Our approach to cyber security oversight, the Cyber Security Oversight Process for Aviation, is laid out in
CAP 1753 and it consists of six key steps:
The applicability of each step will be discussed and agreed with an aviation organisation during the initial engagement step and determined based on several factors, including the assessment of cyber security risk, aviation organisation complexity, and regulatory requirements.
We will contact regulated aviation organisations listing the applicable cyber security regulations and describing which of the six key steps will need to be completed and by when. If you have not yet been contacted but would like to engage, please contact us at
Cyber security oversight will also be incorporated into our existing
Performance Based Oversight (PBO) processes.
We are aware that some information relating to cyber security oversight may be sensitive.
Before submitting sensitive cyber security information to the CAA please contact us at
email@example.com. You will receive secure Information Handling Instructions to ensure commensurate protections are established based on the sensitivity of the information in question.
It is important that systems (including networks, information technology (IT) and operational technology (OT)) which are critical to an aviation organisation are within scope of cyber security oversight. Guidance on identifying critical systems has been produced and is available in
The guidance given in
CAP 1849 provides a recommended method to identify critical systems through performing a functional decomposition from the aviation organisation's key aviation functions. Our
scoping template helps aviation organisations to document their identified critical systems and critical suppliers.
Once an aviation organisation has identified its critical systems it can assess them against the
Cyber Assessment Framework (CAF) for Aviation to get an understanding of the cyber security posture of their organisation and critical systems.
The Cyber Assessment Framework (CAF) is an outcome-focused assessment against fourteen principles and four objectives. It was developed by the
National Cyber Security Centre (NCSC).
CAF for Aviation is a reformatted copy of the NCSC core CAF v3.0 and has been designed specifically for aviation.
The NCSC CAF v3.0, and by association, the CAF for Aviation, have been developed to meet the following requirements:
Guidance on completion of the CAF for Aviation can be found in
CAP 1850. This also includes informative cyber security references (or relevant standards) against each of the fourteen principles as well as examples of the types of evidence that we would expect to support the self-assessment.
The CAA intends to use the CAF for Aviation to oversee aviation organisations' management of cyber security risks and the information received will be incorporated into our Performance Based Oversight (PBO) and Performance Based Regulation (PBR) processes.
We have created an accredited third-party cyber security audit model (ASSURE). 'Third parties' refers to ASSURE Cyber Suppliers that are subject to a rigorous and continuous accreditation process under the ASSURE framework.
Each in-scope aviation organisation, when deemed applicable by the CAA, will need to procure an ASSURE Cyber Audit from an accredited ASSURE Cyber Supplier via the ASSURE platform. This audit will be performed by ASSURE Cyber Professionals who have been accredited to conduct audits on behalf of the ASSURE Cyber Supplier.
ASSURE Cyber Professionals are each accredited in one or more of the following three specialisms (all specialisms must be present for an ASSURE Cyber Audit):