WinTech ISAS
Information Security for Aviation Safety
Part-IS is in force. Your ISMS is now part of your approval.
WinTech ISAS helps airlines, airports, ANSPs, MROs, and ground handlers build, operate, and defend an ISMS that's integrated with their Safety Management System.
A legal requirement
Part-IS applies to organizations under EASA approvals, and the deadlines of October 2025 and February 2026 have now passed. Compliance is an oversight matter, not a future project.
A safety matter, not an IT matter
The regulation exists because information security risks can affect aviation safety. Your NAA expects you to treat them that way.
Evidence, not policies
Authorities expect documented processes, records, and traceability. "We have a policy" is not a passing answer.
Integration, not duplication
Regulators expect your ISMS to work with your SMS/QMS, sharing governance, risk, and audit processes, not run as a separate silo beside them.
What Part-IS changed
Four ways to engage, separately or end to end.
Wherever you are, starting from zero, stuck mid-implementation, or facing an audit, there's a matching entry point.
Each module stands alone; together they cover the full journey.
01 · Assessment & Roadmap
A regulation-first review of your current posture against Part-IS, built on interviews, documentation review, and stakeholder engagement. Gaps are rated and prioritized before they become findings.
Ideal for: organizations wanting a clear starting point, or a second opinion.
You receive:
- Gap Analysis Report
- Compliance Roadmap with priorities and timelines
- Executive briefing
02 · ISMM Development & Integration
Your Information Security Management Manual, mapped article by article to the regulation, with every required annex: RACI matrix, risk register, incident procedures, retention plan, competence and training matrix, supplier oversight. Integrated with your existing Safety and Quality systems, no duplicate structures.
Ideal for: operators with a compliance gap to close, new markets to enter, or organizational change underway.
You receive:
- Tailored ISMM and annexes
- Regulatory mapping documentation
- Approval and handover package
03 · Implementation Support
Turning the manual into daily practice: staff and management training built on aviation scenarios, governance committees stood up, risk and incident workflows activated, and integration with your technical capabilities (SOC/SIEM, vulnerability management, reporting tools) validated through tabletop exercises.
Ideal for: organizations moving from policy on paper to operating reality.
You receive:
- Training materials and records
- Committee charters
- Operational process documentation and live evidence
04 · Audit Preparation & Continuous Improvement
Internal audit and mock inspection before the real one, an evidence pack traced to every regulatory article, support during the authority's audit, and CAPA management after it, plus the KPI and review cycle that keeps compliance alive year after year.
Ideal for: organizations facing an audit, closing findings, or sustaining compliance long-term.
You receive:
- Audit evidence binder and traceability matrix
- Internal audit and CAPA reports
- Performance dashboard and improvement register
Why WinTech Security
Most firms have read Part-IS.
We've delivered it.
We worked alongside a Tier-1 European carrier's team to build and embed their Part-IS ISMM, under real regulatory scrutiny.
Real and in production
We co-built a Tier-1 European carrier's ISMM alongside their team, and it now operates in production under real NAA oversight.
Aligned with your SMS
We integrate your ISMS with your existing safety and quality processes, sharing risk and audit workflows, so it satisfies the regulator without becoming a separate silo.
Regulation as the anchor
Every output maps to Regulations EU 2023/203 and 2022/1645, backed by EASA AMC/GM, EUROCAE specifications, ISO 27001 and NIST CSF frameworks.
Ahead of the rulemaking
We track EASA NPAs and AMC/GM updates continuously, so your framework doesn't drift out of date between audits.
One manual, everything your regulator expects to find

The Information Security Management Manual is the document your NAA opens first.
Ours is mapped chapter by chapter to the Part-IS articles, and ships with every annex the regulation expects you to operate. Every chapter cross-references the regulation article it satisfies. When the inspector asks where something is written down, the answer is one lookup away.
RACI matrix
Clear ownership of every Part-IS process, from the Accountable Manager down to operational roles.
Risk register and scoring method
A methodology that rates risks by their aviation safety impact, not just IT severity.
Incident reporting and records
Internal escalation and authority notification workflows, ready to use on day one.
Competence matrix and training plan
Role-based requirements mapped to recognized competency frameworks.
Supplier oversight procedure
Security requirements and monitoring for the organizations connected to you.
KPI dashboard
The metrics that show your ISMS is improving, not just existing.
WinTech ISAS FAQ
Most organisations holding EASA approvals are in scope: air operators, maintenance and CAMO organisations, design and production organisations, approved training organisations, aerodromes, apron management, and ATM/ANS providers.
Applicability comes from two regulations, with dates of October 2025 and February 2026 that have both now passed. If you're unsure which applies to you, that's the first thing we clarify in an initial conversation.
Start now rather than waiting for the audit. Authorities assess ISMS implementation progressively, and an organization with a completed gap assessment and a roadmap in motion is in a fundamentally different position from one with nothing to show.
Our Assessment & Roadmap module exists precisely for this situation.
It helps, but it doesn't cover it. Part-IS adds aviation-specific obligations that ISO 27001 doesn't address: assessing information security risks for their impact on aviation safety, integrating with your SMS, and reporting to your aviation authority.
An existing ISO 27001 ISMS is a strong foundation, and we map what carries over and what's missing.
They stay distinct management systems with different scopes, but Part-IS expects them to work together: shared governance, aligned risk and incident processes, and common audit workflows. Authorities reject both extremes, a silo beside your SMS or a few paragraphs buried inside it.
A full end-to-end programme typically runs 6 to 12 months depending on the size and complexity of the organisation. Individual modules are shorter, and the Assessment & Roadmap can usually start within days.

Be ready when your regulator calls.