List X contractors are companies operating in the UK who are working on UK government contracts which require them to hold classified information. If you intend to hold classified material (at SECRET or above) on your premises as part of such a contract, you will need List X status – it is confirmation that your chosen secure facility meets the relevant standard.
To achieve List X status, you need to be sponsored by a government department and meet the requirements of the Her Majesty’s Government Security Policy Framework (HMG SPF). You can’t apply in advance – although there are a few things you can do to prepare if you think a contract may be forthcoming.
If you are considering List X status in preparation for a Ministry of Defence (MOD) contract, you will also need to be compliant with the Cyber Security Model (CSM) – a pre-requisite since April 2017 for all suppliers doing business with the MOD.
You may also find this webinar of interest. Presented by Ascentor’s Simon Jones in January 2020, Achieving List X Security Clearance covers an informative agenda and interesting detail around the reasons for robust defence supply chain security, a history of List X and useful tips of what a company can do to prepare for an external List X assessment. Simon also covers some of the aspects around security clearances and the MOD Cyber Security Model.
List X is mandatory if you need to hold SECRET or above information on your premises. So, it is must if you want to do business with government at this classification level.
By achieving List X status and CSM, you not only qualify to deliver your government contract, but you also increase the protection to your business as you will reduce the risk from the ever-increasing threat of harmful cyber attack.
As with all compliance regimes, businesses fear the time and effort involved, but such challenges often come with a silver lining. At Ascentor, we always seek to identify the business benefits of complying with standards and schemes, so your List X status may set you apart in more ways than one.
For List X certification you will need to demonstrate you have a secure space, specific company roles, responsibilities and information systems, and clear security policies, processes and plans that are embedded in your organisation.
Ascentor can steer you through what is needed to become List X certified. We start with our tried and tested Gap Analysis, a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.
On completion of an Ascentor Gap Analysis, you will understand where you are today, what needs to be done and an outline plan of how to achieve it. We can then support identified remediation activities and provide ongoing support to maintain your status and continually improve your cyber security posture in accordance with your business objectives.