Part-IS Ask me anything – Written Answers
As promised in the previous community post, you may find below the answers to your questions on LinkedIn which were not recorded in the video.
Q: How can service providers prove to customers that their advisors are Part-IS trained or certified?
A: The term "advisor" is not used in the regulation, making it difficult to understand the question. If the term "advisors" is understood as consultants, there is no requirement to prove the above, as the approved organisation takes responsibility for its suppliers. If the advisors are providing IS services, OR.235 applies in full.
Q: In my view, one of the key challenges in establishing a cyber-aware safety culture lies in human factors and operational reality: safety-trained personnel may not inherently possess cyber security awareness, while cyber security teams may underestimate operational aviation risks; therefore, it is important to clarify how these two risk perspectives can be effectively embedded into organisational mindset and day-to-day safety management practices.
A: Indeed there are two different cases. Security personnel involved in the implementation of Part-IS should have an understanding that, apart from the impact on business continuity and the financial or reputational impact, a safety impact also exists. Safety-trained personnel, such as pilots, should be able to recognise and mitigate an impact on safety regardless of whether it originates from information security causes or not. However, and where possible, an awareness that certain threats exist is needed, such as in the case of GNSS interference, as this would allow a better (safety) reaction from the pilot. In general, while in both cases awareness has to be established, collaboration is the key to successful Part-IS implementation. Through it, different perspectives can come together and an understanding of the different objectives of safety vs. security can be achieved.
Q: In Part 145.A.35 and its AMC/GM it gives a nice matrix and examples of non-exhaustive competency requirements for all involved in maintenance. I tried the WI.CAO.00115-007 para 3.1 flag note IS1 regarding the European cybersecurity skills framework link. It was of no use in getting the information; in fact, I only stumbled across what I assume to be the correct competency for a CISO after many hours of searching on Google. Part-IS for Part 145 organisations is not within their areas of expertise, so there should be easier ways to hopefully see the outputs of what the intent of the regulation is for.
A: It has to be underlined that the intent of the adaptation to the ECSF is to provide an example for the roles related to Part-IS personnel requirements (IS.OR.240). The adaptation of the ECSF to aviation, which is now also part of the updated GM of Part-IS, can provide further information with regard to the information security competencies that can be expected in aviation organisations, including those involved in maintenance.
Q: How can the huge number of MOA and POA organisations decently perform safety analysis on their tools and data, understanding the potential impact on aircraft safety, while the corresponding DOA are generally not dimensioned to provide such support and to openly keep the provided information up to date?
A: Information security aspects of aeronautical products are covered by product certification requirements. These products are delivered with Instructions for Continuing Airworthiness (ICA). The objective for the user organisations receiving the ICA is not to perform another Product Information Security Risk Assessment (PISRA) but to make sure that the assumptions, instructions and recommendations provided in the ICA are maintained and considered in the information security risk assessment under Part-IS in order to assess the information security risk of their specific implementation within the individual security perimeter. Please also note that certified aeronautical products are elements to be included in the security perimeter of the information security risk assessment under Part-IS.
More information can be found in the EASA Part-IS Implementation Workshop 2025 presentation (p105-130):
Q: Why can't Part IS and cybersecurity be combined, knowing that this will create more bureaucracy and expenses for operators?
A: Part-IS is about information security which as a concept encompasses cybersecurity. When Part-IS is implemented following a proper gap analysis with existing systems and other applicable regulations, the implementation burden is significantly reduced, and existing systems and controls can be effectively adjusted to demonstrate compliance with Part-IS requirements.
Q: We are having a few issues regarding the scope of Part-IS for our aerodrome. Is it possible for you to help a bit regarding regulation 139/2004? Is it all systems in ADR, e.g. the system to register the RWY condition code?
A: The scope of Part-IS concerns all the elements that are under the scope of the existing approval for the domain and could be exposed to information security risks. According to IS.I/D.OR.205, this includes the organisation's activities, facilities and resources, as well as the services the organisation operates, provides, receives and maintains, as well as the equipment, systems, data and information that contribute to the functioning of these elements.
Comments received which were not questions relevant to Part-IS have not been included here.