Sofema Aviation (www.sofemaaviation.com) considers how we should audit, internally and externally, within the CAMO environment for compliance against Part-IS.
Introduction
The practical impact of Regulation (EU) 2023/203 (Part-IS) on Part-CAMO organizations represents a fundamental shift from treating cybersecurity as a generic IT function to integrating it as a core component of aviation safety management.
By the 22 February 2026 applicability date, which has now passed, CAMOs should have moved beyond perimeter controls such as firewalls to a documented, proactive Information Security Management System (ISMS).
Practical Impact on CAMO Compliance
The regulation mandates that CAMOs protect the integrity, availability, and confidentiality of systems critical to continuing airworthiness.
- Integration with SMS: CAMOs must integrate information security into their existing Safety Management Systems (SMS). This ensures that a cyber event, such as a ransomware attack on maintenance tracking software, is treated with the same urgency as a physical safety hazard.
- Asset and Interface Mapping: Organizations must now identify all digital interfaces with Original Equipment Manufacturers (OEMs), Approved Maintenance Organizations (AMOs), and regulators. Any unmapped connection, such as a remote access tool for an auditor or a cloud-based digital logbook, is now a compliance gap.
- Reporting Mandates: CAMOs must establish both internal and external reporting schemes. Information security incidents or vulnerabilities that may represent a potential unsafe condition must be reported to the Competent Authority (CA) within 72 hours of the organisation becoming aware of them; the clock runs from detection, not from the original compromise.
Auditing Against Part-IS (Internal & External)
Auditing must transition from verifying whether a security tool exists to verifying how it actually protects safety-critical processes.
Internal Auditing Best Practices
- Scenario-Based Testing: Rather than checking a box for “Incident Plan,” auditors should verify readiness through ransomware simulations or tabletop exercises.
- Credential and Access Audits: Verify that user privileges follow the “least-privilege” principle, specifically for personnel accessing airworthiness data such as AD/SB compliance and configuration records, and that access is revoked promptly when roles change or personnel leave. Shared or generic accounts with write access to such records deserve particular attention, as they break traceability.
- Competency Reviews: Auditors should check that training is not just general “cyber-awareness” but role-specific to the airworthiness data and systems each person handles.
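As an added illustration of the credential and access audit described above (this is example code written for this page, not a tool from Sofema Aviation or from any CAMO software vendor), the following Python script reconciles a constructed access export against a hypothetical role baseline. Dataset names (AD_SB_COMPLIANCE, CONFIG_RECORDS, WORK_ORDERS), role names, user names and the 90-day dormancy threshold are all assumptions for the example; a real audit would substitute the CAMO's own role matrix and the export format of its maintenance tracking system.

```python
"""Least-privilege reconciliation for airworthiness-data access (hypothetical example)."""
import csv
import io
from datetime import date, datetime

# Constructed role baseline: the maximum permission each job role should hold on
# each airworthiness-critical dataset. Role and dataset names are placeholders.
ROLE_BASELINE = {
    "planner": {"AD_SB_COMPLIANCE": {"read"}, "CONFIG_RECORDS": {"read"}, "WORK_ORDERS": {"read", "write"}},
    "records_clerk": {"AD_SB_COMPLIANCE": {"read", "write"}, "CONFIG_RECORDS": {"read", "write"}, "WORK_ORDERS": {"read"}},
    "airworthiness_reviewer": {"AD_SB_COMPLIANCE": {"read"}, "CONFIG_RECORDS": {"read"}, "WORK_ORDERS": {"read"}},
    "it_admin": {},  # infrastructure role: no business entitlement to airworthiness data
}

# Datasets where excess, shared or stale access is a safety-relevant finding (assumed).
CRITICAL_DATASETS = {"AD_SB_COMPLIANCE", "CONFIG_RECORDS"}
DORMANT_DAYS = 90  # assumed review threshold; adjust to the organisation's ISMM

# Constructed access export in the shape an IAM or application export might take.
SAMPLE_EXPORT = """\
user,role,dataset,permission,last_login,account_type
a.planner,planner,AD_SB_COMPLIANCE,read,2026-03-01,named
a.planner,planner,WORK_ORDERS,write,2026-03-01,named
b.clerk,records_clerk,AD_SB_COMPLIANCE,write,2026-02-27,named
c.reviewer,airworthiness_reviewer,CONFIG_RECORDS,write,2026-03-02,named
d.admin,it_admin,CONFIG_RECORDS,write,2025-10-15,named
shared.hangar,records_clerk,AD_SB_COMPLIANCE,write,2026-03-03,shared
e.leaver,records_clerk,CONFIG_RECORDS,read,2025-09-01,named
"""


def audit_access(export_text, baseline, as_of, dormant_days=DORMANT_DAYS):
    """Return a list of (user, dataset, finding) tuples; an empty list means no exceptions."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user, role, dataset, perm = row["user"], row["role"], row["dataset"], row["permission"]
        allowed = baseline.get(role, {}).get(dataset, set())
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        idle = (as_of - last_login).days

        # 1. Entitlement exceeds what the role baseline permits on this dataset.
        if perm not in allowed:
            findings.append((user, dataset, f"{perm} exceeds baseline for role '{role}'"))
        # 2. Shared/generic accounts cannot be traced to an individual; write access to
        #    airworthiness data from such an account is a finding even if the role allows it.
        if row["account_type"] == "shared" and perm == "write" and dataset in CRITICAL_DATASETS:
            findings.append((user, dataset, "shared account holds write access to airworthiness data"))
        # 3. Dormant account still holding any access to critical data (likely a leaver
        #    or access that was never revoked after a role change).
        if idle > dormant_days and dataset in CRITICAL_DATASETS:
            findings.append((user, dataset, f"account dormant for {idle} days still holds {perm}"))
    return findings


def summarize(findings):
    """Group findings per user so the auditor raises one access-review item per account."""
    per_user = {}
    for user, dataset, finding in findings:
        per_user.setdefault(user, []).append(f"{dataset}: {finding}")
    return per_user


def run_sample_audit(as_of=date(2026, 3, 5)):
    """Run the audit over the constructed export with a fixed 'as of' date."""
    return audit_access(SAMPLE_EXPORT, ROLE_BASELINE, as_of)


if __name__ == "__main__":
    for user, items in summarize(run_sample_audit()).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run against the constructed export, the script clears a.planner and b.clerk and raises findings for the reviewer holding write access outside the role baseline, the IT administrator with business-data write access on a dormant account, the shared hangar account, and a leaver whose read access was never revoked. Each finding maps directly to an evidence item an auditor can request: the approved role matrix, the joiner/mover/leaver record, and the justification for any shared account.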
External Auditing (Competent Authorities & Partners)
- Documentation Traceability: External auditors will look for a complete Information Security Management Manual (ISMM) that is approved by the Accountable Manager and clearly cross-referenced with other management expositions.
- Supply Chain Oversight: A CAMO that contracts out activities remains responsible for ensuring those activities meet Part-IS requirements. External audits will require proof of supplier security assessments and cybersecurity clauses in service contracts, including how a supplier's incidents are reported back to the CAMO.
Key Issues, Challenges, and Best Practices
- Cultural Resistance: Many maintenance teams still view cybersecurity as “the IT department’s problem” rather than a shared safety responsibility.
- Resource Constraints: Smaller CAMOs often lack specialized cybersecurity expertise and may struggle with the increased administrative workload.
- Legacy Systems: Older MRO software and hardware may lack the patching capabilities or encryption required by modern standards.
- Establish a “Just Culture”: Encourage employees to report anomalies (like suspicious emails or system slowdowns) without fear of reprisal, mirroring aviation’s traditional safety reporting.
- Leverage Automation: For organizations with limited headcount, deploying Security Information and Event Management (SIEM) tools and automated vulnerability scanners can reduce manual monitoring workloads.
- Continuous Risk Assessment: Risk assessment should not be a “once-a-year” event. Assessments must be updated immediately following any significant IT infrastructure change or a new industry threat alert.
Next Steps
Join Sofema Aviation for a CAMO Compliance Challenges webinar on Tuesday, 24 March, from 10:30 – 13:00 Sofia time. Register for the webinar here – places are limited, so be sure to secure your spot early.
Explore our extensive course library featuring 500+ aviation training courses and take the opportunity to deepen your regulatory knowledge, or email [email protected] for support.
Sofema Aviation Services (SAS) and Sofema Online (SOL) provide classroom, webinar, and online training. Please see the websites or email [email protected].
Tags:
sasblogs, EASA CAMO, Sofema Online (SOL), SMS Integration, CAMO Compliance, Part-IS Regulation, ISMM (Information Security Management Manual), sofema aviations (SAS)

