Having the Right People Is the Key to Successful Part-IS Compliance

  • Writer: Luka Pace Bonello
  • 3 days ago

Updated: 2 days ago

When organisations struggle with EASA Part-IS compliance, the root cause is rarely technology. More often than not, it is people.


An Information Security Management System (ISMS) is not a document set and it is not a tool. It is a management system that relies on people to support it, implement it, operate it, monitor it, and continuously improve it. Without the right people in the right roles, even the most well written ISMS will fail in practice.


If you read my previous article, where I break down the core elements of a safety-focused ISMS, you already know that people play a core role in an effective management system. Under Part-IS, this principle is formalised through explicit regulatory requirements on personnel, roles, responsibilities, and governance, specifically under IS.I.OR.240 (Personnel requirements).


This article provides a clear and practical breakdown of the key personnel required under Part-IS, what each role is responsible for, and how to implement these requirements in a way that actually works in the real world.



Why People Are Central to Part-IS Compliance


Part-IS is a safety regulation. Its purpose is to ensure that information security risks which could impact aviation safety are effectively managed. That cannot be achieved through policies alone.


People are responsible for leadership, decision making, oversight, implementation, monitoring, and corrective action. Without defined accountability, authority, and competence, an ISMS becomes theoretical rather than operational.


Part-IS recognises this reality by mandating specific key roles that must be appointed within an organisation. These roles form the governance backbone of your ISMS and are essential for both compliance and effectiveness.


Key Personnel Required Under Part-IS


According to IS.I.OR.240, organisations subject to Part-IS must appoint four key roles. These roles are not optional and they are not interchangeable.

They are:


  • The Accountable Manager;

  • The Nominated Person, or Part-IS Responsible Person;

  • The Compliance Monitoring Function; and

  • The Common Responsible Person, where applicable.


Each role serves a distinct purpose within the ISMS governance structure. Understanding the differences between them is critical.


The Accountable Manager


If your organisation already operates under other EASA regulations, the role of the Accountable Manager will be familiar.


Under Part-IS, the Accountable Manager holds ultimate accountability for compliance. This accountability cannot be delegated, even if certain responsibilities are assigned to other roles.


The Accountable Manager is responsible for ensuring that the organisation has the necessary leadership, commitment, and resources to implement and operate a compliant ISMS.


Key Responsibilities of the Accountable Manager


The Accountable Manager must demonstrate a basic understanding of Part-IS. This includes understanding its purpose, its objectives, and its core requirements. They do not need to be technical experts, but they must understand what the regulation expects from the organisation.


They are responsible for providing leadership and committed support. Under IS.I.OR.240 this is framed as corporate authority to ensure that all activities required by the regulation can be financed and carried out, which in practice means ensuring that adequate financial, staffing, and organisational resources are available to support the ISMS. Without this commitment, compliance is not achievable.


The Accountable Manager must also promote the organisation’s information security policy. The policy must be known, accessible, and relevant to personnel in line with their duties and responsibilities.


They must be made aware of non-conformities identified through audits or compliance monitoring. This ensures timely corrective action and reinforces accountability at the highest level.


Finally, the Accountable Manager must drive continuous improvement. This is achieved by receiving regular reporting on ISMS performance, including Safety Performance Indicators (SPIs), Key Performance Indicators (KPIs), audit findings, and overall effectiveness.


In practice, this reporting can be integrated into existing governance forums such as safety review boards, allowing information security to be treated as a core safety topic rather than a standalone issue.


The Nominated Person (Part-IS Responsible Person)


The Nominated Person is a management-level role responsible for ensuring day-to-day compliance with Part-IS. IS.I.OR.240 allows this to be a person or a group of persons, appointed by the Accountable Manager with a defined extent of authority. This person is in the driving seat when it comes to establishing, implementing, and maintaining the ISMS.


They act as the central coordination point between leadership, safety, and information technology functions.


Key Responsibilities of the Nominated Person


One of the primary responsibilities of the Nominated Person is to secure leadership commitment and support from the Accountable Manager. The regulation requires the Nominated Person to report directly to the Accountable Manager, so there must be a direct and effective communication channel between these two roles.


The Nominated Person is responsible for reviewing resource requirements related to ISMS establishment, implementation, and operation, and advising the Accountable Manager accordingly.


They are responsible for ensuring compliance with Part-IS requirements across the organisation.


This includes leading the establishment and implementation of the ISMS, including defining core documentation, such as the Information Security Management Manual (ISMM). The ISMM itself formalises key policies, procedures, and processes in accordance with organisational context and Part-IS requirements, as mandated under IS.I.OR.200.


The Nominated Person is also responsible for identifying or acknowledging ISMS non-conformities and developing corrective action plans to address them.


They must measure and assess ISMS performance against defined SPIs and KPIs, identifying areas for improvement and supporting continuous improvement activities.


Regular ISMS maturity assessments are also a core responsibility, ensuring that the system evolves over time rather than remaining static.


Your procedures must establish who deputises for the Nominated Person in the case of lengthy absence, so that continuity of ISMS operation does not depend on a single individual.


The Compliance Monitoring Function


Establishing an ISMS is one thing. Ensuring it remains compliant with Part-IS is another.

The Compliance Monitoring Function provides independent oversight of the ISMS and ensures that implementation aligns with regulatory requirements. Depending on organisational size and complexity, this function may be performed by one or more individuals.


Purpose of the Compliance Monitoring Function


The primary role of compliance monitoring is to verify that the organisation’s ISMS activities are compliant with Part-IS requirements. This includes assessing whether policies, procedures, and processes are implemented as intended.


Independence is critical. The Compliance Monitoring Function must have a clear and unbiased view of where the organisation is compliant and where it is not.


Findings, including instances of non-compliance, must be reported to the Accountable Manager to ensure timely corrective action. This feedback loop is essential for maintaining regulatory compliance and improving ISMS effectiveness.


Without effective compliance monitoring, organisations often develop blind spots that only become visible during competent authority oversight.


The Common Responsible Person, Where Applicable


The Common Responsible Person (CRP) role applies where an organisation shares information security organisational structures, policies, processes, and procedures with other organisations, or with parts of its own organisation that are not covered by the approval or declaration. The typical case is an organisation that already has a group-wide or corporate information security function.


If someone already holds that shared responsibility for information security, the Accountable Manager may designate them as the CRP under Part-IS. In that case, coordination measures between the Accountable Manager and the CRP must be established to ensure that information security management is properly integrated within the organisation.


Responsibilities and Limitations of the CRP


Where applicable, the Accountable Manager may delegate certain Part-IS responsibilities to the CRP. This may include corporate authority to establish and maintain organisational structures, policies, processes, and procedures necessary for ISMS implementation.


However, it is critical to understand that ultimate accountability for Part-IS compliance always remains with the Accountable Manager. This accountability cannot be delegated.


The CRP must clearly understand what Part-IS requires and how their information security responsibilities fit within the regulatory context.


While the CRP role may appear similar to that of the Accountable Manager, the distinction lies in accountability versus responsibility.


Are These the Only People You Need?


The four key roles mandated by Part-IS are essential, but they are rarely sufficient on their own.


An ISMS is an operational management system. It includes risk assessment, incident detection and response, change management, monitoring, and continuous improvement activities.


The aviation industry includes organisations of varying sizes, structures, and complexity, each facing different information security risks with potential impacts on safety.


Your organisation must ensure that an adequate number of personnel are available to perform all required ISMS activities effectively. This may include additional support roles involved in policy development, risk assessment, incident response, or technical implementation.


How to Comply With IS.I.OR.240 in Practice


Compliance with Part-IS personnel requirements requires more than assigning job titles. It requires structured implementation.


Secure Leadership Commitment


Start by engaging the Accountable Manager early. Hold an introductory meeting to explain Part-IS requirements, their responsibilities, and the resources required. Open communication at this stage is critical.


Once leadership commitment is secured, formal implementation can begin.


Obtain a Signed Statement of Commitment


The ISMM must include, or reference, a signed statement of commitment from the Accountable Manager.


This statement confirms their commitment to Part-IS compliance, adherence to the ISMM, and achievement of information security objectives.


Define the Organisational Structure


Update your organisational structure to formally assign Part-IS roles. Define competencies, responsibilities, and accountabilities for each role.


Update organisational charts and communicate roles clearly to assigned individuals. Appointed personnel must acknowledge their responsibilities in a traceable and verifiable manner.


Documentation alone is not enough. Competence and awareness must be demonstrable.


Establish a Trustworthiness Assessment Framework


People responsible for ISMS activities must be trusted. Trust is a foundational element of effective information security.


Establish a trustworthiness assessment framework to verify the identity and background of personnel involved in ISMS activities, and of anyone with access to the information systems and data in scope. Part-IS requires identity and trustworthiness to be appropriately established but does not prescribe a method. A background check including identity verification and, where national law permits it, a criminal record review is generally sufficient; document the method you apply and keep it within the limits of national employment and data protection law.


Establish a Competency Assessment Framework


An effective ISMS depends on competent people.


Define the knowledge and skills required to perform the ISMS activities established under IS.I.OR.200, and assess personnel against them, as IS.I.OR.240 requires a process to ensure that ISMS personnel are competent for their tasks.


Frameworks such as the European Cybersecurity Skills Framework developed by ENISA can support competency definition for relevant roles.


Get the Right People


Ultimately, compliance depends on having the right people in place.


Identify the resources required within your organisational context. Ensure personnel understand their responsibilities and have formally acknowledged them.


Integrating With Existing Management Systems


Most organisations subject to Part-IS already operate safety and compliance management systems.


Part-IS integration with existing systems is not only possible, but essential.


Accountable Manager and compliance monitoring roles often already exist. Extend their responsibilities to include Part-IS requirements rather than creating parallel structures.


Existing trustworthiness and competency frameworks can often be adapted. For example, aviation security background checks already required under EU regulations (e.g., Regulation (EU) 2015/1998) can support Part-IS trustworthiness requirements.


Similarly, competency assessment frameworks used for existing approvals, such as those used for Part-CAMO, can be extended to include ISMS-related competencies.


This integration is where the bridge between aviation safety and information security is built. It demonstrates to competent authorities that information security is embedded within the organisation’s safety culture rather than treated as a standalone, siloed obligation.


Information security management should enhance existing safety management, not run in parallel to it.


Final Thoughts


Part-IS compliance is not achieved through documentation alone. It is achieved through people, leadership, accountability, and competence.


By appointing the right people, defining clear responsibilities, and integrating information security into existing governance structures, organisations can build an ISMS that is not only compliant, but effective in managing safety related information security risks.


Want More Part-IS Guidance You Can Actually Use?


Every week, I share practical, actionable insights that help aviation professionals implement the core elements of an ISMS in a way that’s both effective and safety-focused.


Each article focuses on how to align information security with existing safety and compliance systems, including practical implementation tips and real world lessons learned.


If you haven’t already, subscribe to receive my Aviation Cybersecurity Brief - and get your Free Part-IS Starter Checklist, designed to help you assess your readiness and lay the right foundations for compliance.


👉 Subscribe here to join the community and implement Part-IS with clarity.
