The IS.OR.240 Competence Checklist: Is Your Aviation Staff Audit-Ready?

Of all the new requirements in Regulation (EU) 2023/203 (Part-IS), one clause is causing the most headaches for Compliance Monitoring Managers: IS.OR.240.

While writing a policy is straightforward, proving that every pilot, engineer, and ground staff member possesses “competence appropriate to their role” is a logistical challenge.

To help you prepare for the February 22, 2026 deadline, Raven has compiled this IS.OR.240 Audit Practical Checklist. Use it to verify whether your current training program meets the Acceptable Means of Compliance (AMC).

1. The “Cyber Hygiene” Check (IS.OR.200)

Does your staff understand the basic rules of digital engagement? The regulation requires strict adherence to information security policies.

  • [ ] Access Control: Can staff explain why they must not share passwords or allow “tailgating” at secure doors?
  • [ ] Clear Desk Policy: Do they understand that leaving a passenger manifest or tech log on a desk is a regulatory breach?
  • [ ] Phishing Awareness: Can they identify the “Three Red Flags” (Sender, Urgency, Payload) of a social engineering attack?

2. The “Threat Scenario” Check (IS.OR.205)

Does your training cover aviation-specific risks, or just generic IT topics? AMC1 IS.OR.205(b) requires staff to be aware of threats relevant to their operational environment.

  • [ ] For Pilots: Can they recognize GPS Spoofing (e.g., map shifts, false terrain warnings) and differentiate it from a sensor failure?
  • [ ] For CAMO/Maintenance: Are they aware of the “Bridging Attack” risk when connecting a laptop or USB loader to aircraft avionics?
  • [ ] For Dispatch: Do they understand the risk of data corruption in Load Sheets or Performance Data?

3. The “Reporting” Check (IS.OR.215)

Will your staff actually report an incident? An effective ISMS relies on the flow of information.

  • [ ] Identification: Can staff distinguish between a “Technical Glitch” (functional failure) and a “Security Event” (illogical behavior)?
  • [ ] Just Culture: Do they know that reporting a mistake (like clicking a bad link) will be treated fairly under the organization’s Just Culture policy?
  • [ ] Mechanism: Do they know exactly which form or digital tool to use to submit a report?

4. The “Supply Chain” Check (IS.OR.225)

Do they trust untrusted sources?

  • [ ] Chain of Trust: Do staff apply a “Reality Check” to data received from third-party suppliers (e.g., NavData updates) before using it?
  • [ ] Media Handling: Is there a clear “Clean Bridge” procedure for scanning USB sticks before they touch a critical asset?

5. The “Response” Check (IS.OR.220)

Do they know what to do when the screen goes red?

  • [ ] Containment: Does your staff know the immediate steps to Disconnect and Isolate a compromised device (e.g., putting an EFB into Airplane Mode)?
  • [ ] Recovery: Are they trained to revert to manual backups (e.g., raw data navigation, paper charts) to maintain airworthiness?

How to Close the Gap

If you checked “No” on any of the boxes above, your organization may be at risk of a Level 2 finding during your next audit.

Raven’s EASA Part-IS Awareness Training covers every single point in this checklist.

  • Mapped: Content maps directly to IS.OR.240 and AMC1.
  • Role-Specific: Includes dedicated scenarios for Flight Ops and Maintenance.
  • Instant Certification: Enroll your team today and get the “Competence” evidence you need.

FAQ

What is IS.OR.240?

IS.OR.240 is a regulatory requirement under EASA Part-IS (Regulation (EU) 2023/203) that mandates that all aviation personnel acquire and maintain information security competence appropriate to their role.

Who needs Part-IS training?

The regulation applies to all personnel with access to civil aviation information systems, including pilots, cabin crew, maintenance engineers, and ground operations staff.

What is the deadline for IS.OR.240 compliance?

The final deadline for full compliance with EASA Part-IS, including staff competence, is February 22, 2026.
