EASA Part-IS Awareness Training for CAMO, Part-145 and CAO Personnel — Regulation EU 2023/203 information security awareness course delivered live online

EASA Part-IS Awareness Training • Regulation (EU) 2023/203

EASA Part-IS Information Security Awareness for CAMO, Part-145 & CAO Personnel

Discharge the IS.I.OR.240 awareness obligation in a single day — audit-ready, behaviour-changing, loyal to Regulation (EU) 2023/203 and (EU) 2022/1645.

Course Code: AT-0024-00  •  Delivered by Aviathrust from Malta, worldwide online

8 Hours (1 Day) • Live on MS Teams • 75 % Pass — Certificate Issued • IS.I.OR.240 Compliant Record

Course Overview

A one-day, audit-ready awareness course that discharges the training obligation of IS.I.OR.240 for the people who actually touch the data — engineers, planners, certifying staff, CAMO reviewers, store-keepers, dispatchers and support staff.

Built strictly to the architecture of Regulation (EU) 2023/203 (Implementing) and Regulation (EU) 2022/1645 (Delegated), the course translates Part-IS from legal text into the practical behaviours your Competent Authority will sample first: recognise an information security event, apply daily hygiene, spot phishing in every channel, use mobile / removable media / AI tools without leaking data, and route a report through your internal scheme so that both the Part-IS and Reg (EU) 376/2014 flows trigger from a single click.

Twelve modules. Real, sanitised cases from Part-145 hangars and CAMO offices. A 75 % end-of-day knowledge check. A signed certificate and the competence-record evidence the Competent Authority expects to see under IS.AR oversight.

What You Will Be Able To Do

By the end of the day, every attendee can demonstrate the following — the same five verbs the Authority looks for when sampling personnel competence under IS.AR.

Recognise an information security event in your day-to-day work and report it within the required time threshold (working day / 1 hour / immediate).
Apply the eight daily hygiene habits at the workstation, in the hangar and on the road — passwords, screen lock, removable media, patching, email, documents, Wi-Fi, BYOD and social-media discipline.
Spot phishing, vishing, smishing, QR-code attacks, deepfake voice and in-person pretexting aimed at maintenance and CAMO functions — using the 5-second test.
Use mobile devices, removable media, VPN and generative-AI tools without compromising organisational data — including the 4-question AI checklist and the 1-hour lost-device rule.
Explain how the ISMS interfaces with the SMS, the Compliance Monitoring Function, HR and Continuing Airworthiness — and why one internal report routes both Part-IS and Reg (EU) 376/2014 streams.

Syllabus — Twelve Modules in Eight Hours

Module 1: Origin in Reg (EU) 2018/1139 • applicability of Reg (EU) 2023/203 vs (EU) 2022/1645 • key articles • compliance dates • standards vs regulation • roles and responsibilities • documentation integration with MOE / CAME / CAO exposition • oversight by the Competent Authority • occurrence reporting interface with Reg (EU) 376/2014 • consequences of non-compliance.

Module 2: Why aviation is a high-value target • threat actors and their economics • real, sanitised cases from the sector • the "safety bridge" — how cyber becomes aviation safety through integrity and availability pathways • 2025–2026 trends • implications for the individual employee • calibration of risk perception.

Module 3: Asset → Threat → Vulnerability → Risk • the three control families (preventive, detective, corrective) • Event vs Incident vs Vulnerability — the #1 source of misrouted reports • CIA + Authenticity (CIAA) as Part-IS defines it • applied to aviation examples: airworthiness records, NavData, Form 1.

Module 4: What an ISMS is (and what it is not) • scope and governance under the Common Responsible Person • the five core processes — risk, events, change, suppliers, training • where your day touches the ISMS • where to find the policy, the procedures and your IS focal point.

Module 5: Passwords (length over complexity, password managers, MFA fatigue) • lock your screen, every time • removable media procedure • software updates and patching • email basics • documents on organisation file shares (not Desktop, never personal cloud) • Wi-Fi discipline (corporate / guest / public / hangar SSID) • BYOD and personal devices • social-media OSINT discipline • off-hours, holiday and travel rules.

Module 6: The four attacks (phishing / vishing / smishing / pretexting) • anatomy of a modern AI-written phishing email • spear-phishing and Business Email Compromise (BEC) • vishing and deepfake voice • smishing and QR-code attacks • pretexting and in-person engineering • the 5-second test • the call-back-on-a-known-number rule • what to do when you spot one — and when you think you clicked.

Module 7: Mobile devices in detail — the highest-data-density device you carry • working from home (router hygiene, family on the work laptop, IoT segregation) • VPN — when, why and always • travel: before you go / while you are there / return-from-travel discipline • lost or stolen: the 1-hour rule.

Module 8: Why this module exists in an aviation course • the data-exposure risk of public GenAI tools • the hallucination risk in regulatory and procedural contexts • approved vs unapproved tools • what you may and may not do • the 4-question checklist that fits between thinking the prompt and pressing send.

Module 9: Loadable Software Parts (LSPs) and the dual-verification procedure • MRO data exchange • airworthiness record integrity — the highest-impact IS asset in CAMO • Form 1 / Certificate of Release to Service chain integrity • GSE with network interfaces • connected diagnostic tools • maintenance planning systems • sub-contractor data flows • the supply-chain view.

Module 10: The principle — reporting is a duty under IS.I.OR.215 • what counts • the internal scheme • the Reg (EU) 376/2014 interface (one internal report, dual routing) • Just Culture in practice • anonymous vs identified reporting • what happens after the report • timeline thresholds: working day, 1 hour, immediate.

Module 11: The ISMS is not an island • ISMS ↔ SMS • ISMS ↔ Compliance Monitoring Function • ISMS ↔ HR (joiners / movers / leavers — and the leaver-access-not-revoked finding) • where the interfaces live in the MOE / CAME / CAO exposition • who you tell when something happens.

Module 12: What we covered today — the six-theme summary • refresher cadence (24-month default, plus event-driven under IS.I.OR.260) • resources and references (EASA Easy Access Rules for Information Security, internal IS policy, internal reporting procedure, IS focal-point contact list) • your actions this week • multiple-choice end-of-day knowledge check — 75 % pass mark.

Format, Assessment & Records

Live Virtual Classroom on MS Teams

  • Duration: 1 working day — 8 hours, including a consolidated knowledge check
  • Delivery: Live, instructor-led on MS Teams (in-person option for in-house groups)
  • Class size: Capped to preserve real Q&A — not a webinar
  • Assessment: Multiple-choice end-of-day check — pass mark 75 %
  • Certificate: Issued on successful completion, course code AT-0024-00, traceable to the version of the material
  • Records retained: Attendance, content version, trainer competence, knowledge-check score and refresher due date — the evidence package the Competent Authority may sample under IS.AR
  • Refresher cadence: 24-month default per IS.I.OR.240, plus event-driven re-training under IS.I.OR.260

Who this course is NOT for: SOC analysts, the Incident Response team, and ISMS administrators — they need our technical implementation course (AT-0023-00) instead.

Why Aviathrust for Part-IS Awareness

Aviation engineers, not generic IT trainers

The trainer is a working aviation engineering and compliance consultant — cases come from Part-145 hangars and CAMO offices, not stock decks.

Loyal to the regulation

Every module cites the IS.I.OR article it discharges — so your competence record traces back to the legal text.

Audit-ready records

Attendance, score, content version and refresher due date — packaged the way the Competent Authority asks for them.

Delivered from Malta, worldwide

Live MS Teams sessions in CET/CEST — with in-house delivery available across Europe, the Middle East and Africa.

Frequently Asked Questions

Yes. AT-0024-00 discharges the awareness training obligation in IS.I.OR.240(b) for Part-145, CAMO and CAO personnel who do not perform a technical role in the ISMS team. Attendance, the multiple-choice end-of-day knowledge check, the content version and the refresher due date are recorded and retained to satisfy IS.I.OR.240(c) so the Competent Authority can sample the evidence under IS.AR oversight.

Attend if you are Part-145 certifying staff or a mechanic, a CAMO airworthiness reviewer, CAO personnel, a planner, technical-records staff, stores staff, operational compliance monitoring staff, HR handling joiners and leavers, or a sub-contractor with data access. Do not attend this awareness course if you are a SOC analyst, an incident response team member or an ISMS administrator — those personnel need the technical implementation course (AT-0023-00).

One working day — 8 hours including the multiple-choice knowledge check. Live instructor-led delivery on Microsoft Teams as standard, with on-site in-house delivery available for groups.

The pass mark is 75 % on the consolidated end-of-day multiple-choice check. A delegate who does not reach the threshold is offered one re-sit at no extra cost; if the re-sit is still unsuccessful, a targeted re-attendance is recommended so the record reflects actual competence.

Every 24 months as a minimum under IS.I.OR.240, plus an event-driven refresher under IS.I.OR.260 whenever the threat landscape changes materially or the ISMS itself changes (new scope, new systems, new processes). After a significant information security event, lessons-learned training is delivered separately from the calendar cycle for personnel involved.

Both regulations form Part-IS and share the same IS.OR architecture. Regulation (EU) 2023/203 is the Implementing Regulation that applies to approved organisations regulated under Reg (EU) 2018/1139 — Part-145, CAMO, CAO, Part-ORO operators, ATOs, FSTD operators, ATM/ANS organisations and aero-medical centres. Regulation (EU) 2022/1645 is the Delegated Regulation that applies to design and production organisations, aerodromes, apron and ground-handling.

One internal report routes to both streams. The employee files a single information security report through the internal scheme; the Common Responsible Person and the Safety Manager then decide which external flows are triggered — Part-IS to the Competent Authority and Reg (EU) 376/2014 where there is potential aviation-safety impact. The employee does not have to pick the scheme. Just Culture protection extends to information security occurrences with safety impact.

The certificate is issued by Aviathrust, an aviation training provider based in Malta, and is acceptable wherever Part-IS applies through EASA Member States and through bilateral equivalence (UK CAA, Switzerland, EEA). Outside EASA jurisdiction the certificate documents competence against an EU regulatory benchmark commonly accepted for foreign-approved organisations operating in EASA airspace. If in doubt, we encourage you to consult your competent airworthiness authority for further advice.

Yes. In-house delivery includes light tailoring of the aviation scenarios in Module 9 and the interface examples in Module 11 to match your MOE / CAME / CAO exposition, ISMM and IS focal-point structure — without diluting the regulatory core.

Ready to Discharge Your Part-IS Awareness Obligation?

One day. Twelve modules. The audit-ready competence record your Competent Authority expects to see.
