
Periculo Achieves Defence Cyber Certification Level 1 Accreditation

We have some more exciting news to share – Periculo is now officially accredited by IASME as a Certification Body at DCC Level 1, enabling us to assess and certify other organisations at this level. This achievement is a big step forward for us, especially following our earlier Level 0 accreditation. We’re proud to expand our capabilities in the DCC scheme and eager to help organisations strengthen their cybersecurity posture under this new standard.

In this post, we want to celebrate this milestone and explain what DCC Level 1 is all about and what it means.

What is the Defence Cyber Certification (DCC)?

The Defence Cyber Certification (DCC) is a new, comprehensive cyber security certification framework for UK defence suppliers, developed jointly by the UK Ministry of Defence (MOD) and IASME (the MOD’s official delivery partner for this scheme). It was introduced as part of a broader initiative to boost the digital resilience of the UK’s defence supply chain. In essence, DCC provides a formal, organisation-wide cyber security assurance that a supplier’s defences meet MOD standards, and it’s poised to become a key requirement for doing business with the UK Defence sector.

One major benefit of the DCC scheme is that it replaces the old contract-by-contract cyber self-assessments with a single certification. Instead of filling out separate security questionnaires for every tender, a company can undergo a point-in-time security assessment and earn a DCC certificate that stays valid for three years (with simple annual check-ins to ensure you’re still on track).

This streamlined approach means a DCC certificate can be used to support multiple defence procurement bids without repeated full assessments each time, a game-changer in efficiency. Successfully obtaining and maintaining a DCC certification isn’t just about ticking boxes; it demonstrates an ongoing commitment to cyber resilience at an organisational level. It shows the MOD and prime contractors that your company takes security seriously and has been independently verified against a robust standard.

How does the DCC work?

The scheme is organised into four levels of certification (Level 0, 1, 2, and 3), corresponding to the degree of cyber risk associated with the work you do on a defence contract. Each level has a defined set of controls drawn from a UK Defence security standard (Def Stan 05-138), and the higher the level, the more advanced the security requirements. Importantly, all levels require at least Cyber Essentials certification as a baseline, with Levels 2 and 3 also requiring Cyber Essentials Plus.

Unlike some schemes, DCC is not a self-assessment; no matter which level you aim for, an independent accredited assessor must evaluate your controls and evidence to confirm you meet the standard. If everything checks out, you earn a certificate and a digital badge valid for 3 years. If you fall short, you get a detailed report to help you improve, and you can try again.

The goal is to raise the cybersecurity bar for all defence suppliers consistently. As the MOD rolls out this program, we expect more contracts to mandate a certain DCC level for suppliers, so getting certified early can give you an edge.

Understanding IASME DCC Level 1

Now, let’s talk specifically about Level 1 of the Defence Cyber Certification. DCC Level 1 is intended for situations where a defence supplier is exposed to a low to moderate level of cyber risk in their work for the MOD. This is one step above the foundational Level 0.

Whereas Level 0 focuses on just 3 fundamental controls, Level 1 requires compliance with 101 security controls spanning a broad range of good cybersecurity practices. In other words, Level 1 is a comprehensive check-up of an organisation’s cybersecurity health.

Companies aiming for Level 1 must demonstrate that they have a solid, effective cybersecurity program in place, not just policies on paper, but also good practices that are actually implemented across the organisation. This includes areas like access control, incident response planning, secure configuration, patch management, user training, and much more, all aligned with the MOD’s Def Stan 05-138 controls.

To put it simply, DCC Level 1 is about proving you do all the fundamental things right and then some. It shows that your organisation is not only practising basic cyber hygiene, but also following a wide array of best practices to protect against threats, appropriate for a moderate-risk environment.

Achieving Level 1 means you’ve moved beyond the bare minimum and built a comprehensive security framework that can withstand more sophisticated cyber risks. This level is a common target for many defence suppliers, because a lot of MOD contracts (especially those not dealing with highly classified or sensitive data) will likely fall into the low-to-moderate risk category.

Being Level 1 certified gives assurance to the MOD and your clients that you have robust cyber defences and processes in place for those scenarios. It’s a significant undertaking (remember, 101 controls!), but it greatly strengthens your cyber posture and credibility.

It’s worth noting that you don’t have to progress through the levels sequentially; you can directly apply for Level 1 (or any level) if that’s what you need, even if you never did Level 0. However, because each higher level builds on the lower ones, achieving Level 1 means you’ve inherently covered the Level 0 basics as well (and similarly, Level 2 covers Level 1’s scope, and so on).

Once attained, a DCC Level 1 certificate is valid for three years, with a yearly light-touch check-in, and then a re-certification process in the third year to renew.

This cycle helps ensure that certified organisations continue to maintain those good practices over time – cybersecurity isn’t a “one and done” effort.

Periculo Can Now Offer DCC Level 1 Certification Assessments

We’re delighted to announce that, as of now, Periculo is accredited to deliver DCC Level 1 assessments and certifications. 

Having successfully done so, we’ve proven our understanding of the controls and the assessment methodology at Level 1. IASME, as the scheme authority, has now officially licensed Periculo as a Certification Body (CB) for DCC Level 1, which means we are authorised to conduct independent assessments of other companies at this level and recommend awarding the certification to those who meet the standard.

In practical terms, our new Level 1 Certification Body status expands the services we can provide to our clients and partners. Previously, with our Level 0 accreditation, we could help organisations certify at the very basic tier of the scheme. Now, we can go further and assess organisations against the full Level 1 requirements, issuing official DCC Level 1 certificates (on IASME’s behalf) to those who pass the assessment.

This reflects both our capability and knowledge of the DCC framework, and IASME’s trust in us to uphold their standards of quality, impartiality, and expertise when conducting these cybersecurity audits. We take that responsibility seriously. Our assessors will ensure every Level 1 engagement is thorough, fair, and aligned with the MOD’s expectations for supply chain security.

This accreditation also strengthens the wider support we provide to defence suppliers. Alongside DCC Level 0 and Level 1 assessments, Periculo helps organisations build credible supply-chain cyber assurance through Cyber Essentials readiness and certification support, and CREST-aligned penetration testing to identify and fix real-world risks. Put simply, whether you need to get certified, stay certified, or prove strong cyber resilience to win defence work, we can support you end-to-end.

What Does this Mean for Our Clients and Partners?

For our clients, both current and future, Periculo’s accreditation at DCC Level 1 is good news. It means that if your organisation needs to achieve DCC certification, you now have a trusted partner ready to guide you through the Level 1 certification process from start to finish.

We can serve as your assessor and certifier for Level 1, providing a one-stop service to help you prepare (within the bounds of what an assessor is allowed to do) and then performing the formal assessment when you’re ready. Instead of navigating the complexities of DCC alone, you’ll be working with experienced assessors who understand not just the technical controls but also the broader context of MOD requirements and procurement needs.

Our goal is to make the journey to certification as smooth as possible for you. We’ll clarify what each control is asking for, what evidence is needed, and common pitfalls to avoid when acting in an advisory capacity before the formal assessment. Then, when it’s time to assess, we will carry out a thorough and impartial evaluation. If there are gaps, we’ll let you know exactly what needs improvement; if you meet the standard, we’ll issue your certificate and digital badge!

From a broader perspective, having a DCC Level 1 certificate can provide several tangible benefits to your organisation. First, it proves your commitment to strong cybersecurity, which can enhance your reputation and credibility. Moreover, as the MOD integrates DCC into its contracts, being certified could become a prerequisite to even bidding on certain opportunities.

By getting Level 1 certified, you’re positioning your company ahead of those requirements, so you won’t be caught off-guard when a contract asks for it. In fact, the MOD has indicated that DCC compliance will increasingly be expected for suppliers as the scheme rolls out. Having the certificate means it can also streamline the procurement process; instead of answering lengthy security questionnaires for every bid, you can provide your DCC credentials as evidence of meeting the necessary standard. This saves time and reduces duplicated effort.

There’s also a competitive angle: achieving DCC Level 1 can give you an edge over competitors who haven’t yet certified. It’s a differentiator that shows you’ve invested in robust cyber protections. The DCC scheme was designed to strengthen organisational resilience and reduce cyber risks in the defence supply chain, so by certifying, you’re not just ticking a box, you’re likely improving your own internal security along the way.

These improvements can reduce the likelihood of incidents and improve your ability to respond if something does happen. As IASME said during the launch, DCC is a proactive way for suppliers to enhance their cyber security posture, meet MOD requirements, and gain a competitive edge, ultimately bolstering organisational resilience against cyber threats. In short, it’s a win-win: you make your company safer and more efficient, and you gain a recognised credential that opens doors in the defence sector.

Finally, for our partners and the wider community, Periculo’s expanded role in the DCC scheme is a reflection of our continued commitment to cybersecurity excellence. By achieving DCC Level 1 assessor status, we’ve demonstrated our own expertise and adherence to high standards. This should give our partners added confidence in working with us.

It also means we’re staying at the forefront of developments in defence cyber assurance. As we work on DCC assessments, we’ll be gathering insights into best practices and emerging requirements, knowledge we can share with our clients and partners to help everyone stay ahead of the curve. We believe in lifting the tide for all boats.

If you have any questions about DCC, whether it's about getting your company certified or understanding what level you might need, we’re here to help.

Feel free to reach out to us, and we can discuss your situation and provide guidance on how to get started. Remember, you don’t have to have a defence contract in hand to pursue DCC certification; you might choose to get certified proactively to strengthen your profile for future opportunities.
