Part-IS
You strengthen aviation security. We are at your side.
Part-IS – Information Security in Aviation
Civil aviation consists of a complex network of numerous interconnected systems that are increasingly becoming the target of cyber attacks. Part-IS (Part Information Security) requires affected organizations to take effective measures to protect against information security risks that could compromise aviation security.
What Is Part-IS?
Part-IS (Part Information Security) refers to two EU regulations with very similar content:
- the European Commission's “Implementing Regulation 2023/203”
- the European Commission's “Delegated Regulation 2022/1645”
Part-IS requires companies that fall within the scope of one of the two regulations to establish a specialized information security management system (ISMS) by February 2026.
Which Companies Fall Within the Scope of Part-IS?
Part-IS affects a number of organizations that are already regulated by other aviation legislation:
- maintenance organizations ("Part-145 organization")
- continuing airworthiness management organizations ("CAMO organization")
- air operators subject to Annex III (Part-ORO) to Regulation (EU) No 965/2012 (“AOCs”)
- approved training organizations (“ATOs”)
- aircrew aero-medical centers
- flight simulation training device (FSTD) operators
- air traffic controller training organizations (ATCO TOs) and ATCO aero-medical centers
- organizations subject to Annex III (Part-ATM/ANS.OR) to Implementing Regulation (EU) 2017/373
In addition to these organizations, competent authorities, for example the LBA in Germany, must also implement Part-IS.
Do Companies That Already Operate an ISMS Have an Advantage?
Not necessarily – the ISMS required by Part-IS is not equivalent to an ISMS in accordance with ISO 27001. However, the security requirements of Part-IS are based in part on well-known standards such as ISO 27001 or the NIST Cybersecurity Framework. So if your company already operates an ISMS, you should definitely check whether existing measures can be reused for Part-IS compliance. We will be happy to support you in this.
Are You Affected? These Are Your Next Steps.
If your organization has to implement Part-IS, we recommend that you react quickly:
1.) The first step is to carry out a gap analysis. This will give you an initial overview of the status quo in your organization.
2.) Clarify the (target) organization for establishing and maintaining Part-IS compliance. Important questions are, for example: Who takes on the role of the “Appointed Person Information Security” and how exactly does your company define their tasks and powers? Or does it make more sense to establish a “Common Responsible Person”? How can IT processes, e.g. for incident management, be integrated to achieve Part-IS compliance?
3.) To gain clarity about the scope, compile the assets relevant under Part-IS early on, for example so that you can estimate the cost of risk assessments.
Of course, we are always here to help and advise you with each of these steps.
Why us
Experience
Over 20 years of experience in international information security development and consulting projects, complemented by comprehensive industry know-how in European aviation.
Full Service Provider
We cover the entire IT security value chain – from pentests to consulting and assessments.
Independence
Independent and comprehensive consulting – from security strategy to guidelines.
Practicability
The best recommendation is useless if it cannot be implemented in practice. That's why our customers value our best practices and our view of reality.