Part-IS Risk Assessment Example: The Step-by-Step Guide

You have your security policy written. You have trained your staff. But when the auditor asks for your Part-IS risk assessment, will your manual hold up?

For many Compliance Monitoring Managers (CMMs), IS.OR.205 is the most difficult part of the new Regulation (EU) 2023/203. Unlike a standard Safety Management System (SMS) hazard log, a cybersecurity risk assessment requires you to link invisible digital threats to physical aircraft safety.

In this guide, we provide a concrete Part-IS risk assessment example to help you move from theory to compliance before the February 22, 2026 deadline.

Why Most Risk Assessments Fail the Audit

Many operators make the mistake of copy-pasting a generic IT risk matrix (like ISO 27001) into their manuals. This often leads to a Level 2 finding.

EASA Part-IS is not about data privacy; it is about airworthiness. If your Part-IS risk assessment focuses only on “server downtime” or “financial loss” without mentioning flight safety, you are missing the regulatory objective of IS.OR.205.

Step 1: Identify the Critical Asset

You cannot protect everything. The first step in any valid Part-IS risk assessment is identifying “elements exposed to risks” (Critical Assets).

  • Too Vague: “Company Laptop.”
  • Compliant: “Panasonic Toughbook used for A320 Data Loading.”

Step 2: Define the Threat Scenario

EASA requires you to map a specific “Threat Scenario” to the asset.

  • Threat: Malware infection via a personal USB drive.
  • Attack Vector: The “Bridging Attack” (connecting the infected laptop to the aircraft avionics).
  • Consequence: Corruption of the FMS NavData, potentially causing a “Map Shift” during an RNP approach.

Step 3: Calculate the Safety Risk

This is the core of a Part-IS risk assessment. You must measure the risk in terms of flight outcomes, not IT headaches.

  • Likelihood: 3 (Occasional – USBs are used daily on the line).
  • Severity: A (Catastrophic – Loss of navigation integrity in poor weather).
  • Risk Level: UNACCEPTABLE.

Step 4: Apply Mitigations (IS.OR.210)

Since the risk is unacceptable, you must apply controls.

  1. Technical: Physically block USB ports on maintenance laptops.
  2. Procedural: Implement a “Clean Bridge” kiosk for scanning essential files.
  3. Competence: Ensure all personnel complete Part-IS Awareness Training to recognize rogue devices.

Example Risk Register Entry

Critical Asset ID: IS-AST-001
Critical Asset Description (IS.OR.205): Portable Data Loader (PDL). Type: Panasonic Toughbook used for A320 NavData updates.
Threat Scenario & Attack Vector:
  Threat: Malware infection via untrusted media.
  Vector: An engineer connects a personal USB drive containing malware to the PDL; the PDL is then connected to the aircraft (“Bridging Attack”).
Safety Consequence (Operational Impact): Corruption of the FMS navigation database. Potential for undetected navigation errors (“Map Shift”) during critical phases of flight (e.g., an RNP approach in IMC), leading to reduced safety margins or CFIT risk.
Initial Risk Score (L x S): 3A (Occasional x Catastrophic) – UNACCEPTABLE
Mitigating Actions (IS.OR.210):
  1. Technical: USB ports physically blocked on the PDL; autorun disabled via GPO.
  2. Procedural: Implementation of a “Clean Bridge” kiosk for mandatory scanning of all external media.
  3. Competence: All maintenance staff required to complete EASA Part-IS Awareness Training to recognize bridging risks.

Step 5: Review and Update

A static document is a non-compliant document. You must review your assessment whenever there is a “significant change” in your operation or the threat landscape (e.g., new GPS Spoofing tactics).
