Airport Security Questionnaire Preparation Guide

For Aviation Fuel Suppliers and Airport Service Providers

A practical guide to responding to airport security questionnaires and meeting aviation sector cyber security requirements

Published: January 2026

Author: Dead Simple Computing Ltd

Version: 1.0

Contents

  • Executive Summary
  • Why Airports Are Asking
  • What You'll Be Asked
  • Common Questionnaire Frameworks
  • Section-by-Section Guidance
  • Evidence You'll Need
  • Answering Difficult Questions
  • Common Gaps and Quick Fixes
  • Moving Toward Certification
  • Template Responses
  • Questionnaire Response Checklist
  • How DSC Can Help

1. Executive Summary

If you supply services to airports—particularly aviation fuel—you're likely receiving security questionnaires. Major airports are systematically assessing their supply chain's cyber security posture, and fuel suppliers are high on the list.

Why this is happening:

  • Aviation is Critical National Infrastructure
  • NIS2 and the UK Cyber Security and Resilience Bill increase obligations
  • High-profile supply chain attacks have raised awareness
  • Airports are liable for their supply chain security
  • Insurance and regulatory requirements are tightening

What airports want to see:

  • Formal security policies and governance
  • Technical controls (access management, patching, monitoring)
  • Incident response capability
  • Business continuity planning
  • Staff awareness training
  • Ideally: ISO 27001 or Cyber Essentials Plus certification

The opportunity:

Suppliers who can confidently answer questionnaires and demonstrate security will maintain and win contracts. Those who can't will face increasing pressure and potential loss of business.

DSC advantage:

We've worked in aviation fuel operations. We understand your environment—24/7 operations, fuel farms, legacy systems, operational technology. This isn't generic IT security advice.

2. Why Airports Are Asking

Regulatory Pressure

NIS Regulations / NIS2:

Aviation is a designated essential service sector. Airport operators must ensure the security of systems supporting aviation operations, including their supply chain.

Cyber Security and Resilience Bill:

The Bill strengthens supply chain security requirements and introduces "Designated Critical Supplier" status. Fuel suppliers could be designated.

CAA / DfT Requirements:

Aviation regulators expect operators to manage cyber security risks across their operations, including third parties.

Industry Drivers

Supply chain attacks:

Major incidents in 2025 (M&S, JLR, Synnovis) demonstrated supply chain vulnerabilities. Airports don't want to be next.

Insurance requirements:

Aviation insurance increasingly requires demonstrated cyber security across operations.

Operational dependency:

Airports depend on fuel supply. A cyber incident affecting fuel operations could ground flights and close airports.

What Airports Are Thinking

From the airport perspective:

  • "Our fuel supplier has access to our systems/data"
  • "A fuel supply disruption would impact our operations"
  • "We're responsible for our supply chain security"
  • "Regulators will ask us about our suppliers"
  • "We need evidence of security, not just assurances"

The Direction of Travel

This pressure will increase, not decrease:

  • Questionnaires will become more detailed
  • Certification requirements will become contractual
  • Audits and site visits will become standard
  • Non-compliant suppliers will lose business

Get ahead of it now.

3. What You'll Be Asked

Typical Questionnaire Scope

Governance and Management

  • Security policies
  • Roles and responsibilities
  • Risk management
  • Management commitment

Technical Security

  • Network security
  • Access control
  • System hardening
  • Patching and updates
  • Encryption
  • Mobile devices
  • Remote access

Data Protection

  • Data classification
  • Data handling procedures
  • Encryption
  • Retention and destruction

People

  • Staff screening
  • Security awareness training
  • Acceptable use policies
  • Leaver processes

Operations

  • Change management
  • Backup and recovery
  • Logging and monitoring
  • Vulnerability management

Incident Response

  • Incident response plan
  • Notification procedures
  • Business continuity
  • Disaster recovery

Supply Chain

  • Your suppliers
  • Third-party access
  • Subcontractor management

Compliance

  • Certifications held
  • Regulatory compliance
  • Audit history

Question Volume

Expect anywhere from 50 to 200+ questions depending on the airport and their framework. Major airports often use comprehensive frameworks.

Response Format

Typically:

  • Yes/No/Partial answers
  • Free text explanations
  • Evidence upload
  • Follow-up questions on gaps

4. Common Questionnaire Frameworks

Airport-Specific Questionnaires

Many airports have developed their own questionnaires, often based on:

  • ISO 27001 controls
  • NCSC guidance
  • Industry best practice
  • Regulator expectations

Standardised Frameworks

Some airports use standardised frameworks:

SIG (Standardised Information Gathering)

A comprehensive questionnaire covering the main security domains. Common in financial services but adopted elsewhere.

CAIQ (Consensus Assessments Initiative Questionnaire)

Cloud Security Alliance framework, used for cloud services.

Supplier security questionnaires

Various other industry-standard formats are also in use.

What They're Based On

Most questionnaires map to:

  • ISO 27001 / ISO 27002 controls
  • NCSC 10 Steps to Cyber Security
  • Cyber Essentials controls
  • NIST Cybersecurity Framework
  • CAF (Cyber Assessment Framework)

Understanding these frameworks helps you understand what questionnaires are really asking.

5. Section-by-Section Guidance

Section: Information Security Governance

What they're asking:

Do you have formal security policies and management commitment?

What good looks like:

  • Documented Information Security Policy
  • Policy approved by senior management
  • Policy communicated to staff
  • Regular policy review (at least annual)
  • Assigned security responsibilities
  • Security reporting to management

Key questions:

  • Do you have an Information Security Policy?
  • Who is responsible for information security?
  • How often is security reviewed at management level?
  • Is there a dedicated security role or function?

What to have ready:

  • Information Security Policy document
  • Evidence of management approval
  • Organisation chart showing security responsibilities
  • Minutes/records of management review

Section: Risk Management

What they're asking:

Do you understand and manage your security risks?

What good looks like:

  • Documented risk assessment process
  • Risk register/assessment for information security
  • Regular risk reviews
  • Risk treatment decisions documented
  • Risks reported to management

Key questions:

  • Do you conduct regular risk assessments?
  • How do you identify and prioritise security risks?
  • How are risk treatment decisions made?

What to have ready:

  • Risk assessment methodology document
  • Risk register (sanitised if needed)
  • Evidence of risk review

Section: Access Control

What they're asking:

Do you control who can access what?

What good looks like:

  • Unique user accounts (no shared accounts)
  • Access based on need/role
  • Regular access reviews
  • Privileged access managed
  • Strong authentication (MFA)
  • Prompt removal of leaver access

Key questions:

  • Do all users have unique accounts?
  • How is access to systems authorised?
  • Do you use multi-factor authentication?
  • How is privileged/admin access managed?
  • How quickly is access removed when staff leave?

What to have ready:

  • Access control policy
  • User access provisioning procedure
  • Evidence of MFA implementation
  • Leaver process documentation
  • Evidence of access reviews

Section: Network Security

What they're asking:

Is your network protected?

What good looks like:

  • Firewalls at network boundaries
  • Network segmentation
  • Secure wireless configuration
  • Remote access secured (VPN + MFA)
  • Network monitoring

Key questions:

  • Do you use firewalls?
  • Is your network segmented?
  • How is remote access secured?
  • Do you monitor network activity?

What to have ready:

  • Network diagram (high-level)
  • Firewall configuration evidence
  • Remote access policy
  • VPN configuration evidence

Section: System Security

What they're asking:

Are your systems secure and maintained?

What good looks like:

  • Secure baseline configurations
  • Regular patching (especially critical/high)
  • Supported software only
  • Anti-malware deployed
  • Vulnerability scanning

Key questions:

  • How do you ensure systems are securely configured?
  • What is your patch management process?
  • Do you use any unsupported software?
  • Do you have anti-malware on all endpoints?
  • Do you conduct vulnerability scanning?

What to have ready:

  • Patch management policy/procedure
  • Evidence of patch status
  • Vulnerability scan reports (summary)
  • Anti-malware deployment evidence
  • List of any unsupported systems (with risk acceptance)

Section: Data Protection

What they're asking:

How do you protect data?

What good looks like:

  • Data classification scheme
  • Encryption for sensitive data (transit and rest)
  • Secure data disposal
  • Backup procedures
  • Data retention policy

Key questions:

  • Do you classify data by sensitivity?
  • Is data encrypted in transit and at rest?
  • How do you securely dispose of data?
  • How often do you back up data?

What to have ready:

  • Data classification policy
  • Evidence of encryption (email, storage, transmission)
  • Data disposal procedures
  • Backup policy and evidence of testing

Section: Physical Security

What they're asking:

Is your physical environment secure?

What good looks like:

  • Access control to premises
  • Visitor management
  • Secure areas for sensitive equipment
  • Clear desk policy
  • Equipment disposal procedures

Key questions:

  • How is physical access to your premises controlled?
  • How do you manage visitors?
  • Where are servers/critical systems located?

What to have ready:

  • Physical security policy
  • Visitor procedures
  • Evidence of access controls (fobs, locks, etc.)

Section: Personnel Security

What they're asking:

Do you screen and manage your people?

What good looks like:

  • Pre-employment screening
  • Security awareness training
  • Acceptable use policies
  • Defined leaver process

Key questions:

  • Do you conduct background checks on staff?
  • Do staff receive security awareness training?
  • Is there an acceptable use policy?

What to have ready:

  • Screening/vetting procedures
  • Training records/completion rates
  • Acceptable use policy
  • Joiner/leaver procedures

Section: Incident Management

What they're asking:

Can you respond to security incidents?

What good looks like:

  • Documented incident response plan
  • Defined roles and responsibilities
  • Incident classification
  • Notification procedures (including to customers)
  • Plan tested at least annually

Key questions:

  • Do you have an incident response plan?
  • How would you notify us of an incident?
  • Have you tested your incident response?
  • What is your notification timeframe?

What to have ready:

  • Incident response plan
  • Evidence of testing (tabletop exercise records)
  • Incident notification template
  • Contact details for reporting

Section: Business Continuity

What they're asking:

Can you continue operating after a disruption?

What good looks like:

  • Business continuity plan
  • Recovery time objectives defined
  • Backup and recovery procedures
  • Plan tested

Key questions:

  • Do you have a business continuity plan?
  • What are your recovery time objectives?
  • Have you tested your recovery capabilities?

What to have ready:

  • Business continuity plan
  • Recovery objectives
  • Evidence of testing (backup restore tests, DR exercises)

Section: Supply Chain

What they're asking:

Do you manage security risks from your suppliers?

What good looks like:

  • Critical suppliers identified
  • Supplier security assessed
  • Security requirements in contracts
  • Supplier monitoring

Key questions:

  • How do you assess supplier security?
  • Do contracts include security requirements?
  • Who are your critical IT/security suppliers?

What to have ready:

  • Supplier management procedures
  • Evidence of supplier assessment
  • Contract clauses for security

Section: Certifications and Compliance

What they're asking:

What formal certifications do you hold?

What good looks like:

  • Cyber Essentials (minimum)
  • Cyber Essentials Plus (better)
  • ISO 27001 (best)
  • Current and valid certificates

Key questions:

  • Do you hold Cyber Essentials certification?
  • Are you ISO 27001 certified?
  • Are your certifications current?

What to have ready:

  • Copies of certificates
  • Scope statements
  • Expiry dates
  • Plans for certification (if not yet certified)

6. Evidence You'll Need

Documentation

Policies:

  • Information Security Policy
  • Access Control Policy
  • Acceptable Use Policy
  • Data Protection Policy
  • Incident Response Policy
  • Business Continuity Policy
  • Remote Working Policy

Procedures:

  • User access management
  • Joiner/mover/leaver process
  • Patch management
  • Backup and recovery
  • Incident response
  • Change management

Records:

  • Risk assessments
  • Training completion
  • Access reviews
  • Incident logs
  • Audit results
  • Management reviews

Technical Evidence

  • Network diagrams
  • Firewall rule summaries
  • Patch status reports
  • Vulnerability scan summaries
  • Backup test results
  • MFA deployment status
  • Anti-malware coverage

Certifications

  • Cyber Essentials certificate
  • Cyber Essentials Plus certificate
  • ISO 27001 certificate
  • Any other relevant certifications

Tip: Create an Evidence Pack

Maintain a standard evidence pack that can be shared alongside your questionnaire responses:

  • Current certificates
  • Security policy (or summary)
  • High-level network diagram
  • Training completion summary
  • Incident response summary
  • Key contact details

This saves time and ensures consistency.

7. Answering Difficult Questions

"Do you have...?" (When you don't)

Don't lie. Questionnaire responses may be audited.

Do explain:

  • What you do have
  • Your plans to address the gap
  • Any compensating controls
  • Realistic timeline for implementation

Example:

"We do not currently hold ISO 27001 certification. We are Cyber Essentials Plus certified (certificate attached). We have engaged with consultants to begin ISO 27001 implementation with target certification in Q3 2026."

"Provide evidence of..." (When evidence is limited)

Provide what you can:

  • Screenshots
  • Configuration exports
  • Policy extracts
  • Attestation statements

Explain limitations:

"Full vulnerability scan reports contain sensitive information. We have provided a summary showing scan frequency, coverage, and critical/high finding counts and remediation status."

Questions About Legacy Systems

Aviation fuel operations often include legacy systems (fuel management, SCADA, etc.).

Be honest about limitations:

"Our fuel management system runs on [older platform]. As this is a specialised operational system, patching is managed through the vendor's maintenance schedule. The system is network-segmented from corporate IT and monitored for anomalies."

Highlight compensating controls:

  • Network segmentation
  • Enhanced monitoring
  • Restricted access
  • Vendor support arrangements

Questions About OT/Operational Technology

Explain your approach:

"Operational technology systems (fuel management, metering) are managed separately from corporate IT with network segmentation, restricted access, and specific change management processes appropriate to operational systems."

Questions About Third-Party Access

If fuel system vendors have remote access:

Explain controls:

  • How access is authorised
  • How access is authenticated (MFA, VPN)
  • How access is logged and monitored
  • How access is reviewed

8. Common Gaps and Quick Fixes

Governance Gaps

Gap                                  Quick Fix
No Information Security Policy       Create one (template available, can be done in days)
No assigned security responsibility  Formally assign to someone senior
No management review                 Schedule quarterly security review meeting

Technical Gaps

Gap                        Quick Fix
No MFA                     Enable MFA on Microsoft 365, VPN, critical systems
Inconsistent patching      Implement patch management process, automate where possible
No vulnerability scanning  Engage scanning service or deploy tool
Shared accounts            Eliminate shared accounts, create individual accounts
No endpoint protection     Deploy EDR/anti-malware to all endpoints

Process Gaps

Gap                        Quick Fix
No incident response plan  Create plan using NCSC template
No training programme      Implement online security awareness training
No access reviews          Schedule quarterly access reviews
No backup testing          Test backup restoration, document results

Documentation Gaps

Gap                       Quick Fix
Policies not documented   Document existing practices as policies
No evidence of processes  Start recording/documenting activities
Out-of-date documents     Review and update, implement review cycle

Longer-Term Fixes

Gap               Action                                        Timeline
No certification  Achieve Cyber Essentials                      4-8 weeks
Need CE+          Progress from CE to CE+                       4-8 weeks
Need ISO 27001    Full implementation project                   6-12 months
Legacy systems    Segmentation, monitoring, vendor engagement   Ongoing

9. Moving Toward Certification

Why Certification Matters

Certification provides:

  • Third-party validation
  • Simplified questionnaire responses
  • Competitive advantage
  • Customer confidence
  • Reduced assessment burden

Certification Pathway

Step 1: Cyber Essentials

  • Self-assessment questionnaire
  • Five basic technical controls
  • Achievable in 2-4 weeks
  • Good starting point

Step 2: Cyber Essentials Plus

  • Same controls as CE
  • Independent technical verification
  • Assessor tests your systems
  • Higher assurance for customers
  • Often sufficient for aviation requirements

Step 3: ISO 27001

  • Comprehensive security management system
  • Covers governance, risk, technical controls
  • Independently audited
  • International recognition
  • Increasingly requested by major airports

What Certification Demonstrates

Certification          What It Shows
Cyber Essentials       Basic controls in place
Cyber Essentials Plus  Controls verified by independent testing
ISO 27001              Comprehensive security management, continuous improvement

Impact on Questionnaires

With certification, questionnaire responses become easier:

Without certification:

  • Answer every question in detail
  • Provide evidence for each answer
  • Justify your approach
  • Face more follow-up questions

With certification:

  • Reference certification for covered areas
  • Provide certificate as evidence
  • Focus on areas outside certification scope
  • Faster, more confident responses

10. Template Responses

Governance

Q: Do you have an Information Security Policy?

"Yes. Our Information Security Policy was approved by [Managing Director/Board] on [date] and is reviewed annually. The policy establishes our commitment to protecting information assets and sets out roles, responsibilities, and key security principles. A copy is available on request."

Q: Who is responsible for information security?

"Overall responsibility for information security rests with [Name, Title]. Day-to-day security management is handled by [Name/Team/IT Provider]. Security is reviewed at management level [quarterly/monthly]."

Access Control

Q: Do you use multi-factor authentication?

"Yes. MFA is enforced for all cloud services (Microsoft 365), remote access (VPN), and privileged access to critical systems. We use [Microsoft Authenticator/other] for MFA."

Q: How do you manage user access?

"User access is provisioned based on role requirements following a formal request and approval process. Access rights are reviewed quarterly. When staff leave, access is revoked on their last day via our leaver process."

Technical Controls

Q: Describe your patch management process.

"We operate a formal patch management process. Critical and high-severity patches are assessed and applied within [14 days] of release. All systems are patched monthly. Patching is managed by [internal team/MSP] and tracked through [system/tool]."

Q: Do you conduct vulnerability scanning?

"Yes. We conduct [quarterly/monthly] vulnerability scans of external-facing systems and [frequency] scans of internal systems. Results are reviewed, prioritised by severity, and remediated according to our patch management policy. Summary reports are available on request."

Incident Response

Q: Do you have an incident response plan?

"Yes. Our Incident Response Plan defines roles, responsibilities, and procedures for identifying, containing, and recovering from security incidents. The plan is tested [annually] through tabletop exercises. Our plan includes notification procedures for affected customers."

Q: How quickly would you notify us of an incident affecting our data/services?

"We will notify customers of any security incident that may affect their data or services within [24/48] hours of detection. Notification would be made to your designated security contact via [email/phone] with follow-up information as the incident is investigated."

Certifications

Q: What security certifications do you hold?

"We currently hold [Cyber Essentials Plus / ISO 27001] certification. Our certificate is valid until [date]. A copy is attached."

Q: Are you working toward any certifications?

"We are currently [Cyber Essentials certified and working toward CE+ certification / implementing ISO 27001 with target certification in Q[X] 2026]. We have engaged [consultant/certification body] to support this process."

11. Questionnaire Response Checklist

Before You Start

  • Understand the deadline
  • Review all questions before answering
  • Gather existing documentation
  • Identify key respondents for different sections
  • Check for evidence requirements

During Response

  • Answer all questions (don't leave blanks)
  • Be honest about gaps
  • Provide evidence where requested
  • Use consistent answers throughout
  • Note where improvement is planned

Quality Check

  • All questions answered
  • Evidence attached correctly
  • Answers are accurate and honest
  • Answers are consistent with each other
  • Contact details provided for follow-up

After Submission

  • Keep copy of submitted responses
  • Save all evidence provided
  • Note any commitments made
  • Track follow-up questions
  • Document improvement actions

For Next Time

  • Update master response document
  • Address gaps identified
  • Gather missing evidence
  • Progress certification plans
  • Build evidence library

12. How DSC Can Help

Dead Simple Computing has direct experience in aviation fuel operations. We understand your environment and can help you meet airport security requirements.

Questionnaire Support

Response assistance:

  • Help preparing questionnaire responses
  • Review responses before submission
  • Evidence gathering and organisation
  • Follow-up question support

Gap identification:

  • Identify gaps in current security
  • Prioritise remediation
  • Quick wins to improve responses

Certification

Cyber Essentials / CE+:

  • Readiness assessment
  • Gap remediation
  • Certification support

ISO 27001:

  • Gap analysis
  • Implementation support
  • Certification preparation

Security Services

Managed IT:

  • Compliance-ready IT support
  • Security built in
  • Evidence and reporting

Security Services:

  • MDR (24/7 monitoring)
  • Vulnerability management
  • Security awareness training

Advisory

vCISO:

  • Strategic security leadership
  • Customer and airport engagement
  • Audit support
  • Ongoing compliance management

Why DSC

  • We've worked in aviation fuel operations
  • We understand operational environments
  • CISSP qualified, ISO 27001 certified
  • Practical approach for SMEs
  • UK-based team

About This Guide

This guide was prepared by Dead Simple Computing Ltd in January 2026 to help aviation fuel suppliers and airport service providers respond to security questionnaires.

This guide is for informational purposes. Specific questionnaire requirements vary by airport. Organisations should respond accurately to actual questions asked.

© 2026 Dead Simple Computing Ltd. All rights reserved.