Update May 2019: This post was originally published in April 2013. If you are looking for List X guidance you will find our post “How to prepare your company for achieving List X” of help. You might also visit our List X services page.
So you now have a government sponsor for List X and think all you need is some physical security in place, and all will be well. Think again. List X is not just about physical security as stated in the first blog of this series – List X Explained.
The overall requirement is for the company to comply with the Security Policy Framework but there are a number of specifics that need attention, including having personnel appointed to look after the process and a supporting policy.
In this blog we’ll set out the responsibilities of the List X Board Member and Security Controller, along with the requirements of the Company Security Instructions.
The List X Board Member
All List X companies are required to appoint a member of the company’s Board of Directors to act as the List X focus and overall champion. The appointed person must be British and has the following responsibilities:
- Ensure that the Contracting Authority (CA) and/or MoD Principle Security Advisor (PSyA) are informed about any changes to the company status e.g. Ltd to PLC, overall ownership, control or closure. In particular, the CA must be informed about any of the following:
- change in ownership that raises foreign interest above 5%;
- the appointment of new Board Directors;
- appointment of non-UK personnel with influence over protectively marked assets or appointments;
- the transfer of any list X responsibilities to another list X company.
- Providing support and authority to the Security Controller. The Board member should have regular meetings with the Security Controller to discuss any issues and areas where policy may be lacking or weaknesses in security procedures need board-level support to address;
- Approving the Company Security Instructions that are required to document list X commitments and responsibilities.
List X and the Security Controller
The Security Controller is the engine of the List X company and the Board Member’s right-hand person. The Security Controller must also be British and ensures that the company remains in compliance with the requirements of List X, although overall responsibility remains with the Board of Directors.
Specific duties include:
- Liaison with the Contracting Authority representative or appointed list X Security Advisor;
- Completing the annual list X compliance questionnaire;
- Implementing and monitoring the effectiveness of required security controls;
- Preparing and implementing:
- Company Security Instructions (see later);
- Risk Management and Accreditation Document Set for ICT security;
- Security Operating Procedures.
- Implementation security awareness training on list X requirements within the company;
- Implementing and managing a security incident management process and reporting to the Contractual Authority or PSyA;
- Maintaining clearances within the company;
- Implementing and managing the list X visitor process;
- Where authorised, complete self-accreditation requirements.
The Defence Industry Security Association (DISA) provide a variety of courses relevant to those working in the List X/Defence arena. Full details of these courses and of how to join DISA are shown on their website.
The Company Security Instructions
The Company Security Instructions are a mandated requirement and are the responsibility of the Security Controller to produce. They must be sanctioned by the List X Board member and issued with the authority and signature of the Managing Director. The purpose of the instructions is to detail the List X appointments, their specific responsibilities and make clear how they can be contacted for advice, guidance or to report an incident.
The successful implementation of List X requirements in a company depends on the commitment of the people charged with carrying out their responsibilities. Board commitment and support to the Security Controller provides the basis on which to build and allows the security controls to be implemented with minimum business impact but maximum security benefit.
Watch our webinar Achieving List X Security Clearance
You may also find this webinar of interest. Presented by Ascentor’s Simon Jones in January 2020, Achieving List X Security Clearance covers an informative agenda and interesting detail around the reasons for robust defence supply chain security, a history of List X and useful tips of what a company can do to prepare for an external List X assessment. Simon also covers some of the aspects around security clearances and the MOD Cyber Security Model.