IPSA stands for Industry Personnel Security Assurance. It is one of those defence security terms that can easily be mistaken for an individual clearance, a certificate, or a general cyber accreditation. But, it is none of those things.
IPSA is an organisational assurance framework for personnel security in industry. Its purpose is to help eligible organisations in the defence supply chain manage personnel security to the standards expected when people hold or require National Security Vetting.
The practical focus is governance. Can the organisation manage vetted people properly? Can it apply aftercare responsibilities? Can it support UKSV sponsorship rights where appropriate? Can it show that the people who access sensitive or classified work are being managed with the same seriousness that government would expect internally?
What IPSA is for
IPSA supports organisations that need to manage personnel security as part of defence delivery. GOV.UK describes it as an assurance framework that will give organisations meeting the appropriate personnel security standards the ability to manage their own vetting through UKSV sponsorship rights. It also helps ensure that individuals who have undertaken National Security Vetting are effectively managed and provided with appropriate aftercare.
For suppliers, this matters where contract requirements, security conditions or the nature of the work mean that staff need access to classified material, sensitive systems, secure sites or controlled information. IPSA is about the organisation around those people: the processes, roles, records and controls that make personnel security work beyond the initial clearance decision.
What IPSA is not
IPSA is not the same thing as an individual security clearance. A person may hold National Security Vetting such as SC or DV, but IPSA is about the organisation’s ability to manage personnel security responsibilities.
It is also not a cyber security certification. IPSA does not replace CSMv4, DEFCON 658, Cyber Essentials, Secure by Design or other technical assurance expectations. Personnel security and cyber security overlap in real delivery, but they answer different questions.
It is not automatically required for every organisation that works somewhere in the defence supply chain. Eligibility and need should be driven by the contract, the nature of the work, the information being handled and the relevant MOD or industry security guidance.
Where IPSA fits with ISAC and wider defence security
The Industry Security Assurance Centre, or ISAC, provides security and business continuity policy and guidance for relevant defence contractors. GOV.UK describes ISAC responsibilities as including assistance to UK companies in obtaining Facility Security Clearance and/or IPSA status when contractually required to hold classified material at SECRET or above. ISAC also sponsors personnel security clearances for primary security controllers and deputies at relevant facilities where required.
That tells us something important about IPSA. It should not be treated as a generic badge for all suppliers. It is part of a wider industrial security environment, and its relevance depends on the contractual and security context.
Why defence suppliers should understand it
Even where a supplier does not immediately need IPSA status, understanding the concept is useful. Many delivery issues in secure programmes are caused by the gap between technical access and personnel assurance. A user might technically be able to access a workspace, system or dataset, but that does not mean the organisation has the right personnel security governance in place.
Suppliers need to know who requires access, what level of vetting is required, who owns the sponsor relationship, how aftercare is managed, what happens when people change role or leave, and how records are maintained. These are not peripheral questions. They affect onboarding, delivery speed, incident response, auditability and confidence in the supplier.
The connection with secure collaboration
Personnel security also connects directly with secure collaboration. A controlled collaboration environment is only as strong as the access model behind it. If users are not correctly onboarded, reviewed and removed, or if need-to-know is not enforced, the platform can become another place where sensitive information accumulates without sufficient governance.
For OFFICIAL-SENSITIVE work, this does not automatically mean IPSA is required. It does mean organisations should think clearly about user access, identity, role-based permissions, audit trails, account lifecycle management and how personnel security requirements are reflected in the operating model.
How Logiq can help
Logiq helps defence and government suppliers understand how personnel, process and technology fit together in secure delivery. For organisations handling sensitive information, that can include advice on assurance boundaries, secure operating models, access control, auditability, CSMv4 readiness, Secure by Design considerations and secure collaboration environments such as DISX.
DISX Secure Collaboration does not replace personnel security obligations. It provides a controlled environment that can support clearer access management, monitoring, collaboration governance and evidence-friendly working practices. The personnel security question still needs to be answered by the organisation and the contract, but the technology should not make that answer harder to implement.
Sensitive and classified work – the people angle
IPSA is about organisational assurance for personnel security. It is not a shortcut to individual clearance, and it is not a replacement for cyber assurance. For defence suppliers, its value is in understanding whether the organisation can manage the people side of sensitive and classified work with the discipline the MOD expects.
Related Links:
