A common misconception is that cybersecurity is solely the responsibility of the IT department. You might think, ‘I am a pilot,’ or ‘I work in Human Resources; I don’t configure firewalls, so this regulation doesn’t apply to me.’
Under Part-IS.OR.240, that assumption is not only wrong; it is a regulatory finding.
The regulation explicitly states that the organization shall ensure that all personnel have acquired and maintain information security competence appropriate to their role. Why did the regulators write it this way? Because in the modern threat landscape, the Human Factor is the primary target.
Sophisticated cyber-criminals know that breaking through a corporate firewall using brute force is difficult and expensive. It requires time, supercomputers, and advanced coding skills. But sending a phishing email to a busy employee can be cheap, easy, and effective.
Think of the organization as a castle. The IT department builds the high walls and the moat (the firewalls and antivirus software). But you—the employee—are the gatekeeper. You have a key to the castle: your username and password. You have access to the inside: your email account and your physical access badge. If an attacker can trick you into handing over your key, the height of the walls does not matter; they can walk right in through the front door.
This is why IS.OR.240 mandates that everyone be trained. However, the regulation also applies the principle of proportionality, which means your training is tailored to what you actually do.
If you are a System Administrator, your training must cover complex network protocols and server encryption.
If you are a Pilot, your competence focuses on the flight deck: recognizing when your Electronic Flight Bag (EFB) is behaving strangely, understanding the risks of connecting personal devices to onboard systems, and knowing how to validate navigation data.
If you are Administrative Staff, your competence focuses on the office environment: spotting fake invoices, identifying fraudulent emails, and ensuring sensitive documents are not left on the printer.
Regardless of your specific job title, you have two universal responsibilities under this regulation:
First, Adherence to Policy. You must follow the rules laid out in the organization’s Information Security Policy. This isn’t optional guidance; it is part of the organization’s compliance system. Bypassing security controls—like using unauthorized USB drives or sharing passwords to ‘get the job done faster’—is a violation of the regulation.
Second, Vigilance and Reporting. You are a sensor in our network. Automated systems can catch known malware, but they are often poor at catching subtle anomalies. You know what ‘normal’ looks like for your job. If your computer slows down unexpectedly, or if you receive a request that feels ‘off,’ you are the only one who can flag it.
By taking this course, you are building the competence required by law. You are transforming from a potential vulnerability into our strongest defense.