Defence Cyber Certification (DCC) Level 1 Guidance

For suppliers working with the Ministry of Defence (MOD), Level 1 is typically required where there is low to moderate cyber risk. It demonstrates that your organisation has a comprehensive cybersecurity programme, not just point controls.

DCC provides organisation-level assurance, meaning once certified, you can reuse your certification across multiple bids and contracts. For growing defence suppliers, this is a commercial enabler as much as a security requirement.

Understanding DCC Level 1

Level 1 expands the number of controls assessed compared to Level 0, and it is designed to formalise good security practice. For most organisations, the focus is on documenting, evidencing and consistently applying controls that are already in place or partially implemented.

At Level 1, your organisation is assessed against 126 controls across 13 themes, which cover areas including:

  • Governance and risk management
  • Asset and system resilience
  • Data protection and UK GDPR alignment
  • Secure configuration and maintenance
  • Incident preparedness and recovery

Cyber Essentials remains the mandatory technical foundation, but Level 1 builds on this by looking at how cybersecurity is managed across the organisation, rather than at individual technical settings alone.

Level 1 is about demonstrating that security is understood, proportionate, and embedded into day-to-day operations in a way that matches your size, risk profile and delivery to defence customers. Critically, assessors need to see practical implementation of controls—not just policies on paper.

A 'theoretical' score means the control exists in documentation. A 'practical' score means the assessor has verified it works in practice. For Level 1, you need practical scores across all 126 controls.

Below, we have set out a clear, step-by-step guide to achieving Level 1.

Step 1: Getting Scope Right

The most common reason for delayed or failed certifications is poor scoping.

DCC assesses your organisation's ability to deliver defence capability securely. This means scoping must include all business-critical systems, processes, and infrastructure that support MOD contracts—not just systems processing classified data. However, truly isolated systems with no bearing on contract delivery may be excluded if properly justified.

Under the updated defence standard, the scope typically includes:

  • Systems essential to business operations
  • Core business functions and services
  • Supporting IT, OT and administrative systems
  • Physical sites and people with access

If a system is required for your organisation to function and deliver defence capability, it is almost certainly in scope.

A strong Level 1 engagement starts with:

  • Early engagement with an IASME-accredited Certification Body
  • A clearly documented DCC scope statement provided by your CB
  • Alignment between DCC and Cyber Essentials scopes
  • Diagrams showing in-scope and out-of-scope systems
  • Senior sign-off (CEO, CISO or equivalent)

Your Certification Body will provide and validate your scoping form early in the process, then issue an Assessment Submission Record that formally initiates your assessment. You cannot complete scoping independently and approach a CB afterwards—they must be involved from the start.

Periculo typically sees scope reviews uncover hidden dependencies such as HR platforms, finance systems or operational technology that organisations hadn't considered.

Fixing scope early saves months later.

Step 2: Preparing for the Assessment Submission Record

Once onboarded to the IASME platform, your organisation must complete the Assessment Submission Record. This is where Level 1 becomes operationally demanding.

For every applicable control, you must:

  • Select the correct answer
  • Provide clear contextual explanation
  • Supply supporting evidence
  • Ensure evidence is current, accessible and relevant

Evidence quality matters more than volume. Assessors are looking for proof of consistent practice, not policy documents that exist only on paper.

Examples of strong Level 1 evidence include:

  • Risk registers linked to real systems
  • Documented GDPR processes and DPIAs
  • Demonstrable backup and recovery mechanisms—assessors need proof these are actively tested and monitored, not just documented in a policy
  • Asset inventories mapped to business functions
  • System hardening logs showing configurations are actively applied and monitored in practice
  • Incident response procedures with evidence of actual exercises or responses

This is where guided support dramatically reduces friction. However, it's important to understand the role of your Certification Body versus independent consultancies.

IASME rules prohibit Certification Bodies from advising on how to meet specific controls or reviewing evidence in advance. Independent consultancies like Periculo are not restricted in this way, which is why we can provide detailed pre-assessment guidance, control mapping, and evidence validation that helps organisations prepare thoroughly before formal assessment begins.

Step 3: Readiness Checks and Avoiding Automatic Failure

Before submission, a Certification Body will perform a readiness check. Certain gaps can trigger automatic failure, including:

  • Cyber Essentials scope misalignment
  • Missing mandatory controls
  • Inaccessible evidence
  • Inconsistent answers across controls

At Level 1, many organisations technically "do the right things" but fail to articulate them clearly in assessor-friendly language.

Periculo's approach focuses on translating real-world security practices into clear, structured assessor responses without crossing the line into prohibited assessor assistance.

Step 4: Assessment Timeline and Process

Once your Assessment Submission Record is issued, the formal assessment period typically runs for up to 90 days as set by your Certification Body, though well-prepared organisations can complete it faster. Total time from initial scoping to certification depends heavily on your current maturity and readiness.

During the assessment process, clarification requests are common at Level 1 and should not be seen as failure.

Typical clarification requests include:

  • Expanding on risk assessment methodology
  • Demonstrating how resilience controls were implemented
  • Clarifying scope boundaries
  • Providing stronger evidence of consistency

Responding quickly and accurately is essential to avoid delays.

Step 5: Practical Assessment and Demonstration

Level 1 includes a practical assessment, usually via remote demonstration. You may be asked to "show" controls rather than describe them.

This can include:

  • Demonstrating backup restoration
  • Walking through access control enforcement
  • Showing asset and patch management processes
  • Explaining how incidents would be handled in practice

Organisations that rehearse these demonstrations consistently perform better.

Common Pitfalls

From supporting multiple Level 1 certification journeys, a few common patterns consistently emerge. Organisations often treat Level 1 as little more than an expanded Cyber Essentials assessment, underestimate the complexity of scoping, or rely too heavily on policy documents without sufficient operational evidence.

Another frequent issue is misunderstanding the timing of Certification Body engagement—attempting to complete preparation independently before approaching a CB, when in fact the CB must be involved from the scoping stage.

Preparation is also frequently left too late in the sales cycle, creating unnecessary pressure. In contrast, the most successful organisations approach DCC Level 1 as a business resilience exercise, embedding security into day-to-day operations rather than viewing it as a paperwork task.

Get in Touch

We help defence suppliers de-risk scope early, map existing controls directly to DCC requirements, and identify gaps before assessors do, accelerating readiness without breaching IASME rules. Our focus is on quality, clarity and confidence, enabling organisations to achieve DCC Level 1 without slowing down commercial momentum.

Achieving Level 1 is more than a compliance exercise; it provides a visible signal to the MOD that cyber resilience is taken seriously across the organisation. With the right guidance, Level 1 becomes a structured and predictable process. Contact us to find out more.