Industry Personnel Security Assurance in the UK Defence Industry

By Gareth Shaw, Founder, Pera Prometheus

As part of our ongoing blog series on information and cybersecurity within the UK Defence Industry, we’ve previously explored the DEFSTAN 05-138 & Cyber Security Model and Secure by Design. These frameworks focus on securing information systems and data throughout the supply chain. Now, we turn our attention to the equally critical area of personnel security, specifically, the Industry Personnel Security Assurance (IPSA) framework.

Read more: Cyber Security Model & DEFSTAN 05-138 and Secure by Design.

IPSA is a requirement for any organisation wishing to hold security clearances for its own personnel and contractors who have access to HMG classified information. Currently IPSA applies only to MOD clearances, although it is possible that the IPSA model will be extended to wider HMG Departments in the future.

What Is IPSA?

Industry Personnel Security Assurance (IPSA), previously known as “List V,” is a government framework led by the Industry Security Assurance Centre (ISAC) under the Ministry of Defence. IPSA is designed to ensure that companies sponsoring individuals for National Security Vetting (NSV) meet the same personnel security standards expected within the MOD.

IPSA is not just about getting people security cleared (or “vetted”); it is about managing personnel risk over time through governance, culture, and compliance mechanisms. As the IPSA policy puts it:

“IPSA accreditation is a privilege and not a right. It is provided at the discretion of the accreditors in accordance with this policy and in accordance with public law principles.”

Why Is IPSA Important?

With information security threats rising alongside global tensions and shifting cultural loyalties, insider risk, although ever present, is increasing, and resisting it requires more than firewalls and software. Human factors, whether negligence, ignorance, malicious intent or coercion, represent a real and persistent threat to MOD information and to the Defence Industry that supports it.

IPSA assures that your organisation has the policies, processes, and procedures in place to monitor and manage personnel who have access to classified materials. This includes:

  • Vetting and Aftercare
  • Risk Assessments and Incident Management
  • Behaviour Monitoring and Security Culture
  • Governance (Board Level)

Who Needs to Be IPSA-Compliant?

Your organisation must be IPSA accredited if it:

  • Holds a Facility Security Clearance (FSC) (previously known as List X)
  • Sponsors individuals for Security Check (SC) or Developed Vetting (DV)

You may be eligible to join the IPSA accreditation scheme conducted by ISAC if:

  • You are registered with Companies House
  • You have a contract requiring you to supply security cleared personnel for MOD contracts
  • You currently have, or expect to have, 20 or more vetted individuals within the next three years

Key Components of the Personnel Reliability Framework (PRF)

The IPSA framework is structured around the Personnel Reliability Framework (PRF), a model designed to help organisations manage the risks associated with individuals who have access to sensitive or classified information. There are seven core components, and each can be broadly grouped under one or more of the following categories:

  • Policy – Formal security governance and structure
  • Process – Repeatable activities and risk management mechanisms
  • People – Culture, behaviours, and responsibilities
  • Output – Evidence of effectiveness, assurance, and compliance

1. Governance and Leadership

This sets the foundation for a strong security posture. It includes clear roles and responsibilities, board-level ownership, integration between HR and security, and senior leadership driving personnel security values.

2. Insider Threat Risk Assessment

Organisations must have a formal risk assessment process to identify insider threats and vulnerabilities and apply mitigations accordingly. It should align with their wider risk management framework.

Read more: Insider Risk Threat

3. Pre-Employment / Pre-Vetting Screening

Before sponsoring an individual for national security vetting, companies must carry out Baseline Personnel Security Standard (BPSS) checks and confirm a legitimate need for access.

4. Ongoing Personnel Security

This refers to the continuous aftercare and monitoring of vetted personnel. Organisations must submit Change of Personal Circumstances (CPC) and Aftercare Incident Reports (AIR) where necessary, and regularly review personnel suitability.

5. Monitoring and Assessment of Workers

Organisations are expected to monitor behaviours and potential changes in staff wellbeing or performance that may indicate risk. This can include line manager feedback, audits, and proactive reporting.

6. Investigation and Disciplinary Practice

When issues arise, clear procedures must exist to conduct investigations and take appropriate disciplinary action. The approach should be fair, consistent, and in line with wider government security standards such as GS007.

7. Security Culture and Behavioural Change

Organisations must foster a culture that encourages secure behaviours, openness, and reporting. This includes delivering training, awareness campaigns, and equipping staff to understand their responsibilities.

Each of these seven components contributes to an overall assurance model that helps ensure individuals remain reliable, trustworthy, and secure throughout their time on classified projects.

Figure: Personnel Reliability Framework (IPSA-PRF, page 7)

My Thoughts

As someone who works closely with businesses across the Defence sector, I see IPSA as more than just another compliance requirement; it’s a mark of trust. It signals that your organisation takes personnel risk seriously and is ready to meet MOD expectations.

In order to attain IPSA you need not only to produce a coherent PRF, which is relatively easy to write, but also to implement it effectively and make its processes an active part of your business culture.

At Pera Prometheus, we have already helped a number of organisations successfully achieve IPSA accreditation. If you want to work with the MOD, we’ll help make sure you’re fit for purpose.
