Part-IS Record-Keeping Under IS.I/D.OR.245: Why Documentation Is Your First Line of Defence

Published On: 28 February 2026 - Categories: Part-IS Compliance News

In a regulated industry where the stakes are as high as aviation, demonstrating compliance is as important as achieving it. Under Commission Implementing Regulation (EU) 2023/203, EASA Part-IS establishes a structured framework requiring aviation organisations to manage information security risks through a formal Information Security Management System. At the core of that framework sits a requirement that is often underestimated in its scope and significance: IS.I/D.OR.245, the record-keeping obligation.

Whether you hold an Air Operator Certificate, operate as a CAMO, or fall under Part-145 or Part-ORA, this requirement is not a background administrative task. With competent authority audits now underway following the February 2026 applicability deadline, the question is no longer whether your organisation has an ISMS in place. It is whether you can prove it.

If you are reviewing your organisation’s readiness following the applicability date, our article EASA Part-IS Compliance Due by 22 February 2026 explains which organisations are affected and how competent authority audits are expected to proceed. Furthermore, the full legal text of Commission Implementing Regulation (EU) 2023/203, which introduces the Part-IS framework, is available on the official EUR-Lex legislation portal.

What IS.I/D.OR.245 Requires

IS.I/D.OR.245 mandates that organisations establish and maintain records that demonstrate compliance with the Part-IS framework. Those records must be accurate, complete, and protected from unauthorised access or alteration. They must be retained for defined periods and be readily retrievable whenever a competent authority requests them.

The scope is broad. It covers information security policies, risk assessments, risk treatment plans, incident reports, training records, internal audit findings, corrective actions, governance decisions, and any changes made to the ISMS itself. The principle that regulators apply during oversight is unambiguous: if it is not documented, it did not happen.

The official regulatory text and supporting guidance for these requirements can be reviewed in the EASA Easy Access Rules for Information Security, which compile the regulation together with the associated Acceptable Means of Compliance and Guidance Material.

Why It Matters More Than Most Organisations Realise

Many organisations treat documentation as a back-office function, something to tidy up before an audit rather than maintain as an operational discipline. Under Part-IS, that approach carries real risk. Authorities do not assess intent during inspections; they assess evidence. A well-maintained record system allows your organisation to respond quickly and confidently to any oversight request. A disorganised or incomplete one creates the impression of a compliance programme that exists on paper but not in practice.
There is also a practical dimension that goes beyond regulatory optics. When a security incident occurs, documented historical records are essential to producing a credible root cause analysis. Without traceability, corrective actions become guesswork, and the same vulnerabilities tend to reappear. Similarly, documented risk assessments and audit findings, reviewed consistently over time, reveal patterns that no single-event review can identify. This is how organisations shift from reactive compliance to genuine risk management.
From a governance perspective, the consequences of poor documentation extend to legal and liability exposure. An organisation that can demonstrate it followed a defined process, maintained appropriate records, and acted on identified risks is in a fundamentally stronger position if a serious incident ever occurs.

Building a System That Holds Up

Understanding the requirement is the starting point. Building a system that meets it consistently under real operational conditions is where most organisations face the practical challenge.
The foundation is a formal record-keeping policy that defines which records are required, who is responsible for maintaining them, what format they must take, and where they are stored. Without that policy, record-keeping tends to depend on individual habits rather than process, and that inconsistency is exactly what auditors are trained to identify.
Storage needs to be controlled. Physical records are difficult to protect and harder to retrieve at speed. A digital system with appropriate access permissions and audit trail functionality gives your organisation the ability to demonstrate record integrity alongside record content, both of which IS.I/D.OR.245 requires. Retention rules need to be documented as well, with different schedules applied to different record types and a clear disposal process that is itself auditable.
Traceability matters at the individual record level too. Every document should carry identifiers showing who created it, when, what version it is, and who approved it. This is particularly important for risk registers and corrective action plans, where version control directly affects whether your organisation can demonstrate that it identified a risk and responded to it. Personnel with ISMS responsibilities also need to understand what records they are required to produce and to what standard, and your internal audit programme should be checking documentation quality, not just operational activity.
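
One way to make the audit trail and per-record traceability described above checkable, shown as an added example (not code from Aero Compliance Solutions, EASA or the regulation): a hash-chained record log that flags altered entries, missing creator/date/version/approver fields, and version numbers that do not increase. The field names, record IDs and sample entries are constructed assumptions; Part-IS does not prescribe this format.

```python
import hashlib
import json

# Traceability fields the text calls for: who created it, when, which version, who approved it.
REQUIRED = ("record_id", "created_by", "created_at", "version", "approved_by")
GENESIS = "0" * 64  # assumed starting value for the first entry's "prev" link

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record content always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(trail, record):
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": dict(record), "prev": prev, "hash": entry_hash(prev, record)})

def audit(trail):
    """Return (index, problem) findings; an empty list means the trail verifies."""
    findings, prev, latest = [], GENESIS, {}
    for i, e in enumerate(trail):
        rec = e["record"]
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:
            findings.append((i, "missing " + ",".join(missing)))
        # Each entry must link to its predecessor and match its own content.
        if e["prev"] != prev or e["hash"] != entry_hash(e["prev"], rec):
            findings.append((i, "hash chain broken"))
        rid, ver = rec.get("record_id"), rec.get("version")
        if isinstance(ver, int):
            if ver <= latest.get(rid, 0):
                findings.append((i, "version not increasing"))
            latest[rid] = max(ver, latest.get(rid, 0))
        prev = e["hash"]
    return findings

def build_sample():
    # Constructed entries: two versions of a risk register, one unapproved corrective action.
    rows = [("RR-001", 1, "a.meyer", "c.iso"), ("RR-001", 2, "a.meyer", "c.iso"),
            ("CAP-007", 1, "b.kovac", "")]
    trail = []
    for n, (rid, ver, author, approver) in enumerate(rows):
        append(trail, {"record_id": rid, "version": ver, "created_by": author,
                       "created_at": f"2026-01-{12 + n:02d}T09:00:00Z",
                       "approved_by": approver, "summary": "constructed sample"})
    return trail

if __name__ == "__main__":
    print(audit(build_sample()))
```

A hash chain only exposes tampering if the latest hash is also held somewhere the record owner cannot rewrite, such as a write-once store or a separately controlled log.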

Record-Keeping and ISMS Maturity

EASA’s oversight framework assesses ISMS implementation across three maturity levels: Present and Suitable, Operating, and Effective. An organisation cannot be considered Operating unless its ISMS is actively generating records that demonstrate it is functioning in practice. The Effective level, which represents the goal of continuous improvement, requires those records to be used to drive meaningful change.
IS.I/D.OR.245 is not simply a supporting obligation within the framework. It is one of the clearest indicators of whether an ISMS is real or theoretical. Organisations with strong, consistent record-keeping are, almost by definition, operating a more mature compliance programme, and that maturity is exactly what competent authorities are looking for.

How Aero Compliance Solutions Can Help

At Aero Compliance Solutions, we work with aviation organisations across Europe to build ISMS frameworks that are genuinely functional, not just compliant on paper. Our packages cover gap analysis, documentation development, and the practical implementation of record-keeping systems aligned with IS.I/D.OR.245. Our AeroScan tool complements this by scanning your IT infrastructure and producing detailed, traceable reports of findings, vulnerability distribution, and security action items, giving your organisation documented evidence of its security posture that feeds directly into your ISMS records.
Whether you are an AOC holder preparing for your first cyber audit, a CAMO working through implementation, or a Part-145 organisation looking to tighten your documentation standards, contact Aero Compliance Solutions today to find out how we can help you build a record-keeping system that stands up to scrutiny.

What Is ISMS?

An Information Security Management System (ISMS) is a structured framework that helps aviation organisations protect their information, systems, digital assets, and operational data from security threats. It ensures confidentiality, integrity, and availability of critical information through policies, risk management, processes, monitoring, and continuous improvement.

How does SMS differ from usual safety procedures or checklist culture?

Traditional safety procedures or checklists are often reactive and task-based (e.g., “did we complete the checklist?”). An SMS is proactive and systemic: it embeds hazard identification, risk management, safety assurance and continuous improvement in organisational culture and processes. It moves beyond procedural compliance to performance-based monitoring and improvement. In other words, it provides “control & oversight”, “stability & security” and constant attention to emerging threats.

Why is an SMS important for aviation organisations?

Aviation operations are inherently complex and high-risk. An SMS ensures that safety is integral, not an add-on. By having formal processes to capture hazards, perform risk assessments, trigger corrective and preventive actions, and monitor performance, organisations can reduce incidents, improve operational resilience, and maintain regulatory compliance. ACS emphasises that newer regulations such as EASA Part‑IS require integration of information security frameworks with SMS frameworks – showing that safety and security are now tightly interconnected.

What is a Safety Management System (SMS)?

A Safety Management System (SMS) is a structured, organisation-wide approach to managing safety risks. In aviation organisations it provides the framework to identify hazards, assess and mitigate risks, monitor performance, and continually improve safety outcomes. An SMS brings together policies, procedures, roles & responsibilities, reporting systems, risk management and assurance activities.

How can Aero Compliance Solutions help with ISMS implementation?

Aero Compliance Solutions specialises in helping aviation organisations meet EASA Part-IS requirements.

Their services typically include:

  • Gap analysis
  • Information-security risk assessments
  • Policy and procedure development
  • Integration of ISMS with existing SMS
  • Supplier chain and interface control mapping
  • Incident-response planning
  • Compliance monitoring

Their structured aviation-specific approach ensures organisations achieve compliance and real-world resilience.

Is an ISMS required by aviation regulators?

Yes, for many organisations.

Under EASA Part-IS, the following entities must implement an ISMS aligned to aviation requirements:

  • Air operators (AOC holders)
  • CAMOs
  • Ground handling service providers
  • Aerodromes
  • ANSPs
  • Continuing airworthiness entities

Even outside EASA states, many regulators follow ICAO guidance to strengthen cyber resilience.

Why is an ISMS important in the aviation industry?

Aviation is highly dependent on digital systems – flight operations, maintenance, navigation, crew management, dispatch, and communication platforms. A cyberattack or data breach can disrupt flight safety, ground operations, or regulatory compliance.

EASA Part-IS now mandates that operators, airlines, CAMOs, ground handlers, and ANSPs have a formal ISMS in place to manage information-security risks in an integrated, systematic way.

What is EASA?

EASA stands for the European Union Aviation Safety Agency. It is the regulatory authority responsible for civil aviation safety across Europe, setting rules, standards, and guidelines for airlines, maintenance organizations, and aviation service providers. EASA oversees compliance with regulations such as Part-IS, ensures Safety Management Systems (SMS) are in place, and provides certification for aviation organizations to maintain safe and secure operations.

Learn more about EASA and its role

What is Part-IS?

Part-IS refers to the EASA (European Union Aviation Safety Agency) regulation for Information Systems and Safety Management in aviation organizations. It is part of EASA’s compliance framework, ensuring aviation companies have proper Information Security Management Systems (ISMS) and Safety Management Systems (SMS) in place to protect operations, data, and safety-critical processes.

Read the complete guide on Part-IS for aviation organizations

What is aviation cybersecurity?

Aviation cybersecurity is the practice of protecting aviation systems, data, and communications from cyber threats. It ensures compliance with EASA Part-IS and secures safety management systems (SMS).

Aviation Cybersecurity – EASA

What is a cyber attack?

A cyber attack is any attempt to gain unauthorized access, steal data, or disrupt digital systems. In aviation, these can compromise ISMS, SMS, and operational safety.

Cyber Attacks Explained – CSO Online

What is a supply chain attack?

A supply chain attack targets vulnerabilities in third-party vendors or partners to access an organization’s systems. Aviation operators must secure their suppliers to maintain safety and compliance.

Supply Chain Attacks – CISA

What is ransomware?

Ransomware is malware that encrypts files or systems and demands a ransom for access. In aviation, ransomware can disrupt operations and compromise safety-critical data.

Ransomware explained – Kaspersky

Who is / what is the European Union Aviation Safety Agency (EASA)?

The European Union Aviation Safety Agency (EASA) is the regulatory authority responsible for civil aviation safety in Europe. EASA develops regulations, monitors compliance, and issues certifications, including standards for cybersecurity and Part-IS.

EASA Official Website

What is MFA?

MFA stands for Multi-Factor Authentication. It requires users to provide two or more verification factors to access a system, such as a password and a code sent to a mobile device. MFA is crucial for aviation cybersecurity.

Read more about MFA from Microsoft
