February 18, 2025

Steven Bentley

Sofema Aviation Services (SAS) Considers the Elements of Information & Cyber Security Auditing within an EASA Part 145 Organisation

As cybersecurity becomes a regulatory focus, EASA Part 145 audits will incorporate cyber resilience checks within maintenance organizations. National Aviation Authorities (NAAs) and internal compliance managers will be responsible for assessing the security of maintenance data, IT systems, and supply chain processes. To establish competence, auditors and personnel require training in ISO 27001, NIST frameworks, penetration testing, risk management, and cyber incident response.

  1. Who Will Perform the Audit?

Auditing information and cyber security requirements within a Part 145 organization will involve a combination of:

  • Competent Authority Inspectors (EASA / National Aviation Authorities – NAA)
    • Conduct audits during initial, renewal, and surveillance inspections.
    • Assess how organizations manage cyber threats affecting maintenance systems, digital records, and software-controlled processes.
    • Verify compliance with ICAO Annex 17 (Security) and EASA NPA cybersecurity guidelines.
  • Internal Auditors (Part 145 Quality/Compliance Managers)
    • Evaluate compliance with organizational security policies.
    • Ensure secure handling of electronic maintenance records, AMOS, OASES, TRAX, and other MRO software.
    • Check adherence to IT security best practices (ISO 27001, NIST, EASA Cybersecurity Roadmap).
  • External Auditors (Cybersecurity Consultants/Regulatory Specialists)
    • Engaged by organizations implementing advanced cybersecurity measures.
    • Assess digital attack resilience, penetration testing, and vulnerability scanning.
    • Conduct independent risk assessments in line with EASA’s Cybersecurity Guidelines (Opinion No. 03/2021, NPA 2023-06).
  2. Key Areas of Focus in the Audit

Auditors will evaluate the following areas:

  • Cyber Risk Management & Governance
    • Presence of cybersecurity policies and risk assessments.
    • Defined roles and responsibilities for IT security personnel.
  • Protection of Digital Maintenance Data
    • Secure storage and access control for electronic maintenance records (EMRs).
    • Data integrity verification to prevent unauthorized alterations.
  • Supply Chain Security
    • Cybersecurity compliance of third-party vendors & software providers.
    • Protection against malicious software injection in maintenance systems.
  • Incident Response & Business Continuity
    • Procedures for responding to cybersecurity incidents (e.g., ransomware, data breaches).
    • Backup & recovery strategies for operational resilience.
  • Awareness & Training Programs
    • Evidence that employees are trained to recognize and mitigate cyber threats.
    • Inclusion of cybersecurity awareness in SMS training.
  3. Required Training to Establish Competence

To effectively perform cybersecurity audits under EASA Part 145, personnel must receive training in the following areas:

  3.1 Competent Authority Inspectors
  • Aviation Cybersecurity Fundamentals
    • Understanding cyber threats in aviation maintenance.
    • Regulations and EASA Cybersecurity Roadmap.
  • Audit Techniques for Cybersecurity
    • Cyber risk assessment methodologies.
    • IT and operational technology (OT) security in MRO environments.
  • Incident Response & Compliance Checks
    • How to assess cyber incident response plans.
    • Evaluating compliance with Part 145 IT security policies.
  3.2 Internal Auditors & Compliance Managers
  • ISO 27001 & NIST Cybersecurity Framework Training
    • Industry standards for IT security risk management.
  • Penetration Testing & Vulnerability Assessment
    • How to detect weaknesses in digital maintenance systems.
  • Cybersecurity Awareness Training for Staff
    • Phishing attack prevention, password security, and secure system access.
  3.3 IT and Engineering Personnel
  • Secure Software & Data Management Training
    • Protecting aircraft maintenance software (AMOS, OASES, TRAX).
  • Threat Intelligence & Incident Management
    • How to respond to cyber incidents affecting Part 145 systems.
