Gary Jones, Product Manager, Veryon
By Gary Jones, Product Manager, Veryon
EASA Part-IS (Information Security) is no longer a line item on a future roadmap. It is officially part of the compliance reality for approved aviation organizations across Europe.
With applicability dates now set at October 16, 2025, for certain organizations, such as design and production organizations and airports, and at February 22, 2026, for Part-145 maintenance organizations, CAMOs, AOC holders, ANSPs, and others, the industry has crossed an important threshold.
The conversation has shifted. This is no longer about planning for Part-IS. It is about proving it works, day in and day out.
At this stage, organizations subject to Part-IS are expected to have a functioning Information Security Management System in place, not just a binder on a shelf. That typically includes:
-
Clearly documented information security policies and governance structures
- Named and accountable roles responsible for information security oversight
- Formal information security risk assessments
- Defined mitigation strategies for risks that could impact safety
- Integration of ISMS processes with existing Safety Management Systems and Quality Management Systems
- Incident detection, response, and reporting procedures that actually get exercised
Regulators are increasingly focused on evidence of effectiveness, not just completeness of documentation. Authorities want to see that an ISMS is:
-
Embedded in everyday operations
- Reviewed and updated on a regular basis
- Subject to internal audit and management review
- Considered within supplier oversight and change management processes
In practical terms, Part-IS is now an ongoing management responsibility, not a one-time compliance exercise.
Information security is a shared ecosystem responsibility
Under Part IS, accountability rests squarely with the approved organization. But in reality, information security in aviation is shaped by a broader digital ecosystem.
Maintenance systems, technical records platforms, inventory tools, GSE systems, and analytics solutions all sit inside the operational environment that organizations must assess, monitor, and control as part of their ISMS.
That is where technology partners matter.
At Veryon, we recognize that our platforms are not just tools. They are part of our customers’ regulated operating environment. Supporting compliance and operational resilience is not an add-on. It is core to how we design, govern, and operate our solutions.
Secure-by-design capabilities that support ISMS maturity
Veryon’s aviation software portfolio spans maintenance tracking, digital logbooks, inventory management, GSE management, and advanced analytics. Across these platforms, we focus on building security and traceability directly into the system architecture.
Capabilities that support Part-IS objectives include:
- Role-based access controls that align with operational responsibilities
- Structured audit trails and system event logging
- Secure data handling and encryption practices
- Controlled integrations through documented APIs
- Defined change management processes
- High availability architectures and disaster recovery support
For approved organizations, these capabilities help demonstrate oversight of safety-relevant information systems and maintain traceability across the digital maintenance lifecycle.
ISO-aligned governance and supplier assurance
Supplier oversight is one of the areas where many organizations are feeling increased scrutiny under Part-IS. Regulators now expect approved entities to actively assess and monitor the security posture of critical ICT providers.
That includes:
-
Documenting supplier risks within the ISMS
- Understanding how digital suppliers manage security and resilience
- Periodically reviewing supplier controls and response capabilities
Veryon operates within internationally recognized ISO-aligned governance frameworks designed to support structured information security management and continuous improvement.
We support our customers’ supplier assurance activities through:
- Transparent documentation of security controls
- Clearly defined governance and accountability structures
- Support for customer security reviews and assessments
- Established incident response and communication processes
This approach is designed to make it easier for customers to confidently include Veryon systems within their Part-IS risk management scope.
The real work starts after the compliance date
While the initial applicability dates have passed, Part-IS introduces an ongoing supervisory cycle. Mature organizations are now focusing on:
- Updating risk assessments as digital environments evolve
- Conducting periodic ISMS internal audits
- Reviewing and refining mitigation measures
- Testing incident response and recovery procedures
- Strengthening supplier governance and third-party oversight
- Demonstrating active management review and accountability
As oversight activity increases, the ability to show consistency, maturity, and operational effectiveness will matter just as much as technical controls.
Part-IS in practice for CAMOs and Part-145 organizations
For CAMOs and Part-145 maintenance organizations, EASA Part-IS turns information security into an operational requirement, not an IT exercise. Regulators are looking for clear evidence that safety-critical maintenance data is protected, traceable, and available when it matters.
Veryon Tracking+ supports this by:
- Enforcing role-based access to maintenance records and logbook data
- Maintaining structured audit trails for maintenance actions, revisions, and approvals
- Supporting secure integrations with publications, inventory, and other operational systems
- Providing operational continuity and data availability across maintenance workflows
- Supporting internal audits, management reviews, and supplier oversight activities
Veryon Tracking+ helps CAMOs and Part-145 organizations demonstrate that information security controls are embedded in everyday maintenance operations, supporting ISMS maturity without adding unnecessary process or administrative overhead.
Veryon’s ongoing commitment
Part-IS represents a fundamental shift in how aviation treats information security. It elevates it to the same regulatory importance as safety and quality management.
Veryon fully supports that shift.
Our commitment includes:
- Maintaining strong internal governance aligned with international standards
- Continuously strengthening the security and resilience of our platforms
- Supporting customer-supplier assurance and audit activities
- Partnering with approved organizations as their ISMS programs mature
Compliance under Part-IS is not a finish line. It is a continuous journey. By working together across operators, maintenance organizations, regulators, and technology partners, the industry can ensure digital transformation continues to enhance aviation safety and operational resilience.
Veryon is proud to support that journey.