Part-IS Compliance: Building the Human Firewall for Aviation Safety

The aviation industry is currently navigating its most significant regulatory shift in a decade. With the implementation of Regulation (EU) 2023/203, the European Union Aviation Safety Agency (EASA) has effectively mandated that cybersecurity be treated with the same rigor as airworthiness. Embedding this shift in day-to-day operations is what Part-IS compliance requires.
For Air Operators (AOC), Maintenance Organizations (Part-145), and CAMOs, the final compliance deadline is February 22, 2026. By this date, organizations must demonstrate for Part-IS compliance that their Information Security Management System (ISMS) is not just written on paper, but fully operational within the workforce.
The most challenging aspect for many operators is IS.OR.240, which requires that all personnel acquire and maintain “information security competence appropriate to their role”.
How do you certify an entire workforce before the deadline? The answer lies in mapping your training directly to the Acceptable Means of Compliance (AMC).
The “Competence” Gap
Many organizations have excellent IT security policies but lack the evidence to prove that a pilot, mechanic, or dispatcher understands them. This “Competence Gap” is a primary target for auditors during the transition phase.
Raven has developed a dedicated EASA Part-IS Awareness Training to bridge this specific gap. Unlike generic corporate cybersecurity courses, this syllabus acts as a direct extension of your compliance manual, mapping lesson-by-lesson to the regulatory requirements.
Mapping Training to Regulation (IS.OR)
To ensure audit readiness, our curriculum is structured to satisfy the following key regulatory domains:
1. Policy Awareness (IS.OR.200)
The regulation requires that all staff are aware of the organization’s information security policy.
- The Compliance Solution: Our Cyber Hygiene module covers the mandatory “Acceptable Use Policy” elements, including Access Control (IS.OR.200(a)(3)) and the “Clear Desk / Clear Screen” policy. This provides evidenced training that your staff understand the boundaries of your network.
2. Risk Identification (IS.OR.205)
Operators must identify “elements exposed to information security risks” (Critical Assets) and specific “Threat Scenarios”.
- The Compliance Solution: We move beyond theory by training staff to recognize threats specific to their role.
  - Pilots are trained to detect GPS Spoofing and EFB anomalies.
  - Engineers learn to identify “Bridging Attacks”, where maintenance laptops can transfer malware to aircraft avionics.
  - This directly satisfies the requirement to understand “Threat Scenarios” under AMC1 IS.OR.205(b).
3. The Reporting Scheme (IS.OR.215)
An ISMS is useless if staff do not report events. IS.OR.215 mandates an internal reporting scheme that promotes a “Just Culture”.
- The Compliance Solution: The course dedicates a full module to The Internal Alert, training staff to distinguish between a “Technical Glitch” and a “Security Event.” Crucially, it reinforces that reporting a mistake (like clicking a phishing link) is a safety duty, not a punishable offense.
4. Supply Chain Integrity (IS.OR.225)
Organizations are responsible for the risks introduced by their suppliers.
- The Compliance Solution: We teach the “Chain of Trust” principle. Staff learn to apply a “Reality Check” to data received from third-party vendors (such as NavData providers) before using it operationally, ensuring the organization maintains control over supplier risks.
5. Detection and Response (IS.OR.220)
Finally, the organization must have measures to “detect, respond to, and recover from” incidents.
- The Compliance Solution: The training provides immediate operational protocols for Containment. Staff are taught the “Golden Rule” of detection (recognizing illogical system behavior) and the specific steps to Disconnect and Isolate compromised systems to prevent the spread of an attack.