References to EU regulation or EU websites in our guidance will not be an accurate description of your obligations or rights under UK law.read more
Our approach to cyber security oversight, the Cyber Security Oversight Process for Aviation, is laid out in
CAP 1753 and it consists of six key steps:
The applicability of each step will be discussed and agreed with an aviation organisation during the initial engagement step and determined based on several factors including; the assessment of cyber security risk, aviation organisation complexity, and regulatory requirements.
We will contact regulated aviation organisations listing the applicable cyber security regulations and describing which of the six keys steps will need to be completed and by when. If you have not yet been contacted but would like to engage, please contact us at
Cyber security oversight will also be incorporated into our existing
Performance Based Oversight (PBO) processes.
We are aware that some information relating to cyber security oversight may be sensitive.
Before submitting sensitive cyber security information to the CAA please contact us at
firstname.lastname@example.org. You will receive secure Information Handling Instructions to ensure commensurate protections are established based on the sensitivity of the information in question.
It is important that systems (including networks, information technology - IT and operational technology - OT) which are critical to an aviation organisation are within scope of cyber security oversight. Guidance on identifying critical systems has been produced and is available in
The guidance given in
CAP 1849 provides a recommended method to identify critical systems through performing a functional decomposition from the aviation organisations' key aviation functions. Our
scoping template helps aviation organisations to document their identified critical systems and critical suppliers.
Once an aviation organisation has identified its' critical systems it can assess them against the
Cyber Assessment Framework (CAF) for Aviation to get an understanding of the cyber security posture of their organisation and critical systems.
The Cyber Assessment Framework (CAF) is an outcome-focused assessment against fourteen principles and four objectives, it was developed by the National Cyber Security Centre (NCSC) to meet the following requirements:
The NCSC’s core CAF v3.0 has been adapted to create the CAA’s CAF for Aviation which has been designed specifically for aviation.
Guidance on completion of the CAF for Aviation can be found in
CAP 1850. This also includes informative cyber security references (or relevant standards) against each of the fourteen principles as well as examples of the types of evidence that we would expect to support the self-assessment.
The CAA intends to use the CAF for Aviation to oversee aviation organisations' management of cyber security risks and the information received will be incorporated into our Performance Based Oversight (PBO) and Performance Based Regulation (PBR) processes.
We have created an accredited third-party cyber security audit model (ASSURE). 'Third parties' refers to ASSURE Cyber Suppliers that are subject to a rigorous and continuous accreditation process under the ASSURE Scheme.
Each in scope aviation organisation, when deemed applicable by the CAA, will need to procure an ASSURE Cyber Audit from an accredited ASSURE Cyber Supplier via the ASSURE platform. This audit will be performed by ASSURE Cyber Professionals who have been accredited to conduct audits on behalf of the ASSURE Cyber Supplier.
ASSURE Cyber Professionals are each accredited in one or more, of the following three specialisms (all specialisms must be present for an ASSURE Cyber Audit):
To find out more or apply please visit https://www.crest-approved.org/assure/index.html
ASSURE accredited Cyber Suppliers
Guidance on the ASSURE accreditation process and conducting ASSURE Cyber Audits can be found in the CAA ASSURE CREST Implementation Guide.
Read all @UK_CAA
Civil Aviation Authority Transport Act 2000 investigation – final decision
25 February, 2021
UK Civil Aviation Authority launches consultation on proposed modifications to the licence of Gatwick Airport Limited
25 February, 2021
UK to revert to previous rules for Visibility and Distance from Cloud Minima for flying in visual meteorological conditions
28 January, 2021
Read all News
International Civil Aviation Day
7 December, 2020
Read All Blogs