Why planning determines implementation success
Part-IS touches nearly every part of an aviation organisation: safety, operations, ICT, engineering, suppliers, HR, and training. Given the breadth of impact, it’s no surprise that the problems we see most often relate to planning:

- unclear ownership of responsibilities
- documentation reflecting legacy frameworks
- underestimated scope across systems and suppliers
- inconsistent terminology across teams
- lack of early risk visibility
- timelines misaligned with regulatory or operational cycles

Even organisations with advanced cybersecurity maturity often struggle with integration and traceability, key areas highlighted in Part-IS. Integration issues can result from difficulties in connecting different security tools and processes, while traceability challenges arise when maintaining clear audit trails or linking actions to users. Strong planning is essential to address these gaps and ensure effective implementation.

Effective planning ensures clarity, ownership, and alignment among all stakeholders before implementation begins. By establishing a phased timeline that aligns with EASA deadlines and operational cycles, you can prioritise the early submission of key documentation and ensure that each stage of delivery is well-coordinated and strategically sequenced.

1. Scope definition and objectives
Define the scope of your organisation’s ISMS, ensuring it aligns with aviation safety principles and Part-IS regulations. Establish clear objectives that address regulatory requirements, operational needs, and stakeholder priorities. Appoint key roles—such as the Accountable Manager and Compliance Monitoring Manager—to oversee implementation and ongoing compliance.

2. Gap analysis & initial risk assessment
Identify gaps in processes, documentation, and maturity compared with Part-IS requirements. At the same time, assess critical assets, systems, suppliers, operational dependencies, threat scenarios, and safety impacts.

3. Documentation, training, and continuous review
Develop or update key documentation, such as the Information Security Management Manual (ISMM), to incorporate ISMS policies and procedures. Provide targeted training to personnel on security awareness and ISMS responsibilities, and implement continuous monitoring, reporting, and regular audits to ensure ongoing compliance and improvement.

EASA pre-applicability submissions include:

- First version of the ISMM, which may be integrated with other manuals or expositions.
- The ISMS change procedure (Part-IS point IS.I/D.OR.255).
- An initial risk assessment covering: activities, facilities, systems, interfaces with other organisations, and major internal and external threat scenarios.
- Evidence of internal compliance monitoring, identifying any areas not at “Present” and “Suitable” level and including a corrective action plan.

These submissions demonstrate readiness for operational implementation and regulatory oversight.