List N is effectively a facilities security clearance for companies within the civil nuclear industry supply chain that handle Sensitive Nuclear Information (SNI). Such companies must protect the information in accordance with Regulation 22 of the Nuclear Industries Security Regulations (NISR) 2003.
Although ONR recommends you have one, you won’t always need a formal Security Plan, but you will need an appropriate information security governance programme. It should be aligned with the Government Functional Standard (GovS 007) by evidencing arrangements against five of the ten Fundamental Security Principles within the Office of Nuclear Regulation’s (ONR) guidance publication “Security Assessment Principles for the Civil Nuclear Industry”.
GovS 007 details outcomes that are required to achieve a proportionate and risk-managed approach to security. The ONR principles cover leadership and management for security; organisational culture; competence management; cyber security and Information Assurance; and workforce trustworthiness.
We’ve covered List N in more depth in two blog articles:
To be part of a civil nuclear supply chain, you must demonstrate compliance to a series of measures and be awarded List N status for the relevant part(s) of your business.
Assessing that your information protection measures are appropriate is the responsibility of the relevant licensed operator to whom you are contracted. The ONR may also choose to conduct an inspection to assess your arrangements for the security of SNI.
As with all compliance initiatives, companies fear the time and effort involved, but business challenges often come with a silver lining. By fulfilling your industry obligations, you will also better protect your business by reducing the risks from the ever-increasing threat of harmful cyber attack.
Ascentor can steer you through what is needed to achieve List N status. We start with our tried and tested Gap Analysis, a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.
On completion of an Ascentor Gap Analysis, you will understand where you are today, what needs to be done and an outline plan of how to achieve it. We can then support identified remediation activities and provide ongoing support to maintain your status and continually improve your cyber security posture in accordance with your business objectives.
Why not read how Ascentor helped the Office for Nuclear Regulation (ONR) develop a risk-based assessment methodology for CS&IA inspections of List N facilities.