Theoretical vs Practical Scoring In DCC Level 1

DCC Level 1 has two scoring phases. One checks the evidence story, the other checks reality.

Theoretical scoring checks whether your evidence and Assessment Submission Record make sense. Practical scoring checks whether those claims survive contact with the organisation.

In short

Theoretical scoring asks: “does the evidence support the answer?”

Practical scoring asks: “is this actually happening?”

First, the ASR

Before scoring, the applicant completes the Assessment Submission Record, or ASR.

The ASR is a questionnaire spreadsheet where the organisation explains how it meets each DCC Level 1 control and lists supporting evidence.

That evidence might include:

  • policies
  • risk registers
  • screenshots
  • diagrams
  • vulnerability reports
  • supplier records
  • backup evidence
  • incident response material

The ASR should not just be a file list. It should explain what is implemented and why it is appropriate.

Theoretical scoring

During theoretical scoring, the assessor reviews the ASR and evidence.

They are checking:

- is the ASR complete?
- does the answer make sense?
- does the evidence match the answer?
- has the control been understood correctly?
- are there gaps to fix before practical scoring?

At this stage, the assessor trusts the evidence provided, but still checks whether the answers are sufficient. It is a readiness checkpoint.

Aim above 80%

DCC Level 1 requires organisations to appropriately implement 80% of the controls. Do not treat 80% as the target.

During theoretical scoring, aim for 90% or more. Practical scoring often lowers the score because organisations are messier than their evidence packs.

Policies may be inconsistently followed. Diagrams may be out of date. Controls may work in one team but not another.

Breathing room matters

If you scrape through theoretical scoring at 80%, there is no margin left: anything practical scoring finds takes you below the pass mark.
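The readiness checks listed under theoretical scoring (is the ASR complete, does the evidence match the answer) and the 80% pass mark versus 90% target can be run against your own ASR before it goes to the assessor. The script below is an added example written for this page, not a Punk Security or DCC tool. It assumes an ASR exported as CSV with the columns `control_id`, `answer`, `evidence` (semicolon-separated file names) and `implemented`; those column names, the `DCC1-nn` control IDs and the sample rows are all constructed for illustration and are not the real ASR layout. It flags controls that claim implementation without evidence, answers left blank, and referenced evidence missing from the pack, then reports whether the supported controls clear the pass mark and whether there is any margin for practical scoring.

```python
import csv
import io

PASS_MARK = 0.80   # DCC Level 1 pass mark as stated in the article
TARGET = 0.90      # recommended theoretical-scoring target from the article

# Constructed sample ASR export. Column names and control IDs are assumptions
# made for this example, not the real Assessment Submission Record layout.
SAMPLE_ASR = """\
control_id,answer,evidence,implemented
DCC1-01,"Privileged access is reviewed quarterly by the IT manager",access-review.pdf,Yes
DCC1-02,"Networks are segmented by VLAN with firewall rules between zones",network-diagram.pdf,Yes
DCC1-03,"Risks are recorded and reviewed monthly by the risk owner",risk-register.xlsx,Yes
DCC1-04,"Backups are taken nightly and restore-tested monthly",backup-policy.pdf;restore-test-log.csv,Yes
DCC1-05,"Incident response plan approved and exercised annually",ir-plan.pdf,Yes
DCC1-06,"Vulnerability scans run weekly with remediation tracked",vuln-scan-report.pdf,Yes
DCC1-07,"Supplier security is assessed at onboarding",supplier-register.xlsx,Yes
DCC1-08,"MFA is enforced for all remote access",mfa-policy.pdf;mfa-screenshot.png,Yes
DCC1-09,"Security awareness training delivered annually",training-records.xlsx,Yes
DCC1-10,"No asset inventory is maintained",,No
"""

# Constructed list of files actually present in the evidence pack.
# Note restore-test-log.csv is referenced by DCC1-04 but was never supplied.
EVIDENCE_PACK = {
    "access-review.pdf", "network-diagram.pdf", "risk-register.xlsx",
    "backup-policy.pdf", "ir-plan.pdf", "vuln-scan-report.pdf",
    "supplier-register.xlsx", "mfa-policy.pdf", "mfa-screenshot.png",
    "training-records.xlsx",
}


def check_asr(asr_text, evidence_pack):
    """Run theoretical-scoring readiness checks over an ASR CSV export.

    A control counts as supported only when it is claimed as implemented,
    has a written answer, lists at least one evidence file, and every
    listed file is present in the evidence pack.
    """
    rows = list(csv.DictReader(io.StringIO(asr_text)))
    findings = []
    supported = 0
    for row in rows:
        cid = row["control_id"]
        answer = row["answer"].strip()
        refs = [r.strip() for r in row["evidence"].split(";") if r.strip()]
        claimed = row["implemented"].strip().lower() == "yes"

        if claimed and not answer:
            findings.append((cid, "implemented claim with no answer"))
        if claimed and not refs:
            findings.append((cid, "implemented claim with no evidence listed"))
        missing = [r for r in refs if r not in evidence_pack]
        for m in missing:
            findings.append((cid, f"evidence not in pack: {m}"))

        if claimed and answer and refs and not missing:
            supported += 1

    score = supported / len(rows) if rows else 0.0
    return {
        "controls": len(rows),
        "supported": supported,
        "score": score,
        "findings": findings,
        "passes": score >= PASS_MARK,
        "has_margin": score >= TARGET,
    }


if __name__ == "__main__":
    report = check_asr(SAMPLE_ASR, EVIDENCE_PACK)
    print(f"{report['supported']}/{report['controls']} controls supported "
          f"({report['score']:.0%})")
    for cid, issue in report["findings"]:
        print(f"  {cid}: {issue}")
    print("pass mark met:", report["passes"])
    print("margin for practical scoring:", report["has_margin"])
```

On the constructed sample, eight of ten controls are supported: the script passes at exactly 80% but reports no margin, which is the "scraping through" position the article warns about. Fixing DCC1-04 by supplying the missing restore log, or building the asset inventory for DCC1-10, is what buys breathing room before practical scoring.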

Practical scoring

Practical scoring is the final phase. The assessor validates the claims made during theoretical scoring through interviews, system review, process walkthroughs and possible site visits.

For example:

ASR says: privileged access is reviewed
Assessor asks: who reviews it, how often, and what happens when access is no longer needed?

ASR says: networks are segmented
Assessor asks: how is segmentation enforced, monitored and changed?

ASR says: risks are managed
Assessor asks: who owns the risks and how are decisions tracked?

Practical scoring is not about producing more paperwork. It proves the paperwork reflects reality.

The short version

Theoretical scoring checks the evidence story.

Practical scoring checks the organisation.

Build the ASR carefully, aim above the pass mark and make sure the people operating the controls can explain them.

For more information, email us at [email protected] or call us on 01609 635 932

Author

Simon Gurney

CTO

Simon is one of the Punk Security Directors and has over 17 years' experience working within IT, primarily focused on automation and InfoSec.