UK ISMS (Information Security Management Systems) regulation

Closed 26 Jan 2024

Opened 30 Oct 2023

Feedback updated 6 Mar 2024

We asked

Between 30 Oct 2023 and 26 Jan 2024, we asked you to comment and form opinions on the proposed UK ISMS regulation which aims to improve cyber resilience in respect of aviation safety. The regulation, firmly based on EASA’s Part-IS, was shared in this form to allow it to be developed, improved, and ensure alignment with the UK aviation market and regulatory structure.

We received 29 responses, made up of a combination of organisations, individuals, and UK aviation industry groups. These responses represent a significant proportion of the industry covering all of the regulatory areas within the proposed scope of the regulation.

In addition to the core UK ISMS regulation, the consultation requested comments on the associated AMC and GM (Acceptable Means of Compliance and Guidance Material), which are also based on the documents published by EASA for use in conjunction with Part-IS.

You said

Responses reflected the variety of challenges faced by each separate industry area, which led to some common themes alongside a wide range of perspectives. One key theme highlighted concerns about over-regulation and how well the requirements will operate in conjunction with existing safety and security regulations.

Within this, organisations cited the international nature of the industry, with many organisations working across borders, and concerns were expressed about how UK ISMS might duplicate similar regulations and requirements outside of the UK, not least for those organisations that are already working towards compliance with Part-IS.

Some organisations described the potential difficulties they would face in meeting changes that would affect existing supplier contracts, while noting that reducing the risks around the resilience and security of the supply chain is a priority for all.

Another key concern raised was the proposals around reporting requirements. It was stated that an overly burdensome process for reporting to the regulatory authorities could prevent an organisation from focussing on responding to and managing a serious incident, and that opportunities exist within current practices under the existing MOR requirements in safety regulation.

Feedback received on the AMC/GM was closely interlinked with the comments on the policy and principles within the regulation text, but it was very clear that this document is incredibly important to all organisations and that high-quality guidance is needed to support effective implementation and operation of an ISMS.

Overall, the consultation gave a varied outcome; however, it revealed a common desire to implement proportionate measures to combat the risks associated with cyber security.

We did

Analysis of the responses provided to this consultation will feed directly into our process for preparing the drafting and transposition documents of the rule-making process. It is also forming the basis for reflection within our internal working groups across the CAA.

Our next steps will be to:

  • provide our formal opinion and instruction document to the Department for Transport, in order to commence this regulatory change;
  • work with wider government departments and regulatory bodies on how to fulfil the overall ambitions of the proposed regulation, and to align with government ambitions to increase cyber resilience across all sectors;
  • continue to engage with industry stakeholders on the key topics that have been raised in this consultation;
  • work on further detailed supporting and guidance material to supplement the regulation.

The CAA is committed to transparency and will expand this engagement in due course with the potential for further public consultation.

Overview

The CAA, working with the DfT, is proposing to introduce a new regulation to help protect UK aviation from cyber attacks. This regulation will ensure that the UK is actively engaging with the increasing threat from cyber attacks, and that the UK aviation industry is properly protected against them. It will also support the ICAO Aviation Cybersecurity Strategy (link to external website: icao.int), and will ensure the UK is compliant with ICAO Annexes and SARPs.

The regulation introduces new requirements on aviation organisations for the management of cyber security risks that could impact the safety and security of civil aviation, and will encompass aerodromes, air operations, aircrew, air traffic management, maintenance organisations as well as design and production organisations.

The CAA expects the introduction of this regulation to enhance safety and security through:

  • an increased level of safety, protecting civil aviation from information security risks and making it more resilient to information security events and incidents;
  • an economic benefit for the organisations, helping to protect against the potential for liability costs and the operational and reputational damage caused by cyber incidents.

Regulation

Regulations contain requirements which must be complied with. The CAA’s statutory role is to consider the required content of regulations, consult on our proposed changes to the regulations, take consultation responses into account before forming a final view and then communicate that view to the Secretary of State (Department for Transport) in the form of an Opinion. Our Opinions are published. The Secretary of State makes the final decision whether to implement the CAA’s proposed changes to the regulations, and the final wording of the regulations. The proposed wording of the regulations in this consultation may well change if and when the Secretary of State decides to amend the regulations.

The CAA’s proposal is to introduce a standalone regulation relating to information security risks, and to make incidental amendments to the existing regulatory framework to incorporate this new regulation into the legal requirements for industry.

Acceptable Means of Compliance and Guidance Material

Acceptable Means of Compliance (AMC) are means by which the requirements in the Implementing Rule and the Essential Requirements of the Basic Regulation to which it relates can be met. However, entities may show compliance by other means.

An entity may choose to offer an Alternative Means of Compliance (AltMoC), which must be reviewed and accepted by the CAA. However, it is important to note that the entity will lose the presumption of compliance provided by the CAA AMC, so it is essential for the operator to demonstrate that the AltMoC meets the intent of the Implementing Rule and the Essential Requirements of the Basic Regulation.

Guidance Material (GM) is non-binding and provides explanatory and interpretation material on how to achieve the requirements in the law and the AMC. It contains information, including examples, to assist the applicant with the interpretation of the legislative provisions.

This consultation

The first document presented in this consultation contains the outline structure of the regulation, which includes the scope of applicability.

RMT0019 - ISMS Regulation - Outline Structure for Consultation (PDF)

The second document in this consultation includes the Acceptable Means of Compliance (AMC) and Guidance Material (GM) associated with this regulation.

RMT0019 - ISMS Consultation - Draft-AMC-GM (PDF)

Please access and review both of these documents before using the online survey link below to submit a response to this consultation.

Why your views matter

It is important to the CAA that everyone has an opportunity to voice their opinion on matters that could affect them. There is also a legal requirement to consult when creating or amending regulations as well as AMC and GM.

We welcome comments from every sector of the community. This includes the general public, government agencies and all sectors of the aviation industry, whether as an aviator, aviation consumer and/or provider of related products and services.

How to respond

This consultation will close on the date stated at the top of this page, and we cannot take into account comments received after this date. We will assume that all responses can be published once the consultation has closed. There is an option to request that your name remain private, but in any event your email address will never be published.

Please submit your comments using the online survey link below.

What happens next

At the end of the response period, we will review and publish each comment and submission received.

Your feedback will be considered as we refine the AMC and GM and guide the development of the regulatory changes.

Audiences

  • Commercial airlines
  • Airport operators
  • Air Navigation Service Providers
  • Industry representative bodies
  • Flightcrew
  • Air traffic control staff
  • Cargo shippers
  • Ground handling providers
  • Aerodrome Operators
  • Training organisations
  • ATS initial training organisations
  • Flight operations
  • Airworthiness maintenance organisations
  • Aviation Design & Certification

Interests

  • Safety
  • Security
  • Air Traffic Control
  • Airworthiness
  • Flight Operations
  • AMC & GM consultations
  • Implementing Rules