Case Study

UK Civil Aviation Authority

Modernising Aviation Security Oversight – the UK CAA approach

To address the evolving and complex nature of aviation security risks, the UK Civil Aviation Authority (UK CAA), in conjunction with the Department for Transport, set out in 2015 to modernise the oversight model. The result was the development of a Security Management System (SeMS), designed to enhance resilience, enable proactive risk management, and foster a positive security culture across the UK aviation sector.

Background

Aviation security risks are dynamic and often unique in nature. Those with malicious intent are constantly looking to develop new ways to circumvent aviation security measures and mount attacks on aircraft, people and infrastructure. To support the industry in understanding, assessing and managing these security risks, it was recognised that the current oversight model needed to be developed to provide greater resilience and proactive management of current and emerging security risks.

The United Kingdom Civil Aviation Authority (UK CAA), in conjunction with the Department for Transport, embarked on this modernisation in 2015 with the aim of developing a Security Management System (SeMS) that could be rolled out and embedded across the UK aviation industry.

Shifting from Compliance to Resilience: Developing a Scalable and Collaborative Security Framework

The challenge was wide-ranging, with the UK CAA needing to develop a Security Management System Framework that could be applied consistently across Airports, Air Carriers, Cargo, and In-Flight Suppliers, and that was applicable to organisations of differing size and complexity.

It was important to shift the emphasis from adherence to basic compliance to a mature security posture, where the security culture of the organisation was such that the industry proactively managed its own security risks. This would reduce the likelihood of a risk coming to fruition and, should it materialise, reduce its impact and make swift recovery more manageable; in short, the industry would become more resilient.

To support this posture, it was crucial that the Industry and the Regulator embarked on a partnership approach and enhanced the transparency of dialogue and information sharing.

Building a Proactive Security Culture

Working closely with the Department for Transport, industry and international governing bodies, the UK CAA has developed a SeMS Framework that encourages the philosophy of a top-to-bottom and bottom-to-top culture that ensures that all members of an organisation recognise that they have an important part to play in delivering an efficient, secure operation. The SeMS framework has harmonised all aviation security assurance requirements across all aviation security sectors, creating a positive security culture and recognising other areas such as safety and cyber security.

With its applicability to aviation organisations of varying size and complexity, the framework places accountability where it should sit, at the organisational level, and actively encourages aviation organisations to proactively manage their own risks, both at a local and national level, identifying and addressing vulnerabilities with a focus on relevant/actual incidents, barriers to risk mitigation and the effectiveness of controls in place.

Whilst the SeMS framework allows an entity to have clear oversight and greater governance, it also places security culture at its centre. In developing the SeMS framework, it became apparent that SeMS would not work unless there was buy-in and a commitment at the top to ensure that all staff, not just those directly involved in security, recognised that they have a stake in an organisation’s security culture and that they can report matters of concern and see them acted upon, as appropriate.

The UK CAA SeMS Team, in close collaboration with the industry, introduced further guidance to assist smaller entities on how to embed a SeMS, with a continued focus on those elements that will impact security. There is also further guidance on Security Culture, where a self-assessment tool has been developed for the Industry to utilise proactively.

Risk-Based Oversight: Enhancing Security Management Through Collaboration and Proactive Assurance

The SeMS Framework has become the UK CAA’s recognised approach to the modernisation of aviation security, being the foundation for Risk-Based Oversight (RBO). The SeMS Framework’s proactive approach to security assurance allows organisations to effectively manage their own security risks without compromising aviation security. Guidance and supporting documents on the implementation and delivery of SeMS have led to wider collaboration both domestically and internationally.

By streamlining key processes, the assessment and reporting on security have become more efficient and less time-consuming, and provide entities with greater assurance that they are managing security effectively. The open and collaborative approach has allowed the UK CAA to see not only the snapshot view of compliance but the entire security management system, including where industry vulnerabilities lie, allowing for appropriate mitigation. The proactive approach has encouraged the industry to go above and beyond compliance and actively mature as a sector.

Go beyond compliance with expert advice from the UK CAA

We assist nations and regulated entities in surpassing compliance to exceed international aviation security standards by developing sustainable, risk-based, and proportionate frameworks. Our goal is not only to ensure that States meet their obligations but also to foster a holistic approach that embeds a risk-based strategy and a strong security culture at its core. With our internationally recognised experts, who are key contributors to the ICAO GASeP, we are uniquely positioned to provide expert advice on all aspects of aviation security regulation.