DCC Level 0 vs Level 1: What MOD Suppliers Need To Know



DCC Level 0 and Level 1 are very different assessments. Here is the quick version for MOD suppliers.



Defence Cyber Certification, or DCC, is the MOD-backed scheme for improving cyber resilience across the defence supply chain. It is built on Defence Standard 05-138 and delivered through IASME’s scheme and approved Certification Bodies.

Most suppliers need to answer one question:

Do we need DCC Level 0 or DCC Level 1?

Level 0 is a light self-assessment. Level 1 is a full assessed certification with evidence review, scoring and practical validation.

Cyber Essentials still matters

Cyber Essentials is required for DCC Level 0 and Level 1. DCC renews every three years, or after a major scope change, but Cyber Essentials still renews annually.

If your Cyber Essentials scope is untidy, fix that first. It is much easier to build DCC evidence on top of a clean baseline.

DCC Level 0

DCC Level 0 is submitted through the IASME portal. You answer a small control set and your assessor reviews the submission.

You do not need a full evidence pack, site visits or sensitive internal material.

The Level 0 controls cover:

1. Cyber Essentials
2. UK DPA / GDPR alignment
3. Resilience against cyber attack and system failure

Level 0 is achievable for most organisations, but it still needs sensible answers. Be ready to explain Data Protection Impact Assessments, risk, network segmentation and resilience.

DCC Level 1

DCC Level 1 is not a self-assessment. An approved Certification Body investigates every Level 1 control and validates that your claims hold up.

There are 101 controls, including Cyber Essentials. The other controls cover areas such as:

  • risk management
  • threat intelligence
  • network segmentation
  • patching
  • resilience
  • governance
  • operational security

Organisations need to appropriately implement 80% of the controls.

Do not aim for 80%

The practical assessment often exposes gaps that were not obvious during evidence review. Aim higher than 80% before you consider yourself ready for the assessment.

Can you skip Level 0?

Yes.

DCC Level 0 is not a prerequisite for DCC Level 1. If your contract, prime contractor or customer requirement points you at Level 1, you can go straight there.

Level 0 can still help suppliers get familiar with the scheme before a larger assessment.

Quick comparison

DCC Level 0 is a self-assessment with minimal evidence review, a small control set and no normal requirement for site visits. It is best for early alignment.

DCC Level 1 is fully assessed. It covers 101 controls, requires evidence review and may include site visits. It is best when you need stronger independent assurance.

Both levels require Cyber Essentials.

Get a quote

Use our DCC quote builder to estimate the likely assessment route and cost.

The short version

DCC Level 0 is a manageable self-assessment around Cyber Essentials, data protection and resilience.

DCC Level 1 is a full certification assessment with evidence, scoring and practical validation.

They are not interchangeable. Work out which level you need before the tender clock starts ticking.

For more information, email us at [email protected] or call us on 01609 635 932

Author

Simon Gurney

- CTO -

Simon is one of the Punk Security Directors and has over 17 years' experience working within IT, primarily focused on automation and InfoSec.
