Air Traffic Management - Information security for organisations supporting civil aviation operations

This European Standard defines guidelines and general principles for the implementation of an information security management system in organisations supporting civil aviation operations.
Activities of such organisations that have no impact on the security of civil aviation operations, for example airport retail and service business and corporate real estate management, are not included.
For the purpose of this European Standard, Air Traffic Management is seen as a functional expression covering the responsibilities of all partners of the air traffic value chain. This includes but is not limited to airspace users, airports and air navigation service providers.
The basis of all requirements in this European Standard is trust and cooperation between the parties involved in Air Traffic Management.

Air Traffic Management - Information security for organisations in the field of civil aviation

This European Standard specifies guidelines and general principles for the implementation of an information security management system in organisations in the field of civil aviation.
Activities of the organisations that do not affect the security of civil aviation activities are outside the scope, for example the management of retail businesses at the airport and service companies, as well as corporate real estate management.
For the purposes of this European Standard, air traffic management is regarded as a functional term covering the responsibilities of all participants in the air transport value chain. This includes, but is not limited to, airspace users, airports and air navigation service providers.
The basis for all requirements in this European Standard is trust and cooperation between the parties involved in air traffic management.

Air Traffic Management - Information security for organisations supporting civil aviation operations

This European Standard defines the guidelines and general principles for the implementation of an information security management system in organisations supporting civil aviation operations.
Activities of organisations that have no impact on the security of civil aviation activities, for example the management of retail shops, airport service activities and corporate real estate, are not included.
For the purposes of this European Standard, air traffic management is seen as a functional expression covering the responsibilities of all partners in the air traffic value chain. This includes, but is not limited to, airspace users, airports and air navigation service providers.
All requirements of this European Standard are founded on trust and cooperation between the parties involved in air traffic management.

Air Traffic Management - Information security for organisations in the field of civil aviation activities

This European Standard specifies guidelines and general principles for implementing an information security management system in organisations in the field of civil aviation activities.
It does not include activities of organisations that do not affect the security of civil aviation activities, such as retail at the airport, service activities and corporate real estate management.
For the purposes of this European Standard, air traffic management is treated as a functional expression covering the responsibilities of all partners in the air traffic value chain. This includes, among others, airspace users, airports and air navigation service providers.
The basis of all requirements of this European Standard is trust and cooperation between the parties involved and the air traffic management operator.

General Information

Status: Published
Public Enquiry End Date: 05-Sep-2018
Publication Date: 08-Aug-2019
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 24-Jul-2019
Due Date: 28-Sep-2019
Completion Date: 09-Aug-2019

Buy Standard

Standard: EN 16495:2019 - BARVE, English language, 65 pages
Draft: prEN 16495:2018 - BARVE, English language, 68 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST EN 16495:2019
01-September-2019
Supersedes:
SIST EN 16495:2014
Air Traffic Management - Information security for organisations supporting civil aviation
operations
This Slovenian standard is identical to: EN 16495:2019
ICS:
03.220.50 Air transport
35.240.60 IT applications in transport
SIST EN 16495:2019 sl,en,fr
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.



EN 16495
EUROPEAN STANDARD
July 2019
ICS 03.100.70; 03.220.50; 35.240.60 Supersedes EN 16495:2014
English Version

Air Traffic Management - Information security for
organisations supporting civil aviation operations
This European Standard was approved by CEN on 12 May 2019.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 16495:2019 E

EN 16495:2019 (E)
Contents
European foreword . 7
Introduction . 8
1 Scope . 9
2 Normative references . 9
3 Terms, definitions and abbreviations . 9
3.1 Terms and definitions . 9
3.2 Abbreviations . 10
4 Aviation specific requirements related to EN ISO/IEC 27001:2017 . 11
4.1 Structure of this European Standard . 11
4.2 Refinement of EN ISO/IEC 27001:2017 requirements . 11
5 Information Security policies . 11
5.1 Management direction for Information security . 11
5.1.1 Policies for information security . 11
5.1.2 Review of the policies for information security . 11
6 Organization of information security . 11
6.1 Internal organization . 11
6.1.1 Information security roles and responsibilities . 11
6.1.2 Segregation of duties . 12
6.1.3 Contact with authorities . 12
6.1.4 Contact with special interest groups . 12
6.1.5 Information security in project management . 12
6.2 Mobile devices and teleworking . 12
7 Human resources security . 12
7.1 Prior to employment . 12
7.1.1 Screening . 12
7.1.2 Terms and conditions of employment . 13
7.2 During employment . 13
7.2.1 Management responsibilities . 13
7.2.2 Information security awareness, education and training . 13
7.2.3 Disciplinary process . 13
7.3 Termination and change of employment . 13
8 Asset management . 13
8.1 Responsibility for assets . 13
8.1.1 Inventory of assets . 13
8.1.2 Ownership of assets . 13
8.1.3 Acceptable use of assets . 13
8.1.4 Return of assets . 14
8.2 Information classification . 14
8.2.1 Classification of information . 14
8.2.2 Labelling of information . 14
8.2.3 Handling of assets . 14
8.3 Media Handling . 14
9 Access control . 14
9.1 Business requirement for access control . 14
9.2 User access management . 14
9.2.1 User registration and de-registration . 14
9.2.2 User access provisioning . 15
9.2.3 Management of privileged access rights . 15
9.2.4 Management of secret authentication information of users. 15
9.2.5 Review of user access rights . 15
9.2.6 Removal or adjustment of access rights . 15
9.2.7 Digital Identity Management . 15
9.2.8 Unique representation of entities across organisations . 16
9.3 User responsibilities . 16
9.4 System and application access control . 16
9.4.1 Information access restriction . 16
9.4.2 Secure log-on procedures . 16
9.4.3 Password management system . 16
9.4.4 Use of privileged utility programs . 16
9.4.5 Access control to program source code . 16
9.4.6 Web Application Firewalls . 16
10 Cryptography . 17
10.1 Cryptographic controls . 17
10.1.1 Policy on the use of cryptographic controls . 17
10.1.2 Key management . 17
11 Physical and environmental security . 17
11.1 Secure areas . 17
11.1.1 Physical security perimeter . 17
11.1.2 Physical entry controls . 18
11.1.3 Securing offices, rooms, and facilities . 18
11.1.4 Protecting against external and environmental threats . 18
11.1.5 Working in secure areas . 18
11.1.6 Delivery and loading areas. 18
11.2 Equipment . 18
11.2.1 Equipment siting and protection . 18
11.2.2 Supporting utilities . 18
11.2.3 Cabling security . 18
11.2.4 Equipment maintenance . 18
11.2.5 Removal of assets . 18
11.2.6 Security of equipment and assets off-premises . 18
11.2.7 Secure disposal or re-use of equipment . 18
11.2.8 Unattended user equipment . 18
11.2.9 Clear desk and clear screen policy . 18
12 Operations security. 19
12.1 Operational procedures and responsibilities . 19
12.2 Protection from malware . 19
12.3 Information Back-up . 19
12.4 Logging and monitoring . 19
12.4.1 Event logging . 19
12.4.2 Protection of log information . 19
12.4.3 Administrator and operator logs . 19
12.4.4 Clock synchronisation . 19
12.5 Control of operational software . 19
12.6 Technical Vulnerability Management . 19
12.7 Information systems audit considerations . 19
13 Communications security . 19
13.1 Network security management . 19
13.1.1 Network controls . 19
13.1.2 Security of network services . 20
13.1.3 Segregation in networks . 20
13.2 Information transfer . 20
14 System acquisition, development and maintenance . 20
14.1 Security requirements of information systems . 20
14.1.1 Information Security requirements analysis and specification . 20
14.1.2 Securing application services on public networks . 20
14.1.3 Protecting application services transactions. 20
14.2 Security in development and support processes . 20
14.2.1 Secure development policy . 20
14.2.2 System change control procedures. 20
14.2.3 Technical review of applications after operating platform changes . 20
14.2.4 Restrictions on changes to software packages . 21
14.2.5 Secure system engineering principles . 21
14.2.6 Secure development environment. 21
14.2.7 Outsourced development . 21
14.2.8 System security testing . 21
14.2.9 System acceptance testing . 21
14.3 Test data . 21
15 Supplier relationships . 21
15.1 Information security in supplier relationships. 21
15.1.1 Information security policy for supplier relationships . 21
15.1.2 Addressing security within supplier agreements . 21
15.1.3 Information and communication technology supply chain . 21
15.2 Supplier service delivery management . 21
16 Information security incident management . 22
16.1 Management of information security incidents and improvements . 22
16.1.1 Responsibilities and procedures . 22
16.1.2 Reporting information security events . 22
16.1.3 Reporting information security weaknesses . 22
16.1.4 Assessment of and decision on information security events . 22
16.1.5 Response to information security incidents . 22
16.1.6 Learning from information security incidents . 22
16.1.7 Collection of evidence . 22
17 Information security aspects of business continuity management . 23
17.1 Information security continuity . 23
17.1.1 Planning information security continuity . 23
17.1.2 Implementing information security continuity . 23
17.1.3 Verify, review and evaluate information security continuity . 23
17.1.4 Business continuity planning framework . 24
17.2 Redundancies . 24
18 Compliance . 24
18.1 Compliance with legal and contractual requirements . 24
18.1.1 Identification of applicable legislation and contractual requirements . 24
18.1.2 Intellectual property rights . 24
18.1.3 Protection of records . 24
18.1.4 Privacy and protection of personally identifiable information . 24
18.1.5 Regulation of cryptographic controls . 25
18.2 Information security reviews . 25
18.2.1 Independent review of information security . 25
18.2.2 Compliance with security policies and standards . 25
18.2.3 Technical compliance review . 25
Annex A (informative) Additional guidance related to air traffic management . 26
A.1 Assessment of information security risks . 26
A.1.1 Internal information security risk management . 26
Figure A.1 —Assessment of information security risks . 27
A.2 Interoperability issues of risk assessments . 29
A.2.1 General . 29
A.2.2 Information security risk management for multiple organisations . 29
A.2.3 Alignment of safety and security risk management. 30
A.3 Determining controls . 30
A.4 Levels of trust . 30
A.4.1 Introduction. 30
A.4.2 Scale of trust levels . 31
A.4.3 Classification criteria . 32
A.5 Statement of applicability . 32
A.6 Measurement and auditing of security . 32
Annex B (informative) Implementation examples . 33
B.1 General . 33
Table B.1 —Overview of an example for LoT-O . 33
Figure B.1 —LoT-A versus LoT-O . 34
B.2 Security of information in web applications and web services (LoT-A-WEB) . 34
B.2.1 General . 34
B.2.2 Parameters for the Level of Trust of a web application/web service . 34
B.2.3 Determination of the web application / the web service (LoT-A-WEB) . 34
Table B.2 —Level of Trust of the web application/the web service . 35
B.2.4 Consequences . 35
Table B.3 —Evaluation Criteria for LoT-A-WEB . 35
B.3 Connections between multiple organisations/external connections (LoT-A-NET) . 35
B.3.1 Determination of the necessary protection controls. 35
B.3.1.1 General .
...

SLOVENIAN STANDARD
oSIST prEN 16495:2018
01-September-2018
Air Traffic Management - Information security for organisations supporting civil aviation
operations
This Slovenian standard is identical to: prEN 16495
ICS:
03.220.50 Air transport
35.240.60 IT applications in transport
oSIST prEN 16495:2018 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.



DRAFT EUROPEAN STANDARD
prEN 16495
June 2018
ICS 03.100.70; 03.220.50; 35.240.60 Will supersede EN 16495:2014
English Version

Air Traffic Management - Information security for
organisations supporting civil aviation operations
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/TC 377.

If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations
which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.


EUROPEAN COMMITTEE FOR STANDARDIZATION

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. prEN 16495:2018 E

prEN 16495:2018 (E)
Contents
European foreword . 5
Introduction . 6
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Information security management in aviation . 8
4.1 Structure of this European Standard . 8
4.2 Aviation specific requirements related to ISO/IEC 27001:2013 . 8
5 Information Security policies . 9
5.1 Management direction for Information security . 9
6 Organisation of information security . 9
6.1 Internal organisation . 9
6.2 Mobile devices and teleworking . 10
7 Human resources security . 10
7.1 Prior to employment . 10
7.2 During employment . 11
7.3 Termination and change of employment . 11
8 Asset management . 11
8.1 Responsibility for assets . 11
8.2 Information classification . 11
8.3 Media Handling . 12
9 Access control . 12
9.1 Business requirement for access control . 12
9.2 User access management . 12
9.3 User responsibilities . 14
9.4 System and application access control . 14
10 Cryptography . 15
10.1 Cryptographic controls . 15
11 Physical and environmental security . 15
11.1 Secure areas . 15
11.2 Equipment . 16
12 Operations security . 16
12.1 Operational procedures and responsibilities . 16
12.2 Protection from malware . 16
12.3 Back-up . 17
12.4 Logging and monitoring . 17
12.5 Control of operational software . 17
12.6 Technical Vulnerability Management . 17
12.7 Information systems audit considerations . 17
13 Communications security. 17
13.1 Network security management . 17
13.2 Information transfer . 18
14 System acquisition, development and maintenance . 18
14.1 Security requirements of information systems . 18
14.2 Security in development and support processes . 18
14.3 Test data . 19
15 Supplier relationships . 19
15.1 Information security in supplier relationships . 19
15.2 Supplier service delivery management . 19
16 Information security incident management . 20
16.1 Management of information security incidents and improvements . 20
17 Information security aspects of business continuity management. 21
17.1 Information security continuity . 21
17.2 Redundancies . 22
18 Compliance . 22
18.1 Compliance with legal and contractual requirements . 22
18.2 Information security reviews . 23
Annex A (informative) Additional guidance related to air traffic management . 24
A.1 Assessment of information security risks . 24
A.1.1 Internal information security risk management . 24
A.2 Interoperability issues of risk assessments . 27
A.2.1 General . 27
A.2.2 Information security risk management for multiple organisations . 28
A.2.3 Alignment of safety and security risk management. 28
A.3 Selecting controls . 28
A.4 Levels of trust . 29
A.4.1 Introduction. 29

A.5 Statement of applicability . 30
A.6 Measurement and auditing of security . 31
Annex B (informative) Implementation examples . 32
B.1 General . 32
Table B.1 — Overview of an example for LoT-O . 32
B.2 Security of information in web applications and web services (LoT-A-WEB) . 33
B.2.1 General . 33
B.2.2 Parameters for the Level of Trust of a web application / web service . 33
B.2.3 Determination of the web application / the web service (LoT-A-WEB) . 33
Table B.2 — Level of Trust of the web application / the web service . 34
B.2.4 Consequences . 34
Table B.3 — Evaluation Criteria for LoT-A-WEB . 34
B.3 Connections between multiple organisations /external connections (LoT-A-NET) . 34
B.3.1 Determination of the necessary protection controls. 34
B.3.1.1 General . 34
B.3.1.2 Identity of the User . 35
B.3.1.3 Owner of the terminal device . 36
B.3.1.4 Connection point / Protection of the terminal device: . 36
B.3.1.5 Authentication of the connection . 36
B.3.1.6 Transfer net . 36
Table B.4 — Maximum Level of Trust depending on the respective technical parameters . 37
B.3.2 Effects of the coupling of networks . 40
B.4 Certificates / Public Key Infrastructure (LoT-A-PKI). 41
B.4.1 Parameters for the Level of Trust of the certificate management . 41
B.4.2 Determination of the Level of Trust of the certificate management (LoT-A-PKI) . 41
Table B.5 — Trust of identity management . 41
B.4.3 Effects: Recognition of Certificates / PK . 41
B.5 Identity Management (LoT-A-IDM) . 42
B.5.1 Parameters for the Level of Trust of Identity Management . 42
B.5.2 Determination of the Level of Trust of the Identity Management (LoT-A-IDM) . 42
Table B.6 — Level of Trust of the Identity Management . 42
B.5.3 Effects: Recognition of identities . 43
Annex C (informative) Level of trust – Implementation Example . 44
Table C.1 — Security requirements appropriate to different levels of trust . 44
Annex D (informative) Application of Controls in Regulatory Oversight – Implementation
Example . 63
Table D.1 — Mapping of Controls . 64
Bibliography . 68

European foreword
This document (prEN 16495:2018) has been prepared by Technical Committee CEN/TC 377 “Air Traffic
Management”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
This document will supersede EN 16495:2014.
In comparison with the previous edition, the following technical modifications have been made:
• Adaptation to the structures of ISO/IEC 27002:2013 and ISO/IEC DIS 27009:2015
• Advice on alignment of safety and security management
• Advice on security specific to development & production and maintenance
• Advice on security assurance
• Informative Annex on
Introduction
This document provides guiding principles based on ISO/IEC 27001:2013 "Information technology —
Security techniques — Information security management systems — Requirements" applied to security
management systems in aviation organisations. The aim of this document is to extend the contents of
ISO/IEC 27002:2013 to the domain of aviation, thus allowing aviation organisations to implement a
standardized and specific information security management system (ISMS) and to extend it from the
level of an individual organisation to the transorganisational level.
In addition to the security objectives and measures set forth in ISO/IEC 27002:2013, security
management in aviation organisations is subject to further special requirements: service delivery in
aviation is largely defined by the cooperation of the individual participants. An organisation's
information security management therefore depends on the information security management of
the organisations with which it cooperates to deliver the service. This European Standard therefore
focuses on aspects of cooperation.
This cooperation requires
• sharing the results of risk assessments along the business process chain,
• agreement on the required level of trust,
• agreement on the required security controls and their implementation.
1 Scope
This European Standard defines guidelines and general principles for the implementation of an
information security management system in organisations supporting civil aviation operations.
Activities of such organisations that have no impact on the security of civil aviation operations, for
example airport retail and service business and corporate real estate management, are not
included.
For the purpose of this European Standard, Air Traffic Management is seen as a functional expression
covering the responsibilities of all partners of the air traffic value chain. This includes but is not limited to
airspace users, airports and air navigation service providers.
The basis of all requirements in this European Standard is trust and cooperation between the parties
involved in Air Traffic Management.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2018, Information technology — Security techniques — Information security
management systems — Overview and vocabulary
ISO/IEC 27001:2013, Information technology — Security techniques — Information security
management systems — Requirements
ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information
security controls
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2018 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
air traffic management
functional system comprised of an aggregation of the airborne and ground-based functions (air traffic
services, airspace management and air traffic flow management) required to ensure the safe and
efficient movement of aircraft during all phases of operations
3.2
trust
situation where one party is willing to rely on the actions of another party
Note 1 to entry: Trust is more than what can be achieved by assurance. However, assurance represents a
supporting instrument to trust building.
4 Information security management in aviation
4.1 Structure of this European Standard
This European Standard is structured in line with ISO/IEC 27002. ISO/IEC 27002 is merely referenced
in all cases in which its measures can be applied without being amended or supplemented:
— in all cases in which the implementation of ISO/IEC 27002 measures requires supplementation
specific to aviation, this has been integrated directly in the respective section;
— implementation examples for specific application areas are described in Annex A (informative).
This relates to the following areas:
— security of information in web applications and web services;
— connections between multiple organisations / external connections;
— certificates / Public Key Infrastructure;
— identity management.
4.2 Aviation specific requirements related to ISO/IEC 27001:2013
ISO/IEC 27001:2013 Requirements on 4.2 “Understanding the needs and expectations of interested
parties” are amended by a note:
Interested parties include other organizations with interfaces to the organization which involve
network connections and/or the exchange of data and/or information
ISO/IEC 27001:2013 Requirements on 5.3 “Organizational roles, responsibilities and authorities” are
amended as follows:
Top Management shall ensure seamlessness of information security management within the own
organisation including transorganisational processes.
ISO/IEC 27001:2013 Requirements on 6.1 ”Actions to address risks and opportunities” are amended by a
new section 6.1.4 “Information security risk information sharing”:
The organization shall assess the risk due to external network connections and/or the exchange of data
and/or information by:
a) Identifying information flows across external interfaces with other organizations
b) Including such flows and interfaces explicitly in the risk assessment described in 6.1.2
c) Seeking risk assessment and risk treatment information from the organization(s) sharing the
external interface and controlling the information which crosses it, as input to the risk assessment
d) Sharing appropriate risk assessment information created in 6.1.2 and risk treatment information
created in 6.1.3 with organizations which share the external interface
ISO/IEC 27001:2013 Requirements on 6.1.2 c) "Information security risk assessment" are amended by a
third item:
Identify system interfaces with other organizations which involve network connections and/or the
exchange of data and/or information that may pose a risk to the organization
Add a reference to 27001:2013, 6.1.2 c) 3) to 6.1.2 d) 1) and 2)
ISO/IEC 27001:2013 Requirements on 7.4 "Communication" are refined by the following note:
There will be a need for external communications with organizations with which the organization
shares data and/or information and/or network connections, as described in 6.1.4.
ISO/IEC 27001:2013 Requirements on 8.2 “Information risk assessment” are amended as follows:
The organization shall share appropriate risk assessment information with organizations with which it
shares data and/or information and/or network connections as described in 6.1.4.
ISO/IEC 27001:2013 Requirements on 8.3 “Information security risk treatment” are amended as follows:
The organization shall share appropriate risk treatment information with organizations with which it
shares data and/or information and/or network connections as described in 6.1.4.
5 Information Security policies
5.1 Management direction for Information security
5.1.1 Policies for information security
Additional Implementation guidance for ISO/IEC 27002:2013, 5.1.1
The policies for information security should be coordinated with the various security requirements in
other areas of aviation (e.g.: physical security of secure areas). The distinctions and mutual
dependencies between the individual areas should be documented in the policies or in separate
documents.
5.1.2 Review of the policies for information security
No additional information specific to aviation organisations for ISO/IEC 27002:2013, 5.1.2.
6 Organisation of information security
6.1 Internal organisation
6.1.1 Information security roles and responsibilities
Additional Implementation guidance for ISO/IEC 27002:2013, 6.1.1
The organisation should appoint a person responsible to serve as a point of contact for strategic
information security issues for third parties (e.g. for the planning and implementation of joint
measures, etc.).
6.1.2 Segregation of duties
No additional information specific to aviation organisations for ISO/IEC 27002:2013, 6.1.2.
6.1.3 Contact with authorities
Additional Implementation guidance for ISO/IEC 27002:2013, 6.1.3
The organisation should cooperate with the appropriate specialist and supervisory authorities,
particularly in the areas of IT security and prosecution, and with other critical infrastructures as well.
This includes contacts to authorities involved in critical infrastructure protection at the national and
European level.
6.1.4 Contact with special interest groups
Additional Implementation guidance for ISO/IEC 27002:2013, 6.1.4
The organisation should establish an interface to other organisations.
Contacts should also consider the needs and expectations of interested parties, in particular
organisations with which the organisation shares information security risks in terms of the creation of or
contribution to aviation safety hazards and the management thereof.
The establishment of formal interfaces to critical organisations should be considered.
The organisation should also be aware of the criticality of its services at a regional, national and
international level. It may therefore participate in associations and alliances as well as national and
international programs to provide comprehensive support to air safety.
Given the special nature of threats to
...
