Guidance

Industry Security Assurance Centre

Find out about the Industry Security Assurance Centre (ISAC) and its associated responsibilities.

Overview

The Industry Security Assurance Centre is responsible for providing relevant defence contractors with up-to-date security and business continuity policy and guidance.

We provide specialist and relevant advice to reduce security and business continuity risks and amplify Ministry of Defence (MOD) and government security policy requirements. These security services are provided to DE&S and the defence industry. This includes the provision of visit and visitor clearances through the International Visits Control Office (IVCO).

Contact us

For routine security enquiries please contact the Industry Security Assurance centre: ISAC-Group@mod.gov.uk

Industry Security Assurance Centre responsibilities

We are responsible for:

  • assisting UK companies in obtaining Facility Security Clearance (FSC) and/or Industry Personnel Security Assurance (IPSA) status when contractually required to hold classified material at SECRET (Foreign CONFIDENTIAL) or above
  • helping UK companies to verify the security status of foreign facilities and citizens through liaison with national security authorities
  • approving the hand carriage of classified material being taken overseas by casual courier
  • approving some transportation plans relating to the movement of physical, classified assets travelling overseas
  • sponsoring personnel security clearances for primary security controllers and their deputy at an FSC facility and IPSA personnel security controllers and their deputy, if required.

The ISAC Vault

The ISAC Vault is the website we use to share security advice and policy between DE&S and FSC and IPSA facilities. The available documentation is to promote effective security governance.

National security vetting and government contracting

Access more information on security vetting and clearance

Security awareness

Understanding UK threat levels

The threat of international terrorism comes from a diverse range of sources and a threat could manifest itself from a lone individual or group. The terrorist threat can take a number of forms, as terrorists may use a variety of methods of attack to achieve their objectives.

While the UK has faced a variety of terrorist threats in the past, a unique combination of factors place the current threat on a scale not previously encountered.

The terrorists draw their inspiration from a global message articulated by internationally recognisable figures.

The threat from terrorism when overseas

Information on threats to personal safety arising from terrorist activities, political unrest, lawlessness, violence, natural disasters, epidemics, anti-British demonstrations and aircraft/shipping safety. It is designed to help you make informed decisions about whether or not to travel to a particular country.

The threat of espionage

The UK is a high priority espionage target and a number of countries are actively seeking UK information and material to advance their own military, technological, political and economic programmes.

The International Visits Control Office

The responsibilities of the International Visits Control Office (IVCO):

  • to process visit requests for foreign nationals who are required to visit MOD, Royal Navy, or Facility Security Clearance (FSC) sites in the UK
  • to process visit requests for security cleared FSC Contractors seeking to visit overseas Government, Military and Contractor sites
  • to process all requests for security cleared UK Nationals wishing to visit either NATO HQ or a NATO Agency
  • to advise UK Defence Industry, MOD UK, and overseas Governments on the International Visits Control process

Please note: IVCO are not responsible for processing Military/Government Personnel visiting to Military/Government Establishment however there are exception sites, and your point of contact will advise you if a submission is required.

IVCO Contact information

E-mail: DESPSyA-IVCO@mod.gov.uk
Tel: +4430 015 98813
Opening times: 10am to 3pm, Monday to Friday

Please note we will be unable to deal with requests or queries outside these hours. Calls to IVCO should only be made within the times specified above.

Types of Visits

There are several types of visits that IVCO can process. The type of visit required can be selected on the appropriate form.

One-time

  • valid for up to 3 years (inwards only) 1 year (outwards)
  • valid only for the site(s) and subject specified at the outset
  • maximum 100 visitors per visit request

Recurring

  • covers a period of up to 12 months
  • no limit to the number of visits within the 12 months
  • valid only for the site(s) and subject specified at the outset

Emergency

  • a visit that has not met IVCO’s required lead times
  • only valid for a 30-day period
  • only accepted in exceptional circumstances -must be supported by a written justification letter from the host site and the following is the requirement for the letter of justification, headed on host company paper, reason for the late RFV submission, importance of attendance of visitors and the reason visit cannot be arranged

Amendments

  • enables visitors to be added to an extant visit (up to 100 visitors per amendment: a maximum of 10 amendments per visit)
  • enables the end date to be extended (must not exceed the date limit of the original visit type. e.g., an extension to a recurring visit cannot exceed 12 months)
  • additional sites cannot be added as an amendment to an RFV
  • dates cannot be amended to bring start date of visit forward

International Agreements

  • multinational Industrial Security Working Group (MISWG) / NATO
  • visits to member states that do not exceed 21 days in duration and/or OFFICIAL SENSITIVE in classification can be arranged directly between site security establishments without prior IVCO approval.

European Defence Industry Restructuring (EDIR) Framework Agreement (Also Known as the LOI)

  • visits up to OFFICIAL SENSITIVE can be arranged directly between facilities.
  • visits can proceed up to Secret on agreed shareable projects ONLY (Project teams to advise)
  • LOI /EDIR should be completed and sent directly to the security controller at the host site
  • if the visit exceeds 21 days (regardless of classification) a copy of the completed LOI /EDIR needs to be submitted to IVCO for retention ONLY IVCO approval is not required

Please see below list for MISWG members:

  • Albania
  • Canada
  • Finland
  • Israel
  • Luxembourg
  • Norway
  • Slovenia
  • UK
  • Australia
  • Croatia
  • France
  • Italy
  • Montenegro
  • Poland
  • Spain
  • USA
  • Austria
  • Czech Rep
  • Germany
  • Japan
  • Netherlands
  • Portugal
  • Sweden
  • Belgium
  • Denmark
  • Greece
  • Latvia
  • New Zealand
  • Romania
  • Switzerland
  • Bulgaria
  • Estonia
  • Hungary
  • Lithuania
  • North Macedonia
  • Slovakia
  • Turkey

Outward visits

  • any UK Defence and Industry personnel travelling overseas to access or discuss classified material (including information or sensitive areas), who are visiting any industry with FSC, or Military/Government must submit an eRFV

Outward Visit Procedure

  • UK Visitor: complete the following sections 1, 2 3 and 5 to 12 of the e-RFV form and forward the e-RFV to the Security officer. Please note if the visit classification is Restricted/Official-Sensitive or above, a government or military point of contact MUST be named in Annex 1 (Military sites may require 2 points of contact)
  • Security Officer: complete Section 13 of the e-RFV to confirm they have checked that the visitor’s clearances stated on the e-RFV are correct and valid for the duration of the visit and then forward the request on to IVCO
  • IVCO: complete Sections 4, 14 and 15 and forward the completed e-RFV to the relevant Embassy/National Security Agency

Please note: once submitted to the Embassy or National Security Agency IVCO do not receive updates. Please liaise with your host to determine the status of the visit. Security classification of the visit and individuals’ security clearances must be stated in full, i.e., Secret or Top Secret no abbreviations will be accepted.

NATO Procedure

  • NATO Agencies: Require an eRFV to be submitted. The Security classification of the visit and the Security Clearances of the visitors must be written in full, prefixed by NATO. For example, NATO Secret. Visitors must hold a minimum of NATO Secret to access NATO agency sites
  • NATO HQ: require a NATO HQ Pass application form to be completed. Unfortunately, an eRFV is not accepted for visits to NATO HQ
  • there are 2 types of passes: temporary or annual
  • an annual pass requests will only be permitted if the visitor requires regular access at least twice a month, each month, anything else will need to be a temporary pass
  • UK Visitor: must complete sections 2 - 5 of the NATO HQ Pass Application form and forward to their security officer
  • Security Officer: completes section 6 and forwards application to IVCO for processing.
  • visitors must have valid security clearance. The expiry date of the security clearance MUST be declared, or the application will be rejected
  • IVCO: will notify the requester of submission and provide the NATO reference number, which will be needed for access to site
  • please note if WIFI access is required, it must be stated in Section 5 of the NATO Pass Application

Outward Visit Lead Times

Standard lead time is 25 working days’ notice for processing e-RFVs for countries not listed below. 

Please check minimum lead times on the table below for country to be visited these are the countries minimum requirement and do not allow IVCO to conduct their checks therefore please add an additional week on top.

All countries emergency visit requests require a minimum of 10 working days’ notice and must be supported by a letter of justification (LOJ) from the host site.

Lead times for both MISWG and other countries/NATO Organisations: 

Lead times (in weeks) for visits to MISWG member countries:

Australia 6 Italy 5
Austria 5 Japan 5
Belgium 5 Luxemburg 4
Bulgaria 5 Netherlands 4
Canada 6 New Zealand 4
Croatia 6 Norway 5
Czech Republic 4 Poland 4
Denmark 4 Portugal 5
Finland 4 Slovakia 4
France 5 Spain 6
Germany 4 Sweden 4
Greece 5 Switzerland 5
Hungary 4 Turkey 4
Iceland 4 United Kingdom 4
Israel 4 United states 6

Lead times (in weeks) for visits to other countries/NATO organisations that are not part of MISWG

Bahrain 4 Oman 4
Brazil 5 Qatar 4
Brunei 4 Saudi Arabia 4
India 4 Singapore 5
South Africa 5 Kuwait 4
UAE 4 South Korea 5
NATO Agencies 1    
NATO HQ 1    

Additional information for outward visits

US

  • do not use PO Box addresses
  • zip codes (postcodes) must be supplied for all sites
  • only use unclassified email addresses

Norway

  • Norway will only accept the e-RFV template.  (To edit it, save the document to the desktop, open and edit it)
  • Norway will not accept visit requests that extend beyond the current calendar year. For example, a year’s visit starting 01/06/2023 must end on 31/12/2023 and a new RFV submitted for the period in 2024

Israel

  • Israel will not accept visit requests that extend beyond the current calendar year. For example, a year’s visit starting 01/06/2023 must end on 31/12/2023 and a new RFV submitted for the period in 2024. Israel can only accept RFV’S using the word tools RFV they are unable to open e-RFV.

Inward Visits

Foreign nationals visiting a UK MOD, Military or FSC contractor site that require access to protectively marked information and/or access to a restricted area must provide official confirmation of their security clearance in the form of an RFV.

Inward Visit Procedure

  • Foreign National (Visitor): complete Sections 1-12 of the e-RFV form and forward the e-RFV to the Foreign Nationals’ Security Officer.  Please note if the visit classification is Restricted/O-S or above, a UK MOD or Military point of contact MUST be named in Annex 1. (IVCO will reject the RFV if one is not supplied)
  • The Foreign Nationals’ Security Officer: complete Section 13 of the e-RFV and forward the request on to their National Security Advisor (NSA), London based Embassy or High Commission
  • NSA, London based Embassy or High Commission: complete Section 14 and 15 and forward the complete e-RFV to IVCO
  • IVCO: Processes the e-RFV in accordance with the information provided, and in conjunction with the relevant authority. The authority will consider whether the visit is justified, and that the clearance level required is acceptable. They will advise on any information that can/cannot be seen or areas that can/cannot be accessed by the visitor
  • IVCO: Once the appropriate authority is content for the visit to proceed, IVCO will issue a formal approval letter to the Security Officer at the Host site(s)
  • IVCO: informs the NSA, London based Embassy or High Commission of the outcome

Inward Visit Lead Times

All inward visit applications must be submitted on an electronic Request for Visit (eRFV) form and forwarded to IVCO.

  • 20 Working days (not including date of submission) for recurring (Visit can last up to 1 year) and one-time visits (visit can last up to 3 years)
  • 10 Working days for Amendments
  • 10 Working days (not including date of submission) for Emergency visits (Visit can only last up to 30 days)

Frequently asked questions

What is a security aspects letter?

The ‘secret matter’ in an invitation to tender (ITT) or contract containing DEFCON 659A must be defined to the contractor in writing. The special obligations laid upon the contractor become legally effective only when the MOD has issued a notice in writing, defining which aspects of the ITT or contract are graded at OFFICIAL-SENSITIVE or above. This is achieved by means of a security aspects letter (SAL) written by the contracting authority, or by the inclusion of a security aspects clause in the ITT or contract. A SAL provides a contractual means of ensuring that security is addressed in the work that a Contractor is undertaking. A SAL is not required if the Contractor will not be exposed to any classified material graded above OFFICIAL. In such cases the Contractor must still be informed of their security obligations via DEF CONS included in the contract.

The contractor is required to confirm in writing that he understands and will implement the terms of the SAL or clause. The SAL is the legal instrument under which a UK contractor may be prosecuted under the Official Secrets Act. The SAL must therefore be issued to the contractor with the ITT or contract document. DE&S PSyA’s office must be informed in advance if this is not possible.

Do I have a designated field adviser?

In most cases, DE&S PSyA assurance advisors are assigned by region These regions are: Scotland; England (North); England (East); England (West); England (South East) and London; England (South West) and Wales; and Hampshire. For details of your assurance advisor please contact the Security Advice Centre.

What are the timescales involved for hand carriages and transportation plans?

The required notice periods for hand carriages are:

  • EU/RoW (exc Australia/US) - 2 working days
  • US/Australia - 5 working days.

For transportation plans the required notice periods are:

  • within UK - 3 working days notice
  • EU (except Italy) - 5 days
  • US/Italy/Australia/rest of world - 10 days

Please note that due to current resource issues we may not be able to approve ‘emergency requests’ with shorter lead times.

Contact details for the Defence Courier Service

The Defence Courier Service (DCS) is based at:

Defence Courier Service
West End Road
RUISLIP
Middlesex
HA4 6DQ

Telephone: 020 8589 3432 or see the British Forces Post Office services guide

How does my company gain a Facility Security Clearance (FSC)?

Facility Security Clearance (FSC) formerly known as ‘List X’ refers to contractors or subcontractors which have been formally assessed by the relevant Government authority and reached the required standard as defined in GoVS 007 – Security to hold, process or manufacture materiel at SECRET (foreign CONFIDENTIAL) or above on the company premises. FSC is not available on request, it must be sponsored by a contracting authority (CA).

The CA can be:

  • a Ministry of Defence entity: This is extensively, but not invariably, in the form of a project team (PT).
  • another government department: A number of UK Government departments, may also award a facility FSC status.
  • an existing FSC holding company: An enterprise with an existing government contract may act as a contracting authority to one or more third-party subcontractors who may inherit the responsibility to hold classified assets. Any move to appoint a subcontractor must be approved by the original contracting authority.
  • NATO: Where a contract requires a UK enterprise to hold NATO CONFIDENTIAL (or above) information at their facility, the contracting authority will require assurance from DE&S PSyA’s office that the facility is suitable for FSC status.
  • overseas governments and their contractors. In the event that an overseas contracting authority require a UK enterprise to be awarded FSC, the UK government may complete this on their behalf Key requirements for FSC status:
  • a contract at SECRET (foreign CONFIDENTIAL) or above
  • a requirement either for the work to be done on the contractor’s premises or for classified information to be held on site

Who is my contact for IT accreditation?

For sites with existing accredited systems please contact CyDR.

PSyA documents

LOI request for visit form

NATO HQ pass application form

Request for visit (RFV) form

ListXtranet account application form

Request an accessible format.
If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email ddc-modinternet@mod.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Updates to this page

Published 12 December 2012
Last updated 25 March 2024 + show all updates
  1. Updated information on international visits.

  2. Updated Facility Security Clearance (FSC) policy and guidance for UK Defence contractors and MOD contracting authorities.

  3. Updated 'Facility Security Clearance (FSC) policy and guidance for UK Defence contractors and MOD contracting authorities'.

  4. Updated 'Facility Security Clearance (FSC) policy and guidance for UK Defence contractors and MOD contracting authorities'.

  5. Updated information under 'Inward visits' and 'Emergency visits' sections.

  6. Added 'Facility Security Clearance (FSC) policy and guidance for UK Defence contractors and MOD contracting authorities'.

  7. Email address under 'The International Visits Control Office' updated.

  8. 'Overview', 'Contact us', 'Industry Security Assurance Centre responsibilities' 'The ISAC Vault', 'National security vetting and government contracting', 'Security awareness' and 'Frequently asked questions' sections updated.

  9. Updated contact details.

  10. ListXtranet Account Application form added

  11. Added new documents for digital signature instructions and List X Notice 2015/03.

  12. Added contact details.

  13. Included PDF version of Request for visit form.

  14. Updated contact details under the 'restricted website' section.

  15. Updated the bullet points for 'how does my company become list X'.

  16. Amended email address.

  17. Amended email address.

  18. Updated content in line with the Government Security Classifications, and updated information about processing IVCO inward visits.

  19. Removed Christmas notice.

  20. Uploaded 'Request for visit' form and added information about IVCO shutdown during the Christmas and New Year period.

  21. Updated Courier service address

  22. First published.

Sign up for emails or print this page