Great North Aviation · Business Aviation flavor
IT Maturity Map
Assessed 2026-06-24 · 18 domains × 5 levels
Target 86/100 (+37 to close the gap)
Domain heat strip (current level)
Top 3 gaps — where to invest next
Data Protection & Resilience
Reach L4: RPO/RTO measured against SLA, automated restore drills, immutability enforced, DLP tuned with metrics, DR runbook exercised.
Security & Threat Management
Reach L4: Threat-informed detections measured (MTTD/MTTR), risk-based vuln remediation, purple-team exercises, SOAR playbooks.
Aviation Regulatory & Data Retention
Reach L4: Compliance posture measured & reported; audit findings trended to closure; retention enforced & sampled for defensibility.
Domains × maturity levels — current state & next move
Strategy, Governance & KPIs
Core ITIT strategy aligned to business objectives, an IT operating model, policies/standards, risk register, and KPIs/reporting to leadership. (Reconciled from the ForIT fractional-CTO framework — Strategy + Governance & KPIs.)
Now — L3 Defined / Standardized
IT strategy is aligned to business goals and reviewed on a cadence; a policy set + IT operating model are defined; a KPI dashboard reports to leadership.
Next move
Strategy is outcome/metric-driven with a governed portfolio and risk register; KPIs/OKRs tie IT to business results; investments prioritised on measured value.
Identity & Access
Core ITSSO, MFA, conditional access, joiner/mover/leaver lifecycle, PAM, least-privilege.
Now — L3 Defined / Standardized
SSO across core apps, conditional access policies, automated JML from an HR source.
Next move
Risk-based/adaptive access, access reviews on cadence, PAM for admins, metrics on stale access.
Endpoint & Device Management (ITAM)
Core ITMDM (Jamf/Intune), zero-touch enrollment, patch compliance, device trust, asset lifecycle (ITAM).
✈ EFB iPads (ForeFlight/Jeppesen) enrolled in MDM; cockpit devices held to the same trust posture.
Now — L3 Defined / Standardized
Zero-touch enrollment (Autopilot/ADE), standardized baselines, patch compliance reported, device trust required for access.
Next move
Patch/compliance SLAs measured, config drift auto-remediated, hardware/OS lifecycle tracked, risk-scored posture gates access.
Data Protection & Resilience
Core ITBackup/DR, tested restores, retention, encryption, DLP, immutability.
✈ Retention meets aviation hold periods for airworthiness, crew, flight & training records.
Now — L3 Defined / Standardized
3-2-1 backups with defined RPO/RTO, restores tested on schedule, immutable/air-gapped copies, DLP policies deployed.
Next move
RPO/RTO measured against SLA, automated restore drills, immutability enforced, DLP tuned with metrics, DR runbook exercised.
Security & Threat Management
Core ITEDR/MDR, SIEM, vuln mgmt, phishing defense, tested incident response.
Now — L3 Defined / Standardized
EDR/MDR + SIEM with detection use-cases, vulnerability management with SLAs, phishing simulations, a documented and tested IR plan.
Next move
Threat-informed detections measured (MTTD/MTTR), risk-based vuln remediation, purple-team exercises, SOAR playbooks.
Cloud, Infrastructure & IT Finance
Core ITIaC, cloud posture management, cost governance (FinOps) + license cost-effectiveness, resilience/HA. (IT Finance folded in from the ForIT framework.)
Now — L2 Managed / Foundational
Some scripting, tagging started, cost reviewed monthly, licenses tracked in a sheet, basic redundancy.
Next move
IaC for core workloads, cloud posture management (CSPM), cost allocation/budgets, license optimisation, HA for critical services.
Collaboration & Productivity
Core ITM365/Google governance, records/retention, external-sharing control, productivity & business apps.
✈ Flight-doc distribution (ARINCDirect, Flightdocs) governed; ops manuals version-controlled & retained.
Now — L3 Defined / Standardized
Standardized workspace governance, records/retention policies applied, external-sharing controls + guest lifecycle, sensitivity labels.
Next move
Adoption & governance measured, auto-expiring guest access, DLP + labels enforced with metrics, lifecycle automation for teams/sites.
Network & Connectivity
Core ITSegmentation, ZTNA/SASE, redundancy, monitored performance.
✈ FBO / hangar / line-station connectivity and OT segmentation are in scope.
Now — L3 Defined / Standardized
Segmented zones, ZTNA/SASE rollout begun, redundant links, performance monitored with alerting.
Next move
Micro-segmentation, ZTNA/SASE enforced org-wide, SD-WAN with measured performance/SLA, automated failover.
IT Service Management & Operations
Core ITService desk, monitoring/observability, asset/CMDB, runbook automation.
Now — L3 Defined / Standardized
ITIL-aligned processes (incident/problem/change), monitoring + alerting, a maintained CMDB, standardized runbooks.
Next move
SLAs measured & met, observability (metrics/logs/traces), change success rate tracked, runbook automation, proactive problem management.
AI Governance, Risk & Data Readiness
AI EraAcceptable-use policy, data-boundary/DLP for AI, model-risk review, vendor/model inventory, shadow-AI discovery, and data readiness (quality, access control, RAG-ready knowledge base).
Now — L2 Managed / Foundational
Draft acceptable-use guidance; some awareness; a sanctioned tool or two; data ownership emerging but no AI-specific controls.
Next move
Acceptable-use policy live & communicated; approved tool/model list; DLP/data-boundary for AI; basic model-risk review; data cataloged with access control.
AI-Augmented Operations & Workforce Enablement
AI EraCopilots deployed + adopted, AIOps in the monitoring/triage loop, agentic automation of routine IT work under guardrails, and measured workforce uplift (training program, adoption %, toil reduction). (Training folded in from the ForIT framework.)
✈ Bizav-relevant AI: AIOps for flight-ops uptime; AI safety-report triage (for-sms).
Now — L2 Managed / Foundational
Pilot copilots for some staff; isolated automation experiments; early adopters only; ad-hoc training; no adoption metrics.
Next move
Approved copilots deployed to a broad workforce; AI in a few ops workflows; a training program; adoption tracked at a basic level.
Flight Operations & EFB
IndustryScheduling/dispatch (FOS, Leon, Flightdocs, ARINCDirect), flight planning, weight & balance, Electronic Flight Bags on managed iPads (ForeFlight/Jeppesen).
Now — L4 Proactive / Measured
Ops KPIs measured (on-time, dispatch reliability); EFB compliance reported; integrations monitored with alerting; offline-capable EFB tested.
Next move
Self-optimising ops (AI-assisted scheduling/dispatch), predictive disruption management, EFB content pushed & verified autonomously.
Maintenance & Airworthiness IT
IndustryMRO / maintenance tracking (CAMP, Flightdocs, Traxxall), airworthiness records, parts & inventory, AD/SB compliance.
Now — L4 Proactive / Measured
Predictive/condition-based maintenance metrics; due-list SLAs measured; records audited; parts stock optimised on data.
Next move
AI-assisted predictive maintenance & parts forecasting; airworthiness compliance continuously verified; near-zero records toil.
Crew Records & Training / Currency
IndustryCerts, currency, duty/rest tracking (FAR Part 135 / 117), training records, qualifications. Overlaps for-CrewRecords / AVHR.
Now — L3 Defined / Standardized
Currency & duty/rest integrated with scheduling so ineligible crew cannot be assigned; training compliance reported.
Next move
Currency/fatigue risk measured; automated expiry & training reminders; qualification coverage optimised against the schedule.
Safety Management System (SMS)
IndustryHazard/safety reporting maturity, risk register, SPI tracking, IS-BAO / ARGUS / WYVERN readiness. Directly overlaps for-sms.
Now — L4 Proactive / Measured
Predictive safety metrics (SPIs trended), just-culture reporting rates measured, mitigations verified; IS-BAO Stage II+ / audit-ready.
Next move
AI-assisted safety-report triage & trend detection (for-sms); leading indicators drive proactive risk reduction; continuous audit readiness.
Aviation Regulatory & Data Retention
IndustryFAA Part 91/135, DOT, TSA, IS-BAO audit evidence, and aviation-specific record retention (airworthiness, crew, flight, training).
Now — L3 Defined / Standardized
Compliance calendar with owners; audit evidence maintained continuously; retention policies applied to aviation records with legal-hold.
Next move
Compliance posture measured & reported; audit findings trended to closure; retention enforced & sampled for defensibility.
FBO / Hangar Site IT & OT
IndustryRemote-site & hangar connectivity, fuel/OT systems, physical security and access control at FBOs and line stations.
Now — L2 Managed / Foundational
Sites have managed connectivity; an inventory of site IT/OT exists; physical access controlled at key doors.
Next move
Site networks segmented from OT; fuel/access/camera systems inventoried & patched; standardised remote-site build.
Charter / VIP Data Confidentiality & Flight-Tracking Privacy
IndustryPassenger PII, VIP confidentiality, tail-number / flight-tracking privacy (ADS-B blocking, LADD/PIA), need-to-know handling.
Now — L3 Defined / Standardized
Need-to-know controls on passenger/VIP data with labels & DLP; flight-tracking privacy (LADD/PIA) managed; confidentiality in contracts.
Next move
Confidentiality posture measured & audited; privacy program for VIP data; tracking-privacy verified per tail; incident drills run.