How do we define the Scope of applicability for Part-IS under a Part-145 maintenance approval? How top level, or deep dive level should we be going - where does it end? I feel this has the potential to become a huge administrative burden?

Nikolaos Stamatelatos

I think the scope of Part-IS is not about covering every digital asset but those IT systems, processes, and records that, if compromised, could affect aviation safety — mainly maintenance IT platforms, airworthiness data, and connected tooling/software. The boundary is set by whether a breach could cause or contribute to a safety outcome, not by every office system. What is specific to Part-145 versus other organizations is its heavy dependency on design and CAMO data, the criticality of maintenance records, subcontracted workshops and IT vendors, and in some cases direct interaction with aircraft systems — all of which must be explicitly considered. In practice, I should define the ISMS scope at the level of approved maintenance activities and their safety-critical interfaces, otherwise the administrative burden becomes unmanageable.

