ISO/IEC 27001 Certification: The Cornerstone for EASA Part-IS Compliance

In June 2024, we successfully completed a comprehensive process to align our documentation, procedures, and continuous risk management practices with the ISO/IEC 27001:2022 standard.
This achievement was formally verified and certified by DNV - Det Norske Veritas, a leading classification society.

Our motivation for this initiative was far beyond simply obtaining certification. We aimed to:

A) Integrate the comprehensive framework of the ISO/IEC 27001:2022 Information Security standard into our organization and software development, demonstrating our commitment to robust security protocols.

B) Proactively align with upcoming EASA Part-IS regulations (effective September 2025) by establishing a clear mapping to ISO7IEC 27001:2022 clauses and controls, facilitating compliance and integration upon implementation.

C) Enhance GALIOT SeMS to serve as a comprehensive solution for managing all aspects of security, from risk assessment to assurance, ensuring compliance with ISO/IEC 27001:2022 and EASA Part-IS regulations.

We are ISO/IEC 27001 certified. Do we still need to comply with EASA Part-IS?

EASA Part-IS requirements for Information Security Management Systems (ISMS) largely align with ISO/IEC 27001, sharing a common foundation for establishing comprehensive security controls and processes. However, Part-IS extends beyond this baseline by introducing provisions tailored specifically to the aviation safety context.

Organizations already operating an ISO/IEC 27001-compliant ISMS can leverage this framework as a starting point for achieving Part-IS compliance. A thorough analysis of the existing ISMS scope and identification of any gaps relative to Part-IS requirements will enable a targeted adaptation process.

Crucially, to fully align with Part-IS, aviation safety risks must be explicitly incorporated into the organization's risk management framework. This involves identifying and assessing these unique risks, determining appropriate acceptance levels based on relevant regulations, and implementing tailored mitigation measures.

A comprehensive mapping between the main tasks required under Part-IS and the corresponding clauses and controls in ISO/IEC 27001 is available in Appendix II of the published Acceptable Means of Compliance and Guidance Material (AMC & GM) to Part-IS. This mapping serves as a valuable resource for organizations seeking to navigate the transition towards full Part-IS compliance.