Scoping DCC Correctly: The Part That Can Break Your Assessment



DCC scope is not Cyber Essentials scope. Get it wrong and the whole assessment can wobble.



The easiest way to make a Defence Cyber Certification assessment painful is to get the scope wrong.

If the scope is too narrow, the assessment may not represent how MOD work is actually delivered.

Scope before evidence

A beautiful evidence pack does not save a bad scope. The ASR can only be as good as the boundary it describes.

DCC scope is broader

Cyber Essentials scope focuses on users, devices, cloud services, internet-facing systems and organisational boundaries.

DCC is broader.

The DCC scope is not published publicly, but it is made available to the MOD. It should explain:

- which business functions are in scope
- which systems are in scope
- which functions and systems are out of scope
- why those decisions are reasonable

The important word is functions. DCC is concerned with the resilience of the organisation delivering the work, not just the system that stores MOD data.

Start with business functions

Do not start with a spreadsheet of laptops. Start with how the organisation delivers.

Which teams, services and processes are critical to MOD delivery? This may include engineering, production, support, finance, HR, procurement, logistics, IT operations, cloud administration or quality management.

Then map the systems that support those functions. Some may not touch MOD data, but their failure could still stop delivery.

In scope, out of scope, and why

A good DCC scope explains exclusions as clearly as inclusions.

An excluded system needs a defensible reason. It may have no role in MOD delivery and no meaningful impact on the contract.

If that same system supports payroll for the only engineers who can deliver the work, the answer may change.

The goal is not the smallest scope

The goal is the correct scope. Making the assessment smaller at all costs can make the certification weaker.

What can go wrong?

DCC Level 1 includes readiness work where the scope should be checked early. This is not just admin: a misaligned scope can invalidate the award.

Imagine completing evidence review and practical scoring, then discovering that a critical business function was left out. Scoping is meant to prevent exactly that.

A simple scoping checklist

Use this as a starter:

1. List the business functions involved in MOD delivery
2. Identify the systems supporting each function
3. Mark functions and systems in or out of scope
4. Record the reason for each exclusion
5. Challenge the impact of failure or compromise
6. Validate the scope before building the ASR

Then challenge the scope:

- What happens if this system is unavailable?
- What happens if this supplier is compromised?
- What happens if this team cannot work?
- What happens if this data is lost or exposed?

These questions are more useful than only asking whether a system contains MOD data.
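The checklist and the challenge questions above can be turned into a mechanical consistency check before the ASR is built. The following is an added illustrative example, not Punk Security code and not a DCC or MOD tool: it models business functions, the systems that support them, and a proposed in/out-of-scope decision with recorded exclusion reasons, then flags the two problems the post describes, an exclusion with no recorded reason and an excluded system (such as payroll) that an in-scope function still depends on. The system and function names and the sample data are constructed.

```python
"""Scope consistency check for a DCC-style scoping exercise (illustrative only)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class System:
    name: str
    in_scope: bool
    holds_mod_data: bool = False
    exclusion_reason: Optional[str] = None  # required when in_scope is False


@dataclass
class Function:
    name: str
    in_scope: bool
    supported_by: List[str] = field(default_factory=list)  # names of supporting systems
    exclusion_reason: Optional[str] = None


def check_scope(functions: List[Function], systems: List[System]) -> List[str]:
    """Return a list of findings; an empty list means the scope is internally consistent.

    Two rules, mirroring the checklist: every exclusion needs a recorded reason,
    and an excluded system that an in-scope function depends on must be reviewed,
    because its failure could stop MOD delivery whether or not it holds MOD data.
    """
    findings: List[str] = []
    systems_by_name = {s.name: s for s in systems}

    # Rule 1: record the reason for each exclusion (checklist step 4).
    for item in [*functions, *systems]:
        if not item.in_scope and not item.exclusion_reason:
            findings.append(f"{item.name}: excluded without a recorded reason")

    # Rule 2: challenge the impact of failure (checklist step 5). Walk each in-scope
    # function's supporting systems and flag any that were left out of scope.
    for fn in functions:
        if not fn.in_scope:
            continue
        for sys_name in fn.supported_by:
            system = systems_by_name.get(sys_name)
            if system is None:
                findings.append(f"{fn.name}: depends on unknown system {sys_name}")
            elif not system.in_scope:
                findings.append(
                    f"{sys_name}: out of scope but supports in-scope function {fn.name}"
                )
    return findings


# Constructed sample data: an engineering function that delivers the MOD work,
# a payroll system excluded because it holds no MOD data, and a marketing CMS
# excluded with no reason recorded at all.
SAMPLE_SYSTEMS = [
    System("cad-server", in_scope=True, holds_mod_data=True),
    System("payroll", in_scope=False, exclusion_reason="holds no MOD data"),
    System("marketing-cms", in_scope=False),
]
SAMPLE_FUNCTIONS = [
    Function("engineering", in_scope=True, supported_by=["cad-server", "payroll"]),
    Function("marketing", in_scope=False, supported_by=["marketing-cms"],
             exclusion_reason="no role in MOD delivery"),
]


def run_sample() -> List[str]:
    """Run the check over the constructed sample and return its findings."""
    return check_scope(SAMPLE_FUNCTIONS, SAMPLE_SYSTEMS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The payroll finding is the point of the exercise: "holds no MOD data" is a recorded reason, so rule 1 is satisfied, but rule 2 still surfaces it because the engineers who deliver the work depend on it. Whether the system then moves into scope or the exclusion reason is strengthened is a judgement call; the check only makes sure the question is asked before the evidence pack is assembled.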

Get a quote

Use our DCC quote builder to estimate the likely assessment route and cost.

The short version

DCC scoping is not a formality. It defines what the certification actually means.

Get the boundary right first, then build the evidence.

For more information, email us at [email protected] or call us on 01609 635 932

Author

Simon Gurney

- CTO -

Simon is one of the Punk Security Directors and has over 17 years experience working within IT, primarily focused on automation and InfoSec.
