Part-IS Oversight Approach Guidelines

Vasileios Papageorgiou • 10 March 2025
in community Cybersecurity


What type of compliance is expected by the applicability date of Part-IS? Documentation or operational?  

If you were one of the people who asked this question at our Part-IS Implementation Workshop 2024, we have good news for you! 😃

We are pleased to announce the publication of the Part-IS Oversight Approach Guidelines, developed by the Part-IS Implementation Task Force. This document provides structured guidance for Competent Authorities to oversee the implementation of Information Security Management Systems (ISMS) in aviation organisations to ensure compliance with EU Regulations 2022/1645 and 2023/203. 🚁

[Figure: Steps]

This guidance, first announced at the Part-IS workshop in November 2024, aims to harmonise oversight activities across Member States and support the effective and proportionate implementation of Part-IS requirements. 📚


Key highlights:

  • Standardised ISMS oversight framework 📋
  • Guidance on assessment steps for ISMS implementation maturity 📈
  • Proportionality considerations based on organisational complexity 📊

--

Do you find this document useful? (If you write "no" we will ban you from the community 📛😬 -kidding-) 

Let us know in the comments below!

Comments (3)

Christoph Schnyder

Many thanks to EASA for publishing these guidelines within a reasonable timeframe. I firmly believe that they will not only be useful to the competent authorities and their inspectors, but will also allay some concerns among the applicable organisations. After you study this document you will come to the following conclusion, "it's all not rocket science". 🤩

Elena Ioannoni

Dear Christoph, I completely agree with you. In fact, I have just published this guideline on LinkedIn, sharing my thoughts on how it can also serve as a valuable guide for us as organizations.

Marion Choudet

Many thanks for this document which brings clarification for both competent authorities and organizations on the deliverables needed to be compliant on the applicability date. Still I have a question of consistency regarding a particular point. The expectation is for organizations to demonstrate we are at the "present & suitable" level. On page 7, expectation #4 is "The organisation has performed an initial risk assessment (e.g. major risks and related threat scenarios both internal and at the interfaces)." To perform the initial risk assessment as described, organisations must have an Information Security Risk Assessment process not only present and suitable but fully operating and effective. Could you please provide your view on this point?
