Third-Party Supplier Aviation Security Scorecard: Assessing Ground Handlers, MROs, and Technology Vendors
EASA Part-IS and CAA CAP 1753 both require aviation operators to assess and manage the cybersecurity risk of their supply chain. But what does a practical third-party assessment look like for an aviation operator managing dozens of ground handlers, MRO partners, and technology vendors? This scorecard provides a structured framework for evaluating supplier security across five domains, with scoring guidance that allows operators to tier their vendor risk and prioritise assessment effort. Use it as a questionnaire for vendor self-assessment, as a framework for on-site vendor audits, or as the basis for automated third-party risk monitoring.
Domain 1: Security Governance (20 points)
Security governance assessment evaluates whether the supplier has a foundational security programme:
- Information security policy: Does the supplier have a documented, management-approved information security policy? (5 points)
- Security responsibilities: Is there a named individual responsible for information security? (5 points)
- Risk assessment: Has the supplier conducted a formal cybersecurity risk assessment in the last 12 months? (5 points)
- Security certifications: Does the supplier hold Cyber Essentials, ISO 27001, or equivalent certification? (5 points)
Domain 2: Access Control and Authentication (20 points)
Access control assessment covers protection of system and data access:
- MFA deployment: Is MFA enforced on all remote access to the supplier's systems and any aviation operator systems they access? (8 points)
- Least privilege access: Does the supplier operate a least-privilege access model with regular access reviews? (6 points)
- Privileged access management: Are privileged accounts managed with additional controls — PAM tooling, session recording, dual-person authorisation? (6 points)
Domain 3: Incident Response and Reporting (20 points)
Incident response assessment verifies the supplier can respond to and report incidents affecting aviation operator systems or data:
- Incident response plan: Does the supplier have a documented incident response plan? (5 points)
- Aviation operator notification: Is there a documented procedure for notifying aviation operator customers of incidents affecting their systems or data? (8 points)
- Notification timeliness: Can the supplier commit to notifying aviation operator customers within 24 hours of discovering a relevant incident? (7 points)
Domain 4: Technical Security Controls (20 points)
Technical control assessment covers the baseline security measures protecting supplier systems:
- Endpoint protection: Is endpoint protection deployed across all supplier systems used to access aviation operator systems or data? (5 points)
- Patch management: Does the supplier have a systematic patch management process with defined timelines for critical vulnerabilities? (5 points)
- Email security: Are email security controls (anti-phishing, DMARC/DKIM/SPF) implemented? (5 points)
- Data encryption: Is data encrypted at rest and in transit, particularly for aviation operator data? (5 points)
Domain 5: Aviation-Specific Requirements (20 points)
Aviation-specific assessment covers requirements unique to the aviation supply chain context:
- OT security (if applicable): If the supplier operates or accesses OT systems, does it have an OT-specific security programme? (8 points)
- Aviation data handling: Is aviation operator data (passenger data, maintenance records, operational data) handled with appropriate controls and in line with data processing agreements? (7 points)
- Staff vetting: Are supplier staff with access to aviation systems subject to appropriate background checking? (5 points)
Frequently Asked Questions
How should aviation operators score and tier suppliers using this scorecard?
Suppliers scoring 80–100 are well-managed from a security perspective and can be managed through standard contractual obligations and periodic reassessment. Suppliers scoring 60–79 have identifiable gaps that should be tracked and remediated within a defined timeframe — include specific improvement requirements in the vendor relationship. Suppliers scoring below 60, particularly in high-risk categories (those with OT access or mass data processing), should be subject to enhanced oversight, remediation plans with deadlines, or consideration of alternative suppliers. For critical suppliers scoring below 40, consider whether the relationship can continue given the risk.
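The scoring and tiering described above, as an added example rather than any tooling of the page's own: the item weights and tier thresholds are taken from the five domains and this answer, while the treatment of a not-applicable item (rescaling Domain 5 to its 20-point maximum when the OT item does not apply) and the sample supplier's answers are assumptions.

```python
# Added example, not the page's own tooling: score a supplier against the
# five-domain scorecard and tier it with the FAQ thresholds. Weights and
# thresholds are from the page; rescaling a domain when an item is not
# applicable (the OT item) is an assumption.
DOMAIN_MAX = 20
SCORECARD = {  # item weights exactly as published in Domains 1-5
    "governance": {"policy": 5, "named_owner": 5, "risk_assessment": 5, "certification": 5},
    "access": {"mfa": 8, "least_privilege": 6, "pam": 6},
    "incident_response": {"ir_plan": 5, "operator_notification": 8, "notify_24h": 7},
    "technical": {"endpoint": 5, "patching": 5, "email_security": 5, "encryption": 5},
    "aviation": {"ot_programme": 8, "data_handling": 7, "staff_vetting": 5},
}

def score_domain(domain, answers):
    """True earns the item's weight, False earns 0, None means not applicable.
    N/A items are dropped and the rest rescaled to 20 points (assumption)."""
    items = SCORECARD[domain]
    applicable = {k: w for k, w in items.items() if answers.get(k) is not None}
    if not applicable:
        return 0
    earned = sum(w for k, w in applicable.items() if answers[k])
    return round(earned * DOMAIN_MAX / sum(applicable.values()))

def tier_for(total, critical=False):
    """FAQ tiers: 80-100 standard, 60-79 remediate, below 60 enhanced
    oversight; a critical supplier below 40 triggers a continuation review."""
    if critical and total < 40:
        return "review-continuation"
    if total < 60:
        return "enhanced-oversight"
    if total < 80:
        return "remediate"
    return "standard"

def assess(answers, critical=False):
    """Return per-domain scores, the 0-100 total and the resulting tier."""
    domains = {d: score_domain(d, answers) for d in SCORECARD}
    total = sum(domains.values())
    return {"domains": domains, "total": total, "tier": tier_for(total, critical)}

# Constructed sample: a ground handler with no OT footprint, missing MFA and PAM.
SAMPLE_ANSWERS = {
    "policy": True, "named_owner": True, "risk_assessment": False, "certification": True,
    "mfa": False, "least_privilege": True, "pam": False,
    "ir_plan": True, "operator_notification": True, "notify_24h": False,
    "endpoint": True, "patching": True, "email_security": False, "encryption": True,
    "ot_programme": None, "data_handling": True, "staff_vetting": True,
}
```

Running `assess(SAMPLE_ANSWERS, critical=True)` places the sample supplier at 69 points in the remediation tier, with Access Control at 6/20 showing where the improvement requirements belong.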
How often should this scorecard be used for supplier assessment?
Assessment frequency should match supplier risk tier. Critical suppliers (OT system access, large-scale passenger data processing, MSSP relationships) should be reassessed annually with continuous monitoring between assessments. Standard suppliers with limited aviation system access can be assessed every 2–3 years. All suppliers should be reassessed immediately if they report a security incident, appear in threat intelligence, or if the nature of their access to aviation operator systems changes significantly.
Can this scorecard be used for automated third-party risk monitoring?
The scorecard domains can be partially automated using third-party risk management platforms like Panorays, which continuously monitors external indicators of supplier security posture — domain security, certificate health, exposed systems, and dark web monitoring. Automated monitoring provides continuous assessment between annual questionnaire cycles and can alert you to security degradation at a supplier between assessment windows. Combine automated external monitoring with periodic questionnaire-based assessment for comprehensive supply chain risk management.