← All clients

Great North Aviation · Business Aviation flavor

IT Maturity Map

Assessed 2026-06-24 · 18 domains × 5 levels

49/ 100

Target 86/100 (+37 to close the gap)

Domain heat strip (current level)

3
Strategy
3
Identity
3
Endpoint
3
Data
3
Security
2
Cloud/Fin
3
Collab
3
Network
3
ITSM
2
AI Gov
2
AI Ops
4
Flight Ops
4
Maint/MRO
3
Crew
4
SMS
3
Reg/Retention
2
FBO/OT
3
VIP Privacy
L1 Reactive / Ad-hocL2 Managed / FoundationalL3 Defined / StandardizedL4 Proactive / MeasuredL5 Optimized / Autonomous

Top 3 gaps — where to invest next

#1L3 → L5

Data Protection & Resilience

Reach L4: RPO/RTO measured against SLA, automated restore drills, immutability enforced, DLP tuned with metrics, DR runbook exercised.

#2L3 → L5

Security & Threat Management

Reach L4: Threat-informed detections measured (MTTD/MTTR), risk-based vuln remediation, purple-team exercises, SOAR playbooks.

#3L3 → L5

Aviation Regulatory & Data Retention

Reach L4: Compliance posture measured & reported; audit findings trended to closure; retention enforced & sampled for defensibility.

Domains × maturity levels — current state & next move

Strategy, Governance & KPIs

Core IT

IT strategy aligned to business objectives, an IT operating model, policies/standards, risk register, and KPIs/reporting to leadership. (Reconciled from the ForIT fractional-CTO framework — Strategy + Governance & KPIs.)

1234target5

Now — L3 Defined / Standardized

IT strategy is aligned to business goals and reviewed on a cadence; a policy set + IT operating model are defined; a KPI dashboard reports to leadership.

Next move

Strategy is outcome/metric-driven with a governed portfolio and risk register; KPIs/OKRs tie IT to business results; investments prioritised on measured value.

Identity & Access

Core IT

SSO, MFA, conditional access, joiner/mover/leaver lifecycle, PAM, least-privilege.

1234target5

Now — L3 Defined / Standardized

SSO across core apps, conditional access policies, automated JML from an HR source.

Next move

Risk-based/adaptive access, access reviews on cadence, PAM for admins, metrics on stale access.

Endpoint & Device Management (ITAM)

Core IT

MDM (Jamf/Intune), zero-touch enrollment, patch compliance, device trust, asset lifecycle (ITAM).

EFB iPads (ForeFlight/Jeppesen) enrolled in MDM; cockpit devices held to the same trust posture.

1234target5

Now — L3 Defined / Standardized

Zero-touch enrollment (Autopilot/ADE), standardized baselines, patch compliance reported, device trust required for access.

Next move

Patch/compliance SLAs measured, config drift auto-remediated, hardware/OS lifecycle tracked, risk-scored posture gates access.

Data Protection & Resilience

Core IT

Backup/DR, tested restores, retention, encryption, DLP, immutability.

Retention meets aviation hold periods for airworthiness, crew, flight & training records.

12345target

Now — L3 Defined / Standardized

3-2-1 backups with defined RPO/RTO, restores tested on schedule, immutable/air-gapped copies, DLP policies deployed.

Next move

RPO/RTO measured against SLA, automated restore drills, immutability enforced, DLP tuned with metrics, DR runbook exercised.

Security & Threat Management

Core IT

EDR/MDR, SIEM, vuln mgmt, phishing defense, tested incident response.

12345target

Now — L3 Defined / Standardized

EDR/MDR + SIEM with detection use-cases, vulnerability management with SLAs, phishing simulations, a documented and tested IR plan.

Next move

Threat-informed detections measured (MTTD/MTTR), risk-based vuln remediation, purple-team exercises, SOAR playbooks.

Cloud, Infrastructure & IT Finance

Core IT

IaC, cloud posture management, cost governance (FinOps) + license cost-effectiveness, resilience/HA. (IT Finance folded in from the ForIT framework.)

1234target5

Now — L2 Managed / Foundational

Some scripting, tagging started, cost reviewed monthly, licenses tracked in a sheet, basic redundancy.

Next move

IaC for core workloads, cloud posture management (CSPM), cost allocation/budgets, license optimisation, HA for critical services.

Collaboration & Productivity

Core IT

M365/Google governance, records/retention, external-sharing control, productivity & business apps.

Flight-doc distribution (ARINCDirect, Flightdocs) governed; ops manuals version-controlled & retained.

1234target5

Now — L3 Defined / Standardized

Standardized workspace governance, records/retention policies applied, external-sharing controls + guest lifecycle, sensitivity labels.

Next move

Adoption & governance measured, auto-expiring guest access, DLP + labels enforced with metrics, lifecycle automation for teams/sites.

Network & Connectivity

Core IT

Segmentation, ZTNA/SASE, redundancy, monitored performance.

FBO / hangar / line-station connectivity and OT segmentation are in scope.

1234target5

Now — L3 Defined / Standardized

Segmented zones, ZTNA/SASE rollout begun, redundant links, performance monitored with alerting.

Next move

Micro-segmentation, ZTNA/SASE enforced org-wide, SD-WAN with measured performance/SLA, automated failover.

IT Service Management & Operations

Core IT

Service desk, monitoring/observability, asset/CMDB, runbook automation.

1234target5

Now — L3 Defined / Standardized

ITIL-aligned processes (incident/problem/change), monitoring + alerting, a maintained CMDB, standardized runbooks.

Next move

SLAs measured & met, observability (metrics/logs/traces), change success rate tracked, runbook automation, proactive problem management.

AI Governance, Risk & Data Readiness

AI Era

Acceptable-use policy, data-boundary/DLP for AI, model-risk review, vendor/model inventory, shadow-AI discovery, and data readiness (quality, access control, RAG-ready knowledge base).

1234target5

Now — L2 Managed / Foundational

Draft acceptable-use guidance; some awareness; a sanctioned tool or two; data ownership emerging but no AI-specific controls.

Next move

Acceptable-use policy live & communicated; approved tool/model list; DLP/data-boundary for AI; basic model-risk review; data cataloged with access control.

AI-Augmented Operations & Workforce Enablement

AI Era

Copilots deployed + adopted, AIOps in the monitoring/triage loop, agentic automation of routine IT work under guardrails, and measured workforce uplift (training program, adoption %, toil reduction). (Training folded in from the ForIT framework.)

Bizav-relevant AI: AIOps for flight-ops uptime; AI safety-report triage (for-sms).

1234target5

Now — L2 Managed / Foundational

Pilot copilots for some staff; isolated automation experiments; early adopters only; ad-hoc training; no adoption metrics.

Next move

Approved copilots deployed to a broad workforce; AI in a few ops workflows; a training program; adoption tracked at a basic level.

Flight Operations & EFB

Industry

Scheduling/dispatch (FOS, Leon, Flightdocs, ARINCDirect), flight planning, weight & balance, Electronic Flight Bags on managed iPads (ForeFlight/Jeppesen).

12345target

Now — L4 Proactive / Measured

Ops KPIs measured (on-time, dispatch reliability); EFB compliance reported; integrations monitored with alerting; offline-capable EFB tested.

Next move

Self-optimising ops (AI-assisted scheduling/dispatch), predictive disruption management, EFB content pushed & verified autonomously.

Maintenance & Airworthiness IT

Industry

MRO / maintenance tracking (CAMP, Flightdocs, Traxxall), airworthiness records, parts & inventory, AD/SB compliance.

12345target

Now — L4 Proactive / Measured

Predictive/condition-based maintenance metrics; due-list SLAs measured; records audited; parts stock optimised on data.

Next move

AI-assisted predictive maintenance & parts forecasting; airworthiness compliance continuously verified; near-zero records toil.

Crew Records & Training / Currency

Industry

Certs, currency, duty/rest tracking (FAR Part 135 / 117), training records, qualifications. Overlaps for-CrewRecords / AVHR.

1234target5

Now — L3 Defined / Standardized

Currency & duty/rest integrated with scheduling so ineligible crew cannot be assigned; training compliance reported.

Next move

Currency/fatigue risk measured; automated expiry & training reminders; qualification coverage optimised against the schedule.

Safety Management System (SMS)

Industry

Hazard/safety reporting maturity, risk register, SPI tracking, IS-BAO / ARGUS / WYVERN readiness. Directly overlaps for-sms.

12345target

Now — L4 Proactive / Measured

Predictive safety metrics (SPIs trended), just-culture reporting rates measured, mitigations verified; IS-BAO Stage II+ / audit-ready.

Next move

AI-assisted safety-report triage & trend detection (for-sms); leading indicators drive proactive risk reduction; continuous audit readiness.

Aviation Regulatory & Data Retention

Industry

FAA Part 91/135, DOT, TSA, IS-BAO audit evidence, and aviation-specific record retention (airworthiness, crew, flight, training).

12345target

Now — L3 Defined / Standardized

Compliance calendar with owners; audit evidence maintained continuously; retention policies applied to aviation records with legal-hold.

Next move

Compliance posture measured & reported; audit findings trended to closure; retention enforced & sampled for defensibility.

FBO / Hangar Site IT & OT

Industry

Remote-site & hangar connectivity, fuel/OT systems, physical security and access control at FBOs and line stations.

1234target5

Now — L2 Managed / Foundational

Sites have managed connectivity; an inventory of site IT/OT exists; physical access controlled at key doors.

Next move

Site networks segmented from OT; fuel/access/camera systems inventoried & patched; standardised remote-site build.

Charter / VIP Data Confidentiality & Flight-Tracking Privacy

Industry

Passenger PII, VIP confidentiality, tail-number / flight-tracking privacy (ADS-B blocking, LADD/PIA), need-to-know handling.

12345target

Now — L3 Defined / Standardized

Need-to-know controls on passenger/VIP data with labels & DLP; flight-tracking privacy (LADD/PIA) managed; confidentiality in contracts.

Next move

Confidentiality posture measured & audited; privacy program for VIP data; tracking-privacy verified per tail; incident drills run.