Copyright Notice
© Copyright. All worldwide rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form by any other means whatsoever : i.e. photocopy, electronic, mechanical recording or otherwise without the prior written permission of
Thakur Institute of Aviation Technology.

TIAT MODULE 10.10 10-1

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

Knowledge Levels – Category A, B1, B2, B3 and C Aircraft Maintenance Licence

Basic knowledge for categories A, B1, B2 and B3 are indicated by the allocation of knowledge levels indicators (1, 2 or 3) against each
application subject. Category C applicants must meet either the category B1 or the category B2 basic knowledge levels.
The knowledge level indicators are defined as follows :

LEVEL 1
 A familiarization with the principal elements of the subject.
Objectives : The applicant should be familiar with the basic elements of the subject.
 The applicant should be able to give a simple description of the whole subject, using common words and examples.
 The applicant should be able to use typical terms.

LEVEL 2
 A general knowledge of the theoretical and practical aspects of the subject.
 An ability to apply that knowledge.
Objectives : The applicant should be able to understand the theoretical fundamentals of the subject.
 The applicant should be able to give a general description of the subject using, as appropriate, typical examples.
 The applicant should be able to use mathematical formulae in conjunction with physical laws describing the subject.
 The applicant should be able to read and understand sketches, drawings and schematics describing the subject.
 The applicant should be able to apply his knowledge in a practical manner using detailed procedures.

LEVEL 3
 A detailed knowledge of the theoretical and practical aspects of the subject.
 A capacity to combine and apply the separate elements of knowledge in a logical and comprehensive manner.
Objectives : The applicant should know the theory of the subject and interrelationships with other subjects.
 The applicant should be able to give a detailed description of the subject using theoretical fundamentals and specific examples.
 The applicant should understand and be able to use mathematical formulae related to the subject.
 The applicant should be able to read, understand and prepare sketches, simple drawings and schematics describing the subject.
 The applicant should be able to apply his knowledge in a practical manner using manufacturer’s instructions.
 The applicant should be able to interpret results from various sources and measurements and apply corrective action where
appropriate.

TIAT MODULE 10.10 10-2

THAKUR INSTITUTE OF AVIATION TECHNOLOGY

INFORMATION SECURITY – ORGANISATION REQUIREMENTS

TIAT MODULE 10.10 10-3

THAKUR INSTITUTE OF AVIATION TECHNOLOGY

10.10 Cybersecurity in aviation maintenance

Certification Statement
These Study Notes comply with the syllabus of EASA Regulation (EC) No.1321/2014 Annex III (Part-66) Appendix I, as amended by
Regulation (EC) No.989/2023, and the associated Knowledge Levels as specified below:

Objective EASA 66 Level

Reference B1 B2
10.10 Cybersecurity in aviation maintenance 10.10 1 1

Regulation on the introduction of organisation requirements for the

management of information security risks related to aeronautical information
systems used in civil aviation.

TIAT MODULE 10.10 10-4

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY
10.10 INFORMATION SECURITY – ORGANISATION In order to provide organisations with sufficient time to ensure
REQUIREMENTS compliance with the new rules and procedures, this Regulation should
In accordance with the essential requirements set out in Annex VIII, apply 3 years after its entry into force, except for the air navigation
to Regulation (EU) 2018/1139, air traffic management and air service provider of the European Geostationary Navigation Overlay
navigation service providers, U-space service providers and single Service (EGNOS) defined in Implementing Regulation (EU)
common information service providers, and training organisations 2017/373, where due to the ongoing security accreditation of the
and aero-medical centres for air traffic controllers are to implement EGNOS system and services in line with Regulation (EU) 2021/696, it
and maintain a management system to manage safety risks. should become applicable from 1 January 2026.

Those safety risks may derive from different sources, such as design Article 1
and maintenance flaws, human performance aspects, environmental Subject matter
threats and information security threats. Therefore, the management This Regulation sets out the requirements to be met by the
systems implemented by the European Union Aviation Safety Agency organisations and competent authorities in order:
(‘the Agency’) and the national competent authorities and
organisations referred to in the recitals above, should take into account (a) to identify and manage information security risks with potential
not only safety risks stemming from random events, but also safety impact on aviation safety which could affect information and
risks deriving from information security threats where existing flaws communication technology systems and data used for civil aviation
may be exploited by individuals with a malicious intent. Those purposes,
information security risks are constantly increasing in the civil
aviation environment as the current information systems are becoming (b) to detect information security events and identify those which are
more and more interconnected, and increasingly becoming the target considered information security incidents with potential impact on
of malicious actors. aviation safety,

The risks associated with those information systems are not limited to (c) to respond to, and recover from, those information security
possible attacks to the cyberspace, but encompass also threats, which incidents.
may affect processes and procedures as well as the performance of
human beings. Article 2
Scope
A significant number of organisations already use international
standards, such as ISO 27001, in order to address the security of 1. This Regulation applies to the following organisations:
digital information and data. Those standards may not fully address all (a) maintenance organisations subject to Section A of Annex II (Part-
the specificities of civil aviation. Therefore, it is appropriate to set out 145) to Regulation (EU) No 1321/2014, except those solely involved
requirements for the management of information security risks with a in the maintenance of aircraft in accordance with Annex Vb (Part-ML)
potential impact on aviation safety. to Regulation (EU) No 1321/2014;

TIAT MODULE 10.10 10-5

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

(b) continuing airworthiness management organisations (CAMOs) those solely involved in the operation of FSTDs for ELA2 aircraft as
subject to Section A of Annex Vc (Part-CAMO) to Regulation (EU) defined in Article 1 (2), point (j) of Regulation (EU) No 748/2012;
No 1321/2014, except those solely involved in the continuing
airworthiness management of aircraft in accordance with Annex Vb (g) air traffic controller training organisations (ATCO TOs) and
(Part-ML) to Regulation (EU) No 1321/2014; ATCO aero-medical centres subject to Annex III (Part ATCO.OR) to
Regulation (EU) 2015/340;
(c) air operators subject to Annex III (Part-ORO) to Regulation (EU)
No 965/2012, except those solely involved in the operation of any of (h) organisations subject to Annex III (Part-ATM/ANS.OR) to
the following: Implementing Regulation (EU) 2017/373, except the following service
(i) an ELA 2 aircraft as defined in Article 1(2), point (j) of providers:
Regulation (EU) No 748/2012;
(ii) single-engine propeller-driven aeroplanes with a Maximum (i) air navigation service providers holding a limited certificate in
Operational Passenger Seating Configuration of 5 or less that accordance with point ATM/ANS.OR.A.010 of that Annex;
are not classified as complex motor-powered aircraft, when
taking off and landing at the same aerodrome or operating site (ii) flight information service providers declaring their activities in
and operating under Visual Flight Rules (VFR) by day rules; accordance with point ATM/ANS.OR.A.015 of that Annex;
(iii) single-engine helicopters with a Maximum Operational
Passenger Seating Configuration of 5 or less that are not (i) U-space service providers and single common information
classified as complex motor-powered aircraft, when taking off service providers subject to Implementing Regulation (EU)
and landing at the same aerodrome or operating site and 2021/664.
operating under VFR by day rules.
(d) approved training organisations (ATOs) subject to Annex VII 2. This Regulation applies to the competent authorities, including the
(Part-ORA) to Regulation (EU) No 1178/2011, except those solely European Union Aviation Safety Agency (‘the Agency’), referred to
involved in training activities of ELA2 aircraft as defined in Article Article 6 of this Regulation and in Article 5 of Commission Delegated
1(2), point (j) of Regulation (EU) No 748/2012, or solely involved in Regulation (EU) 2022/1645 ( 14 ).
theoretical training;
3. This Regulation also applies to the competent authority responsible
(e) aircrew aero-medical centres subject to Annex VII (Part-ORA) to for the issuance, continuation, change, suspension or revocation of
Regulation (EU) No 1178/2011;EN L 31/4 Official Journal of the aircraft maintenance licences in accordance with Annex III (Part-66)
European Union 2.2.2023 to Regulation (EU) No 1321/2014.

(f) flight simulation training device (FSTD) operators subject to 4. This Regulation is without prejudice to information security and
Annex VII (Part-ORA) to Regulation (EU) No 1178/2011, except cybersecurity requirements laid down in point 1.7 of the Annex to

TIAT MODULE 10.10 10-6

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

Implementing Regulation (EU) 2015/1998 and in Article 14 of IS.I.OR.100 Scope

Directive (EU) 2016/1148. This Part establishes the requirements to be met by the organisations
Article 3 referred to in Article 2(1) of this Regulation.
Definitions
IS.I.OR.200 Information security management system (ISMS)
(1) ‘information security’ means the preservation of confidentiality,
integrity, authenticity and availability of network and information (a) In order to achieve the objectives set out in Article 1, the
systems; organisation shall set up, implement and maintain an information
security management system (ISMS) which ensures that the
(2) ‘information security event’ means an identified occurrence of a organisation:
system, service or network state indicating a possible breach of the
information security policy or failure of information security controls, 1) establishes a policy on information security setting out the overall
or a previously unknown situation that can be relevant for information principles of the organisation with regard to the potential impact of
security; information security risks on aviation safety;

(3) ‘incident’ means any event having an actual adverse effect on the 2) identifies and reviews information security risks in accordance
security of network and information systems as defined in Article 4(7) with point IS.I.OR.205;
of Directive (EU) 2016/1148;
3) defines and implements information security risk treatment
(4) ‘information security risk’ means the risk to organisational civil measures in accordance with point IS.I.OR.210;
aviation operations, assets, individuals, and other organisations due to
the potential of an information security event. Information security 4) implements an information security internal reporting scheme in
risks are associated with the potential that threats will exploit accordance with point IS.I.OR.215;
vulnerabilities of an information asset or group of information assets;
5) defines and implements, in accordance with point IS.I.OR.220, the
(5) ‘threat’ means a potential violation of information security measures required to detect information security events, identifies
which exists when there is an entity, circumstance, action or event those events which are considered incidents with a potential impact
that could cause harm; on aviation safety except as permitted by point IS.I.OR.205(e), and
responds to, and recovers from, those information security
(6) ‘vulnerability’ means a flaw or weakness in an asset or a incidents;EN L 31/14 Official Journal of the European Union
system, procedures, design, implementation, or information
security measures that could be exploited and results in a breach 6) implements the measures that have been notified by the competent
or violation of the information security policy. authority as an immediate reaction to an information security incident
or vulnerability with an impact on aviation safety;

TIAT MODULE 10.10 10-7

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY
process for amending that documentation. Changes to those
7) takes appropriate action, in accordance with point IS.I.OR.225, to processes, procedures, roles and responsibilities shall be managed in
address findings notified by the competent authority; accordance with point IS.I.OR.255.

8) implements an external reporting scheme in accordance with point (d) The processes, procedures, roles and responsibilities established
IS.I.OR.230 in order to enable the competent authority to take by the organisation in order to comply with point IS.I.OR.200(a) shall
appropriate actions; correspond to the nature and complexity of its activities, based on an
assessment of the information security risks inherent to those
9) complies with the requirements contained in point IS.I.OR.235 activities, and may be integrated within other existing management
when contracting any part of the activities referred to in point systems already implemented by the organisation.
IS.I.OR.200 to other organisations;
(e) Without prejudice to the obligation to comply with the reporting
10) complies with the personnel requirements laid down in point requirements laid down in Regulation (EU) No 376/2014 and the
IS.I.OR.240; requirements laid down in point IS.I.OR.200 (a)(13), the organisation
may be approved by the competent authority not to implement the
11) complies with the record-keeping requirements laid down in point requirements referred to in points (a) to (d) and the related
IS.I.OR.245; requirements contained in points IS.I.OR.205 through IS.I.OR.260, if
it demonstrates to the satisfaction of that authority that its activities,
12) monitors compliance of the organisation with the requirements of facilities and resources, as well as the services it operates, provides,
this Regulation and provides feedback on findings to the accountable receives and maintains, do not pose any information security risks
manager to ensure effective implementation of corrective actions; with a potential impact on aviation safety neither to itself nor to other
organisations. The approval shall be based on a documented
13) protects, without prejudice to applicable incident reporting information security risk assessment carried out by the organisation or
requirements, the confidentiality of any information that the a third party in accordance with point IS.I.OR.205 and reviewed and
organisation may have received from other organisations, according approved by its competent authority.
to its level of sensitivity.
The continued validity of that approval will be reviewed by the
(b) In order to continuously meet the requirements referred to in competent authority following the applicable oversight audit cycle
Article 1, the organisation shall implement a continuous improvement and whenever changes are implemented in the scope of work of the
process in accordance with point IS.I.OR.260. organisation.

(c) The organisation shall document, in accordance with point IS.I.OR.205 Information security risk assessment
IS.I.OR.250, all key processes, procedures, roles and responsibilities (a) The organisation shall identify all its elements which could be
required to comply with point IS.I.OR.200(a), and shall establish a exposed to information security risks. That shall include:

TIAT MODULE 10.10 10-8

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

1) the organisation’s activities, facilities and resources, as well as the (d) The organisation shall review and update the risk assessment
services the organisation operates, provides, receives or maintains; carried out in accordance with points (a), (b) and, as applicable,
points (c) or (e), in any of the following situations:
2) the equipment, systems, data and information that contribute to the
functioning of the elements listed in point (1). 1) there is a change in the elements subject to information security
risks;
(b) The organisation shall identify the interfaces that it has with other
organisations, and which could result in the mutual exposure to 2) there is a change in the interfaces between the organisation and
information security risks. other organisations, or in the risks communicated by the other
organisations;
(c) With regard to the elements and interfaces referred to in points (a)
and (b), the organisation shall identify the information security risks 3) there is a change in the information or knowledge used for the
which may have a potential impact on aviation safety. For each identification, analysis and classification of risks;
identified risk, the organisation shall:
4) there are lessons learnt from the analysis of information security
1) assign a risk level according to a predefined classification incidents.
established by the organisation;
(e) By derogation from point (c), organisations required to comply
2) associate each risk and its level with the corresponding element or with Subpart C of Annex III (Part-ATM/ANS.OR) to Implementing
interface identified in accordance with points (a) and (b). Regulation (EU) 2017/373 shall replace the analysis of the impact on
aviation safety by an analysis of the impact on their services as per
The predefined classification referred to in point (1) shall take into the safety support assessment required by point
account the potential of occurrence of the threat scenario and the ATM/ANS.OR.C.005. This safety support assessment shall be made
severity of its safety consequences. Based on that classification, and available to the air traffic service providers to whom they provide
taking into account whether the organisation has a structured and services and those air traffic service providers shall be responsible for
repeatable risk management process for operations, the organisation evaluating the impact on aviation safety.
shall be able to establish whether the risk is acceptable or needs to be
treated in accordance with point IS.I.OR.210. IS.I.OR.210 Information security risk treatment

In order to facilitate the mutual comparability of risks assessments, a) The organisation shall develop measures to address unacceptable
the assignment of the risk level pursuant to point (1) shall take into risks identified in accordance with point IS.I.OR.205, implement
account relevant information acquired in coordination with the them in a timely manner and check their continued effectiveness.
organisations referred to in point (b). Those measures shall enable the organisation to:

TIAT MODULE 10.10 10-9

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

1) control the circumstances that contribute to the effective 2) identify the causes of, and contributing factors to, the information
occurrence of the threat scenario; security incidents and vulnerabilities identified in accordance with
2) reduce the consequences on aviation safety associated with the point (1), and address them as part of the information security risk
materialisation of the threat scenario; management process in accordance with points IS.I.OR.205 and
IS.I.OR.220;
3) avoid the risks.
3) ensure an evaluation of all known, relevant information relating to
Those measures shall not introduce any new potential unacceptable the information security incidents and vulnerabilities identified in
risks to aviation safety. accordance with point (1);

(b) The person referred to in point IS.I.OR.240 (a) and (b) and other 4) ensure the implementation of a method to distribute internally the
affected personnel of the organisation shall be informed of the information as necessary.
outcome of the risk assessment carried out in accordance with point
IS.I.OR.205, the corresponding threat scenarios and the measures to (c) Any contracted organisation which may expose the organisation to
be implemented. information security risks with a potential impact on aviation safety
shall be required to report information security events to the
The organisation shall also inform organisations with which it has an organisation. Those reports shall be submitted using the procedures
interface in accordance with point IS.I.OR.205(b) of any risk shared established in the specific contractual arrangements and shall be
between both organisations. evaluated in accordance with point (b).

IS.I.OR.215 Information security internal reporting scheme (d) The organisation shall cooperate on investigations with any other
organisation that has a significant contribution to the information
(a) The organisation shall establish an internal reporting scheme to security of its own activities.
enable the collection and evaluation of information security events,
including those to be reported pursuant to point IS.I.OR.230. (e) The organisation may integrate that reporting scheme with other
reporting schemes it has already implemented.
(b) That scheme and the process referred to in point IS.I.OR.220 shall
enable the organisation to: IS.I.OR.220 Information security incidents – detection, response
and recovery
1) identify which of the events reported pursuant to point (a) are
considered information security incidents or vulnerabilities with a (a) Based on the outcome of the risk assessment carried out in
potential impact on aviation safety; accordance with point IS.I.OR.205 and the outcome of the risk
treatment performed in accordance with point IS.I.OR.210, the
organisation shall implement measures to detect incidents and

TIAT MODULE 10.10 10-10

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

vulnerabilities that indicate the potential materialisation of IS.I.OR.225 Response to findings notified by the competent
unacceptable risks and which may have a potential impact on aviation authority
safety. Those detection measures shall enable the organisation to:
(a) After receipt of the notification of findings submitted by the
1) identify deviations from predetermined functional performance competent authority, the organisation shall:
baselines;
2) trigger warnings to activate proper response measures, in case of 1) identify the root cause or causes of, and contributing factors to, the
any deviation. non-compliance;
2) define a corrective action plan;
(b) The organisation shall implement measures to respond to any 3) demonstrate the correction of the non-compliance to the
event conditions identified in accordance with point (a) that may satisfaction of the competent authority.
develop or have developed into an information security incident.
Those response measures shall enable the organisation to: (b) The actions referred to in point (a) shall be carried out within the
period agreed with the competent authority.
1) initiate the reaction to the warnings referred to in point (a)(2) by
activating predefined resources and course of actions; IS.I.OR.230 Information security external reporting scheme

2) contain the spread of an attack and avoid the full materialisation of (a) The organisation shall implement an information security
a threat scenario; reporting system that complies with the requirements laid down in
Regulation (EU) No 376/2014 and its delegated and implementing
3) control the failure mode of the affected elements defined in point acts if that Regulation is applicable to the organisation.
IS.I.OR.205(a).
(b) Without prejudice to the obligations of Regulation (EU) No
(c) The organisation shall implement measures aimed at recovering 376/2014, the organisation shall ensure that any information security
from information security incidents, including emergency measures, incident or vulnerability, which may represent a significant risk to
if needed. Those recovery measures shall enable the organisation to: aviation safety, is reported to their competent authority. Furthermore:

1) remove the condition that caused the incident, or constrain it to a 1) Where such an incident or vulnerability affects an aircraft or
tolerable level; associated system or component, the organisation shall also report it
to the design approval holder;
2) reach a safe state of the affected elements defined in point
IS.I.OR.205(a) within a recovery time previously defined by the 2) Where such an incident or vulnerability affects a system or
organisation. constituent used by the organisation, the organisation shall report it to

TIAT MODULE 10.10 10-11

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

the organisation responsible for the design of the system or (a) The organisation shall ensure that when contracting any part of the
constituent. activities referred to in point IS.I.OR.200 to other organisations, the
contracted activities comply with the requirements of this Regulation
(c) The organisation shall report the conditions referred to in point (b) and the contracted organisation works under its oversight. The
as follows: organisation shall ensure that the risks associated with the contracted
activities are appropriately managed.
1) a notification shall be submitted to the competent authority and, if
applicable, to the design approval holder or to the organisation (b) The organisation shall ensure that the competent authority can
responsible for the design of the system or constituent, as soon as the have access upon request to the contracted organisation to determine
condition has been known to the organisation; continued compliance with the applicable requirements laid down in
this Regulation.
2) a report shall be submitted to the competent authority and, if
applicable, to the design approval holder or to the organisation IS.I.OR.240 Personnel requirements
responsible for the design of the system or constituent, as soon as
possible, but not exceeding 72 hours from the time the condition has (a) The accountable manager of the organisation designated in
been known to the organisation, unless exceptional circumstances accordance with Regulations (EU) No 1321/2014, (EU) No 965/2012,
prevent this. (EU) No 1178/2011, (EU) 2015/340, Implementing Regulation (EU)
The report shall be made in the form defined by the competent 2017/373 or Implementing Regulation (EU) 2021/664 as applicable
authority and shall contain all relevant information about the referred to in Article 2(1) of this Regulation shall have corporate
condition known to the organisation; authority to ensure that all activities required by this Regulation can
be financed and carried out. That person shall:
3) a follow-up report shall be submitted to the competent authority
and, if applicable, to the design approval holder or to the organisation 1) ensure that all necessary resources are available to comply with the
responsible for the design of the system or constituent, providing requirements of this Regulation;
details of the actions the organisation has taken or intends to take to
recover from the incident and the actions it intends to take to prevent 2) establish and promote the information security policy referred to in
similar information security incidents in the future. point IS.I.OR.200(a)(1);
The follow-up report shall be submitted as soon as those actions have
been identified, and shall be produced in the form defined by the 3) demonstrate a basic understanding of this Regulation.
competent authority.
(b) The accountable manager shall appoint a person or group of
IS.I.OR.235 Contracting of information security management persons to ensure that the organisation complies with the
activities requirements of this Regulation, and shall define the extent of their
authority. That person or group of persons shall report directly to the

TIAT MODULE 10.10 10-12

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

accountable manager, and shall have the appropriate knowledge, (h) The organisation shall have a process in place to ensure that
background and experience to discharge their responsibilities. It shall personnel acknowledge the responsibilities associated with the
be determined in the procedures who deputises for a particular person assigned roles and tasks.
in the case of lengthy absence of that person.
(i) The organisation shall ensure that the identity and trustworthiness
(c) The accountable manager shall appoint a person or group of of the personnel who have access to information systems and data
persons with the responsibility to manage the compliance monitoring subject to the requirements of this Regulation are appropriately
function referred to in point IS.I.OR.200(a)(12). established.

IS.I.OR.245 Record-keeping

(d) Where the organisation shares information security organisational (a) The organisation shall keep records of its information security
structures, policies, processes and procedures with other management activities
organisations or with areas of their own organisation which are not
part of the approval or declaration, the accountable manager may 1) The organisation shall ensure that the following records are
delegate its activities to a common responsible person. archived and traceable:
In such a case, coordination measures shall be established between
the accountable manager of the organisation and the common (i) any approval received and any associated information security risk
responsible person to ensure adequate integration of the information assessment in accordance with point IS.I.OR.200(e);
security management within the organisation.
(ii) contracts for activities referred to in point IS.I.OR.200(a)(9);
(e) The accountable manager or the common responsible person
referred to in (d) shall have corporate authority to establish and (iii) records of the key processes referred to in point IS.I.OR.200(d);
maintain the organisational structures, policies, processes and
procedures necessary to implement point IS.I.OR.200. (iv) records of the risks identified in the risk assessment referred to in
point IS.I.OR.205 along with the associated risk treatment measures
(f) The organisation shall have a process in place to ensure that they referred to in point IS.I.OR.210;
have sufficient personnel on duty to carry out the activities covered
by this Annex. (v) records of information security incidents and vulnerabilities
reported in accordance with the reporting schemes referred to in
(g) The organisation shall have a process in place to ensure that the points IS.I.OR.215 and IS.I.OR.230;
personnel referred to in point (f) have the necessary competence to
perform their tasks.

TIAT MODULE 10.10 10-13

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

(vi) records of those information security events which may need to (d) Records shall be stored in a manner that ensures protection from
be reassessed to reveal undetected information security incidents or damage, alteration and theft, with information being identified, when
vulnerabilities. required, according to its security classification level. The
organisation shall ensure that the records are stored using means to
2) The records referred to in point (1)(i) shall be retained at least until ensure integrity, authenticity and authorised access.
5 years after the approval has lost its validity.
IS.I.OR.250 Information security management manual (ISMM)
3) The records referred to in point (1)(ii) shall be retained at least
until 5 years after the contract has been amended or terminated. (a) The organisation shall make available to the competent authority
an information security management manual (ISMM) and, where
4) The records referred to point (1)(iii), (iv) and (v) shall be retained applicable, any referenced associated manuals and procedures,
at least for a period of 5 years. containing:

5) The records referred to in point (1)(vi) shall be retained until those 1) a statement signed by the accountable manager confirming that the
information security events have been reassessed in accordance with organisation will at all times work in accordance with this Annex and
a periodicity defined in a procedure established by the organisation. with the ISMM. If the accountable manager is not the chief executive
officer (CEO) of the organisation, then the CEO shall countersign the
(b) The organisation shall keep records of qualification and statement;
experience of its own staff involved in information security
management activities 2) the title(s), name(s), duties, accountabilities, responsibilities and
authorities of the person or persons defined in point IS.I.OR.240(b)
1) The personnel’s qualification and experience records shall be and (c);
retained for as long as the person works for the organisation, and for
at least 3 years after the person has left the organisation. 3) the title, name, duties, accountabilities, responsibilities and
authority of the common responsible person defined in point
2) Members of the staff shall, upon their request, be given access to IS.I.OR.240(d), if applicable;
their individual records. In addition, upon their request, the
organisation shall provide them with a copy of their individual 4) the information security policy of the organisation as referred to in
records on leaving the organisation. point IS.I.OR.200(a)(1);

(c) The format of the records shall be specified in the organisation’s 5) a general description of the number and categories of staff and of
procedures. the system in place to plan the availability of staff as required by
point IS.I.OR.240;

TIAT MODULE 10.10 10-14

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

6) the title(s), name(s), duties, accountabilities, responsibilities and (d) The organisation may integrate the ISMM with other management
authorities of the key persons responsible for the implementation of expositions or manuals it holds, provided there is a clear cross
point IS.I.OR.200, including the person or persons responsible for the reference that indicates which portions of the management exposition
compliance monitoring function referred to in point or manual correspond to the different requirements contained in this
IS.I.OR.200(a)(12); Annex.

7) an organisation chart showing the associated chains of IS.I.OR.255 Changes to the information security management
accountability and responsibility for the persons referred to in points system
(2) and (6);
(a) Changes to the ISMS may be managed and notified to the
8) the description of the internal reporting scheme referred to in point competent authority in a procedure developed by the organisation.
IS.I.OR.215; This procedure shall be approved by the competent authority.

9) the procedures that specify how the organisation ensures (b) With regard to changes to the ISMS not covered by the procedure
compliance with this Part, and in particular referred to in point (a), the organisation shall apply for and obtain an
approval issued by the competent authority.
(i) the documentation referred to in point IS.I.OR.200(c);
(ii) the procedures that define how the organisation controls any With regard to those changes:
contracted activities as referred to in point IS.I.OR.200(a)(9);
(iii) the ISMM amendment procedure referred to in in point (c); 1) the application shall be submitted before any such change takes
place, in order to enable the competent authority to determine
10) the details of currently approved alternative means of compliance. continued compliance with this Regulation and to amend, if
necessary, the organisation certificate and related terms of approval
(b) The initial issue of the ISMM shall be approved and a copy shall attached to it;
be retained by the competent authority. The ISMM shall be amended
as necessary to remain an up-to-date description of the ISMS of the 2) the organisation shall make available to the competent authority
organisation. A copy of any amendments to the ISMM shall be any information it requests to evaluate the change;
provided to the competent authority.
3) the change shall be implemented only upon receipt of a formal
(c) Amendments to the ISMM shall be managed in a procedure approval by the competent authority;
established by the organisation. Any amendments that are not
included within the scope of this procedure and any amendments 4) the organisation shall operate under the conditions prescribed by
related to the changes referred to in point IS.I.OR.255(b) shall be the competent authority during the implementation of such changes.
approved by the competent authority.

TIAT MODULE 10.10 10-15

 THAKUR INSTITUTE OF AVIATION TECHNOLOGY

IS.I.OR.260 Continuous improvement

(a) The organisation shall assess, using adequate performance

indicators, the effectiveness and maturity of the ISMS. That
assessment shall be carried out on a calendar basis predefined by the
organisation or following an information security incident.

(b) If deficiencies are found following the assessment carried out in

accordance with point (a), the organisation shall take the necessary
improvement measures to ensure that the ISMS continues to comply
with the applicable requirements and maintains the information
security risks at an acceptable level. In addition, the organisation shall
reassess those elements of the ISMS affected by the adopted
measures.

TIAT MODULE 10.10 10-16