The Defence Cyber Certification (DCC) scheme is a new framework for any organisation looking to work with the UK Ministry of Defence (MOD). It provides a unified standard for cybersecurity, ensuring that the entire defence supply chain is resilient against modern threats.
This guide aims to break down the DCC assessment process. By understanding the process from preparation to certification, you can approach the assessment with a clear strategy for success.
Before diving into the process, it is beneficial to understand the role of your assessing Certification Body (CB). Your chosen CB, accredited by IASME, is there to assess your compliance against the standard.
According to official IASME guidance, a CB can provide advice and clarification, but they cannot implement policies, make changes to your systems, or prepare your evidence for you.
| A Certification Body CAN... | A Certification Body CANNOT... |
| --- | --- |
| Explain the DCC scheme and its controls | Implement any policies or procedures |
| Help you prepare for Cyber Essentials | Make any changes to your network or systems |
| Clarify questions and evidence requirements | Answer assessment questions on your behalf |
| Verify the scope of your assessment | Prepare the evidence they will later assess |
| Supply blank template documents | Dictate the answers to assessment questions |
This distinction is vital. If you need hands-on support to implement controls, write policies, or gather evidence, you must engage a separate, independent readiness partner. An organisation cannot assess its own implementation work.
While the specifics can vary slightly depending on the DCC Level you are targeting, the overall assessment process follows a consistent path. Here is a step-by-step breakdown of what to expect.
1. Identify your Cyber Risk Profile. First, you must identify the Cyber Risk Profile (CRP) level required by your MOD contract or tender. The CRP is determined by the MOD contracting authority and will be specified in the contract documents. This level (from 0 to 3) directly corresponds to the DCC level you must achieve.
2. Appoint a Certification Body. After confirming the required Cyber Essentials baseline for your target DCC level, you must appoint an IASME-accredited DCC Certification Body to conduct the assessment. Early engagement is recommended to validate scope alignment, timelines, and assessment expectations.
3. Agree the scope. This is one of the most critical stages. You and your CB must formally agree on the scope of the assessment. As of Def Stan 05-138 Issue 4, the scope is presumed to be the whole organisation, not just the parts handling MOD data. If you believe a smaller scope is justifiable, you must provide a robust rationale to your CB, who will make the final decision.
4. Complete the submission. Level 0 is a light-touch self-assessment covering 3 controls completed within the online portal. For Levels 1–3, your chosen Certification Body will provide an Assessment Submission Record (ASR), a structured assessment spreadsheet used as the primary submission document. Within the ASR, you will answer the required control questions, explain how your organisation meets each requirement, and reference supporting evidence. The completed ASR and associated evidence are hosted by the applicant and shared securely with the Certification Body for scoring and the certification decision.
5. Assessor review. Your assigned assessor will review your submitted answers and evidence. They will assess whether the evidence is sufficient to demonstrate that each control is fully implemented.
6. Remediation. If the assessor finds a non-compliance, you will be given a remediation period to address the issue. This may involve implementing a new process, updating a policy, or providing more detailed evidence. The length of the remediation period can vary, so it is important to clarify this with your CB upfront.
7. Certification. Once the assessor is satisfied that you have met all the required controls, they will recommend you for certification. IASME will conduct a final quality check and, if successful, issue your organisation with a Defence Cyber Certification certificate. The certificate is valid for three years, with an annual attestation required to maintain its validity.
Use this checklist to track your progress through the Defence Cyber Certification journey:
By understanding these steps and preparing thoroughly, you can navigate the journey efficiently.
If navigating the line between the advisory role of a CB and the hands-on support you need seems challenging, Periculo can help.
As a dedicated DCC readiness partner, we provide the implementation support, policy development, and evidence preparation needed to get you assessment-ready, ensuring you can face your chosen Certification Body with confidence.