
EASA Part-IS + ISO/IEC 27001 as a single framework for operations, suppliers and resilience


Airlines, airports, MROs and IT providers in Kazakhstan, Uzbekistan, Georgia and Kyrgyzstan are increasingly required to satisfy two distinct logics at once: a sectoral (aviation) one and a managerial (corporate) one. This is why EASA Part-IS in the CIS is becoming more than just another requirement: it serves as a practical trigger to redesign security so that it genuinely supports uninterrupted flight operations and service delivery, rather than existing as a separate folder of policies.

Why aviation information security is about operations, not just IT

In aviation, a failure in digital services quickly turns into a process failure: delays, cancellations, data loss, inability to plan or maintain operations. Hence an important nuance: aviation information security is about managing risks that can directly affect operational resilience and, ultimately, safety. It does not matter where the breakdown occurs (in the network, at a contractor, or in the cloud); the consequences will be reflected in schedules and in the safety of the service.

ISO/IEC 27001: a management engine well suited to embedding aviation requirements

ISO/IEC 27001 specifies the requirements for an information security management system (ISMS): organisational context, risk assessment and treatment, controls, monitoring and continual improvement. In the region, demand for ISO 27001 in Kazakhstan and neighbouring countries often comes from businesses involved in international supply chains, the financial sector and large enterprise contracts: the standard is widely recognised, auditable and helps allocate responsibility clearly.

For a quick overview of what certification and training typically include, see the dedicated service page ISO/IEC 27001:2022 — Certification and Training, which walks through the logic of building the system from preparation to verification.

What distinguishes Part-IS — and why it should not be implemented alongside ISO as a separate system

EASA Part-IS strengthens the sector-specific dimension: expectations around threat and incident management, changes to critical systems, supplier interaction and demonstrable evidence of control effectiveness. Part-IS itself requires the organisation to operate an information security management system, which is exactly what ISO 27001 describes. The main mistake is therefore to create a standalone Part-IS system running in parallel with ISO: two risk registers, two incident processes, different roles and separate reporting lines.

A practical approach is the integration of EASA Part-IS and ISO 27001 within a single governance framework. This results in one unified information security system, where ISO defines how security is managed, and Part-IS clarifies what is critical for aviation and how this must be evidenced.

A practical integration model: one process — two sets of expectations

First, identify which processes genuinely “keep the skies running”: flight operations, engineering maintenance, ground services, communications, change management, planning and contractor access. Then build a unified matrix of “process → risks → controls → evidence”, so that every control can be traced back to the operational process it protects and forward to the record that proves it is working.

One key principle governs the whole model: it is better to have one strong process and one consistent set of records than two weak sets of documentation.

  • Aviation-focused scoping: include not only the IT department, but all systems and contractors involved in critical aviation processes (including cloud services, SOC, service desk and communication channels).
  • Single risk register: assess impact on operations (disruption to maintenance, planning or communications), not merely the technical severity of a vulnerability.
  • Change management: any change to critical systems must undergo risk assessment, testing and formal acceptance by the process owner (not solely by an administrator).
  • Incidents and exercises: one classification scheme, one management interface and regular exercises (including supplier-related scenarios and cloud outage situations).
  • Suppliers and access control: defined requirements for contractors, control of privileged access, notification obligations and verification of implemented measures.
  • Business continuity: recovery plans, recovery time and recovery point objectives (RTO/RPO), redundancy arrangements and mandatory recovery testing, with the result recorded as “tested”, not merely “planned”.

With this alignment in place, you maintain a single, governed framework that meets both sector-specific expectations and corporate requirements without duplication.

Where Part-IS + ISO projects most often fail (and how to mitigate the risks in advance)

Issues usually arise not where a document needs to be written, but where it must be demonstrated that a process is genuinely operating: records, logs, meeting minutes, exercise results, documented risk decisions and evidence of supplier oversight.

To avoid discovering these gaps during an external audit, conduct an internal review in advance and assemble a robust evidence base. The guide “How to Prepare for an ISO Internal Audit: A Step-by-Step Guide” is useful here: its structure can be applied directly to the aviation framework as well.

What to choose: ISO 27001:2013 or ISO 27001:2022 (and why this affects integration)

If you are building a system from scratch or updating an existing one, align straight away with the current edition: ISO/IEC 27001:2022 has superseded the 2013 edition, and the transition period for existing certificates has already ended. To understand the fundamental principles, begin with the explanatory article What Is ISO/IEC 27001 and How to Implement It, and then review the requirements of the ISO/IEC 27001:2022 edition. This makes it easier to align aviation expectations with the current control set and avoids having to redesign the system a year later.

If you require assistance in designing such a model tailored to regional realities, System Management in the CIS typically begins with a brief diagnostic assessment and a compliance matrix to quickly identify critical processes, mandatory evidence and an implementation plan without unnecessary bureaucracy.
