Course Overview
While Awareness training protects the front lines, legal accountability sits with Management & Compliance personnel. This course is specifically designed for leadership teams and Nominated Persons who must implement, manage, and defend an Information Security Management System (ISMS) under EASA Part-IS.
From the Accountable Manager’s financial liability to the technical interface between the CISO and Safety Manager, this course provides the “Management Engine” required to maintain regulatory compliance and operational safety.
Target Audience
This course is essential for personnel identified in IS.OR.200 and IS.OR.260, including:
- Accountable Managers (AM)
- Nominated Persons / Postholders (Flight Ops, Maintenance, etc.)
- Chief Information Security Officers (CISO)
- Safety & Quality Managers
- Compliance Monitoring Managers (CMM)
Prerequisites
EASA Part-IS Awareness Training or similar
Learning Experience
1 to 1.5 hours, asynchronous (interactive recorded content)
The EASA Part-IS: Management & Compliance course consists of a set of Lessons and Waypoints, each with dedicated video content. Subtitles are available when needed, and a full transcript is provided on each Waypoint.
Learning Outcomes
Knowledge
- Regulatory Framework: Comprehend the specific requirements of IS.OR.200 and IS.OR.260 regarding the establishment and maintenance of an Information Security Management System (ISMS).
- Governance Roles: Define the distinct legal liabilities of the Accountable Manager and the technical responsibilities of the CISO and Safety Manager.
- Risk Methodology: Understand the four-step risk sequence the regulation requires (identification, analysis, evaluation and treatment) and how it is applied at the safety-security interface.
- Reporting Requirements: Know the mandatory 72-hour window for notifying the competent authority of information security incidents and vulnerabilities that have, or may have, an impact on aviation safety.
- Supply Chain Oversight: Understand the “Extended Enterprise” concept and how to classify the security risk of external service providers.
Skills
- Risk Evaluation: Perform a Part-IS compliant risk assessment by weighing threat likelihood against safety severity levels.
- ISMS Documentation: Draft and maintain key sections of an ISMS Manual (the “Constitution” of your security system).
- KPI Development: Create and monitor iSPIs (Information Security Performance Indicators) to measure the health of your security environment.
- Incident Classification: Distinguish between a standard IT security event and a reportable aviation security incident under IS.OR.230.
- Audit Management: Execute internal oversight checks covering password policies, access controls and record-keeping, including the 5-year record retention requirement.
Competence
- Strategic Leadership: Ability to lead the integration of Information Security into the existing Safety Management System (SMS) without creating operational silos.
- Accountability Management: Competence in defending the organization’s security posture during a Competent Authority (NAA) audit.
- Decision Making: Determine when to Accept, Mitigate, or Avoid a risk based on its potential impact on “Safe Operations” versus “Financial Cost.”
- Continuous Improvement: Manage the “Plan-Do-Check-Act” cycle to ensure the ISMS evolves alongside emerging cyber threats.