A Security Management System (SeMS) provides an entity with a framework of operating principles and guidance which enable it to enhance security performance by proactively managing risks, threats, and areas where there are gaps and vulnerabilities which may have a negative impact on that performance.
SeMS is:
- based on a risk-driven framework designed to embed security within your operations and culture
- suitable for any entity within the aviation sector, regardless of size or operation
- an enabler for the UK Civil Aviation Authority (CAA) as it develops a flexible, risk-based oversight regime
- an enabler for entities required to meet quality control provisions of articles 12, 13 and 14 of Baseline Security Measures as retained in UK Regulation and UK Law.
The UK CAA remains aligned with IATA, ICAO, ECAC and other regulatory bodies in the move towards modernising aviation security and considers SeMS key in achieving this.
Our SeMS mission statement
The Civil Aviation Authority (CAA) is committed to sustaining and improving public confidence in air travel through constant industry self-assurance and responsible management of risk, combined with a focused and adaptive regulatory approach.
A Security Management System (SeMS) enables an organisation to identify and manage its own security risks in a proactive manner, with an effective security culture as the bedrock. SeMS provides top down assurance that the security measures taken to manage those risks are effective, on the basis that:
- security risks are managed at the right level
- there is appropriate accountability for security standards
- security performance is managed effectively with clear oversight in place
- a positive security culture is embedded across the organisation
We will work alongside organisations as they exploit the insights and efficiencies delivered by a mature and effective SeMS - and we will utilise the resulting assurance data to develop an adaptive and risk-based oversight regime in the move towards Risk Based Oversight (RBO).
Implementing SeMS
The implementation of SeMS is straightforward:
- we encourage organisations to incorporate or develop existing governance arrangements, systems and processes wherever possible
- we do not prescribe additional or specific IT systems or platforms
- we are committed to providing support to Industry partners to ensure they may exploit the opportunities and efficiencies a mature SeMS offers
Further information is available on implementing a SeMS.
The phases of SeMS development
Gap Analysis
The entity completes a Gap Analysis to identify which areas of their operation are already in line with the Security Management System (SeMS) Framework, and which will require further development to meet Framework requirements.
Phase 1
The Civil Aviation Authority (CAA) will conduct a Phase 1 assessment to verify if the SeMS is present and suitable. This assessment comprises:
- an evidential assessment of key SeMS processes
- a meeting between a CAA Manager and the entity's Accountable Manager
Phase 2
Once sufficient time has elapsed for the entity's SeMS to mature, the CAA conducts a Phase 2 assessment to establish if the SeMS is operating and effective
This assessment comprises:
- an evidential assessment of documented processes
- an interview conducted by CAA Senior Managers with the entity's Accountable Manager
- operational assessments conducted across the entity's site or sites
Phase 2B
At Phase 2B, the entity provides continued assurance of its SeMS.
This comprises:
- quarterly submissions of SeMS Performance Data to the CAA
- an Assurance Assessment to verify that the SeMS continues to be operating and effective
- operational assessments conducted across the entity's site or sites
Growing numbers of organisations across all modes are actively developing their SeMS.
We are leading the way in making SeMS a reality for the wider aviation industry and continue to support the ever-increasing numbers of entities making use of the advantages of implementing a robust and effective SeMS.
Risk Based Oversight
It is envisaged that Risk Based Oversight (RBO) utilises additional security assurance data, including SeMS performance data, to adjust the frequency and/or target of CAA observations.
RBO will:
- offer an entity the prospect of adjustments to, regulatory observation and routine compliance visits
- develop our oversight regime by providing us with capacity options for future compliance oversight. This will be supported by our approach to risk management and means of supporting industry partners in an ever evolving aviation landscape.
We are currently developing our RBO approach with Industry with a view to identifying the most appropriate data sets on which the adjustments to our oversight regime will be based. SeMS is a necessary precursor for the CAA to achieve this.
Training
Training is available on a variety of Aviation Security topics, including SeMS, and is particularly relevant for Security Managers and Accountable Managers.
Our training provides a great opportunity to meet with the Regulator and Industry colleagues, share best practice, and find out more about implementing a successful SeMS.
SeMS guidance material
- CAP 1223 SeMS Framework Document
- CAP 1273 Implementing Security Management Systems: an outline
- CAP 1224 Note for Accountable Managers
- CAP 1297 Security Management System (SeMS) : Frequently Asked Questions
- CAP 1997 Guidance for Small Organisations
- SeMS entity self-assessment questionnaire – Gap Analysis
- Security culture self-assessment tool
Contact us
For more information contact the SeMS team at sems@avsec.caa.co.uk.
Provide page feedback
Please enter your comments below, or use our usual service contacts if a specific matter requires an answer.
Fields marked with an asterisk (*) are required.