Cyber Security Model and List X Gap Analysis Service 


The Defence Cyber Protection Partnership (DCPP), comprising UK Ministry of Defence (MOD) representatives, 13 prime suppliers and defence industry trade bodies, was established in 2012 with the aim of improving cyber security maturity in the defence community. Their work resulted in the Cyber Security Model (CSM) – a pre-requisite since April 2017 for all suppliers doing business with the MOD and applicable to prime contractors as well as the supply chain. 

The CSM will enable government procurers to mandate proportionate cyber security standards from suppliers, appropriate to the level required for each contract.  

In addition to the CSM, if you need to hold classified material at Secret or above, you will need List X certification – a confirmation that your chosen secure facility meets the relevant MOD standard by meeting a series of conditions. 

As with all compliance regimes, businesses fear the time and effort involved, but business challenges often come with a silver lining. At Ascentor, we always seek to identify the extra benefits. By complying with the CSM, you can not only qualify to deliver your contract, but also increase the protection to your business – you will reduce the risk from the ever-increasing threat of harmful cyber attack. 


The DCPP felt that the  cyber security baseline for government – the Cyber Essentials (CE) Scheme – did not represent a broad enough degree of security; it only covered five major technical security controls and did not include wider aspects such as governance and risk management. The CSM therefore builds on CE with some additional control requirements. 

The MOD contracting authority will dictate the Cyber Risk Level of each contract for the prime contractor and any sub-contractors. The prime contractor will be responsible for ensuring the sub-contractors comply to the relevant level. 

The levels range from ‘Not Applicable’ through to ‘High’ with the Cyber Risk Profiles ranging from CE Basic (recommended but not mandated) to CE Plus with an additional 42 controls. The levels are covered in more depth in our blog article ‘An update to the MOD’s Cyber Security Model (CSM)‘. 

Having prepared for the higher levels of the CSM, you will be some way towards achieving List X certification, but there is more to List X than the CSM. You will need to have a secure space, specific company roles, responsibilities and information systems, and clear security policies, processes and plans that are embedded in your organization.    


Ascentor can steer you through CSM and/or List X compliance. We start with our tried and tested Gap Analysis, a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources. The exercise is fast and efficient – typically completed within one week – yet suitably tailored to your specific requirements. 

Ascentor CSM Gap Analysis 

 Ascentor CSM Gap Analysis









A service that will quickly establish your status and include a recommended action plan.

How does it work? 

At a high level, the four steps cover: 

  • A Scoping Meeting (virtual or in person): to provide a clear introduction to the gap analysis process, set objectives, scope, expectations, activities, timings and deliverables with project stakeholders. 
  • Document Review: a comprehensive review of current documentation, policies and procedures describing the security controls for physical, procedural, personnel and technical security.  
  • Site Visit: to assess the physical, implementation, procedural, personnel and security controls. We will interview agreed personnel and view evidence of the maturity of the controls. 
  • Report and Action Plan: written (and optionally verbal) confirmation of findings, conclusions and recommendations.  

Feel confident in your approach to the CSM or List X 

On completion of an Ascentor Gap Analysis, you will understand where you are today and what needs to be done, not just to comply with the requirements of your contract, but because it is the right thing to do. 

Next Steps 

To take your first steps towards being CSM or List X ready or to validate where you have got to so far, get in touch now. Contact Dave James or Simon Jones at Ascentor, for a no obligation, confidential discussion: 

Telephone: 01452 881712 

Email: [email protected] or [email protected] 


Email Ascentor Image Map