Aerospace Security

CAA and CREST accredit first companies under new ASSURE scheme

Posted 21 January 2020

The Civil Aviation Authority (CAA) has announced its new ASSURE scheme developed in partnership with CREST, the not-for-profit accreditation and certification body for the technical security industry and the accreditation of the first companies under the scheme.

Above: CAA offices, Gatwick.
Copyright CAA

ASSURE will play a key role in the CAA’s Cyber Security Oversight strategy to enable the aviation industry – including airlines, airports and air navigation service providers – to manage their cyber security risks without compromising aviation safety, security or resilience and to support the UK governments’ National Cyber Security Strategy.

CREST and the CAA have accredited the first specialist cyber security third-party suppliers under the rigorous and continuous accreditation process defined in the ASSURE framework. To become an accredited ASSURE Cyber Supplier, an organisation must have CREST membership in one of its core disciplines and submit an application for ASSURE accreditation for review by CREST and the CAA. Accredited ASSURE Cyber Professionals must demonstrate extensive knowledge in at least one of the following three ASSURE Specialisms: Cyber Audit & Risk Management, Technical Cyber Security Expert and ICS/ OT Expert.

The first ASSURE accredited companies are: Bridewell Consulting Ltd, Context Information Security, NCC Group, Nettitude, Pen Test Partners, Protiviti UK and SureCloud, with many more applications in the pipeline.

“The CAA is committed to broad and collaborative engagement with industry and key stakeholders to continuously improve our cyber security oversight model,” said Peter Drissell, Director of Aviation Security at the CAA. “By working with CREST to develop the ASSURE accreditation scheme, the aviation industry has access to the highest levels of skill, knowledge and competence to face the changing threat landscape and encourage a proactive approach to cyber security.”

Where stipulated by the CAA, aviation organisations will be required to complete a self-assessment of their cyber security using the CAA’s Cyber Assessment Framework (CAF) for Aviation, which can be applied to organisations of varying size and complexity. Aviation organisations may then be required to contract with an ASSURE Cyber Supplier through the ASSURE Buyer’s Platform to audit their completed CAF for Aviation self-assessment, on behalf of the CAA.

“ASSURE is the latest scheme to strengthen the UK’s Critical National Infrastructure against growing cyber threats and supports the CAA’s Cyber Security Oversight strategy,” said Ian Glover, president of CREST. “CREST has also been working with the UK banking, telecommunications, nuclear and utilities sectors to develop effective accreditation schemes and intelligence-led cyber security testing and is also helping governments and regulators in other countries to adopt the same approach.”