UK ISMS (Information Security Management Systems) regulation

Closes 22 Dec 2023

Opened 30 Oct 2023


The CAA, working with the DfT, is proposing to introduce a new regulation to help protect UK aviation from cyber attacks. This regulation will ensure that the UK is actively engaging with the increased threat from cyber, and that the UK aviation industry is properly protected against cyber attacks. It will also support the ICAO Aviation Cybersecurity Strategy, and will ensure the UK is compliant with ICAO Annexes and SARPs.

The regulation introduces new requirements on aviation organisations for the management of cyber security risks that could impact the safety and security of civil aviation, and will encompass aerodromes, air operations, aircrew, air traffic management, maintenance organisations as well as design and production organisations.

The CAA expects the introduction of this regulation to enhance safety and security through:

  • an increased level of safety, protecting civil aviation from information security risks and making it more resilient to information security events and incidents;
  • an economic benefit for the organisations, helping to protect against the potential for liability costs and the operational and reputational damage caused by cyber incidents.


Regulations contain requirements which must be complied with.  The CAA’s statutory role is to consider the required content of regulations, consult on our proposed changes to the regulations, take consultation responses into account before forming a final view and then communicate that view to the Secretary of State (Department for Transport) in the form of an Opinion.  Our Opinions are published.  The Secretary of State makes the final decision whether to implement CAA’s proposed changes to the regulations, and the final wording of the regulations.  The proposed wording of the regulations in this consultation may well change if and when the Secretary of State decides to amend the regulations.

The CAA’s proposal is to introduce a standalone regulation relating to information security risks, and to make incidental amendments to the existing regulatory framework to incorporate this new regulation into the legal requirements for industry.

Acceptable Means of Compliance and Guidance Material

Acceptable Means of Compliance (AMC) are means by which the requirements in the Implementing Rule and the Essential Requirements of the Basic Regulation to which it relates can be met. However, entities may show compliance by other means. 

An entity may choose to offer an Alternative Means of Compliance (AltMoC), which must be reviewed and accepted by the CAA. However, it is important to note that the entity will then lose the presumption of compliance provided by the CAA AMC, so it is essential for the operator to demonstrate that the AltMoC meets the intent of the Implementing Rule and the Essential Requirements of the Basic Regulation.

Guidance Material (GM) is non-binding and provides explanatory and interpretation material on how to achieve the requirements in the law and the AMC. It contains information, including examples, to assist the applicant with the interpretation of the legislative provisions.

This consultation

The first document presented in this consultation contains the outline structure of the regulation, which includes the scope of applicability.

RMT0019 - ISMS Regulation - Outline Structure for Consultation (pdf)

The second document in this consultation includes the Acceptable Means of Compliance (AMC) and Guidance Material (GM) associated with this regulation.

RMT0019 - ISMS Consultation - Draft-AMC-GM (pdf)

Please access both of these documents and review before using the online survey link below to submit a response to this consultation.

Why your views matter

It is important to the CAA that everyone has an opportunity to voice their opinion on matters that could affect them. There is also a legal requirement to consult when creating or amending regulations as well as AMC and GM.

We welcome comments from every sector of the community. This includes the general public, government agencies and all sectors of the aviation industry, whether as an aviator, aviation consumer and/or provider of related products and services.

How to respond

This consultation will close on the date stated at the top of this page and we cannot take into account comments received after this date. We will assume that all responses can be published once the consultation has closed. There is an option to request for your name to remain private, but in any event your email address will never be published.

Please submit your comments using the online survey link below. 

Submit a response


  • Commercial airlines
  • Airport operators
  • Air Navigation Service Providers
  • Industry representative bodies
  • Flightcrew
  • Air traffic control staff
  • Cargo shippers
  • Ground handling providers
  • Aerodrome Operators
  • Training organisations
  • ATS initial training organisations
  • Flight operations
  • Airworthiness maintenance organisations
  • Aviation Design & Certification


  • Safety
  • Security
  • Air Traffic Control
  • Airworthiness
  • Flight Operations
  • AMC & GM consultations
  • Implementing Rules