Following, but I believe there is not an aviation-oriented tool. For the RA I use SIRA and the controls of the ISO (the applicable ones).
Dear Alex, I would say "work in progress".
With the introduction of information security risk management for aviation organisations, as proposed by EASA with the Opinion 03/2021 (https://www.easa.europa.eu/document-library/opinions/opinion-032021), there will be the need to clarify how existing standards (such as ISO 27k) could be used to fulfill the new provisions.
EASA, supported by the ESCP (https://www.easa.europa.eu/community/content/european-strategic-coordin…), is working on this topic by developing guidance material, linking back to existing standards and filling the gaps where needed.
More info in the Cybersecurity Community Resources Hub - Regulations & Standards: https://www.easa.europa.eu/community/content/regulations-standards
To be updated regularly as commented by @Davide Martini
Naviair is using the tool that https://www.rismasystems.com/ provides.
Remember cybersecurity is not aviation specific (and most of the systems will never leave ground ;) )
Many thanks for your feedback, much appreciated.
[~676] Looking forward to Q3 related to Opinion 03/2021. Agree, a clarification would make sense and even as ISO 27001, I believe.
A compliance SW makes sense and, despite the industry independence of that standard, some ISMS tools establish themselves as a de-facto standard in an industry.
Have a look at this list:
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standa… (Overwhelming)
And if you are using a public cloud, for example Microsoft Azure, you could use Azure Policy to check compliance with ISO 27001; in the case of Microsoft 365 there is Microsoft Compliance Manager. Integrity in Azure would be at a great level.
[~43896] I will have a deeper look at Rismasystems :-). Thx.
Indeed, cybersecurity in general is not aviation specific. However, I wonder about airplane-specific vulnerabilities too. Maybe you know about a pen test against an airplane? I found data of an aircraft manufacturer stolen by a ransomware gang on the dw. Kind of scary.
[~27955] SIRA RA tool...do you have a link? I found this: https://www.sirainc.com/
[~1829] Excellent, thanks.
We are using ERAMBA (https://www.eramba.org/) to track this. Not a full-blown GRC tool, but a good price/functionality ratio.
[~45264] Kind of interesting you are proposing this tool, as I worked with Esteban (founder and owner of Eramba) before he founded his company.
Try the ISO27k Toolkit. It's not aviation specific, but it is free under the "Creative Commons" license. You can find it here: https://www.iso27001security.com/html/toolkit.html
[~23609] Many thanks Christoph.
Hi Alex, please get in touch; we have a toolkit which is capable of tracking compliance to most major regulatory requirements, including UK CAF, NIST, ISO and Cyber Essentials. www.lemaurey.co.uk