Part-IS Oversight Approach Guidelines
What type of compliance is expected by the applicability date of Part-IS? Documentation or operational?
If you were one of the people who asked this question at our Part-IS Implementation Workshop 2024, we have good news for you! 😃
We are pleased to announce the publication of the Part-IS Oversight Approach Guidelines, developed by the Part-IS Implementation Task Force. This document provides structured guidance for Competent Authorities to oversee the implementation of Information Security Management Systems (ISMS) in aviation organisations to ensure compliance with EU Regulations 2022/1645 and 2023/203. 🚁

This guidance, first announced at the Part-IS workshop in November 2024, aims to harmonise oversight activities across Member States and support the effective and proportionate implementation of Part-IS requirements. 📚
Key highlights:
- Standardised ISMS oversight framework 📋
- Guidance on assessment steps for ISMS implementation maturity 📈
- Proportionality considerations based on organisational complexity 📊
--
Do you find this document useful? (If you write "no" we will ban you from the community 📛😬 -kidding-)
Let us know in the comments below!
Hi Marion, thank you for your message - apologies for the late response, but we are reforming our community and I was also out of office for some time, so I'm able to reply to you only now.
The initial risk assessment is an exercise that can be done on paper and should at least exist on paper by the applicability date, which is aligned with the “present and suitable” levels as indicated in the guidelines that you are referring to. Any operational elements such as controls, the actual incident management, reporting process, etc. follow this initial planning stage. The risk assessment can, and should, of course become more mature once operational elements come into play.