SeMS Sample Pages

This document provides guidance on implementing a Security Management System (SeMS) for aviation security. SeMS is a business-like approach that sets security policies and integrates security awareness throughout an organization. It helps weave security into the organizational culture and ensures compliance with applicable security programs. The goal of SeMS is to provide a standardized structure to help entities build effective security measures and uniform standards across the aviation industry. Implementing SeMS should make security practices more proactive through effective risk assessments rather than relying solely on reactive procedures.

Table of Contents

Foreword ..... 1
Chapter 1—Introduction ..... 3
  Reference Marks ..... 4
Chapter 2—Management ..... 5
  2.1 SeMS Implementation Overview ..... 5
  2.2 Corporate Commitment ..... 7
  2.3 Authorities, Accountabilities and Responsibilities ..... 8
  2.4 Security Objectives and Security Performance Standards ..... 10
  2.5 Security Culture ..... 13
  2.6 Provision of Resources ..... 14
  2.7 Security Department ..... 19
  2.8 Security Communication ..... 20
  2.9 Change Management ..... 22
Chapter 3—Documentation ..... 29
  3.1 Aircraft Operator Security Program ..... 29
  3.2 Security Reporting ..... 34
Chapter 4—Aviation Security Quality ..... 47
  4.1 Quality Assurance and Quality Control ..... 47
  4.2 Quality Assurance Audits ..... 48
  4.3 Quality Control ..... 50
  4.4 Security Audits ..... 51
  4.5 Security Surveys ..... 56
  4.6 Security Tests ..... 56
  4.7 Security Exercises ..... 59
Chapter 5—Security Risk Management ..... 63
  5.1 Security Risk Assessment ..... 63
  5.2 Threat Identification and Assessment ..... 66
  5.3 Risk Management Process ..... 68
  5.4 Operational Risk Assessment ..... 76
  5.5 Integrated Risk Management ..... 80
Chapter 6—Additional Guidance ..... 83
  6.1 Role of Regulations, Regulators and Regulated Entities ..... 83
  6.2 SeMS Dashboard and SeMS Implementation Plan ..... 95
  6.3 Landside Security ..... 107
  6.4 Insider Threats ..... 126
  6.5 In-Flight Theft ..... 136
  6.6 Aviation Cyber Security Management ..... 137
  6.7 Application of Risk Management Concepts to Cyber Threats and Risks ..... 154
  6.8 Recognition of Equivalence ..... 196
  6.9 Case Study–Aviation Security Culture–United Airlines ..... 203
  6.10 Case Study–Overflying Conflict Zones–LOT Polish Airlines ..... 210
  6.11 Case Study–Qantas Group Cyber Management Model ..... 212
Acronyms ..... 217

Chapter 1—Introduction
Security is not only the responsibility of top-level management or the Head of Security. Security involves
everyone and a positive security culture is essential in promoting and maintaining a secure environment.
Positive reinforcement of correct security actions sends the message throughout the organization that
management believes security to be a priority.

The Security Management System (SeMS) is the element of corporate management responsibility that sets
out a company's security policies and its intent to manage security as an integral part of its overall business. It
is important to keep in mind, however, that each entity must implement the system that works best in their
specific situation–there is no “one-size-fits-all” system.

SeMS is a business-like approach to security. As with any business plan, goals are set and levels of authority
are established. Ultimately, once implemented, a SeMS becomes woven into the fabric of the organization and
becomes part of its culture.

Security issues important to air carriers, but not necessarily directly related to compliance with the National
Civil Aviation Security Program (NCASP), may also be included in the SeMS. This reiterates that a SeMS is
designed to be an all-encompassing security process that promotes corporate security awareness and
enables delivery of assurance beyond just simple compliance. It is not meant, however, to replace the
NCASP.

SeMS, by integrating security awareness throughout the organization and verifying compliance through quality
assurance, can be a significant force in achieving the highest possible level of regulatory compliance. Specific
security practices, training and audit functions of a SeMS should be built to ensure compliance with applicable
national aviation security programs.

The goal of the IATA SeMS (required to be implemented by airlines through the IATA Operational Safety
Audit, IOSA) is to serve as a guideline for entities in helping them build effective aviation security measures. A
standardized structure, such as SeMS, provides better and more uniform security standards throughout the
aviation industry.

Through implementation of SeMS, an effective and focused risk assessment should contribute to making
security practices proactive, rather than relying on more traditional reactive and prescriptive procedures.

Sample Data – Not for Operational Use
Security Management System Manual

SeMS offers quantitative and qualitative benefits that can improve overall performance and communication
within a company, as well as with State regulators. SeMS enhances a company's security culture, regulatory
collaboration and resource utilization. SeMS allows for optimum flexibility in the way entities develop and
implement security—aviation security in particular—by easily integrating it into their business model. SeMS is
essentially risk-based and encourages implementation of procedures that focus on outcomes rather than on
rigid compliance with directed requirements (where States allow this). SeMS is also leadership driven,
requiring senior management's commitment to building a strong security culture. That means the
organization's attitude and philosophy towards security must be strategic, proactive and enlightened. Senior
management must also define the corporation's risk appetite and resilience. Standardized security programs
and cohesive quality assurance will produce more effective and sustainable program delivery and should
result in fewer audit findings. Ultimately, SeMS delivers a better security posture.

Chapter 2—Management
2.1 SeMS Implementation Overview
Aviation security, as part of the business of aviation, needs to be managed like any other element of business
or corporate activity. Senior management is ultimately responsible and held accountable for security within the
organization. They establish the organization's attitude toward security–the security culture. Employees look to
management as examples of what should and should not be done with regards to security.

No matter the size, type or complexity of operations, the top executive and senior management play a major
role in determining a company's commitment to security. The general direction and vision should come from
the highest level. Senior management is responsible for setting the security standards and promoting security
within the organization.

Many organizations tend to pay a lot of attention to security in times of crisis and leave security on the back
burner when things get back to normal. It is important to maintain an emphasis on security no matter the
threat level, develop contingency and resilience plans when the pressure is not at maximum, and continuously
adapt to the ever-evolving threat. Keeping security at the forefront contributes to maintaining a positive
security culture and it helps the organization to better anticipate risks and respond appropriately in the event of
a security breach or incident.

The following points should be addressed when a SeMS is implemented:

• Build on existing processes and procedures rather than starting over.

• Adopt “best practices” as the goal.

• Develop a company-wide system. Established at the corporate level, SeMS should then devolve to
individual departments. In the case of an airline, Flight Operations, In-flight, Baggage Services, Passenger
Services, Airport Services, Call Center and all other departments that contribute to security, both frontline
and support, should have security goals and objectives.

• Each entity is responsible for the development of security procedures under the umbrella of SeMS, taking
into account its own operational environment and available resources as well as the regulatory
framework (in the case of an airline, this will primarily be the law of its State of Registry and State(s) of
Operations).

• If some security operations are outsourced, contracts should identify the need for the supplier to conform
to the applicable policies of the SeMS in relation to the service provided. Subcontractor selection should
recognize standards of performance, rather than just a low bid.

The Dashboard (Section 6.2) is based on commonly agreed SeMS principles and is intended to assist
stakeholders seeking to implement SeMS within any framework. Referring to the core elements of SeMS, the
Dashboard provides several key activities to be performed and outcomes to be identified to demonstrate three
stages (levels) of SeMS development.


The first level aims to assess an organization's readiness to implement SeMS by identifying its current
capability (organizational ability evaluation).

This assessment will result in substantial training and communication improvement, review and reissuance of
organizational policies (e.g., security commitment from senior management) and allocation of necessary
resources.

The next level covering key system development will be the implementation of SeMS. To fully implement
SeMS, there is, in most cases, an initial need for:

• Commitment from senior leadership to move in this direction

• Increased communication of the new approach

• Development of new, or an adjustment of existing, standard operating procedures

• Modification of cooperation standards between operational and non-operational units of the entity

• Development of performance indicators

The final level can be achieved once the organization's SeMS becomes mature. Successful implementation of
SeMS at this stage focuses on development of data analysis and quality assurance, which allows a maturity
level that is not limited to only preserving conformance.

When an organization decides that it will implement SeMS in its operations, it is essential that a plan be drawn
up. The implementation of SeMS is complex and involves several entities within and outside the organization.
It is paramount that all affected parties are aware of what is expected of them as well as who they will need to
cooperate with and at which moment in the project. Clearly, the scope is dependent on many variables,
including the size of the organization, the current level of integration, regulatory requirements, etc.

A model SeMS implementation plan is included in Section 6.2 (high-level activities). An organization will need
to identify each individual task, under all the main project components, detail them and provide a timeline.
Multiple tasks can and should be undertaken at the same time. However, some tasks will be dependent on the
outcomes of others. Clearly, the larger the organization, the greater the number of line items.

SeMS also offers an improved framework for Recognition of Equivalence processes described in Section 6.8
as it facilitates, for example, the recognition of Aircraft Operators Security Program (AOSP) equivalence
between States.

The system encourages collaborative work between States and airlines when there are threat and regulation
changes, which can help strengthen relationships between States, regulators and the industry. The system
also encourages airlines to have more responsibility for decision-making.

IATA supports the development of SeMS frameworks, allowing entities to build a mature SeMS. This
will enable improvement in systematic security risk management as well as proactive identification of gaps
and weaknesses. It is equally important to recognize that SeMS is a live process founded upon continuous
review and improvement, leading to constant reinforcement of the system.


2.2 Corporate Commitment


It is recommended that corporate commitment be formulated through the company security policy. The policy
is a mechanism for controlling corporate behavior by governing the behavior of people who work within that
organization. The policy exists to ensure, in each situation, that people will behave in a way that is predictable,
advisable and in the best interests of the organization and employees. Corporate security policy should define
security as a priority (like safety).

A company's security policy needs to relate to its security objectives. That means the latter should be a
consequence of what is established in the policy. Security objectives should be aligned with business
objectives. Therefore, a reconciliation of security and business requirements needs to take place to ensure
security objectives do not become disconnected and adversely affect the engagement of non-security
management.

In aviation, an aircraft operator may decide to use its safety policy (referred to in the IOSA Standards Manual
in Section ORG 1.2.1 and 1.2.2) as a reference point to develop a security policy. Such a policy should be
included in a controlled document and communicated throughout the organization. The safety and security
policies can be combined, depending on the size of the aircraft operator and its organizational structure. In
any case, safety and security are components of an overall corporate policy committing the organization to
continuous improvement of the management system. Therefore, the SeMS should be designed to enable such
an improvement process, either because of maturation of the system or in response to identified needs.

The organization, recognizing the need to manage aviation security, should issue a document/policy that
includes the following:

• A senior management commitment to security as a fundamental priority throughout the organization,
signed by the accountable executive

• A commitment to compliance with aviation security regulations and the adoption of industry best practices

• A commitment to the development and subsequent continuous improvement of its management system
and security culture

• Promotion of a culture that includes non-punitive reporting procedures, where feasible, and encourages
the reporting of any inadvertent human error

• A clear statement of the organization's security objectives and measures necessary to conform to security
regulations

• A description of the operational security duties and responsibilities of senior management

• Reinforcing statements that security (like safety) is a primary responsibility of all managers

• Communications processes that permit a free flow of information throughout the organization

• A clear statement that the security principles outlined in the organizational security policy apply to both
employees and contracted parties

• A requirement for continuous senior management review and improvement


Executive management's commitment to security is illustrated by the degree to which security is given
exposure in the business’ routine processes. To support the establishment, implementation and
communication of security responsibilities, the Board of Directors should consider:

• Having security as a standing item on the agenda of its meetings.

• Establishing a Security Review Board (committee) to provide a common platform for all affected
stakeholders to discuss security issues. This could be, depending on organizational arrangements, a body
merged with the Safety Board or set up separately.

• Ensuring business unit managers take the ownership of security responsibilities and related supportive
actions (especially corrective actions, as required).

• Requiring identification and escalation of issues.

• Supporting the policy with actions, such as:

○ Recurrent reinforcement of employees’ awareness on their security roles

○ Promoting routine managerial behaviors driven by risk assessments

○ Security planning and security quality control

The executive level should ensure security objectives are linked and complementary to the overall business
and risk management strategy.

The executive statement of commitment to security should be available to all the air carrier's employees and
subcontractors to promote the message that the air carrier is strongly committed to security. Furthermore,
subcontractors may be required to confirm their agreement with the executive statement in writing (if deemed
necessary).

2.3 Authorities, Accountabilities and Responsibilities


Although motives might be different, all stakeholders share a similar interest in securing the aviation industry.
However, the potential for gaps and/or overlaps in responsibilities may exist when more than one entity is
handling security. It is crucial for regulator, airport and airline security officials to establish clear jurisdictional
boundaries, internally and externally, to ensure all entities understand where their respective jurisdictions
begin and end.

Whereas gaps in security create obvious problems and expose the entire aviation infrastructure to threats, the
presence of unnecessary overlaps between different groups can also lead to problems. Without proper
coordination, the presence of multiple entities providing security services could lead to inaccurate assumptions
that might, in fact, result in unintended gaps in the security system. Also, having multiple groups doing the
same job might lead to power struggles, where effort would be wasted competing with one another.

For airlines, according to IOSA Standards and Recommended Practices, the following elements should be
considered when establishing security authorities and responsibilities:

• Senior management level accountability

• Security responsibilities (overall responsibility and product process responsibilities)


Depending on the size, structure and complexity of the organization, the allocation of responsibilities might be
different. Nevertheless, the entity shall ensure there is clearly assigned accountability [1].

While accountability can be understood in a range of ways, it is one of the cornerstones of good governance.
Essentially, it is related to answerability and enforcement.

Answerability can be interpreted as the obligation to be held ultimately responsible for decisions and policies,
and for the performance of applicable functions, duties, tasks or actions. Enforcement means ensuring, and
being empowered to ensure, actions are executed or performed and contravening behaviors are remedied.
Accountability is neutral—it is neither a negative nor positive concept. Consequently, satisfactory results get
recognized and failure may involve sanctions.

Accountability must specify:

• Responsibilities [2]

• Authority (information to managers about the scope and limitations of their authority and responsibility,
organizational values, policies, rules, objectives, behavioral standards; expected results and resources
and how they will be monitored and assessed)

• Duty to provide guidance and support (regular and timely management information as well as access to
and advice from managers)

• Task to monitor and assess exercised responsibilities and authority (delivery, performance and quality,
compliance with internal standards)

• Taking appropriate actions when necessary (dealing with both satisfactory and unsatisfactory
performance, negligence, exceeding authority)

In this context, it should be clearly defined who carries the ultimate accountability for security in the
organization, together with the fact that it cannot be delegated.

Responsibility, as an obligation to execute or perform assigned functions, duties, tasks or actions, is related to
the job description, function and authority of a certain position.

In practical terms, depending on the organizational arrangements, typically there will be more than one
managerial position responsible for different security duties. However, the final accountability should be
concentrated under one position (usually the Accountable Executive).

With all that in mind, a person holding a security manager's position should not only be knowledgeable and
experienced in terms of aviation security, but also capable of developing quantitative, analytical and strategic
thinking (i.e., have business and management skills). The airline should, therefore, seek to educate security
managers so they understand business concepts, are capable of building business cases, and share the
overall corporate vision, strategy and objectives.

[1] Accountability—The obligation to accept ultimate responsibility for decisions and policies, and for the performance of applicable
functions, duties, tasks or actions; implies being answerable (i.e. accountable) for ensuring such responsibility is executed or
performed. Accountability may not be delegated (source: IRM).
[2] Responsibility—An obligation to execute or perform assigned functions, duties, tasks or actions; typically includes an appropriate level
of delegated authority; implies holding a specific office, title, or position of trust (source: IRM).


The security responsible person should be, as per IOSA (SEC 1.1.2), a person with direct access to the
highest level of management. Furthermore, as this person is accountable for ensuring the implementation of
the AOSP in the company, interaction with other business area managers/senior managers will be inevitable.
It should also be taken into consideration that IOSA SEC 1.5.2 requires the aircraft operator to ensure
functions are filled by personnel based on knowledge, skills, training and experience appropriate for the
position.

2.4 Security Objectives and Security Performance Standards


Security objectives will derive from the vision, mission and, ultimately, the purpose of establishing the Security
department within the organization. This should be a prerequisite for further development of measurements
and metrics, which are of importance for executive management.

The goal of security is to keep the business’ risk exposure within the threshold acceptable for the executive
management.

Measurements and metrics in security, like other governance, should be applied to reliably indicate the value
security is bringing to the organization. It is an old cliché to say “what doesn’t get measured doesn’t get done”.
Still, it should be recognized that security measurements are not so much about numbers, but rather about
performance. As a result, measurements should constitute Key Performance Indicators/Security Performance
Indicators (KPI/SPI) leading to the establishment of relevant targets. Early collection of baseline metrics
typically enables stakeholders to measure improvements or changes against each KPI over time.

Metrics should be developed based on what is meaningful for those seeking information from Security. Metrics
will also influence the communication content. Metrics should be SMART: Specific to what is required and
understandable, Measurable from available data, Actionable/Achievable driving change and positive results,
Relevant to what is important, and Timely because verifiably reliable data should be there when you need it.

When security recommendations are declined, or security incidents go unaddressed (especially when this is
recurrent), the cause may be little ownership of security matters in the business units or insufficient quality of
the security recommendations themselves. Security needs to look at the quality of its own work, but should
also consider a modified approach to escalation.

The examples below are nowhere close to being a comprehensive list. They are more of a starting point to
initiate and stimulate internal discussion tailored to each individual organization. They are intended to show
the link between objectives/drivers and the metrics that could be applied. All entities present in the airport
environment may seek to break the categories down even further by developing specific metrics for the areas
of security they consider important.

Note:
Airline metrics and measurements should be used to monitor and assess SeMS processes to fulfill
requirements of IOSA SEC 1.9.2.


Figure 2.4.1—SeMS Approach–Alignment between Business Objectives and Aviation Security
Measurements/Metrics (Source: IATA). [Figure image not reproduced in this extract.]

Table 2.4.1—Examples of SeMS-Related Security/Key Performance Indicators (SPI/KPI) in Aviation Security

Each entry lists the SPI/KPI, its Target, and whether it is a Reactive (R) or Proactive (P) indicator.

SPI/KPI: Risks inventory updated through proactive identification and mitigation
Target: Continuous update of the risk inventory/register
Indicator: P

SPI/KPI: Identified risks signed-off
Target: 100% of identified risks signed-off
Indicator: P

SPI/KPI: Number of identified non-conformities from external compliance monitoring activities
Target: No more than one major/critical non-conformity per audit with no reoccurrence during the follow-up
Indicator: R

SPI/KPI: Timely resolution of internal compliance monitoring findings
Target: No more than one major/critical finding per internal quality control activity with no reoccurrence during the follow-up
Indicator: R

SPI/KPI: The number of failed or ineffectual business unit responses to issues identified by Security as control weaknesses
Target: 100% of internally identified findings rectified completely within the internally established timeframe
Indicator: P

SPI/KPI: Security cost per $ of revenue
Target: Not exceeding x% of security costs per $ of revenue
Indicator: P

SPI/KPI: Rejecting or not-following security recommendations
Target: Number of days necessary to close security finding (the maximum should not exceed xx days–as per company policy)
Indicator: P

SPI/KPI: Failing to address security vulnerabilities
Target: % of internal security reports attributable to documentation/procedure deficiencies as a primary/root cause (decrease of xx% calculated year-over-year–as per company policy)
Indicator: R
Target: % of internal security reports attributable to supervision/oversight deficiencies as a primary/root cause (decrease of xx% calculated year-over-year–as per company policy)
Indicator: R

SPI/KPI: Impact of security occurrences
Target: xx% of mitigation measures requiring adjustment after first review (as per company policy)
Indicator: P

SPI/KPI: Post-awareness initiatives (percent reduction in incidents)
Target: xx% of internal security investigations attributable to lack of awareness as a primary/root cause (decrease of xx% calculated year-over-year–as per company policy)
Indicator: P

Source: IATA


2.5 Security Culture


An enhanced security culture will strengthen the regulatory collaboration that can improve data sharing and
analysis, which will collectively lead to better trust, education, development, regulation and enforcement. The
system is cost-effective to set up and maintain, and it can also reduce enforcement costs. The benefits will
also lead to better cross-border data management and enhance the commitment to continuous improvement
among States and airlines.

Security culture is a type of organizational culture that encourages optimal security performance.
Organizational culture is commonly understood to be a set of norms, beliefs, values, attitudes and assumptions
that are inherent in the daily operation of organizations and abided by all entities and personnel within those
organizations. Security culture cannot be considered in isolation of the organizational culture as a whole.

Just as leaders have a critical impact on organizations and their culture, organizational cultures greatly
influence leaders by guiding their decisions. Organizations should, therefore, ensure that the full commitment
at every level of leadership, from top management to supervisors, is applied at all times and in all activities,
strategies, policies and objectives to continuously improve the security culture.

Management should lead by example and encourage all employees to adopt a security mindset by advocating
security as an organizational and personal value and aligning their own behavior with this value.

To establish or improve security culture in organizations, measures should be developed to enhance such
norms, beliefs, values, attitudes and assumptions. These enhancements should aim to further the following
principles:

• Encourage awareness of and alertness to security risks by all personnel

• Promote the role that employees play in identifying, eliminating, reducing or otherwise managing security
risks

• Allow the necessary time and make the necessary effort to comply with security measures, even when
under operational time constraints or external pressure

• Promote willingness to accept responsibility, be proactive and make decisions autonomously in the event
of security breaches or incidents

• Challenge other employees in case of irregularities and accept being challenged

• Immediately report incidents or any suspicious activity that might be security-related

• Foster critical thinking regarding security and interest in finding potential security vulnerabilities and
solutions

• Appropriately handle security-sensitive information

The Security department needs to promote a sound security culture to create an atmosphere where every
employee can transmit information they have gathered on security issues.

Security culture is also discussed in the case study in Section 6.9.
