Information and Information Security
- General introduction
- Terms and definitions, delimitation to adjacent areas (e.g., privacy protection)
- Why information security?
- Legal and regulatory requirements, in general and aviation specific (European Programme for Critical Infrastructure Protection (EPCIP), German IT-Sicherheitsgesetz / KRITIS, etc.)
- Protection of information, protection requirements (confidentiality, availability, integrity, etc.)
- Standards for information security (ISO 2700x, German BSI Grundschutz, PCI-DSS, aviation specific EN 16495:2014, etc.).
Integrated management system
- High-level structure of the ISO management system standards
- Similarities and differences between management system standards on the basis of the standards ISO 9001:2015, ISO 27001:2013 and ISO 22301:2012
Information Security Management based on the 2700x series
- Introduction to Information Security Management System (ISMS)
- Core elements of the standard ISO 27001 (PDCA cycle, management framework, Annex A Controls / Measures)
- In focus: specific requirements for aviation based on EN 16495:2014
- Best-practice approach to implementing an information security management system based on the ISO 2700x series of standards
- Organization of information security in the company
- Policies and processes in the ISMS
- Measurability & ISMS indicators based on ISO 27004:2009
- Brief introduction to business continuity management (according to the requirements in A.17 of ISO 27001, ISO 27031 and BSI 100-4).
Information Security Risk Management based on the 2700x series
- General introduction to risk management
- Requirements for IS risk management according to ISO 27001, ISO 27005 and other requirements (laws, other standards, etc.)
- Risk management for information security
- The risk management process (asset inventory, protection, threats, vulnerabilities, risk, risk treatment)
- Best practice for risk assessment
- Treatment of IS risks
- Selection of measures
- Detailed explanation of the process using case studies and self-performed risk analysis.