{"id":53378,"date":"2024-10-23T14:58:19","date_gmt":"2024-10-23T12:58:19","guid":{"rendered":"https:\/\/www.usd.de\/?p=53378"},"modified":"2025-01-08T16:24:37","modified_gmt":"2025-01-08T15:24:37","slug":"7-questions-on-part-is","status":"publish","type":"post","link":"https:\/\/www.usd.de\/en\/7-questions-on-part-is\/","title":{"rendered":"Part-IS: The 7 Most Important Questions"},"content":{"rendered":"\n<p>Civil aviation consists of a complex network of numerous interrelated systems that are increasingly becoming the target of cyber attacks. Part-IS is intended to oblige the organizations involved to take effective measures to protect themselves against information security risks that could affect flight safety.<\/p>\n\n\n\n<p>Our experts Andrea Rupprich and Wienke Schumacher answer the 7 most important questions about Part-IS and, with the help of their insights from implementation and consulting projects, provide tips for your optimal preparation.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:20%\"><\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:25%\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/www.usd.de\/wp-content\/uploads\/\/Andrea-Rupprich-usd-AG-1024x1024.jpg\" alt=\"Andrea Rupprich, Expertin f\u00fcr Part-IS\" class=\"wp-image-33598\" \/><figcaption class=\"wp-element-caption\">Andrea Rupprich<\/figcaption><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:10%\"><\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:25%\">\n<figure class=\"wp-block-image size-full\"><img 
loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/www.usd.de\/wp-content\/uploads\/Wienke-Schumacher-usd.jpg\" alt=\"Wienke Schumacher, Expertin f\u00fcr Part-IS\" class=\"wp-image-42882\" \/><figcaption class=\"wp-element-caption\">Wienke Schumacher<\/figcaption><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:20%\"><\/div>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"#1\" data-type=\"internal\" data-id=\"#1\">What is Part-IS?<\/a><\/li>\n\n\n\n<li><a href=\"#2\" data-type=\"internal\" data-id=\"#2\">What are the objectives of Part-IS?<\/a><\/li>\n\n\n\n<li><a href=\"#3\">Who is affected by Part-IS?<\/a><\/li>\n\n\n\n<li><a href=\"#4\">What are the main requirements of Part-IS?<\/a><\/li>\n\n\n\n<li><a href=\"#5\">What impact does Part-IS have on the processes in the company?<\/a><\/li>\n\n\n\n<li><a href=\"#6\">How does an ISMS according to Part-IS differ from an ISMS according to ISO 27001?<\/a><\/li>\n\n\n\n<li><a href=\"#7\">How do you best start implementing Part-IS?<\/a><\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"1\">1. What is Part-IS?<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.usd.de\/en\/security-consulting\/part-is\/\">Part-IS<\/a> (Part Information Security) refers to two EU regulations with very similar content.<\/p>\n\n\n\n<p>One is the European Commission's \u201cImplementing Regulation 2023\/203\u201d and the other is the European Commission's \u201cDelegated Regulation 2022\/1645\u201d. The \u201cDelegated Regulation 2022\/1645\u201d applies to manufacturing and design organizations, as well as aerodrome operators and providers of apron control services.<\/p>\n\n\n\n<p>Both have the objective of managing information security risks that could potentially impact aviation safety. In short, Part-IS requires that companies falling within the scope of the regulation must establish an ISMS. 
Transposition into national law is not necessary.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"2\">2. What are the objectives of Part-IS?<\/h2>\n\n\n\n<p>Safety risks in the airline industry have always been rigorously managed. Every incident in the aviation industry results in extensive investigations with the aim of improving processes to avoid similar incidents. Despite such efforts, the attacks of September 11 were able to happen. In the final report on the terrorist attacks, the most serious mistake was noted as \u201ca lack of imagination\u201d \u2013 people simply did not have enough imagination to come up with such a drastic scenario (exact quote: \u201cThe most important failure was one of imagination.\u201d).<\/p>\n\n\n\n<p>See the 9\/11 Report here: <a href=\"https:\/\/911commission.gov\/report\/911Report_Exec.htm#:~:text=Since%209\/11,%20the%20United%20States%20and%20its#:~:text=Since%209\/11,%20the%20United%20States%20and%20its\" target=\"_blank\" rel=\"noopener\">National Commission on Terrorist Attacks Upon the United States (911commission.gov)<\/a>.<\/p>\n\n\n\n<p>With increasing digitalization, the scenario of a \u201ccyber 9\/11\u201d is conceivable, in which an attacker no longer even has to board the aircraft, but can cause catastrophic damage by digitally manipulating and remotely controlling it. Part-IS is a measure to counter and guard against precisely this worst-case scenario.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"3\">3. Who is affected by Part-IS?&nbsp;<\/h2>\n\n\n\n<p>A number of organizations that are already regulated by other aviation regulations are affected. 
The \u201cImplementing Regulation 2023\/203\u201d applies to the following organizations:<\/p>\n\n\n\n<p>a) maintenance organizations (\"Part-145 organization\", technical maintenance of aircraft)&nbsp;<\/p>\n\n\n\n<p>b) continuing airworthiness management organizations (\"CAMO organization\", monitoring aircraft maintenance activities)&nbsp;<\/p>\n\n\n\n<p>c) air operators subject to Annex III (Part-ORO) to Regulation (EU) No 965\/2012 (\u201cAOCs\u201d, i.e. companies that hold an Air Operator Certificate and are able to carry out flight operations on the basis of this)<\/p>\n\n\n\n<p>d) approved training organizations (ATOs)&nbsp;<\/p>\n\n\n\n<p>e) aircrew aero-medical centers&nbsp;<\/p>\n\n\n\n<p>f) flight simulation training device (FSTD) operators (except where the training is exclusively theoretical)<\/p>\n\n\n\n<p>g) air traffic controller training organizations (ATCO TOs) and ATCO aero-medical centers<\/p>\n\n\n\n<p>h) organizations subject to Annex III (Part-ATM\/ANS.OR) to Implementing Regulation (EU) 2017\/373 (these are providers of \u201cAir Traffic Management\u201d and \u201cAir Navigation Systems\u201d, with restrictions, for example, on air traffic in connection with drones)<\/p>\n\n\n\n<p>In addition to these organizations, the relevant authorities, such as the EASA or the LBA in Germany, must also implement Part-IS.<\/p>\n\n\n\n<p>The \u201cCommission Delegated Regulation (EU) 2022\/1645\u201d applies to manufacturing and design organizations, as well as aerodrome operators and providers of apron control services.<\/p>\n\n\n\n<p>The audit activities that the relevant authorities already carry out with regard to applicable aviation requirements are extended to include Part-IS.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"4\">4. 
What are the main requirements of Part-IS?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Requirement IS.I.OR.240 Requirements for personnel<\/h3>\n\n\n\n<p>Part-IS requires the establishment of a new role, the so-called \u201cAppointed Person Information Security\u201d (APIS), who is responsible for compliance with the requirements in the organization. There is also the option of designating a group as APIS. This person is responsible for everything required in Part-IS with regard to information security and represents Part-IS compliance to the authorities. Alternatively, for more complex organizational structures, there is the option of designating a \u201cCommon Responsible Person\u201d who can take on this role across organizations.<\/p>\n\n\n\n<p>In addition to the \u201cAPIS\u201d, Part-IS requires other, already established roles such as those of the Accountable Manager or the Compliance Monitoring Manager.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Requirements IS.I.OR.205 Assessment of the information security risk and IS.I.OR.210 Dealing with the information security risk<\/h3>\n\n\n\n<p>The most elaborate requirement is probably the one for risk management. As is usual in an ISMS, information security risks should be identified, evaluated and treated. A particular feature of Part-IS is that this must be based on a comprehensive asset inventory. Specifically, the organizations should \u201cidentify all elements [\u2026] that could be exposed to information security risks.\u201d This includes:<\/p>\n\n\n\n<p>1. the organization's <strong>activities<\/strong>, <strong>facilities<\/strong> and <strong>resources<\/strong>, as well as the <strong>services<\/strong> the organization operates, provides, maintains or upholds;<\/p>\n\n\n\n<p>2. the <strong>equipment,<\/strong> <strong>systems,<\/strong> <strong>data<\/strong> and <strong>information<\/strong> needed for the elements listed in item 1 to function;<\/p>\n\n\n\n<p>3. 
the <strong>interfaces<\/strong> between organizations that could lead to them being exposed to each other's information security risks.<\/p>\n\n\n\n<p>Finally, Part-IS requires particular attention to those information security risks that could have a negative impact on the safety of flight operations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Requirement IS.I.OR.250 Information Security Management Manual (ISMM)<\/h3>\n\n\n\n<p>Another requirement that is indispensable for Part-IS compliance is the \u201cInformation Security Management Manual\u201d (ISMM). This is where all roles, responsibilities and core processes of the implemented Part-IS ISMS are documented. Part-IS strictly defines which aspects must be included in the ISMM. The ISMM ultimately serves as evidence of compliance and must be presented to the relevant authorities to demonstrate that Part-IS has been implemented.&nbsp;<\/p>\n\n\n\n<p>It is possible to incorporate the contents of the ISMM into existing manuals required under aviation law, such as an approved safety management manual for an approved aviation company.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"5\">5. What impact does Part-IS have on the processes in the company?&nbsp;<\/h2>\n\n\n\n<p>In principle, the existing processes of organizations regulated under aviation law must be expanded to include the management of information security risks. The legal text fits into the existing requirements and ties in with many familiar aspects, for example in the requirements for internal and external reporting or in the specifications for compliance monitoring management (internal audit system).<\/p>\n\n\n\n<p>The difficulty is that Part-IS forces organizations to consider not only safety in the sense of operational safety, but also information security issues. In this context, Part-IS is primarily concerned with intentional or illegal acts that deliberately endanger the life and limb of people. 
The exclusive assumption of intentional and malicious acts represents a certain change in mindset when considering risks in aviation safety.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"6\">6. How does an ISMS according to Part-IS differ from an ISMS according to ISO 27001?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The requirements for an ISMS according to ISO 27001 are very general in order to be applicable to a wide range of companies. The ISMS according to Part-IS, on the other hand, is very specific \u2013 it is designed for a specific application and is aimed at specific companies that are already subject to strict aviation requirements. The use case is formulated somewhat indirectly: \u201cinformation security risks with a potential impact on aviation safety\u201d.<\/li>\n\n\n\n<li>The ISMS according to ISO 27001 focuses on a company's information security. Part-IS also deals with information security, but its specific aim is to ensure aviation safety.<\/li>\n\n\n\n<li>An established ISMS according to ISO 27001 offers companies a head start in terms of expertise, especially when it comes to managing information security risks. However, Part-IS ultimately remains an aviation regulation with very specific requirements that an ISO 27001 ISMS cannot fulfill without additional work, if only because of the specific organization of safety management in the aviation industry, which is characterized by the strict requirements of the authorities. This means that a Part-IS ISMS must be integrated into the existing aviation management systems.<\/li>\n\n\n\n<li>If a company already has an ISMS, there is an opportunity to implement Part-IS at least in part by harmonizing the two management systems. In this case, it makes sense to look at which measures exist on both sides and how bridges can be built. 
The ISMS according to ISO 27001 could be designed to optimally support the requirements of Part-IS.&nbsp;<\/li>\n\n\n\n<li>In particular, the ISMS organization can provide valuable impetus in the areas of asset management, risk management and incident management.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"7\">7. How do you best start implementing Part-IS?<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p>In any case, not too late \u2013 February 2026 is not that far away and, depending on the size and complexity of your company, a lot of internal coordination may be necessary. Besides, the ISMM content is quite extensive.<\/p>\n\n\n\n<p>Two key factors determine your approach:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Size\/complexity of the company (number of regulated organizations within the company, number of supervisory authorities involved, complexity of the internal organization)<\/li>\n\n\n\n<li>Is there already an ISMS, and if so, what is its level of maturity and how well is the existing ISMS anchored in the Part-IS regulated organization?<\/li>\n<\/ol>\n\n\n\n<p>We recommend the following next steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conduct a gap analysis as the first important step<\/li>\n\n\n\n<li>Clarify the (target) organization for establishing and maintaining Part-IS compliance<\/li>\n\n\n\n<li>To get clarity about the scope, collect the relevant assets under Part-IS in a timely manner, for example, to be able to estimate the effort required for risk assessments<\/li>\n\n\n\n<li>It can also be beneficial to start sounding out the relevant authorities at an early stage and to contact the known auditors from the authorities if you have any uncertainties or ideas for implementation<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<p><\/p>\n\n\n\n<p>Stay up to date: We will be publishing more articles with detailed information about Part-IS in our news blog. 
(For example: Part-IS in the context of other standards and regulations, such as ISO 27001 and NIS-2).<\/p>\n\n\n\n<p>Do you have any questions about <a href=\"https:\/\/www.usd.de\/en\/security-consulting\/part-is\/\">Part-IS<\/a> in the meantime or need support? <a href=\"https:\/\/www.usd.de\/en\/contact-form-security-consulting\/\">Contact us<\/a>, we are happy to help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Civil aviation consists of a complex network of numerous interrelated systems that are increasingly becoming the target of cyber attacks. Part-IS is intended to oblige the organizations involved to take effective measures to protect themselves against information security risks that could affect flight safety. Our experts Andrea Rupprich and Wienke Schumacher answer the 7 most [&hellip;]<\/p>\n","protected":false},"author":91,"featured_media":53420,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[373,1969],"tags":[11205,11207,11147,548,542,543,11149,11150],"class_list":["post-53378","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-en","category-isms-en","tag-aviation","tag-aviation-safety","tag-flugsicherheit","tag-information-security","tag-informationssicherheit-en","tag-isms-en","tag-luftfahrt-en","tag-part-is-en"],"_links":{"self":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/53378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/users\/91"}],"replies":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/comments?post=53378"}],"version-history":[{"count":5,
"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/53378\/revisions"}],"predecessor-version":[{"id":54762,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/53378\/revisions\/54762"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media\/53420"}],"wp:attachment":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media?parent=53378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/categories?post=53378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/tags?post=53378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}