The introduction of EASA Regulation (EU) 2023/203 marks a major shift in how aviation organisations must manage and protect information security across all operational domains.
As the industry moves toward full compliance by 2026, organisations are facing practical challenges – from developing a comprehensive Information Security Management System (ISMS) and integrating it with existing SMS and compliance structures to defining roles, updating manuals, and conducting detailed risk assessments. This article brings together key questions, challenges, and expert insights to help organisations understand what Part-IS requires and how to navigate the transition effectively.
Question: What major points should be taken into account for developing an Information Security Management Manual?
The ISMS should ensure compliance with the objectives of EASA Regulation (EU) 2023/203 – see the example contents.
Question: What is the better option – a new chapter in MOE or a separate Part-IS ISMM?
The Sofema template ISMS runs to 100 pages, so it is a sizeable document. Considerations probably lean toward a standalone manual, which can be managed separately; some update to the MOE will be required, but this is typically not significant.
Question: What is the right way to merge the ISMS with a cybersecurity system (if available)?
The merge primarily concerns the integration of the existing Compliance and Safety systems, retaining them as far as possible, together with "new" administrative procedures to address IT-related obligations and issues.
Question: Interested in specific requirements for IT systems in airlines.
See the Sofema Free to Access Library Download Area, where over 50 related support documents are available.
Question: Should the initial starting Risk-related analyses – esp. the written down threat-based scenarios specific to the MRO, and the resp. counter-measures – regarding IS.I.OR.205-210 – IS RISK ASSESSMENT & TREATMENT be submitted to and shared with the national regulative body alongside the required documentation? If yes – to what extent?
European CAs should communicate their expectations to industry; many CAs have requested that a draft copy of the ISMS be submitted before the end of November. Each authority is different.
Question: How will the new rules change our daily tasks?
- Enhanced procedures to manage staff onboarding, offboarding and access.
- New procedures to manage software updates and the logging of threats.
- Risk assessments to be carried out both one-off and on an ongoing basis.
- ISMS compliance audits to be introduced.
- Equipment registers and risk registers to be created.
Question: The EASA Guidance for foreign organisations defines new positions: Compliance Monitoring Manager Part-IS, IS Manager, and IT Manager. What professional background or qualifications are expected for these roles, and are they subject to formal approval by the DG CAA as postholders?
In practice the Part-IS Manager can also be the Safety Manager or Compliance Manager, or a combined role, provided the independence of audit is maintained. Note: an IT Manager is unlikely to satisfy the regulatory requirements related to the management of the ISMS.
Question: How will Part IS affect all the operational areas and manuals, and how to effectively document and implement Part IS?
Assuming a standalone ISMS, all associated manuals will need to be updated: think OPS Manual Part A, SMSM, CMM, SEP / Cabin Manual, CAME and MOE, as applicable. With a standalone ISMS the changes are not massive, but they are nevertheless important to support the integrated environment.
Question: How to audit the changes caused by the implementation of Part IS, and what benefits the implementation of Part IS could bring to the AOCs?
The audit of the ISMS follows the SOP for auditing compliance with both the regulatory requirements and the organisation's processes and procedures. In terms of benefits, it can be argued that the ISMS requirements are regulatory overreach by EASA (EASA will claim it is required to demonstrate compliance with ICAO SARPs, Annex 17 Part 9); from the company's perspective, the benefit is taking whatever steps are reasonably necessary to protect the organisation.
Question: How is Part-IS aligned with aviation security?
An interesting question: on a deep dive you will appreciate that, although the ISMS is part of the organisation's overall security health, there is a significant distance between the ISMS and the existing Aviation Security roles and responsibilities.
Question: Part IS from the risk assessment perspective.
The aim is to audit the entire information security environment from all angles. Consider BA, which suffered a cyber attack in 2020 related to software that should have been patched in 2012: an 8-year exposure for what was essentially a zero-day threat.
Question: How to implement Part IS on the Company group level (AOC, Part-145, Flight Training Organisation)?
As with all projects, establish unique ownership with the required resources to ensure achievement in the time available (remember, when everyone owns a problem, no one owns a problem!).
Question: What actions have to be taken from the IT side to effectively implement and handle part of the IS principles?
Approximately 80% of ISMS exposures will arise from the IT ecosystem; therefore IT involvement, engagement and buy-in are essential.
Question: We are interested in covering the overall practical scope of the new Part-IS, roles and responsibilities of the appointed personnel, interaction between the cybersecurity service provider and the air operator, as well as the integration of the requirements in the company manuals, preparation of the related Hazard register and the associated SPIs.
Great comment – this is the foundation of building an integrated system; different options are presented for every organisation.
Question: Which cost-effective ISMS software solutions are suitable and recommended for smaller EASA Part-145 organisations?
This can comfortably be managed with a few Excel registers, together with the current Compliance and SMS processes.
Challenges:
Ensuring sufficient time, budget, and personnel are dedicated to risk assessments, documentation, and ongoing monitoring.
Yes, this is a significant challenge, especially in smaller companies. I recently spent time with a company that allocated six persons full-time to the project.
The biggest challenge at this moment is related to developing a company’s Information Security Management Manual in order to begin implementing the required procedures.
Yes, fully agree. Sofema created a Template Manual and Forms Pack, which took around 20 man-days, so yes, it does take time. A man-hour assessment for the entire project came in at 800 to 1,500 hours of work to implement.
Upgrading legacy systems, training personnel, or investing in new technologies to make all main players in the company work together and to realise that Part-IS is not, and can't be, a standalone process.
Agreed; in some ways this is a repeat of the challenge of introducing Aviation SMS, starting back in 2012 with the OPS regulation 965.
We find that, currently, properly scoping the I-SMS, mainly determining which assets, processes, and departments to include, would be one of the main challenges.
Agreed – and the potential exposure of third parties (suppliers and vendors) also needs to be included in the process scope.
Another aspect is the documentation and control implementation – balancing the compliance requirements with operational practicality in relation to the business objectives as a whole.
Agreed – the simpler the process that can be developed, the better, assuming a baseline of being able to demonstrate full compliance with the EASA regulations.
The biggest challenge will be changing our work habits to meet all Part-IS requirements.
Yes, it will be necessary to introduce new processes and procedures and to ensure they are followed.
Ensuring effective integration of the ISMS framework within the existing compliance and safety management systems by February 2026, while maintaining operational efficiency and avoiding overlap in responsibilities.
Focus on ensuring compliance at the beginning of January and build the project around this objective.
"Figuring out the demarcation line between Information/Cyber Security and pure Aviation Safety – the considerations involved, processes, etc."
The ISMS becomes a daughter of the Aviation SMS; in this way, all necessary controls can be implemented and managed.
In my opinion, the main risk is the lack of training of IT personnel in newly emerging cyber-attack methods.
Agreed, it is important, and it can be addressed either in-house or by outsourcing.
Also, as employee age and familiarity with modern technologies can vary, continuous security training and testing for all staff is essential, along with actively reducing the “security is not my job” mindset across the organisation.
Agreed, it is important to manage and educate on a continuous basis; creating a rules-based information environment is an important start to this process.
As organisations across Europe work to meet the mandatory Part-IS compliance deadline, Sofema Aviation Services (SAS) and Sofema Online (SOL) stand ready to support every step of your ISMS development and integration journey.
Whether you need a complete end-to-end implementation framework or simply the right tools to get started, Sofema delivers the experience, structure, and guidance required to ensure alignment with EASA Regulation (EU) 2023/203. Now is the moment to take action – secure your ISMS Compliance Package and begin your Part-IS readiness journey today.
With our tailored ISMS Compliance Solutions – ranging from the fully guided:
1. Full ISMS Consultancy Service – €3,000
Receive end-to-end expert guidance for ISMS implementation.
This package includes continuous expert support, Full ISMS Template & Forms Pack, PLUS 15 FREE Enrollments for ANY Sofema Online ISMS Course (Value up to €2,000).
2. Template & Training Special Access – €1,500
Gain full access to the complete documentation suite plus a major training investment.
This package includes the full ISMS Template & Forms Pack, PLUS 15 FREE Enrollments for ANY Sofema Online ISMS Course (Value up to €2,000).
3. Template & Forms Pack Only – €699
Receive immediate access to the complete, editable documentation suite.
This includes the 100-page ISMS Manual Template and 30+ editable ISMS forms.
Exclusive PTP Client Benefit: Existing Privileged Training Partner (PTP) clients receive 10% off all three options.
4. Corporate Freedom Pass (CFP) partners can choose between two exclusive discounted options:
- Template & Forms Pack for €524.25 (25% off), or
- Full Consultancy + ISMS Document Pack for €1,750 (over 40% off).
The consultancy package includes continuous expert support and the full 100-page ISMS Manual plus 30+ forms (does NOT include the 15 free enrollments; training enrollments can be added separately at CFP rates).