EASA Part‑IS Compliance Roadmap (From Zero to Audit‑Ready)

Executive Summary

Scope

Implement a practical, right-sized ISMS aligned with Part-IS.I.OR, covering governance, risk, policies, technical controls, incident response, and supplier assurance.

Outcome

Be audit-ready in 12 weeks with evidence packs, trained staff, and a maintained improvement backlog. No external certifications required to start.

Responsibilities

A Accountable Manager/CEO

R Information Security Manager (ISM)

C IT Lead, Safety/Quality, DPO

I All staff

12‑Week Plan (Phases 1–6)

Phase 1 Mobilise & Gap Assessment (W1-2)

Kick-off and baseline against Part-IS.I.OR

Appoint ISM; define scope, stakeholders, approval path
Inventory assets: product, infrastructure (Cloud FR / on-prem), data flows
Perform gap assessment vs Part-IS.I.OR requirements
Initial risk screening and priority map

Deliverables: PID, RACI v1, Asset Register, Gap Report, Risk Heatmap

RACI: A CEO, R ISM, C IT Lead/Quality, I All

Phase 2 Governance & Policy Foundation (W3-4)

Establish ISMS governance and policy pack

ISMS charter; management commitment and objectives
Policies: Information Security, Access Control, Risk, Change, Backup/Recovery, Vendor/Supplier, Incident, Acceptable Use
Integrate with SMS/Quality processes and management review cadence

Deliverables: ISMS Charter, Policy Pack v1, Governance Calendar, ISM role description

RACI: A CEO, R ISM, C Safety/Quality, I All

Phase 3 Risk Assessment & Control Design (W4-6)

Threats, risks, and a Statement of Applicability

Define risk methodology, criteria, and register
Assess risks across product, hosting (EU FR/on-prem), identity (in-app), and operations
Design control set aligned to Part-IS expectations; draft SoA

Deliverables: Risk Method, Risk Register, SoA v1, Control Implementation Plan

RACI: A ISM, R ISM/IT, C DPO/Quality, I All

Phase 4 Technical & Operational Controls (W6-8)

Implement high-impact controls

Identity/RBAC, MFA, least privilege; secure in-app accounts
Logging/monitoring, vulnerability mgmt, patching, EDR/AV
Encryption at rest/in transit, key mgmt; backups (daily, encrypted, tested)
Change/release control integrated in SDLC; secure configs, secrets handling
Supplier assurance: DPAs, security questionnaires, SLA/security clauses

Deliverables: Config baselines, Hardening guides, Backup/Restore tests, Supplier Assurance Pack v1

RACI: A ISM, R IT Lead, C Legal/Quality, I All

Phase 5 Training, IR & Exercises (W8-10)

People and readiness

Security awareness for all; role-based deep-dives for admins/dev
Incident Response plan/runbook; reporting workflows and authorities
Table-top exercise (security incident affecting aviation safety)

Deliverables: Training records, IR Plan/Runbook, Exercise report, Communications templates

RACI: A CEO, R ISM, C Safety/Quality/IT, I All

Phase 6 Internal Audit & Evidence Pack (W10-12)

Prove it and plan improvements

Internal audit against Part-IS.I.OR; corrective actions (CAPA)
Management review; metrics and decisions logged
Compile authority/customer evidence pack; prepare readiness letter

Deliverables: Audit report, CAPA log, Management review minutes, Evidence Pack v1

RACI: A CEO, R ISM, C Quality, I All

RACI Matrix

Roles: AM/CEO (Accountable Manager), ISM (Information Security Manager), IT (IT Lead), QMS (Quality/Safety), DPO (Data Protection Officer)

Workstream	AM/CEO	ISM	IT	QMS	DPO
Governance & Charter	A	R	I	C	I
Risk Management	I	R	C	C	C
Policies & Procedures	A	R	C	C	C
Identity & Access (in-app)	I	C	R	I	I
Hosting (Cloud FR / on-prem)	I	C	R	I	I
Logging/Monitoring	I	C	R	I	I
Incident Response	A	R	C	C	C
Supplier Assurance	A	R	C	C	C
Awareness & Training	A	R	C	C	I
Internal Audit & CAPA	A	R	I	R	I

Supplier Assurance Pack

Company & Product

Security overview (scope, hosting options, identity model)
Data residency: EU/France by default
Architecture & data flow diagrams
SDLC & change management summary

Controls & Evidence

Policies pack + SoA extract
Access control model (RBAC, MFA)
Backup, DR and restore test evidence
Logging/monitoring overview; vulnerability management

Legal & SLA

DPA, data retention, breach notification
Security SLAs (availability, RTO/RPO)
Shared responsibility model: Cloud FR vs on-prem
Contact details for ISM and incident reporting

Hosting & Identity (EU cloud, on‑prem, in‑app accounts)

We align hosting and identity with Part‑IS expectations for access control, data protection, logging/traceability, and business continuity. We use ISO 27001–certified cloud providers; we don’t claim our own certifications yet (we provide readiness and evidence).

1 / 6

EU/France Cloud Hosting

Regions: EU data residency by default (France). Provider: OVHcloud.
Security: Encryption at rest (AES‑256) and in transit (TLS 1.3). Hardened configurations and secret management.
Resilience: Daily encrypted backups; optional geo‑redundancy and point‑in‑time restore.
Evidence: Hosting attestation (provider ISO 27001), backup/restore test report, architecture and data‑flow diagrams.

On‑Premise Option

Packaging: Docker or Kubernetes with reference manifests and hardening guidance.
Control boundary: You keep all data within your infrastructure; we provide updates and support.
Customer responsibilities: Physical, network, and platform security; backup storage and DR facilities.
Evidence: Hardening checklist, config baselines, update/patching procedure.

Identity & Access (In‑App Accounts)

Model: In‑app user accounts with role‑based access control (RBAC) and least privilege.
Authentication: Strong passwords and MFA support; session management with configurable timeouts.
Traceability: Full user/action logging for operational and compliance events.
SSO: Optional (e.g., Google Workspace) when enabled; initial deployments typically use in‑app accounts.
Evidence: Access control model (roles/permissions), MFA policy, sample audit logs.

Data Residency & Sovereignty

Default: All primary and backup data stored in the EU (France by default).
On‑prem: Data never leaves your infrastructure unless you choose an external backup target.
Contractuals: DPA and data‑processing clauses aligned with EU requirements.

Shared Responsibility (Summary)

FA Solutions: Application security, RBAC model, encryption features, logging; backup/restore tooling and tests (cloud) or guidance (on‑prem).
Customer: User provisioning and approval, role assignment, incident escalation paths; infrastructure security on‑prem (and selected cloud options like VPC and firewall rules).

How this supports Part‑IS

Access control and authentication (RBAC, MFA) → meets access governance expectations.
Encryption, backup, and DR → safeguards confidentiality, integrity, and availability.
Logging and audit trails → enables monitoring, traceability, and investigations.
EU/FR data residency and on‑prem pathway → supports sovereign hosting and data control.

Regulatory References (link to AMC/GM PDF)

Implementing Regulation (EU) 2023/203 Part-IS (Information Security)
Annex II Organisation requirements (Part-IS.I.OR)
AMC & GM to Part-IS.I.OR Issue 1 (EASA). Direct link: EASA PDF