Who we are and why we exist.

Egis is a leading global architecture, consulting, construction engineering and operating firm. We work side by side with clients to build a more balanced, sustainable and resilient world.

About egis

Our purpose, our values

Our leadership team

Our awards

Vision

Our strategic vision

Our brands and acquisitions

Innovation

Digital transformation

About our CSR

Corporate Social Responsibility

Ethics and Compliance

Diversity and gender equality

Policies and charters

Our stakeholders

Egis Foundation

Our activities

We work alongside our clients on every step of their journey. Across every aspect of transport, infrastructure and the built environment. All around the globe.

Transport

Maritime and waterway

Major structures

Geotechnical engineering

City

Buildings

Cities

Industrial & Process Engineering

Sports & Events

Sustainable resources

From idea to operation.

Combining deep technical expertise with close collaboration, we help design and operate smart, sustainable transport, cities and utilities — unlocking success for our clients.

Advisory & Delivery

Architecture

Consultancy and advisory

Design and engineering

Programme and project management

Training and certification

Managing & operating

Infrastructure management

Mobility and urban services

Road users services

On street parking management

Transformation

Global footprint. Local perspective.

With a network that spans over 70 countries in Europe, the Middle East, India, Latin America, Africa and Asia-Pacific, we can resource projects in every region.

Europe & Central Asia

Middle East

Africa

Asia

Australia & New Zealand

Latin America

North America

Discover what’s next.

Explore emerging trends and discover in-depth reports on issues affecting the built environment, future transport and sustainable infrastructure, along with breaking company news.

News

All news

Press & media

Events

Insights & White papers

Publications

All insights •From planning to practice: a roadmap for achieving...

From planning to practice: a roadmap for achieving Part-IS compliance

Published 20.02.26

4 mins read

Share •

In our first blog, we introduced the fundamentals of Part-IS, its scope across all digital and operational systems that affect aviation safety, common misconceptions about compliance, and the distinction between existing cybersecurity frameworks like ISO 27001 and full Part-IS readiness. We highlighted how Part-IS integrates cybersecurity into Safety Management Systems (SMS), ensuring that information security is treated with the same rigour as other operational risks.

Building on that foundation, this blog focuses on the next stage of the journey: how organisations can plan strategically and establish a fully operational Information Security Management System (ISMS) that meets EASA requirements, generates audit-ready evidence, and supports continuous improvement.

Information Security Management System (ISMS) planning

Why planning determines implementation success

Part-IS touches nearly every part of an aviation organisation: safety, operations, ICT, engineering, suppliers, HR, and training. Given the breadth of impact, it’s no surprise that the problems we see most often are to do with planning:

unclear ownership of responsibilities
documentation reflecting legacy frameworks
underestimated scope across systems and suppliers
inconsistent terminology across teams
lack of early risk visibility
timelines misaligned with regulatory or operational cycles

Even organisations with advanced cybersecurity maturity often struggle with integration and traceability, key areas highlighted in Part-IS. Integration issues can result from difficulties in connecting different security tools and processes, while traceability challenges arise when maintaining clear audit trails or linking actions to users. Strong planning is essential to address these gaps and ensure effective implementation.

Effective planning ensures clarity, ownership, and alignment among all stakeholders before implementation begins. By establishing a phased timeline that aligns with EASA deadlines and operational cycles, you can prioritise the early submission of key documentation and ensure that each stage of delivery is well-coordinated and strategically sequenced.

1. Scope definition and objectives
Define the scope of your organisation’s ISMS, ensuring it aligns with aviation safety principles and Part-IS regulations. Establish clear objectives that address regulatory requirements, operational needs, and stakeholder priorities. Appoint key roles—such as the Accountable Manager and Compliance Monitoring Manager—to oversee implementation and ongoing compliance.

2. Gap analysis & initial risk assessment
Identify gaps in processes, documentation, and maturity compared with Part-IS requirements. At the same time, assess critical assets, systems, suppliers, operational dependencies, threat scenarios, and safety impacts.

3. Documentation, training, and continuous review
Develop or update key documentation, such as the Information Security Management Manual (ISMM), to incorporate ISMS policies and procedures. Provide targeted training to personnel on security awareness and ISMS responsibilities, and implement continuous monitoring, reporting, and regular audits to ensure ongoing compliance and improvement.

EASA pre-applicability submissions include:

First version of the ISMM, which may be integrated with other manuals or expositions.
The ISMS change procedure (Part-IS point IS.I/D.OR.255).
An initial risk assessment covering: activities, facilities, systems, interfaces with other organisations, and major internal and external threat scenarios.
Evidence of internal compliance monitoring, identifying any areas not at “Present” and “Suitable” level and including a corrective action plan.

These submissions demonstrate readiness for operational implementation and regulatory oversight.

Implementing Part-IS: Turning plans into practice

Implementation activates the ISMS, embedding compliance into daily operations. Regulators emphasise that an ISMS is only compliant when operating, monitored, and producing evidence.

Implementation

Key areas include:

Process Activation – Communicate procedures, train teams, and run initial cycles of risk, change, and incident management.
Risk Management – Conduct repeatable assessments, update asset registers, assign owners, and track treatment actions.
Safety–Cyber Integration – Link cybersecurity risks with safety, update hazard logs, and conduct joint reviews.
Change Management – Apply impact assessments across all ICT affecting safety, with traceable approvals.
Incident Management – Log, classify, investigate, and escalate events, generating evidence.
Supplier Oversight – Apply cybersecurity requirements in contracts, assess supplier criticality, and monitor performance.
Monitoring & Detection – Implement logging, monitoring, and alert processes consistently.
Training & Awareness – Deliver organisation-wide awareness, role-specific technical training, scenario-based exercises, and maintain competency records.

Regulators require evidence across governance, risk assessments, incident logs, change management, training, monitoring, supplier reviews, KPIs, and management decisions. Compliance is demonstrated by repeatable, traceable processes in operation.

Maintaining momentum: continuous improvement

Maintaining compliance and security is not a one-time achievement, but an ongoing commitment. Once operational, you must establish regular cycles of review and improvement to ensure your ISMS remains effective and resilient. This involves a combination of quarterly or monthly activities and annual reviews, such as:

Continuous improvement

Quarterly/Monthly

KPI reviews
Log analysis
Incident trend analysis
Governance meetings
Change-management reviews

Annual

Risk assessment
Internal audit
Management review
Supplier review
Document updates
Training refresh

Continuous improvement is core to Part-IS maturity.

Preparing for oversight audits

Audit readiness

Before the first regulatory audit, you need to prepare your teams and run through five key steps:

1. Document review – Ensure all documents reflect security best practice.
2. Evidence sampling – Risks, changes, incidents, training, and supplier reviews.
3. Process walk-throughs – Demonstrate how each Part-IS requirement operates.
4. Management interviews – Accountable roles explain responsibilities, decisions, evidence, and improvements.
5. Internal compliance audit – Align with Part-IS requirements to validate readiness.

The experience and support of independent specialists can be extremely helpful with this. Egis has worked with a number of organisations, helping to “test-drive” audits and identify any weak points ahead of formal regulatory audit stages. This has the benefit of the audit outcome helping to confirm maturity rather than undermine confidence.

From regulation to resilient operations

While cybersecurity is a relatively new discipline, safety-related and safety-critical systems are becoming increasingly interconnected with other, less (or non-) safety-critical, systems. This is especially true of the aviation and air traffic management sectors. It means that, cybersecurity cannot be considered in isolation but needs to be considered in the wider context of safety-, hazard-, and risk-management.

Implementing Part-IS is essential for safeguarding aviation safety and meeting regulatory requirements. By setting clear objectives, addressing weaknesses, and ensuring everyone understands their security role, your organisation can proactively protect its critical systems and data, building its resilience.

Achieving EASA Part-IS compliance offers valuable benefits beyond avoiding penalties. It strengthens your defences against cyber threats, increases trust with customers and partners and helps you recover more quickly from incidents (minimising losses). However, the road to compliance is resource-intensive, and specialist support can be needed.

To contact Egis’ aviation cyber and safety team, email: communications.aviation[at]egis-group.com