EASA Part-IS Aviation Information Security Management Training - Regulation EU 2023/203 Compliance

Aviation Information Security Management per EASA Part-IS Regulations

Regulation (EU) 2023/203 & (EU) 2022/1645 Compliance Training

Course Code: AT-0023-00

16 hours | MS Teams | Certificate included

Course Overview

Master the comprehensive requirements of EASA Part-IS regulations and equip your organisation to implement a robust Information Security Management System (ISMS) that protects aviation safety from cyber threats.

This in-depth course covers the full scope of Regulation (EU) 2023/203 (Implementing) and Regulation (EU) 2022/1645 (Delegated), providing aviation professionals with the practical knowledge to establish, maintain, and continuously improve an ISMS under Part-IS.I.OR. From risk assessment methodology and incident management to personnel competence, contracted activities oversight, and authority audit preparation — this training bridges regulation with real-world implementation across all 14 mandatory organisational requirements.

Learning Outcomes

  • Understand the EASA Part-IS Regulatory Framework: Interpret Regulation (EU) 2023/203 and (EU) 2022/1645, including their relationship with the NIS2 Directive, AVSEC Regulation 2015/1998, and Regulation 376/2014
  • Distinguish Safety, Security & Information Security: Differentiate between safety, security, and information security concepts and understand how cyber threats cascade into aviation safety risks
  • Establish & Document an ISMS: Structure and implement an Information Security Management System covering all 14 IS.I.OR requirements (OR.100 through OR.260)
  • Apply Risk Assessment Methodology: Conduct structured risk assessments using the IS.I.OR.205 five-step process: identify elements, identify interfaces, identify risks, assign risk levels, and define treatment measures
  • Analyse Threat Scenarios & Safety Impact: Evaluate real-world cyber threat scenarios including EFB attacks, GPS spoofing, ATC system compromise, and fuel control system intrusion
  • Manage Interfaces & Shared Risks: Identify horizontal and vertical organisational interfaces, assess shared risk exposure, and implement controls for supplier, contractor, and cloud/IT provider relationships
  • Implement Incident Response & Reporting: Establish detection methods, event-vs-incident triage, the four-stage incident response (Prepare, Contain, Eradicate, Recover), and meet the 72-hour external reporting obligation
  • Oversee Contracted Activities: Apply IS.I.OR.235 obligations including supplier pre-assessment, contractual cyber clauses, structured oversight processes, and compliance monitoring for third-party providers
  • Define Personnel Competence & Trustworthiness: Establish accountable manager duties, appointed person roles, competency profiles, and identity verification requirements under IS.I.OR.240
  • Develop the ISMM & Prepare for Oversight: Create a compliant Information Security Management Manual (IS.I.OR.250/255) and prepare documentation, evidence, and readiness actions for competent authority audits and PSOE oversight

Course Content & Topics Covered

The course consists of the following 14 comprehensive chapters delivered across two parts:

Part 1 — Chapters 1–7
  1. Introduction & Context
    • Why Information Security in Aviation
    • Safety vs Security vs Information Security
    • Industry Trends & Risk Drivers
  2. EASA Regulatory Framework
    • Regulation (EU) 2023/203 — Implementing (Part-IS.I.OR)
    • Regulation (EU) 2022/1645 — Delegated
    • EASA Opinion 03/2021
    • Relationship with AVSEC Regulation 2015/1998
    • Relationship with NIS2 Directive
    • Relationship with Regulation 376/2014
    • Legal Equivalence & Exemptions
  3. Information Security Principles
  4. Information Security Management System (ISMS)
  5. Organisation Requirements (IS.I.OR)
    • IS.I.OR.100 — Scope
    • IS.I.OR.200 — ISMS Requirements
    • IS.I.OR.205 — Risk Assessment
    • IS.I.OR.210 — Risk Treatment
    • IS.I.OR.215 — Internal Reporting
    • IS.I.OR.220 — Incident Response
    • IS.I.OR.225 — Corrective Actions
    • IS.I.OR.230 — External Reporting
    • IS.I.OR.235 — Contracting
    • IS.I.OR.240 — Personnel Requirements
    • IS.I.OR.245 — Recordkeeping
    • IS.I.OR.250 — ISMM
    • IS.I.OR.255 — Changes to ISMS
    • IS.I.OR.260 — Continuous Improvement
  6. Interfaces & Shared Risks
    • Horizontal & Vertical Interfaces
    • Shared Risk Exposure & Communication
    • Supplier, Contractor & Cloud/IT Provider Interfaces
  7. Threat Scenarios & Safety Impact
    • EFB Attack, GPS/Navigation Spoofing, ATC Systems
    • Fuel Control System Intrusion
    • Real-World Incidents & Functional Chain Impact
Part 2 — Chapters 8–14
  8. Risk Assessment Methodology
    • IS.I.OR.205 Five-Step Process
    • Identifying Elements & Interfaces
    • Likelihood & Severity Assessment
    • Risk Acceptance Matrix & Risk Register
  9. Incident Management
    • IS.I.OR.220 — Detection Methods & Event vs Incident Triage
    • Four-Stage Response: Prepare, Contain, Eradicate, Recover
    • Emergency Measures & External Reporting
  10. Reporting Obligations
    • IS.I.OR.215 — Internal Reporting Scheme
    • IS.I.OR.230 — External Reporting & the 72-Hour Rule
    • Relationship with Regulation (EU) 376/2014
    • Multi-Approval Scenarios & Report Requirements
  11. Contracted Activities Management
    • IS.I.OR.235 — Three Core Obligations
    • Supplier Pre-Assessment & Contractual Cyber Clauses
    • Structured Oversight Process & CA Access Rights
  12. Personnel Competence & Trustworthiness
    • IS.I.OR.240 — Accountable Manager Duties
    • Appointed Person & Compliance Monitoring Role
    • Competency Profiles, Sufficiency Factors & Identity Verification
  13. Information Security Management Manual (ISMM)
    • IS.I.OR.250 & IS.I.OR.255
    • ISMM Structure & Integration with Other Manuals
    • Approval Requirements & Maintaining Currency
  14. Oversight & Auditing
    • PSOE Implementation Levels
    • Common Findings & Findings Classification
    • Preparing for Competent Authority Oversight
    • Documentation Expectations

Learning Format

Live Virtual Classroom on MS Teams

Session Structure:

  • 4 sessions × 4 hours each (16 hours total)

Course Information

  • Target Audience:
    Safety Managers, Compliance Monitoring Managers, IT/IS Personnel, Accountable Managers
  • Duration:
    16 hours (4 sessions × 4 hours)
  • Delivery:
    Live virtual (MS Teams)
  • Certificate:
    Upon completion

No upcoming sessions scheduled.
Contact us to arrange a private session or request to be notified when new dates are available.

Prerequisites

  • Fluency in English language
  • Basic understanding of aviation regulatory frameworks (recommended)

Who Should Attend

  • Safety Managers
  • Compliance Monitoring Managers
  • Accountable Managers
  • IT / Information Security Personnel
  • Quality Assurance Managers
  • Continuing Airworthiness Managers (CAMOs)
  • Part-145 Maintenance Organisation Managers
  • Air Operator Personnel (Part-ORO)
  • ATO Training Managers
  • ATM/ANS Service Providers
  • Aerodrome Operators
  • ISMS Appointed Persons

Applicable Organisations

Regulation (EU) 2023/203, Article 2 applies to:

  • Part-145 Maintenance Organisations
  • CAMOs (Continuing Airworthiness)
  • Air Operators (Part-ORO)
  • Approved Training Organisations (ATOs)
  • Aircrew Aero-Medical Centres
  • FSTD Operators
  • ATCO Training Organisations
  • ATM/ANS Organisations (Reg. 2017/373)
  • U-space Service Providers

Have Questions?

Our team is here to help you achieve Part-IS compliance.


Frequently Asked Questions

What is EASA Part-IS?

EASA Part-IS is the regulatory framework established through Regulation (EU) 2023/203 (Implementing) and Regulation (EU) 2022/1645 (Delegated) that sets information security requirements for aviation organisations. It mandates that covered organisations identify and manage information security risks with potential impact on aviation safety, detect and respond to security events and incidents, and establish a documented Information Security Management System (ISMS). This training covers the full scope of Part-IS.I.OR organisational requirements.

What is an Information Security Management System (ISMS) in aviation?

An Information Security Management System (ISMS) in aviation is a structured framework of policies, procedures, risk assessments, and controls designed to protect the confidentiality, integrity, and availability of information and systems that support aviation safety. Under EASA Part-IS, every covered organisation must establish, document, and maintain an ISMS that addresses all 14 requirements from IS.I.OR.100 through IS.I.OR.260, including risk assessment, incident management, reporting obligations, and continuous improvement.

Which organisations must comply with Part-IS?

Regulation (EU) 2023/203, Article 2 defines the covered organisations. These include Part-145 maintenance organisations, Continuing Airworthiness Management Organisations (CAMOs), air operators under Part-ORO, Approved Training Organisations (ATOs), aircrew aero-medical centres, FSTD operators, ATCO training organisations and aero-medical centres, organisations subject to Part-ATM/ANS.OR, U-space service providers, and approved design or production organisations for ATM/ANS systems. This course is designed to support all covered organisation types in achieving compliance.

What are the incident reporting obligations under Part-IS?

Under IS.I.OR.230, organisations must report significant information security incidents to the competent authority within 72 hours of becoming aware of the incident. The initial report must include the nature and scope of the incident, affected systems, immediate measures taken, and potential aviation safety impact. Follow-up reports with additional details are required as the investigation progresses. This course covers both internal (IS.I.OR.215) and external (IS.I.OR.230) reporting requirements in depth.

How does Part-IS relate to NIS2 and AVSEC?

Part-IS exists alongside other EU security frameworks. The NIS2 Directive addresses network and information systems security across critical sectors including transport, while AVSEC Regulation 2015/1998 governs aviation security against unlawful interference. Part-IS specifically addresses information security risks with potential aviation safety impact, complementing these frameworks without duplicating them. This course covers the relationships, overlaps, and legal equivalence provisions between these regulatory instruments.

Who should attend this training?

This training is essential for safety managers, compliance monitoring managers, accountable managers, IT and information security personnel, quality assurance managers, continuing airworthiness managers at CAMOs, Part-145 maintenance organisation managers, air operator personnel, ATO training managers, ATM/ANS service providers, aerodrome operators, and anyone appointed as the responsible person for information security within a covered organisation. The course provides both regulatory understanding and practical implementation guidance.

What is the Information Security Management Manual (ISMM)?

The Information Security Management Manual (ISMM) is the cornerstone compliance document required under IS.I.OR.250. It formally documents the organisation's ISMS, including policies, procedures, risk assessment methodology, roles and responsibilities, and control measures. The ISMM must be made available to the competent authority and kept continuously up to date. IS.I.OR.255 governs changes to the ISMS. This course covers ISMM structure, integration with other organisational manuals, approval requirements, and how to maintain currency.

How does competent authority oversight work under Part-IS?

Competent authority oversight under Part-IS follows a structured approach built around the PSOE (Present, Suitable, Operational, Effective) implementation framework. Preparing for oversight involves ensuring your ISMM is complete and current, risk assessments are documented, incident management procedures are established, reporting channels are operational, personnel competence records are maintained, and contracted activities are properly overseen. This training covers PSOE implementation levels, common audit findings, findings classification, and practical steps to demonstrate compliance during authority audits.

Ready to Achieve EASA Part-IS Compliance?

Join our comprehensive training and master aviation information security management requirements.
