Part-IS Oversight Approach Guidelines

Vasileios Papageorgiou • 10 March 2025

in community Cybersecurity

5 likes

Part-IS Oversight Approach Guidelines

What type of compliance is expected by the applicability date of Part-IS? Documentation or operational?

If you were one of the people who asked this question at our Part-IS Implementation Workshop 2024, we have good news for you! 😃

We are pleased to announce the publication of the Part-IS Oversight Approach Guidelines, developed by the Part-IS Implementation Task Force. This document provides structured guidance for Competent Authorities to oversee the implementation of Information Security Management Systems (ISMS) in aviation organisations to ensure compliance with EU Regulations 2022/1645 and 2023/203. 🚁

This guidance, first announced at the Part-IS workshop in November 2024, aims to harmonise oversight activities across Member States and support the effective and proportionate implementation of Part-IS requirements. 📚

Key highlights:

Standardised ISMS oversight framework 📋
Guidance on assessment steps for ISMS implementation maturity 📈
Proportionality considerations based on organisational complexity 📊

Do you find this document useful? (If you write "no" we will ban you from the community 📛😬 -kidding-)

Let us know in the comments below!

Files

part-is-oversight-approach-guidelines 1.pdf616.41 KB

Comments (4)

Christoph Schnyder • 2 months ago

Many thanks to EASA for publishing these guidelines within a reasonable timeframe. I firmly believe that they will not only be useful to the competent authorities and their inspectors, but will also allay some concerns among the applicable organisations. After you study this document you will come to the following conclusion, "it's all not rocket science". 🤩

Elena Ioannoni • 2 months ago

Dear Christoph, I completely agree with you. In fact, I have just published this guideline on LinkedIn, sharing my thoughts on how it can also serve as a valuable guide for us as organizations.

Marion Choudet • 2 months ago

Many thanks for this document which brings clarification for both competent authorities and organizations on the deliverables needed to be compliant on the applicability date. Still I have a question of consistency regarding a particular point. The expectation is for organizations to demonstrate we are at the "present & suitable" level. On page 7, expectation #4 is "The organisation has performed an initial risk assessment (e.g. major risks and related threat
scenarios both internal and at the interfaces).". To perform the initial risk assessment as described, organisations must have an Information Security Risk Assessment process not only present and suitable but fully operating and effective. Could you please provide your view on this point?

Vasileios PAPAGEORGIOU • 2 weeks ago

Hi Marion, thank you for your message - apologies for the late response but we are reforming our community and I was also out of office for some time so I'm able to reply to you only now.

The initial risk assessment is an exercise that can be done on paper and should at least exist on paper by the applicability date which is aligned with the “present and suitable” levels as indicated in the guidelines that you are referring to. Any operational elements such as controls, the actual incident management, reporting process etc follow this initial, planning stage. The risk assessment can, and should, become of course more mature once operational elements come into play.

Please log in or sign up to comment.