List X Explained

If you are a commercial company seeking to hold government information with a security classification of SECRET or above on your own premises you’ll need ‘List X’ accreditation. This article will give you a very brief introduction to List X, with useful links and points of contact that will help you in the process.

Update May 2019: This post was originally published in April 2013. If you are looking for List X guidance you will find our post ‘ How to prepare your company for achieving List X ‘ of help. You might also visit our List X services page.

What is List X?

The term ‘List X’ is the UK equivalent to Facility Security Clearance (FSC) used in the rest of the world. The term refers to contractors or subcontractors that have been placed on the List X database because they are carrying out work on their own premises that bears a UK Government classification of SECRET or above.

Sponsorship for List X

Companies cannot ‘apply’ for List X status; they must be ‘sponsored’ by a Contracting Authority (CA) that intends passing them classified information. The CA can be:

  • A UK government body;
  • An existing List X company;
  • Overseas government or defence contractors;
  • NATO

The CA will detail the security aspects of the List X requirement e.g. what classified information is to be held and why.

Who Manages List X?

As the Ministry of Defence (MoD) is the CA for the majority (85%) of List X sites, the whole process is managed by the MoD Defence Equipment & Support (DE&S) Principal Security Advisor (PSyA) based at Abbey Wood, Bristol. The PSyA maintains the database of approved List X sites and also a restricted access website for List X companies. For details of how to get access, phone the PSyA on 0306 79 34378.

List X Security Requirements

The process of obtaining List X is not just about an assessment of the physical controls in place at the premises where the classified information is to be held. It encompasses the whole security culture of an organisation including risk management, personnel security and security roles and responsibilities. For example, it is mandated that List X companies have a Board Level representative that accepts responsibility for maintaining the requirements of List X and informing the CA if any changes in the company are likely to impact on their List X status such as change in company ownership.

It is worth noting that the List X assessment does not cover the accreditation of IT systems. Accreditation of IT systems should be initiated with the CA’s accreditation authority (Defence Assurance & Information Security for MoD).

The Security Controller

Another mandated role for List X companies is the Security Controller. Specific duties include:

* Interpreting, implementing and monitoring compliance with List X security controls;
* Maintaining a relationship with the CA and/or MoD PSyA;
* Preparing and implementing company security instructions, Risk Management and Accreditation Document Sets (RMADS) and Security Operating Procedures (SyOPs);
* Education and awareness training;
* Incident management;
* Inform CA and MoD PSyA on changes to the List X requirement;
* Controlling visitors within the ‘need-to-know’ rule.

The Defence Industry Security Association (DISA) provide a variety of courses relevant to those working in the List X/Defence arena. Full details of these courses and of how to join DISA are shown on their website .

The Security Advisor & List X Assessment

The CA or MoD PSyA will appoint a Security Advisor who will be responsible for advising on the List X security requirements and inspecting the premises on an annual basis to ensure compliance. A List X Assessment, Checklist and Guidelines document is usually sent to the List X company at the start of the process and then annually. This document is in the form of a comprehensive questionnaire that captures the information necessary for approval for sites to handle, store, process or manufacture classified assets. It covers the Mandated Requirements (MR) listed in the Security Policy Framework and at the last count was nearly 50 pages long and takes considerable effort to complete.

Watch our webinar – Achieving List X Security Clearance

You may also find this webinar of interest. Presented by Ascentor’s Simon Jones in January 2020, Achieving List X Security Clearance covers an informative agenda and interesting detail around the reasons for robust defence supply chain security, a history of List X and useful tips of what a company can do to prepare for an external List X assessment. Simon also covers some of the aspects around security clearances and the MOD Cyber Security Model.


Other posts you might like

List X – roles and responsibilities

How to prepare your company for achieving List X

Ten Top Tips for writing Information Risk Appetite Statements


For further information

Ascentor  can steer you through what is needed to become List X certified.

We start with our tried and tested Gap Analysis, a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.

Find out more about our List X services

You may also be interested in:

Building business resilience

Building business resilience - through Information Security, Business Continuity and Disaster Recovery

How strong is your business resilience to threats to IT, information and physical security? And how can security standards like ISO 27001 and ISO 22301 help?

Ascentor's cyber security review 2020

Ascentor’s cyber security review of 2020

It was the year a different kind of virus dominated. But that didn’t stop cyber criminals exploiting it. We look back at 2020.

Cyber security myths of SMEs

Cyber security myths putting SMEs at risk

SMEs have long been a favourite hunting ground for cyber criminals and, in the worst case scenario, may not survive. We look at some of the myths that put SMEs at risk of cyber crime.