EASA Part-IS Compliance Checklist for Aviation Operators

ISMS Foundation: Essential Documentation

The following documentation forms the foundation of a Part-IS compliant ISMS:

• Information Security Policy: Approved by the Accountable Manager, stating the organisation's commitment to information security and alignment to aviation safety objectives
• ISMS Scope Document: Written definition of the systems, processes, locations, and third parties within ISMS scope
• Risk Assessment Methodology: Documented approach to identifying, assessing, and prioritising information security risks
• Risk Register: Current risk register identifying information security risks, their likelihood and impact, and treatment decisions
• Statement of Applicability: Record of which security controls are implemented, which are excluded, and justification for exclusions
• Asset Register: Inventory of information assets within ISMS scope — systems, data, physical assets

Technical Controls: Implementation Evidence

Part-IS requires implementation of appropriate security controls. Key evidence items include:

• Access management records: User provisioning and de-provisioning processes, access review records, privileged access management documentation
• MFA implementation: Evidence of MFA deployment on remote access, email, and administrative systems
• Network security: Network architecture documentation showing segmentation between IT and OT, and between operational and public networks
• Patch management: Patch management policy and records demonstrating systematic vulnerability remediation
• Endpoint protection: Deployment records for endpoint protection across managed devices
• Encryption: Documentation of encryption at rest and in transit for sensitive information assets
• Vendor security: Third-party risk assessment records for significant suppliers — with security requirements incorporated in contracts

Incident Response and Reporting Evidence

Part-IS incident response requirements demand documented and tested capabilities:

• Incident Response Plan: Documented procedures for detecting, responding to, and recovering from information security incidents — covering scenarios relevant to aviation operations
• Exercise records: Evidence of incident response plan testing — tabletop exercises, simulation exercises, or live test events — within the last 12 months
• Incident register: Log of all security incidents and events, including how they were handled and any lessons learned
• NAA reporting procedure: Documented procedure for notifying the National Aviation Authority of incidents that may affect aviation safety — with designated responsible person and contact details
• Recovery testing: Evidence that backup and recovery procedures have been tested and recovery time objectives validated

Governance and Training Evidence

Part-IS requires management governance and trained personnel:

• Management review records: Minutes or records of management review of ISMS effectiveness — at defined intervals, at minimum annually
• Training records: Evidence that personnel with information security responsibilities have received appropriate training
• Awareness records: Evidence of general staff security awareness activities — training completion records, phishing simulation reports
• Role and responsibility assignments: Documented assignment of information security responsibilities — who is responsible for what within the ISMS
• Internal audit records: Evidence of internal audit of ISMS effectiveness and compliance

Frequently Asked Questions