The DCC Assessment Process Explained, Step-by-Step
The Defence Cyber Certification (DCC) scheme is a new framework for any organisation looking to work with the UK Ministry of Defence (MOD). It provides a unified standard for cybersecurity, ensuring that the entire defence supply chain is resilient against modern threats.
This guide aims to break down the DCC assessment process. By understanding the process from preparation to certification, you can approach the assessment with a clear strategy for success.
The Role of the Certification Body (CB)
Before diving into the process, it is beneficial to understand the role of your assessing Certification Body (CB). Your chosen CB, accredited by IASME, is there to assess your compliance against the standard.
According to official IASME guidance, a CB can provide advice and clarification, but they cannot implement policies, make changes to your systems, or prepare your evidence for you.
| A Certification Body CAN... | A Certification Body CANNOT... |
| --- | --- |
| Explain the DCC scheme and its controls | Implement any policies or procedures |
| Help you prepare for Cyber Essentials | Make any changes to your network or systems |
| Clarify questions and evidence requirements | Answer assessment questions on your behalf |
| Verify the scope of your assessment | Prepare the evidence they will later assess |
| Supply blank template documents | Dictate the answers to assessment questions |
This distinction is vital. If you need hands-on support to implement controls, write policies, or gather evidence, you must engage a separate, independent readiness partner. An organisation cannot assess its own implementation work.
The DCC Assessment Journey: A 7-Step Process
While the specifics can vary slightly depending on the DCC Level you are targeting, the overall assessment process follows a consistent path. Here is a step-by-step breakdown of what to expect.
Step 1: Determine Your Required DCC Level
First, you must identify the Cyber Risk Profile (CRP) level required by your MOD contract or tender. The CRP is determined by the MOD contracting authority and will be specified in the contract documents. This level (from 0 to 3) directly corresponds to the DCC level you must achieve.
Step 2: Achieve Cyber Essentials Certification
- DCC Level 0 and Level 1 require a valid Cyber Essentials (CE) certificate.
- DCC Level 2 and Level 3 require a valid Cyber Essentials Plus (CE+) certificate.
Applicants may prepare for DCC alongside Cyber Essentials activity; however, the relevant CE or CE+ certification must be in place to successfully complete DCC.
Step 3: Select an Accredited DCC Certification Body
After confirming the required Cyber Essentials baseline for your target DCC level, you must appoint an IASME-accredited DCC Certification Body to conduct the assessment. Early engagement is recommended to validate scope alignment, timelines, and assessment expectations.
Step 4: Define and Agree on the Assessment Scope
This is one of the most critical stages. You and your CB must formally agree on the scope of the assessment. As of Def Stan 05-138 Issue 4, the scope is presumed to be the whole organisation, not just the parts handling MOD data. If you believe a smaller scope is justifiable, you must provide a robust rationale to your CB, who will make the final decision.
Step 5: Complete the Assessment Questionnaire
Level 0 is a light-touch self-assessment covering 3 controls completed within the online portal. For Levels 1–3, your chosen Certification Body will provide an Assessment Submission Record (ASR) — a structured assessment spreadsheet used as the primary submission document. Within the ASR, you will answer the required control questions, explain how your organisation meets each requirement, and reference supporting evidence. The completed ASR and associated evidence are hosted by the applicant and shared securely with the Certification Body for scoring and certification decision.
Step 6: The Assessment and Remediation
Your assigned assessor will review your submitted answers and evidence. They will assess whether the evidence is sufficient to demonstrate that the control is fully implemented.
If the assessor finds a non-compliance, you will be given a remediation period to address the issue. This may involve implementing a new process, updating a policy, or providing more detailed evidence. The length of the remediation period can vary, so it is important to clarify this with your CB upfront.
Step 7: Certification Decision
Once the assessor is satisfied that you have met all the required controls, they will recommend you for certification. IASME will conduct a final quality check and, if successful, issue your organisation with a Defence Cyber Certification certificate. The certificate is valid for three years, with an annual attestation required to maintain its validity.
Your DCC Assessment Process Checklist
Use this checklist to track your progress through the Defence Cyber Certification journey:
- Identify Target DCC Level: Confirmed the required level and Cyber Risk Profile in our MOD contract.
- Achieve Cyber Essentials: Hold a valid, in-scope CE (L0–1) or CE+ (L2–3) certificate.
- Select a Certification Body: Engaged an IASME-accredited DCC Certification Body (CB).
- Agree Scope: Documented and agreed the assessment scope with our CB.
- Access Portal / Complete ASR: Completed Level 0 in the portal, or begun the ASR for Levels 1–3.
- Complete Assessment Responses: Answered all required controls and provided supporting evidence.
- Undergo Assessment: Submitted our assessment for CB review and scoring.
- Remediate (if needed): Addressed any non-conformities identified by the assessor.
Get Ready for Your Assessment
By understanding these steps and preparing thoroughly, you can navigate the journey efficiently.
If the line between the advisory role of a CB and the hands-on support you need seems challenging, Periculo can help.
As a dedicated DCC readiness partner, we provide the implementation support, policy development, and evidence preparation needed to get you assessment-ready, ensuring you can face your chosen Certification Body with confidence.