Defining Your ISMS Scope Under EASA Part-IS
Luka Pace Bonello

A Practical Guide to Getting It Right Without Overcomplicating It
Defining the scope of your Information Security Management System is one of the most important decisions you will make when implementing EASA Part-IS.
It is also one of the most misunderstood.
Many organisations approach ISMS scoping as a technical exercise, or worse, as a documentation formality. Under Part-IS, scoping is neither. It is a safety-driven activity that determines which parts of your organisation must be protected against information security risks because of their potential impact on aviation safety.
If the scope is unclear, everything that follows becomes difficult. Risk assessments lose focus. Incident response boundaries blur. Oversight discussions turn into debates about inclusion rather than safety.
This article explains how to define your ISMS scope under Part-IS by focusing on aviation safety elements, exactly as the regulation intends, while keeping the process practical, defensible, and proportionate.

What Is an ISMS Scope Under Part-IS?
An ISMS scope defines the boundaries of your Information Security Management System.
Under Part-IS, those boundaries are not defined by technology alone. They are defined by aviation safety relevance.
In simple terms, your ISMS scope identifies which aviation safety elements within your organisation must be protected against information security risks because those risks could impact aviation safety.
Once an element is in scope, it becomes subject to the full set of ISMS activities required by Part-IS. This includes risk management, incident detection and response, monitoring, and continuous improvement.
This is why scoping is foundational. It sets the stage for nearly every other Part-IS requirement.
Since Part-IS demands a risk-based approach, defining your ISMS scope is the first critical step to complying with IS.I.OR.205 – the Part-IS requirement related to information security risk assessment.
It is also important to remember one key principle throughout this process: Part-IS is an aviation safety regulation. The scope of your ISMS is not about protecting everything. It is about protecting organisational elements that have an impact on aviation safety.
Understanding Aviation Safety Elements Under Part-IS
Part-IS requires organisations to identify all of their aviation safety elements that could be exposed to information security risks.
These elements fall into two groups. The first is the organisation’s activities, facilities, and resources, together with the services the organisation operates, provides, receives, or maintains. The second is the equipment, systems, data, and information that contribute to the functioning of those activities, facilities, resources, and services.
Together, these elements form the operational and informational backbone of aviation safety within your organisation.
Focusing on aviation safety elements rather than isolated information assets ensures that scoping reflects how safety is actually achieved in practice. Safety does not exist in data alone. It exists in how activities, systems, people, and information work together.
Why ISMS Scoping Matters More Than You Think
Many organisations treat ISMS scoping solely as a documentation task. In reality, it is more than that – it is a strategic decision that directly influences the effectiveness and credibility of your ISMS.
If your scope is too broad, you may end up trying to manage information security risks that have no relevance to aviation safety. This often leads to unnecessary complexity, wasted resources, and difficulty demonstrating proportionality to the competent authority.
If your scope is too narrow, you risk excluding elements that genuinely impact safety. This can lead to regulatory findings, safety exposure, and loss of confidence in your ISMS.
A well-defined scope strikes the balance. It is focused, safety-driven, and clearly justified.
The Starting Point: Identifying Your Organisational Elements
The first step in defining your ISMS scope is identifying the elements that contribute to your organisation’s operations.
This exercise goes beyond listing systems or databases. It requires understanding how your organisation operates and which elements support aviation safety.
Start by identifying your activities, facilities, resources, and services. This includes what you operate directly, what you provide to others, what you receive, and what you maintain.
Once these elements are identified, consider the equipment, systems, data, and information that support their functioning.
How these elements are identified and analysed in practice will vary significantly between organisations, depending on their size, complexity, operational context, and regulatory environment.
At this stage, the objective is visibility. You are identifying what exists and how it contributes to operations, not yet deciding what is in or out of scope.
This structured visibility forms the foundation for everything that follows.
Determining Whether an Element Impacts Aviation Safety
After identifying organisational elements, the next step is determining whether exposure to information security risks could impact aviation safety.
This assessment is central to Part-IS scoping.
Performing a Safety Impact Assessment
If an element could be exposed to information security risks that impact aviation safety, it must be included in the ISMS scope. If it cannot, it may be excluded.
The guiding question is straightforward. If an information security threat affected this element, could aviation safety be compromised?
If the answer is yes, the element belongs in scope.
If the answer is no, it may be excluded, provided the reasoning is documented and justifiable.
This assessment helps you document and justify why certain elements are included in scope and why others are excluded.
No mandatory method is prescribed for performing this assessment; approach it in the way that best suits your organisational context.
What matters is that the assessment is consistent, reasoned, and focused on aviation safety impact.
Key Questions to Support Safety Impact Assessment
The following considerations are intended to support structured thinking and discussion, rather than represent a fixed set of assessment criteria or a prescriptive methodology.
While there is no mandatory approach, defining a set of assessment questions helps ensure consistent decision making.
For example, organisations may consider:
What is this element used for in the context of the organisation’s operations?
Particular attention should be given to elements that support existing approvals or domain-specific regulations within the scope of Part-IS.
Another useful question is:
To what extent does this element support safety-relevant operations?
Examples include activities related to flight planning, weight and balance calculations, aircraft maintenance, continuing airworthiness, or navigation support.
If an element supports any safety-relevant operation, whether directly or indirectly, it should be considered in scope.
At this stage, organisations should avoid focusing too heavily on criticality. Determining how critical an element is comes later during risk assessment. Scoping is about determining relevance to aviation safety, not ranking importance.
Considering Internal and External Issues to Inform Scope
Beyond aviation safety element identification, it is vital to also consider your organisation’s internal and external context when defining the ISMS scope.
Internal issues are factors within your organisation that influence how information security is managed. These may include organisational structure, operational complexity, or reliance on certain systems.
External issues are factors outside the organisation that influence ISMS effectiveness. These may include regulatory obligations, contractual commitments, or dependencies on third-party service providers.
By considering these issues, organisations gain a clearer picture of which aviation safety elements must be included in scope to meet both regulatory and operational expectations.
The Role of Interested Parties in ISMS Scoping
Another important consideration when defining your ISMS scope is understanding your interested parties.
Interested parties are stakeholders whose needs or requirements may influence the effectiveness of your ISMS.
These may include customers, partners, suppliers, or regulators.
Through this analysis, organisations may identify obligations that require certain aviation safety elements to be included in scope. For example, contractual requirements may mandate protection of specific services or systems against information security risks.
At the same time, this analysis may identify elements that fall under the responsibility of third-party providers. In some cases, this may justify exclusion from scope, provided that the responsibilities and interfaces are clearly understood, documented, and supported with evidence.
Why These Considerations Are Essential
Internal issues, external issues, and interested parties are not abstract concepts. They help you identify obligations and responsibilities that directly affect your ISMS scope.
Without considering them, you risk overlooking aviation safety elements that must be included, or including elements that do not belong.
More importantly, this analysis demonstrates to your competent authority that your scope definition is based on structured reasoning rather than convenience.
Documenting Your ISMS Scope
Once you have identified your in-scope aviation safety elements, you must document the ISMS scope.
An ISMS scope statement does not need to be complex. Its purpose is to clearly define which aviation safety elements are in scope and will be protected against information security risks.
Equally important is specifying which elements are out of scope.
The real value lies in the justification. You must be able to explain why elements were included and why others were excluded.
This is where your safety impact assessments become essential. They provide the evidence behind your decisions.
This documented work allows your competent authority to understand the logic behind your ISMS scope definition, as well as assess its appropriateness and alignment with Part-IS objectives.
All scoping work should be reviewed by the IT manager, the information security manager, and the safety manager, and approved by the accountable manager. This reinforces accountability and oversight and demonstrates clear links between aviation safety, IT, and information security.
Keeping Your ISMS Scope Current
There is no fixed frequency for reviewing your ISMS scope.
What matters is that it remains current and relevant to your organisation’s present state.
If new activities, services, systems, or resources are introduced, they must be assessed and included in scope if they impact aviation safety.
If elements are no longer used or no longer have a safety impact, they should be removed from scope.
Scope should also be reviewed following organisational changes, regulatory changes, or changes to internal or external issues and interested parties.
A static scope is a common indicator of an ineffective ISMS.
Using ISMS Scoping to Pave the Way Forward
One of the most overlooked benefits of ISMS scoping is how essential the supporting analysis becomes for other ISMS activities.
For example, information security risk assessments require understanding how aviation safety elements function, what they support, and how their compromise could affect safety.
By performing structured analysis during the scoping stage, organisations gather much of the information needed for risk assessment later, as mandated by Part-IS requirement IS.I.OR.205. This, in turn, supports the effective execution of subsequent ISMS activities, including risk treatment, incident detection, response, and recovery, amongst others.
This makes scoping one of the most valuable ISMS activities when done properly. The effort invested early supports multiple downstream processes.
Final Thoughts
Defining your ISMS scope under Part-IS is not about creating the biggest possible boundary. It is about creating the right one.
A well-defined scope is focused on aviation safety, supported by evidence, and aligned with how your organisation actually operates.
It simplifies compliance, strengthens safety assurance, and builds credibility with your competent authority.
Most importantly, it ensures that your ISMS is protecting what truly matters: aviation safety.
Want More Part-IS Guidance You Can Actually Use?
Every week, I share practical, actionable insights that help aviation professionals implement the core elements of an ISMS in a way that’s both effective and safety-focused.
Each article focuses on how to align information security with existing safety and compliance systems, including practical implementation tips and real-world lessons learned.
If you haven’t already, subscribe to receive my Aviation Cybersecurity Brief and get your free Part-IS Starter Checklist, designed to help you assess your readiness and lay the right foundations for compliance.