On 22 February 2026, the EU Regulation Part-IS for aviation organizations will come into force. They must manage information security risks in a way that best protects civil aviation safety. Many already rely on an ISMS according to ISO 27001 – but is that enough for Part-IS compliance? Our experts Andrea Rupprich and Wienke Schumacher show in a practical way how ISO 27001 serves as a solid basis and how you can efficiently harmonize both requirements.
Part-IS requirements: What does the regulation mean for your company?
Part-IS requires regulated organizations to implement an information security management system (ISMS). The aim is to systematically identify, assess and treat risks in order to better protect civil aviation against cyberattacks. Supervision is carried out by the European Aviation Safety Agency (EASA) and national aviation authorities such as the German Federal Aviation Authority (Luftfahrt-Bundesamt, LBA). The regulation is based on ISO 27001, but supplements the standard with additional requirements. If you already operate an ISMS, you can integrate Part-IS requirements in a targeted way and thus save time and resources.
You can find out more about the basics in our article: Part-IS: The 7 Most Important Questions
Part-IS vs. ISO 27001: What you need to know for your compliance
Part-IS and ISO 27001 both pursue the goal of implementing information security in a structured way. The comparison highlights overlaps, differences, and additional requirements introduced by Part-IS.
Similarities
- ISMS as a core requirement: Both sets of rules require the introduction of an information security management system with clearly defined roles, processes and responsibilities.
- Asset management: Managing and protecting critical assets is a key element in both approaches.
- Incident management: Structured processes for detecting, reporting and dealing with security incidents are mandatory.
- Management commitment: Both ISO 27001 and Part-IS rely on the involvement of company management and the establishment of a safety culture.
- Documentation and verification: Both require comprehensible, documented processes and regular reviews (audits or official controls).
- Continuous improvement: Both systems are based on a management system approach (PDCA cycle) that provides for continuous optimization.
Differences
- Scope: For Part-IS, the ISMS scope must cover at least the regulated parts of the organization. An ISO 27001 certificate with a smaller scope is not enough.
- ISMS: Standalone vs. integrated: An ISMS according to ISO 27001 can be established independently in the company. An ISMS in accordance with Part-IS must be integrated into the existing safety management system in accordance with aviation law requirements (e.g., EU Regulation 965/2012) and must not be operated in isolation.
- Security vs. Safety: ISO 27001 focuses on information security (confidentiality, integrity, availability), while Part-IS has a broader goal: aviation safety.
- Business risks vs. safety risks: ISO 27001 primarily assesses business risks. Part-IS requires a focus on information security risks with an impact on flight safety. The risk analyses must be adapted.
- Regulatory oversight vs. certification: ISO 27001 is audited by accredited certification bodies, whereas Part-IS is subject to official oversight by EASA and national aviation authorities (e.g., LBA), which also monitor other aviation law requirements. The consequences are more serious: while ISO 27001 deviations mean the loss of a certificate, non-compliance with Part-IS can jeopardize the organization's regulatory approval.
Part-IS implementation: Typical pitfalls and how to avoid them
These differences directly affect implementation. To help you be prepared, we have compiled the most common stumbling blocks for you:
- Insufficient scope: An ISMS according to ISO 27001 only covers Part-IS if the scope is identical or larger. Partial certifications are not sufficient and are not accepted by authorities.
- Lack of safety integration: Part-IS requires the active embedding of safety areas in the ISMS. A purely IT-driven ISMS does not meet the requirements.
- Inappropriate risk analysis: For Part-IS, risk analyses must cover safety-critical processes and assess the impact of information security risks on flight safety.
- Underestimated regulatory oversight: Violations of Part-IS can lead to loss of regulatory approval and severe operational consequences.
Harmonizing Part-IS and ISO 27001: How to succeed in integration
The pitfalls mentioned above show how quickly implementation can become complex. Our experts Andrea Rupprich and Wienke Schumacher therefore recommend a structured approach that uses synergies in a targeted manner and reduces effort:
- Perform a gap analysis: Identify differences between your existing ISMS and the Part-IS requirements. In particular, check scope, safety integration and regulatory requirements.
- Adapt governance structures: Establish clear responsibilities. Position the (C)ISO as the central interface between information security and safety management.
- Expand processes: Use established ISMS processes for asset, risk and incident management and add safety-relevant criteria and reporting channels.
- Involve authorities at an early stage: Coordinate with EASA or national aviation authorities in good time to avoid compliance risks and create planning security.
Part-IS compliance: Your roadmap
The countdown is on: As of 22 February 2026, Part-IS becomes mandatory. Use ISO 27001 as a springboard: Expand the scope, add safety aspects to risk analyses and create clear governance interfaces. In this way, you turn existing strengths into a real competitive advantage, secure your certification and increase your resilience in the aviation sector.
Would you like to check whether your ISMS complies with Part-IS? Our experts will accompany you in the gap analysis and implementation. Please feel free to contact us.