Part-IS: Building a Safety-Focused Information Security Management System.

  • Writer: Luka Pace Bonello
  • Dec 14, 2025

Part-IS is, at its core, a safety regulation - one that complements existing aviation regulation, rather than standing apart.


It applies to organisations already approved under Part-ORO, Part-CAMO, or Part-145, as well as Approved Training Organisations (ATOs). In this way, Part-IS acts as an extension of these domains, enhancing rather than replacing them.


It doesn’t introduce new activities or redefine your operations. Instead, it secures what you already do by embedding information security into your existing safety and compliance systems.


While the introduction of an Information Security Management System (ISMS) might seem like another layer of complexity, its purpose is quite the opposite. A well-integrated ISMS works within your existing structure (not alongside it), ensuring that information security becomes an everyday part of safeguarding aviation safety.


That integration is where the true value of Part-IS lies: aligning safety, compliance, and information security into one cohesive system that strengthens your organisation’s resilience from the inside out.



A Breakdown of a Safety-Focused ISMS


An ISMS under Part-IS is composed of several defined elements, each with a specific purpose in achieving compliance. However, before getting lost in documentation or procedural details, it’s worth focusing on the core foundations: the pillars that determine whether your ISMS will simply exist on paper or genuinely enhance your organisation’s resilience and safety.


Let’s explore these key components and why they matter.


Leadership Support - The Foundation for Success


No ISMS succeeds without leadership backing. Top management - especially the accountable manager - must visibly support and prioritise information security. Their commitment provides direction, resources, and legitimacy. Without it, even the best-designed ISMS will struggle to gain traction.


Scope - Defining What You Protect


Your ISMS scope is the backbone of your entire framework. It defines what your organisation intends to protect - and by extension, what falls outside that protection.


Scope should never be based on personal opinion or convenience. It must align with your organisation’s activities, commitments, and the goals of Part-IS: to secure the information, systems, and processes that directly or indirectly impact aviation safety.


Ask the right questions early:


  • Which operational systems are essential to safe performance?

  • How does safety-relevant information flow through the organisation?

  • What dependencies exist with third parties, partners, or shared infrastructure?


A well-defined scope focuses effort where it matters most and avoids the trap of spreading limited resources too thin.


Information Security Policy - Setting the Tone


The Information Security Policy defines your organisation’s philosophy toward information security. Much like your safety policy, it sets expectations, direction, and accountability. It should clearly describe:


  • How your organisation manages information security risks that could affect aviation safety,

  • The commitment to comply with Part-IS requirements, and

  • The measurable objectives for continual improvement.


The policy should also touch on how your organisation approaches securing its systems, infrastructure, and data.


Ultimately, this document communicates your approach toward protecting safety-critical information - not just to regulators, but to your own people. It turns information security from an abstract concept into a shared responsibility linked to the organisation’s safety mission.


The Information Security Management Manual (ISMM) - Your ISMS Blueprint


If there is one document that defines your ISMS, it is the Information Security Management Manual (ISMM).


This manual outlines how your organisation, its people, and its processes work together to meet the requirements of Part-IS. It explains your ISMS’s structure, governance, and procedures - from risk management and incident handling to documentation control and improvement cycles.


You’ll notice strong similarities between the ISMM and manuals required under other domains like Part-145, Part-CAMO, or Part-ORO. This is intentional. Identifying these commonalities enables you to integrate the ISMS seamlessly with your existing management systems.


A well-written ISMM becomes a living reference that guides how your organisation maintains its information security every day.


Risk Management - The Core of Part-IS


At the heart of Part-IS lies risk management. The regulation demands a risk-based approach because information security, like safety, is about understanding and managing threats before they turn into incidents.


Your task is to identify information security risks with a potential impact on aviation safety and assess whether they require treatment.


This is where the disciplines of information security and safety management meet. Combining both perspectives produces a richer understanding of risk and ensures your mitigation strategies are grounded in both technical and operational reality.


Getting this part right is not only key to compliance - it’s what makes your ISMS meaningful, effective, and most importantly, relevant to your organisation.


Incident & Vulnerability Management - Building Resilience


No system is ever completely secure. The question is not if an incident will happen, but when.


A strong ISMS prepares your organisation to detect, respond to, and recover from incidents with minimal disruption to safety and operations.

This involves:


  • Monitoring systems and data for signs of abnormal activity;

  • Reporting and escalating incidents through predefined channels;

  • Investigating vulnerabilities before they are exploited; and

  • Coordinating with your Safety Management System when incidents have safety implications.


The faster your organisation can detect and recover from an information security incident, the less impact it will have on safety and business continuity.


Continuous Improvement - Keeping the ISMS Relevant & Effective


A static ISMS quickly becomes obsolete. Aviation is constantly evolving: new technologies, changing threats, and regulatory updates mean that what worked yesterday might not be sufficient tomorrow.


Your ISMS must evolve in step with your organisation. Continuous improvement ensures it remains effective, relevant, and adaptive.


Regular reviews, internal audits, and management evaluations are essential. They allow you to identify gaps, analyse trends, and take corrective action before issues grow.


The objective here is progress. It’s about maintaining an ISMS that grows stronger with every lesson learned, every audit finding, and every near miss.


A Shift in Mindset: Follow the Information


Understanding the structure of an ISMS is one thing. Making it work effectively under Part-IS requires a different mindset altogether.


An ISMS is not unique to aviation; many industries use it to manage their information security risks in a structured, repeatable way. What makes its implementation under Part-IS distinct is why it exists.


Part-IS is about strengthening aviation operations by ensuring that the information supporting them remains reliable, secure, and available. In aviation, even small data inconsistencies can have operational or safety implications. That’s why the ISMS under Part-IS must focus on maintaining trust in the information your organisation depends on every day.


This requires shifting perspective - from seeing information security as a purely technical function to understanding it as a critical enabler of safe and continuous operations.


To do this effectively, start by asking:


  • Where does vital operational information exist within our organisation?

  • How is it created, shared, and protected?

  • Which systems and people influence its accuracy (integrity) and availability?


When you follow the information, your ISMS becomes a practical, safety-aligned system that strengthens resilience and builds confidence across your entire organisation.


Final Thoughts


Integrating your ISMS within your existing safety and compliance systems ensures efficiency, consistency, and a shared focus on safety.


The goals of Part-IS are straightforward:


  1. Manage information security risks that could affect aviation safety.

  2. Detect and respond to incidents early to limit their impact.

  3. Recover quickly to maintain safe and reliable operations.


Success depends on collaboration. IT, information security, safety, and compliance teams must work together - using a shared understanding of risk and a common goal: protecting safe operations.


Bridging these disciplines is the true purpose of Part-IS and the key to turning compliance into real safety value.


Want More Part-IS Guidance You Can Actually Use?


Every week, I share practical, actionable insights that help aviation professionals implement the core elements of an ISMS in a way that’s both effective and safety-focused.


Each article focuses on how to align information security with existing safety and compliance systems, including practical implementation tips and real-world lessons learned.


If you haven’t already, subscribe to receive my Aviation Cybersecurity Brief - and get your Free Part-IS Starter Checklist, designed to help you assess your readiness and lay the right foundations for compliance.

