# Library header for the PART-IS.D.OR framework package: this `urn` names the
# library itself; `objects.framework` below carries its own framework urn and
# the `requirement_nodes` tree derived from the regulation's Annex.
urn: urn:intuitem:risk:library:part-is.d.or
locale: en
ref_id: EASA-PART-IS.D.OR
name: PART-IS.D.OR (Delegated Regulation (EU) 2022/1645)
# Double-quoted, backslash-continued scalar (dumper output). The value embeds
# literal "\n" line breaks and a trailing space before the EUR-Lex link, and
# is repeated verbatim (wrapped in extra quotes) on objects.framework.description.
description: "COMMISSION DELEGATED REGULATION (EU) 2022/1645 of 14 July 2022 laying\
\ down rules for the application of Regulation (EU) 2018/1139 of the European Parliament\
\ and of the Council, as regards requirements for the management of information\
\ security risks with a potential impact on aviation safety for organisations covered\
\ by Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 and amending Commission\
\ Regulations (EU) No 748/2012 and (EU) No 139/2014\n\nHere is the link to the delegated\
\ regulation : \nhttps://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R1645"
copyright: EU COMMISSION
# Plain YAML integer, not a quoted version string.
version: 1
provider: EU COMMISSION
packager: intuitem
objects:
framework:
urn: urn:intuitem:risk:framework:part-is.d.or
ref_id: EASA-PART-IS.D.OR
name: PART-IS.D.OR (Delegated Regulation (EU) 2022/1645)
description: "\"COMMISSION DELEGATED REGULATION (EU) 2022/1645 of 14 July 2022\
\ laying down rules for the application of Regulation (EU) 2018/1139 of the\
\ European Parliament and of the Council, as regards requirements for the management\
\ of information security risks with a potential impact on aviation safety for\
\ organisations covered by Commission Regulations (EU) No 748/2012 and (EU)\
\ No 139/2014 and amending Commission Regulations (EU) No 748/2012 and (EU)\
\ No 139/2014\n\nHere is the link to the delegated regulation : \nhttps://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R1645\""
requirement_nodes:
- urn: urn:intuitem:risk:req_node:part-is.d.or:annex
assessable: false
depth: 1
ref_id: ANNEX
name: "INFORMATION SECURITY \u2013 ORGANISATION REQUIREMENTS"
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.100
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.100
name: Scope
- urn: urn:intuitem:risk:req_node:part-is.d.or:node4
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.100
description: This Part establishes the requirements to be met by the organisations
referred to in Article 2 of this Regulation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.200
name: Information security management system (ISMS)
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200
ref_id: IS.D.OR.200-a
description: 'In order to achieve the objectives set out in Article 1, the organisation
shall set up, implement and maintain an information security management system
(ISMS) which ensures that the organisation:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.1
description: establishes a policy on information security setting out the overall
principles of the organisation with regard to the potential impact of information
security risks on aviation safety;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.2
description: identifies and reviews information security risks in accordance
with point IS.D.OR.205;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.3
description: defines and implements information security risk treatment measures
in accordance with point IS.D.OR.210;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.4
description: implements an information security internal reporting scheme in
accordance with point IS.D.OR.215;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.5
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.5
description: defines and implements, in accordance with point IS.D.OR.220, the
measures required to detect information security events, identifies those
events which are considered incidents with a potential impact on aviation
safety except as permitted by point IS.D.OR.205(e), and responds to, and recovers
from, those information security incidents;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.6
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.6
description: implements the measures that have been notified by the competent
authority as an immediate reaction to an information security incident or
vulnerability with an impact on aviation safety;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.7
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.7
description: takes appropriate action, in accordance with point IS.D.OR.225,
to address findings notified by the competent authority;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.8
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.8
description: implements an external reporting scheme in accordance with point
IS.D.OR.230 in order to enable the competent authority to take appropriate
actions;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.9
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.9
description: complies with the requirements contained in point IS.D.OR.235 when
contracting any part of the activities referred to in point IS.D.OR.200 to
other organisations;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.10
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.10
description: complies with the personnel requirements laid down in point IS.D.OR.240;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.11
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.11
description: complies with the record-keeping requirements laid down in point
IS.D.OR.245;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.12
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.12
description: monitors compliance of the organisation with the requirements of
this Regulation and provides feedback on findings to the accountable manager
or, in the case of design organisations, to the head of the design organisation,
in order to ensure effective implementation of corrective actions;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a.13
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-a
ref_id: IS.D.OR.200-a.13
description: protects, without prejudice to applicable incident reporting requirements,
the confidentiality of any information that the organisation may have received
from other organisations, according to its level of sensitivity.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200
ref_id: IS.D.OR.200-b
description: In order to continuously meet the requirements referred to in Article
1, the organisation shall implement a continuous improvement process in accordance
with point IS.D.OR.260.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-c
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200
ref_id: IS.D.OR.200-c
description: The organisation shall document, in accordance with point IS.D.OR.250,
all key processes, procedures, roles and responsibilities required to comply
with point IS.D.OR.200(a) and establish a process for amending that documentation.
Changes to those processes, procedures, roles and responsibilities shall be
managed in accordance with point IS.D.OR.255.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-d
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200
ref_id: IS.D.OR.200-d
description: The processes, procedures, roles and responsibilities established
by the organisation in order to comply with point IS.D.OR.200(a) shall correspond
to the nature and complexity of its activities, based on an assessment of
the information security risks inherent to those activities, and may be integrated
within other existing management systems already implemented by the organisation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200-e
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200
ref_id: IS.D.OR.200-e
description: Without prejudice to the obligation to comply with the reporting
requirements contained in Regulation (EU) No 376/2014 of the European Parliament
and of the Council (1) and the requirements of point IS.D.OR.200 (a) (13),
the organisation may be granted approval by the competent authority not to
implement the requirements referred to in points (a) to (d) and the related
requirements contained in points IS.D.OR.205 through IS.D.OR.260, if it demonstrates
to the satisfaction of that authority that its activities, facilities and
resources, as well as the services it operates, provides, receives and maintains,
do not pose any information security risks with a potential impact on aviation
safety neither to itself nor to other organisations. The approval shall be
based on a documented information security risk assessment carried out by
the organisation or a third party in accordance with point IS.D.OR.205 and
reviewed and approved by its competent authority.
- urn: urn:intuitem:risk:req_node:part-is.d.or:node24
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.200
description: The continued validity of that approval will be reviewed by the
competent authority following the applicable oversight audit cycle and whenever
changes are implemented in the scope of work of the organisation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.205
name: Information security risk assessment
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-a
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205
ref_id: IS.D.OR.205-a
description: 'The organisation shall identify all of its elements, which could
be exposed to information security risks. That shall include:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-a.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-a
ref_id: IS.D.OR.205-a.1
description: "the organisation\u2019s activities, facilities and resources,\
\ as well as the services the organisation operates, provides, receives or\
\ maintains;"
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-a.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-a
ref_id: IS.D.OR.205-a.2
description: the equipment, systems, data and information that contribute to
the functioning of the elements listed in point (1).
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205
ref_id: IS.D.OR.205-b
description: The organisation shall identify the interfaces that it has with
other organisations, and which could result in the mutual exposure to information
security risks.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-c
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205
ref_id: IS.D.OR.205-c
description: 'With regard to the elements and interfaces referred to in points
(a) and (b), the organisation shall identify the information security risks
which may have a potential impact on aviation safety. For each identified
risk, the organisation shall:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-c.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-c
ref_id: IS.D.OR.205-c.1
description: assign a risk level according to a predefined classification established
by the organisation;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-c.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-c
ref_id: IS.D.OR.205-c.2
description: associate each risk and its level with the corresponding element
or interface identified in accordance with points (a) and (b).
- urn: urn:intuitem:risk:req_node:part-is.d.or:node33
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205
description: The predefined classification referred to in point (1) shall take
into account the potential of occurrence of the threat scenario and the severity
of its safety consequences. Based on that classification, and taking into
account whether the organisation has a structured and repeatable risk management
process for operations, the organisation shall be able to establish whether
the risk is acceptable or needs to be treated in accordance with point IS.D.OR.210.
- urn: urn:intuitem:risk:req_node:part-is.d.or:node34
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205
description: In order to facilitate the mutual comparability of risk assessments,
the assignment of the risk level pursuant to point (1) shall take into account
relevant information acquired in coordination with the organisations referred
to in point (b).
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205
ref_id: IS.D.OR.205-d
description: 'The organisation shall review and update the risk assessment carried
out in accordance with points (a), (b) and (c) in any of the following situations:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d
ref_id: IS.D.OR.205-d.1
description: 'there is a change in the elements subject to information security
risks;'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d
ref_id: IS.D.OR.205-d.2
description: 'there is a change in the interfaces between the organisation
and other organisations, or in the risks communicated by the other organisations;'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d
ref_id: IS.D.OR.205-d.3
description: 'there is a change in the information or knowledge used for the
identification, analysis and classification of risks;'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d.4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.205-d
ref_id: IS.D.OR.205-d.4
description: 'there are lessons learnt from the analysis of information security
incidents.'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.210
name: Information security risk treatment
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210
ref_id: IS.D.OR.210-a
description: 'The organisation shall develop measures to address unacceptable
risks identified in accordance with point IS.D.OR.205, implement them in
a timely manner and check their continued effectiveness. Those measures shall
enable the organisation to:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-a.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-a
ref_id: IS.D.OR.210-a.1
description: control the circumstances that contribute to the effective occurrence
of the threat scenario;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-a.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-a
ref_id: IS.D.OR.210-a.2
description: reduce the consequences on aviation safety associated with the
materialisation of the threat scenario;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-a.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-a
ref_id: IS.D.OR.210-a.3
description: avoid the risks.
- urn: urn:intuitem:risk:req_node:part-is.d.or:node45
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-a
description: Those measures shall not introduce any new potential unacceptable
risks to aviation safety.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210
ref_id: IS.D.OR.210-b
description: The person referred to in point IS.D.OR.240 (a) and (b) and other
affected personnel of the organisation shall be informed of the outcome of
the risk assessment carried out in accordance with point IS.D.OR.205, the
corresponding threat scenarios and the measures to be implemented.
- urn: urn:intuitem:risk:req_node:part-is.d.or:node47
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.210
description: The organisation shall also inform organisations with which it
has an interface in accordance with point IS.D.OR.205 (b) of any risk shared
between both organisations.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.215
name: Information security internal reporting scheme
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215
ref_id: IS.D.OR.215-a
description: The organisation shall establish an internal reporting scheme to
enable the collection and evaluation of information security events, including
those to be reported pursuant to point IS.D.OR.230.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215
ref_id: IS.D.OR.215-b
description: 'That scheme and the process referred to in point IS.D.OR.220 shall
enable the organisation to:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b
ref_id: IS.D.OR.215-b.1
description: identify which of the events reported pursuant to point (a) are
considered information security incidents or vulnerabilities with a potential
impact on aviation safety;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b
ref_id: IS.D.OR.215-b.2
description: identify the causes of, and contributing factors to, the information
security incidents and vulnerabilities identified in accordance with point
(1), and address them as part of the information security risk management
process in accordance with points IS.D.OR.205 and IS.D.OR.220;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b
ref_id: IS.D.OR.215-b.3
description: ensure an evaluation of all known, relevant information relating
to the information security incidents and vulnerabilities identified in accordance
with point (1);
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b.4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-b
ref_id: IS.D.OR.215-b.4
description: ensure the implementation of a method to distribute internally
the information as necessary.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-c
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215
ref_id: IS.D.OR.215-c
description: Any contracted organisation which may expose the organisation to
information security risks with a potential impact on aviation safety shall
be required to report information security events to the organisation. Those
reports shall be submitted using the procedures established in the specific
contractual arrangements and shall be evaluated in accordance with point (b).
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-d
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215
ref_id: IS.D.OR.215-d
description: The organisation shall cooperate on investigations with any other
organisation that has a significant contribution to the information security
of its own activities.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215-e
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.215
ref_id: IS.D.OR.215-e
description: The organisation may integrate that reporting scheme with other
reporting schemes it has already implemented.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.220
name: "Information security incidents \u2013 detection, response and recovery"
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220
ref_id: IS.D.OR.220-a
description: 'Based on the outcome of the risk assessment carried out in accordance
with point IS.D.OR.205 and the outcome of the risk treatment performed in
accordance with point IS.D.OR.210, the organisation shall implement measures
to detect incidents and vulnerabilities that indicate the potential materialisation
of unacceptable risks and which may have a potential impact on aviation safety.
Those detection measures shall enable the organisation to:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-a.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-a
ref_id: IS.D.OR.220-a.1
description: identify deviations from predetermined functional performance baselines;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-a.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-a
ref_id: IS.D.OR.220-a.2
description: trigger warnings to activate proper response measures, in case
of any deviation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220
ref_id: IS.D.OR.220-b
description: 'The organisation shall implement measures to respond to any event
conditions identified in accordance with point (a) that may develop or have
developed into an information security incident. Those response measures shall
enable the organisation to:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-b.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-b
ref_id: IS.D.OR.220-b.1
description: initiate the reaction to the warnings referred to in point (a)(2)
by activating predefined resources and course of actions;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-b.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-b
ref_id: IS.D.OR.220-b.2
description: contain the spread of an attack and avoid the full materialisation
of a threat scenario;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-b.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-b
ref_id: IS.D.OR.220-b.3
description: control the failure mode of the affected elements defined in point
IS.D.OR.205(a).
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-c
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220
ref_id: IS.D.OR.220-c
description: 'The organisation shall implement measures aimed at recovering
from information security incidents, including emergency measures, if needed.
Those recovery measures shall enable the organisation to:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-c.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-c
ref_id: IS.D.OR.220-c.1
description: remove the condition that caused the incident, or constrain it
to a tolerable level;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-c.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.220-c
ref_id: IS.D.OR.220-c.2
description: reach a safe state of the affected elements defined in point IS.D.OR.205(a)
within a recovery time previously defined by the organisation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.225
name: Response to findings notified by the competent authority
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225
ref_id: IS.D.OR.225-a
description: 'After receipt of the notification of findings submitted by the
competent authority, the organisation shall:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225-a.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225-a
ref_id: IS.D.OR.225-a.1
description: identify the root cause or causes of, and contributing factors
to, the non-compliance;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225-a.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225-a
ref_id: IS.D.OR.225-a.2
description: define a corrective action plan;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225-a.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225-a
ref_id: IS.D.OR.225-a.3
description: demonstrate the correction of the non-compliance to the satisfaction
of the competent authority.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.225
ref_id: IS.D.OR.225-b
description: The actions referred to in point (a) shall be carried out within
the period agreed with the competent authority.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.230
name: Information security external reporting scheme
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230
ref_id: IS.D.OR.230-a
description: The organisation shall implement an information security reporting
system that complies with the requirements laid down in Regulation (EU) No
376/2014 and its delegated and implementing acts if that Regulation is applicable
to the organisation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230
ref_id: IS.D.OR.230-b
description: 'Without prejudice to the obligations of Regulation (EU) No 376/2014,
the organisation shall ensure that any information security incident or vulnerability,
which may represent a significant risk to aviation safety, is reported to
their competent authority. Furthermore:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-b.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-b
ref_id: IS.D.OR.230-b.1
description: where such an incident or vulnerability affects an aircraft or
associated system or component, the organisation shall also report it to the
design approval holder;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-b.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-b
ref_id: IS.D.OR.230-b.2
description: where such an incident or vulnerability affects a system or constituent
used by the organisation, the organisation shall report it to the organisation
responsible for the design of the system or constituent.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230
ref_id: IS.D.OR.230-c
description: 'The organisation shall report the conditions referred to in point
(b) as follows:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c
ref_id: IS.D.OR.230-c.1
description: a notification shall be submitted to the competent authority and,
if applicable, to the design approval holder or to the organisation responsible
for the design of the system or constituent, as soon as the condition has
been known to the organisation;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c
ref_id: IS.D.OR.230-c.2
description: a report shall be submitted to the competent authority and, if
applicable, to the design approval holder or to the organisation responsible
for the design of the system or constituent, as soon as possible, but not
exceeding 72 hours from the time the condition has been known to the organisation,
unless exceptional circumstances prevent this.
- urn: urn:intuitem:risk:req_node:part-is.d.or:node83
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c
description: The report shall be made in the form defined by the competent authority
and shall contain all relevant information about the condition known to the
organisation;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c
ref_id: IS.D.OR.230-c.3
description: a follow-up report shall be submitted to the competent authority
and, if applicable, to the design approval holder or to the organisation responsible
for the design of the system or constituent, providing details of the actions
the organisation has taken or intends to take to recover from the incident
and the actions it intends to take to prevent similar information security
incidents in the future.
- urn: urn:intuitem:risk:req_node:part-is.d.or:node85
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.230-c
description: The follow-up report shall be submitted as soon as those actions
have been identified, and shall be produced in the form defined by the competent
authority.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.235
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.235
name: Contracting of information security management activities
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.235-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.235
ref_id: IS.D.OR.235-a
description: The organisation shall ensure that when contracting any part of
the activities referred to in point IS.D.OR.200 to other organisations, the
contracted activities comply with the requirements of this Regulation and
the contracted organisation works under its oversight. The organisation shall
ensure that the risks associated with the contracted activities are appropriately
managed.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.235-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.235
ref_id: IS.D.OR.235-b
description: The organisation shall ensure that the competent authority can
have access upon request to the contracted organisation to determine continued
compliance with the applicable requirements laid down in this Regulation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.240
name: Personnel requirements
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-a
description: 'The accountable manager of the organisation or, in the case of
design organisations, the head of the design organisation, designated in accordance
with Regulation (EU) No 748/2012 and Regulation (EU) No 139/2014 as referred
to in points 1(a) and (b) of Article 2 of this Regulation, shall have corporate
authority to ensure that all activities required by this Regulation can be
financed and carried out. That person shall:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-a.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-a
ref_id: IS.D.OR.240-a.1
description: ensure that all necessary resources are available to comply with
the requirements of this Regulation;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-a.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-a
ref_id: IS.D.OR.240-a.2
description: establish and promote the information security policy referred
to in point IS.D.OR.200(a)(1);
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-a.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-a
ref_id: IS.D.OR.240-a.3
description: demonstrate a basic understanding of this Regulation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-b
description: The accountable manager or, in the case of design organisations,
the head of the design organisation, shall appoint a person or group of persons
to ensure that the organisation is in compliance with the requirements of
this Regulation, and shall define the extent of their authority. That person
or group of persons shall report directly to the accountable manager or, in
the case of design organisations, to the head of the design organisation,
and shall have the appropriate knowledge, background and experience to discharge
their responsibilities. It shall be determined in the procedures who deputises
for a particular person in the case of lengthy absence of that person.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-c
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-c
description: The accountable manager or, in the case of design organisations,
the head of the design organisation shall appoint a person or group of persons
with the responsibility to manage the compliance monitoring function referred
to in point IS.D.OR.200(a)(12).
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-d
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-d
description: Where the organisation shares information security organisational
structures, policies, processes and procedures, with other organisations or
with areas of their own organisation which are not part of the approval or
declaration, the accountable manager or, in the case of design organisations,
the head of the design organisation, may delegate its activities to a common
responsible person.
- urn: urn:intuitem:risk:req_node:part-is.d.or:node97
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
description: In such a case, coordination measures shall be established between
the accountable manager of the organisation or, in the case of design organisations,
the head of the design organisation, and the common responsible person to
ensure adequate integration of the information security management within
the organisation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-e
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-e
description: The accountable manager or the head of the design organisation,
or the common responsible person referred to in point (d), shall have corporate
authority to establish and maintain the organisational structures, policies,
processes and procedures necessary to implement point IS.D.OR.200.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-f
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-f
description: The organisation shall have a process in place to ensure that they
have sufficient personnel on duty to carry out the activities covered by this
Annex.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-g
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-g
description: The organisation shall have a process in place to ensure that the
personnel referred to in point (f) have the necessary competence to perform
their tasks.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-h
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-h
description: The organisation shall have a process in place to ensure that personnel
acknowledge the responsibilities associated with the assigned roles and tasks.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240-i
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.240
ref_id: IS.D.OR.240-i
description: The organisation shall ensure that the identity and trustworthiness
of the personnel who have access to information systems and data subject to
the requirements of this Regulation are appropriately established.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.245
name: Record-keeping
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245
ref_id: IS.D.OR.245-a
description: The organisation shall keep records of its information security
management activities.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a
ref_id: IS.D.OR.245-a.1
description: 'The organisation shall ensure that the following records are archived
and traceable:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1.i
assessable: true
depth: 5
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1
ref_id: IS.D.OR.245-a.1.i
description: any approval received and any associated information security risk
assessment in accordance with point IS.D.OR.200(e);
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1.ii
assessable: true
depth: 5
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1
ref_id: IS.D.OR.245-a.1.ii
description: contracts for activities referred to in point IS.D.OR.200(a)(9);
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1.iii
assessable: true
depth: 5
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1
ref_id: IS.D.OR.245-a.1.iii
description: records of the key processes referred to in point IS.D.OR.200(d);
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1.iv
assessable: true
depth: 5
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1
ref_id: IS.D.OR.245-a.1.iv
description: records of the risks identified in the risk assessment referred
to in point IS.D.OR.205 along with the associated risk treatment measures
referred to in point IS.D.OR.210;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1.v
assessable: true
depth: 5
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1
ref_id: IS.D.OR.245-a.1.v
description: records of information security incidents and vulnerabilities reported
in accordance with the reporting schemes referred to in points IS.D.OR.215
and IS.D.OR.230;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1.vi
assessable: true
depth: 5
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.1
ref_id: IS.D.OR.245-a.1.vi
description: records of those information security events which may need to
be reassessed to reveal undetected information security incidents or vulnerabilities.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a
ref_id: IS.D.OR.245-a.2
description: The records referred to in point (1)(i) shall be retained at least
until 5 years after the approval has lost its validity.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a
ref_id: IS.D.OR.245-a.3
description: The records referred to in point (1)(ii) shall be retained at least
until 5 years after the contract has been amended or terminated.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a
ref_id: IS.D.OR.245-a.4
description: The records referred to in point (1)(iii), (iv) and (v) shall be
retained at least for a period of 5 years.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a.5
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-a
ref_id: IS.D.OR.245-a.5
description: The records referred to in point (1)(vi) shall be retained until
those information security events have been reassessed in accordance with
a periodicity defined in a procedure established by the organisation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-b
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245
ref_id: IS.D.OR.245-b
description: The organisation shall keep records of qualification and experience
of its own staff involved in information security management activities.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-b.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-b
ref_id: IS.D.OR.245-b.1
description: "The personnel\u2019s qualification and experience records shall be\
\ retained for as long as the person works for the organisation, and for at least\
\ 3 years after the person has left the organisation."
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-b.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-b
ref_id: IS.D.OR.245-b.2
description: Members of the staff shall, upon their request, be given access
to their individual records. In addition, upon their request, the organisation
shall provide them with a copy of their individual records on leaving the
organisation.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-c
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245
ref_id: IS.D.OR.245-c
description: "The format of the records shall be specified in the organisation\u2019\
s procedures."
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245-d
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.245
ref_id: IS.D.OR.245-d
description: Records shall be stored in a manner that ensures protection from
damage, alteration and theft, with information being identified, when required,
according to its security classification level. The organisation shall ensure
that the records are stored using means to ensure integrity, authenticity
and authorised access.
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:annex
ref_id: IS.D.OR.250
name: Information security management manual (ISMM)
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250
ref_id: IS.D.OR.250-a
description: 'The organisation shall make available to the competent authority
an information security management manual (ISMM) and, where applicable, any
referenced associated manuals and procedures, containing:'
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a.1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a
ref_id: IS.D.OR.250-a.1
description: a statement signed by the accountable manager or, in the case of
design organisations, by the head of the design organisation, confirming that
the organisation will at all times work in accordance with this Annex and
with the ISMM. If the accountable manager or, in the case of design organisations,
the head of the design organisation, is not the chief executive officer (CEO)
of the organisation, then such CEO shall countersign the statement;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a.2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a
ref_id: IS.D.OR.250-a.2
description: the title(s), name(s), duties, accountabilities, responsibilities
and authorities of the person or persons referred to in point IS.D.OR.240(b)
and (c);
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a.3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a
ref_id: IS.D.OR.250-a.3
description: the title, name, duties, accountabilities, responsibilities and
authorities of the common responsible person referred to in point IS.D.OR.240(d),
if applicable;
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a.4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a
ref_id: IS.D.OR.250-a.4
description: the information security policy of the organisation as referred
to in point IS.D.OR.200(a)(1);
- urn: urn:intuitem:risk:req_node:part-is.d.or:is.d.or.250-a.5
assessable: true
depth: 4