November 11, 2025

Steven Bentley

Sofema Aviation Services (SAS) takes a deep dive into the role of the Part-IS Auditor

Introduction

The typical skillset required for a Part-IS Auditor or Safety System Risk Assessor primarily centers on aviation safety regulatory expertise and risk management, supplemented by information security knowledge.

The premise that the existing broad skillset (Safety/Compliance) can typically address 90% of the task is generally supported by the nature of Part-IS, which integrates information security management into existing aviation safety management systems (SMS). The core compliance and risk assessment methodologies are intentionally familiar to aviation professionals.

The additional support being provided by an IT Subject Matter Expert (SME) is necessary to cover the specific technical domain that connects cybersecurity threats to aviation safety.

Core Skillset: Part-IS Auditor / Safety Risk Assessor

The primary professional background should be rooted in aviation Safety Management Systems (SMS), compliance auditing, or risk assessment, as these individuals already possess the necessary regulatory background knowledge and understanding of aviation operations and their safety implications.

Typical Expectations

  • Deep knowledge of the relevant domain-specific EASA Implementing Regulations (e.g., Part-145, Part-ORO, etc.), auditing processes, and compliance monitoring
  • Ability to integrate the Information Security Management System (ISMS) (Part-IS) with the existing SMS/Management System, including governance, policy, and processes.
  • Expertise in hazard identification, risk assessment methodologies (e.g., using ‘bow-tie’ analysis which links threats, hazards, and consequences), assigning risk levels (e.g., High, Moderate, Low severity/potential), and determining risk acceptability.
  • Ability to evaluate the adequacy and effectiveness of documented processes (IS.AR.200(c)/IS.I.OR.200(c)), especially around incident response and recovery (IS.AR.215/IS.I.OR.220) and continuous improvement (IS.AR.235/IS.I.OR.260).
  • Understanding of the management of interfaces and shared risks with other organisations along the functional chain (IS.AR.205(b)/IS.I.OR.205(b)), including oversight of contracted activities (IS.AR.220/IS.I.OR.235).

Organisational & Interfacing Processes

  • The role requires the ability to audit non-technical processes, including the management of interfaces and shared risks with other organizations along the functional chain (e.g., suppliers or contracted service providers). They must also verify processes for incident response and recovery and continuous improvement.

Why the IT Specialist Alone is Insufficient

The IT Subject Matter Expert (SME) typically provides the crucial knowledge for the technical 10% of the task (e.g., penetration testing, vulnerability scanning, deep network architecture analysis, and specific technical control implementation).

The IT specialist, while possessing the deep technical knowledge for information security, typically lacks the core regulatory background necessary to fully engage with EASA’s compliance and audit obligations. The key reason the split approach works is:

  • “This would not work the other way around because IT specialists do not have the necessary regulatory background knowledge required to fully engage with EASA compliance audit obligations, including the required experience and training.”

The ultimate goal of Part-IS is aviation safety, not merely IT security. A dedicated aviation safety professional is required to:

  • Determine Safety Impact: An IT expert can identify a technical vulnerability, but the safety/risk expert determines if exploiting that vulnerability leads to an “unsafe condition” or a “significant risk to aviation safety”, classifying its severity according to accepted aviation standards (e.g., ICAO Annex 13 definitions).

The Link Between Compliance & EASA Domains

Only personnel with the regulatory background can:

  • Competently ensure that the Part-IS requirements are correctly mapped onto the existing regulations (e.g., Part-145, Part-ORA, etc.) and that findings are addressed according to the domain-specific compliance framework (IS.I.OR.225).
  • Manage Organisational-level Assurance by leading the audit of the ISMS governance, risk management structure, and integration with the overall management system, which goes beyond technical security testing and requires an understanding of aviation organisational accountability.

Next Steps

Sofema Aviation Services and Sofema Online provide EASA Part IS Training for EASA OPS – EASA AMO & EASA CAMO – please see the websites or email [email protected]

Tags:

Part 145, Risk Management, EASA OPS, Hazard Identification, Compliance Auditing, Aviation Professionals, Part-ORO, EASA CAMO, incident response, Safety System Risk Assessor, Part-IS Auditor, safety regulatory expertise, information security knowledge, EASA AMO