EASA Part-IS Readiness: Finding Cybersecurity Gaps Across Aviation Manuals, Suppliers, Risk Registers, and Training Records

EASA Part-IS work is not one cybersecurity policy. It is a cross-functional evidence problem: information-security manuals, safety-impact procedures, supplier files, cyber risk registers, incident response, EFB administration, OCC continuity, training records, and compliance monitoring all need to line up.

Aviation.Bot is useful here because it treats Part-IS readiness as a document workspace, not as a one-off question over one PDF.

This article walks through a fictional but realistic example: Asteria Regional Airways, a European commercial air operator preparing a Part-IS evidence-readiness review.

The demo uses public EASA source material, synthetic company files, and a real agent run. The workspace did not contain the final report upfront. Aviation.Bot inspected the sources and company files during the recorded run, then created the impact and evidence review.

This is preparation support, not regulatory advice. A qualified compliance, safety, cybersecurity, and accountable management review remains required before any real Part-IS submission, audit response, or operational change.

Why This Becomes A Workspace Problem

Part-IS asks aviation organisations to manage information-security risks with a potential impact on aviation safety. That quickly becomes bigger than an IT policy review.

A useful readiness review needs to connect:

  • official EASA Part-IS source material and AMC/GM
  • the organisation's information-security management manual
  • procedures for aviation safety impact assessment
  • cyber incident response and reporting
  • OCC, dispatch, EFB, maintenance, CAMO, and technical-publications interfaces
  • flight-planning, EFB, maintenance, and other safety-relevant suppliers
  • access control, privileged accounts, patching, vulnerability handling, and continuity procedures
  • training records and role-based awareness material
  • compliance matrices, risk registers, supplier assurance registers, and evidence trackers

The hard part is not reading one document. The hard part is finding where cybersecurity language is generic, where aviation safety impact is missing, and where audit evidence does not yet exist.

What Goes Into The Workspace

For a real review, start from official sources and keep provenance outside the visible working folder: canonical URL, access date, file version, direct download URL when applicable, file size, and checksum.
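An added example, not part of the original article or Aviation.Bot's own code: one way to keep the provenance record described above in a JSON manifest stored outside the working folder, and to detect source files that changed, disappeared, or were never recorded. The manifest layout, field names, and function names are assumptions, and the sources folder is assumed to be flat.

```python
import hashlib
import json
from datetime import date
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Stream the file so large source PDFs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_source(manifest: Path, file: Path, canonical_url: str,
                  version: str, download_url: Optional[str] = None) -> dict:
    """Add or refresh one provenance entry; the manifest lives outside the folder."""
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[file.name] = {
        "canonical_url": canonical_url,
        "download_url": download_url,  # None when there is no direct download
        "access_date": date.today().isoformat(),
        "file_version": version,
        "size_bytes": file.stat().st_size,
        "sha256": sha256_of(file),
    }
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries[file.name]


def verify_sources(manifest: Path, sources_dir: Path) -> dict:
    """Classify every file as ok, modified, missing, or untracked."""
    entries = json.loads(manifest.read_text())
    present = {p.name: p for p in sources_dir.iterdir() if p.is_file()}
    status = {}
    for name, meta in entries.items():
        if name not in present:
            status[name] = "missing"
        elif (present[name].stat().st_size != meta["size_bytes"]
              or sha256_of(present[name]) != meta["sha256"]):
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in present.keys() - entries.keys():
        status[name] = "untracked"  # present in the folder, no provenance recorded
    return status
```

Running `verify_sources` before each review session shows whether the agent is reading the same official files that were originally downloaded.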

Useful public EASA starting points include:

The demo uses those public-source categories and then adds synthetic company files, including an information-security management manual, incident response SOP, EFB administration procedure, supplier security template, compliance matrix, cyber risk register, supplier assurance register, incident log, and training matrix.

The Prompt Pattern

The visible demo prompt is bounded. It asks Aviation.Bot to separate official Part-IS material from context, inspect the company workspace, and create a review artifact.

Review the Part-IS information-security source material and the company workspace. Identify affected manuals, SOPs, supplier documents, training records, and registers. Draft reviewable updates where company wording is incomplete or stale, and save an audit-oriented impact and evidence review in outputs as part-is-impact-and-evidence-review.md.

The important pattern is:

  1. name the official source material and company files in scope
  2. ask for affected documents and missing evidence
  3. ask for reviewable updates, not approved manual text
  4. keep the output bounded as evidence-readiness support

What The Agent Did In The Demo

The recorded run used a real model, not a scripted final answer. During the run, Aviation.Bot indexed the workspace, opened the EASA source material, inspected the company information-security manual, checked supplier and risk registers, reviewed training and incident evidence, and then wrote the final Part-IS impact and evidence review.

The final output is an evidence-readiness review. It is not a finding of compliance.

The report identified practical issues such as:

  • an ISMS manual that looked ISO-style but did not clearly classify aviation safety impact
  • incident response language without a strong safety-effect triage path
  • supplier assurance records that needed better coverage for safety-relevant systems
  • EFB and operational technology procedures that needed stronger data-integrity and escalation controls
  • compliance monitoring records that needed clearer evidence, owners, due dates, and corrective-action status
  • training material that needed to distinguish flight operations, OCC, maintenance, EFB, supplier, and compliance responsibilities

Why This Is Better Than A One-Off Chat Upload

Uploading a single PDF to a chat tool can help with reading. It does not solve the Part-IS evidence problem.

For Part-IS readiness, the useful workflow is:

  1. keep official sources and company evidence in one working folder
  2. index PDFs, Word files, spreadsheets, and notes together
  3. let the agent inspect original source files and target documents
  4. map each finding to a document, owner, evidence request, and review status
  5. create a reviewable output in the same workspace
  6. let accountable humans verify and approve each next step

Aviation.Bot is designed around that loop. The generated review is just another workspace file, and the user can continue from it instead of copy-pasting between a PDF viewer, spreadsheet, file browser, and chat session.

What To Ask The AI To Produce

For a serious readiness review, ask for a report with sections like:

  • scope and assumptions
  • source hierarchy and source status
  • applicability caveats
  • affected company documents
  • direct terminology hits
  • indirect safety-impact and supplier-interface gaps
  • draft controlled-document update proposals
  • evidence requests for audit readiness
  • training and role impacts
  • register updates
  • open human-review questions
  • recommended next actions

The most useful output is not a broad cybersecurity summary. It is a traceable worklist that a compliance manager, safety manager, cybersecurity owner, supplier manager, training owner, and accountable manager can review.

What To Avoid

Do not ask any AI tool to certify Part-IS compliance. Do not treat generic ISO 27001 language as automatically sufficient for aviation safety impact. Do not let supplier cyber evidence stop at "IT vendor" when flight planning, EFB, maintenance records, OCC communications, crew planning, and technical-publications systems may affect operations.

Also avoid flattening all sources into one pool. Current EASA material, AMC/GM, FAQs, company policies, supplier documents, and contextual cybersecurity material do not have the same authority or use.

The useful promise is narrower and more practical: reduce the search tax, make the evidence gap visible, and create reviewable updates for accountable humans.

How Aviation.Bot Can Help

For Part-IS work, Aviation.Bot helps turn a scattered evidence set into a reviewable folder: official EASA source PDFs, information-security manuals, incident procedures, supplier files, risk registers, training matrices, audit checklists, and generated evidence reviews can all stay together.

You can choose the AI model or provider that fits your data boundary. Use a capable cloud model when policy allows it, or use a local/offline model when cybersecurity records, supplier files, company policy, or EU GDPR concerns require tighter control. Aviation.Bot then adds the document workflow: indexing, source inspection, file-aware chat, generated reports, reviewable output files, and human approval before the result is used.

Learn more at aviation.bot.