Across Europe, operators and Part-145 organisations are already working hard to keep their SMS effective under EASA’s performance-based oversight.
Now EASA Part-IS adds another layer: information security risks that can affect aviation safety have to be managed with the same discipline as “traditional” hazards – and that has direct implications for how your aviation safety management software (SMS) runs in practice.
On paper, SMS and Part-IS look like separate programmes. In reality, they overlap heavily in one place: your safety data and the tools you use to manage it. That’s where most EASA Part-IS SMS requirements will show up day to day.
This article explores that link and looks at why the choice between spreadsheets and an EASA Part-IS compliant SMS platform is no longer just about convenience. It’s increasingly about protecting against risk and maintaining compliance.
A quick refresher: What Part-IS actually changes
EASA Part-IS introduces an Information Security Management System (ISMS) framework for aviation organisations and competent authorities. Its goal is simple to state and hard to implement: protect the confidentiality, integrity and availability of information that could impact aviation safety.
At a high level, Part-IS expects organisations to:
Identify information assets that are relevant to aviation safety.
Assess information security risks that could affect those assets.
Put in place appropriate organisational and technical controls.
Monitor and improve those controls as part of a management system.
Be able to demonstrate all of the above to the competent authority.
In other words, Part-IS treats cyber and information risks in a similar way to operational safety risks – structured, documented and continuously managed.
For the full regulatory text, EASA’s Easy Access Rules for Information Security (Part-IS) consolidate Regulations (EU) 2023/203 and 2022/1645, together with the related AMC/GM, in one place.
Why SMS sits right in the middle of Part-IS
If you read the Part-IS material with an SMS lens, one thing jumps out quickly: safety data is front and centre.
Most organisations already treat safety reports, hazard logs, risk assessments and safety meeting minutes as sensitive information. Part-IS effectively formalises this by asking:
What happens if someone changes a risk assessment without detection?
What if a safety action is removed or closed early in the system?
What if an attacker gains access to safety reports and uses them to target weaknesses?
What if critical safety information simply isn’t available when you need it?
Those questions map almost perfectly to the confidentiality, integrity and availability triad that sits at the heart of information security.
That’s why your SMS implementation is now a core Part-IS concern. The way you collect, store, protect, share and trace safety data is no longer just a performance or usability issue – it’s an information security risk that could have a direct impact on aviation safety.
Spreadsheet SMS in a Part-IS world
In many organisations, the “SMS system” is still a mix of:
Email inboxes for safety reports.
Shared folders with spreadsheets and Word/PowerPoint files.
Local copies of risk matrices or registers on laptops.
A patchwork of access permissions and informal workarounds.
Under “classic” SMS thinking, these tools were already causing friction: slow reporting, fragmented data, weak traceability, heavy admin.
In our earlier article on the operational cost of inadequate SMS tools we looked at how many operators and Part-145s still rely on this kind of setup and the impact it has on reporting culture, trend analysis and day-to-day safety decision making.
We’ve also shown in our article on why legacy SMS and spreadsheet-based tools are so inefficient that these frictions quietly add operational cost long before you even consider information security.
Part-IS adds another dimension:
How do you prove who had access to a given safety report or risk assessment, and when?
How do you show that only authorised changes were made – and by whom?
Can you demonstrate that critical safety data would still be available after an information security incident?
Can you show that safety data shared with third parties is protected according to its sensitivity?
Spreadsheet-and-email SMS setups struggle with these questions because they were never designed as controlled, auditable information systems. They were a pragmatic, low-cost way to get started – not a long-term answer for a world where safety and information security are explicitly linked.
What auditors and authorities will look for in practice
Different authorities will emphasise different aspects of Part-IS, but there are some common themes you can expect when your SMS is in the spotlight.
1. Clear ownership and scope for safety information
You’ll need to be able to show:
What you consider to be “safety-relevant information”.
Who owns the risk for that information.
How it flows across your organisation and to external parties.
If your SMS is spread across multiple spreadsheets, shared drives and personal inboxes, even producing this basic map becomes a challenge.
2. Evidence of controls, not just written procedures
Policies and procedures are important, but Part-IS is ultimately about what happens in reality.
Auditors are likely to ask:
Can you demonstrate role-based access to safety data in practice?
Can you show how changes to risk assessments, actions or controls are authorised and recorded?
Can you produce logs or histories of who did what, and when?
If the answer to any of these relies on “we think so” or manual checks, that’s a warning sign.
3. Resilience and continuity for safety information
Part-IS also cares about what happens when things go wrong:
If there’s a cyber incident, how will you ensure access to critical safety data?
How will you know whether safety records have been tampered with?
What’s your plan if a key file or folder goes missing or becomes corrupted?
Again, it’s not enough to say “we take backups”. Authorities will expect you to show how safety information, specifically, will remain available, accurate and trustworthy.
Why legacy tools struggle with Part-IS expectations
None of this means spreadsheets, shared folders or email are “bad” in themselves. They’re just not designed to meet formal information security requirements in a way that’s:
Consistent,
Traceable, and
Proportionate to the risks involved.
A few of the typical issues we see:
Weak or inconsistent access control
Shared passwords for “team” emails.
Folders granted wide access “for convenience”.
Copies of safety files stored locally on individual devices.
Even if your IT team has strong central controls, the behaviour around safety information at the working level often undercuts them.
Limited or no change traceability
Spreadsheets edited directly with no version history.
Risk ratings overwritten as situations change.
Actions closed without a clear record of who approved the closure.
When you’re asked to show who changed what, when and why, you can easily end up with assumptions and email trails instead of hard evidence.
Fragmented and duplicated data
Multiple versions of the same risk register in different folders.
Local “working copies” that are never fully reconciled.
Attachments forwarded and re-saved repeatedly.
In a Part-IS context, this fragmentation makes it harder to:
Identify your true information security risk exposure.
Demonstrate that your controls cover all critical safety data.
Respond quickly to an incident affecting particular systems or files.
Where REDiFly SMS makes Part-IS compliance and security easier
Part-IS doesn’t tell you to buy a particular tool. It tells you to manage information security risks that can affect aviation safety in a structured way.
The challenge is doing that efficiently, without overwhelming your teams with extra admin.
This is the environment we designed aviation SMS software like REDiFly SMS for — not just to manage safety data, but to make it easier to meet both SMS and Part-IS expectations without adding complexity.
At a practical level, that means:
1. One controlled location for all safety data
Safety reports, investigations, risk assessments, actions and meeting records live in a single, structured system.
Access is governed by roles and permissions, not by ad-hoc folder structures.
You can see, at a glance, who can access what.
For operators looking to extend the same approach to technical records, our REDiFly eTechlog brings aircraft technical log data into the same controlled, digital environment.
2. Built-in traceability and history
Every key record has an audit trail.
You can see who created, edited, reviewed and closed items.
Changes are logged instead of overwritten.
This makes it much easier to show, during an audit, how you protect the integrity of safety information over time.
3. Availability and resilience by design
Safety data is stored centrally with appropriate backup and recovery processes.
Critical information is not tied to individual laptops, personal inboxes or local files.
If one device or location is compromised, your safety data is still accessible.
That directly supports the availability side of Part-IS, without your team needing to become infrastructure experts.
4. Proportionate controls, not blanket lockdowns
Because the system is built around real SMS workflows, controls are applied in a way that:
Fits how safety teams actually work.
Encourages reporting instead of discouraging it.
Balances security with usability.
That’s essential if you want your aviation SMS software to support both safety performance and Part-IS expectations, instead of becoming a bottleneck.
Where to go from here
EASA Part-IS is not “just an IT project”. For most operators and Part-145 organisations, it’s a safety project with a strong information security component.
If your SMS currently runs on spreadsheets, shared folders and email, now is the time to:
Map where your safety data lives, how it flows and who has access.
Identify the main information security risks that could affect aviation safety.
Decide whether your current tools can realistically support Part-IS expectations.
Evaluate whether moving to an EASA Part-IS compliant SMS platform would reduce both operational and information security risk.
The sooner you join up your safety and information security thinking, the easier it will be to demonstrate to authorities that you’ve understood – and addressed – what Part-IS really means for your SMS.
Ready to see what a Part-IS ready SMS looks like in practice?
If you’d like to see how REDiFly SMS could work in your operation, hit the button below to book a call with our team. We’ll walk through your current setup, identify the main SMS and Part-IS pain points, and show you how a digital safety management platform can help.
We’re currently running an early adopters programme for operators who come on board in this initial phase, including:
Preferential pricing and favourable long-term rates
Direct input into our roadmap based on your workflows
Priority onboarding and support during implementation
Click the button below, pick a time that suits you, and let’s explore whether REDiFly SMS is a good fit for your operation.