Launched in January 2020, the CAA ASSURE scheme was developed in partnership with CREST and plays a key role in the CAA’s Cyber Security Oversight strategy, helping the aviation industry manage its cyber security risks, without compromising aviation safety, security or resilience. It also supports the UK Government’s National Cyber Security Strategy.
The UK Civil Aviation Authority (CAA) recognises its aviation cyber security regulatory oversight responsibilities under existing and emerging resilience, safety and security regulations. As a result, the CAA developed CAP 1753 ‘The Cyber Security Oversight Process for Aviation’, a proportionate, consistent and scalable six-step approach to cyber security oversight.
The ‘ASSURE Scheme’ is a third-party cyber security audit model that enables aviation organisations, in-scope of CAP 1753, to procure ASSURE cyber audit capabilities from a pool of competent and skilled ASSURE Cyber Suppliers. The ASSURE Cyber Suppliers, on behalf of the CAA and as Qualified Entities, perform independent ASSURE Cyber Audits against the aviation organisation’s Cyber Assessment Framework (CAF) for Aviation.
Approved ASSURE Cyber Suppliers
The ASSURE Scheme is a scalable and responsive model that provides aviation organisations with a level of assurance in their choice of audit supplier and a structure for how audits should be conducted.
Examples of the organisations within scope for ASSURE cyber audits include airports, air carriers and air navigation providers. Each in scope aviation organisation, when deemed applicable by the CAA, will need to procure an ASSURE Cyber Audit from an accredited ASSURE Cyber Supplier.
This audit will be performed by ASSURE Cyber Professionals who have been accredited through the scheme to conduct audits on behalf of the ASSURE Cyber Supplier.
Accredited ASSURE Cyber Professionals must demonstrate extensive knowledge in at least one of the following three ASSURE Specialisms: Cyber Audit & Risk Management, Technical Cyber Security Expert and ICS/OT Expert.
Accreditation Process if you are new to CREST
The accreditation process for the ASSURE Cyber Audit scheme follows the steps listed below.
Accreditation with CREST offers all service providers the opportunity to demonstrate their quality service provision and their ability to deliver these services. By becoming a member with CREST, all service providers get access to international markets and export opportunities.
Step 1: A mutual NDA is signed between CREST and the potential ASSURE Cyber Audit Supplier. There are no fees for this stage.
Step 2: The potential ASSURE Cyber Audit Supplier, is granted access to the CREST online membership portal, to view the application form and all requirements.
Step 3: Once ready the potential ASSURE Cyber Audit Supplier submit their application to CREST. An administration fee of £250 +VAT becomes payable on submission of an application.
Step 4: The CREST accreditation team will review your application and feedback is provided as required.
Step 5: Once the potential ASSURE Cyber Audit Supplier has met all requirements, the final review of the application will be done by the CAA.
Step 6: Once approval has been given by the CAA, the ASSURE Cyber Audit Supplier is notified of the approval, and their entry on the CREST website would be made live. There are no additional fees for this step.
There is an annual renewal process, where the re-verification of some key requirements is conducted. Annually at renewal there is an administration fee of £250.
Accreditation Process if you are a current CREST member
The accreditation process is simplified if you are a current CREST member company.
Your main CREST membership portal administrator will have access already to the application form. They will be able to start the application process and add collaborators from your company to assist with the completion.
The CREST accreditation team will review your application and feedback is provided as required. Once the potential ASSURE Cyber Audit Supplier has met all requirements, the final review of the application will be done by the CAA.
Once approval has been given by the CAA, the ASSURE Cyber Audit Supplier is notified of the approval, and their entry on the CREST website would be made live. There are no additional fees for this step.
There are no fees for a current CREST member company to add the ASSURE scheme to their membership.
If you have any questions at all on the CAA ASSURE scheme, or would like details on how to apply and the requirements for accreditation, then please contact [email protected]
Further details of ASSURE Cyber Professional and ASSURE Cyber Supplier requirements can be found here.