The U.K. Civil Aviation Authority (CAA) has announced its new ASSURE scheme developed in partnership with CREST, the not-for-profit accreditation and certification body for the technical security industry. ASSURE will play a key role in the CAA’s Cyber Security Oversight strategy to enable the aviation industry – including airlines, airports and air navigation service providers – to manage their cybersecurity risks without compromising aviation safety, security or resilience and to support the British governments’ National Cyber Security Strategy.
CREST and the CAA have accredited the first specialist cyber security third-party suppliers under the rigorous and continuous accreditation process defined in the ASSURE framework. To become an accredited ASSURE Cyber Supplier, an organization must have CREST membership in one of its core disciplines and submit an application for ASSURE accreditation for review by CREST and the CAA. Accredited ASSURE Cyber Professionals must demonstrate extensive knowledge in at least one of the following three ASSURE Specialisms: Cyber Audit & Risk Management, Technical Cyber Security Expert and ICS/ OT Expert.
The first ASSURE accredited companies are: Bridewell Consulting Ltd, Context Information Security, NCC Group, Nettitude, Pen Test Partners, Protiviti U.K. and SureCloud, with many more applications in the pipeline.
Where stipulated by the CAA, aviation organizations will be required to complete a self-assessment of their cyber security using the CAA’s Cyber Assessment Framework (CAF) for Aviation, which can be applied to organizations of varying size and complexity. Aviation organizations may then be required to contract with an ASSURE Cyber Supplier through the ASSURE Buyer’s Platform to audit their completed CAF for Aviation self-assessment, on behalf of the CAA.
CREST has also been working with the U.K. banking, telecommunications, nuclear and utilities sectors to develop effective accreditation schemes and intelligence-led cyber security testing and is also helping governments and regulators in other countries to adopt the same approach.