Overview of ASSURE Cyber Security Scheme
The Civil Aviation Authority (CAA) has created an accredited third-party cybersecurity audit scheme (ASSURE), developed in partnership with CREST to provide rigorous and continuous audits for the aviation sector.
The key objective for this scheme is to enable the aviation industry (airlines, airports and air navigation service providers) to manage cybersecurity risks without compromising aviation safety, security or operational resilience.
Benefits Of The ASSURE Cyber Security Scheme
This scheme enables aviation organisations, in-scope of CAP1753, to procure ASSURE Cyber Audit capabilities from a pool of competent and skilled ASSURE Cyber Suppliers. The ASSURE Cyber Suppliers, on behalf of the CAA perform independent ASSURE Cyber Audits against the aviation organisation’s Cyber Assessment Framework (CAF) for Aviation, as described in step four ‘ASSURE Cyber Audit’ of CAP1753.
The benefits of this new partnership include.
- We are now an accredited ASSURE Cyber Supplier in which our staff have become accredited ASSURE Cyber Professionals across all specialism areas in the process.
- Our knowledgeable, experienced and qualified cyber professionals can be deployed to assess an audit.
- We can provide a validated opinion of ‘achieved’, ‘partially achieved’ or ‘not achieved’ with associated commentary against each CAF for Aviation contributing outcome.
- Recommendations will be provided where ‘partially achieved’ or ‘not achieved’ contributing outcomes have been identified from an ASSURE Cyber Audit.
About The ASSURE Cyber Security Scheme
Each aviation organisation, when deemed applicable by the CAA, will need to procure cyber audit services from an accredited ASSURE Cyber Supplier using the ASSURE buyer’s platform.
Accredited ASSURE Cyber Professionals must be able demonstrate extensive knowledge in at least one of the following three specialisms:
1. Cyber Audit & Risk Management;
2. Technical Cybersecurity Expert;
3. Industrial Control Systems/Operational Technology Expert.
LRQA Nettitude are an accredited ASSURE Cyber Supplier and have the complete range of accredited ASSURE Cyber Professionals across the three specialism areas. All three specialisms must be present before an ASSURE Cyber Audit can be undertaken. LRQA Nettitude is able to provide the complete end-to-end audit journey for an aviation organisation with their knowledgeable, experienced and qualified cyber professionals.
ASSURE Cyber Security Scheme Process
The Cybersecurity Oversight Process for Aviation, is covered in CAP 1753 and it consists of the six key steps outlined below:
2. Critical systems scoping
3. Cyber self-assessment for aviation
4. ASSURE Cyber Audit
5. Provisional Statement of Assurance; and
6. Final Statement of Assurance and Letter of Compliance
The CAA Cyber Oversight Team will assess the applicability of each step with an aviation organisation during the initial engagement step, each of the steps will be discussed, agreed and determined at this time with an organisation. The CAA will base this discussion on several factors including, the assessment of cybersecurity risk, the aviation organisation complexity, and any regulatory requirements that apply.
An aviation organisation, deemed applicable by the CAA, will need to procure cyber audit services from an accredited ASSURE Cyber Supplier. An aviation organisation will be required to make the following available to the ASSURE Cyber Professional(s):
- Completed Critical Systems Scoping Template;
- Completed Critical system scoping diagrams;
- Completed CAF for Aviation for all in-scope systems; and
- All necessary supporting evidence.
Following the self-assessed ASSURE Cyber Audit the ASSURE Cyber Professional(s) will review and evaluate the ASSURE specific areas of the CAF for Aviation and issue an ASSURE Audit Report to the aviation organisation detailing:
- A validated opinion of ‘achieved’, ‘partially achieved’ or ‘not achieved’ with associated commentary against each CAF for Aviation contributing outcome, based on the evidence provided by the aviation organisation and the associated indicators of good practice;
- Recommendations where ‘partially achieved’ or ‘not achieved’ contributing outcomes have been identified from the ASSURE Cyber Audit. The aviation organisation may use this to update the Corrective Action Plan section of the CAF for Aviation.
The ASSURE Cyber Professionals will also have a “wash-up” call with the CAA to discuss the ASSURE Cyber Audit. Further information and detail can be found in the ‘ASSURE Implementation Guide’.
Why LRQA Nettitude?
LRQA Nettitude have extensive experience of working in the Aviation Industry on cybersecurity assessments and audits, threat hunting and penetration testing exercises as well as PCI DSS engagements. Our experts have helped a number of organisations in other sectors with their NCSC Cyber Assessment Framework (CAF) preparation and final submission. We have also been researching and working in OT, firmware and transportation from marine, rail, nuclear and aviation for over a decade.
As a result, we are well placed to assist aviation organisations by reviewing a completed CAF for Aviation with validated opinions, observations and expert commentary on the contributing self-assessed outcomes. The ability to be realistic around the risks faced and pragmatic in approaching risk reduction and remediation is key in ensuring that priority in given to the right outcomes.
LRQA Nettitude can also provide additional services to aviation organisations at many levels if required from tactical guidance and advice on technical aspects of their IT/OT systems through to research into legacy or niche elements, right through to maturing and developing capability and organisational cyber strategy.