Defence Cyber Certification audits
Reduce DCC uncertainty and get a clearer route to Level 0 or Level 1 certification
If you have been asked for DCC by MOD or a prime contractor, we help you understand the route, scope it properly, and avoid wasting time on the wrong preparation work. Punk Security supports suppliers through Level 0 and Level 1, from Cyber Essentials and scoping through to readiness, scoring, and certification.
Get an indicative quote or speak to us for a free 30-minute consultation.
Why Punk Security
Practical DCC support from a team that understands defence delivery
We keep the process clear, commercially sensible, and easier to navigate for internal teams who already have enough going on.
Security-cleared auditors
We can support sensitive engagements with auditors who understand the expectations, handling standards, and trust needed in defence environments.
Strong customer experience
We focus on clarity, responsiveness, and keeping the process manageable rather than burying teams in vague requirements.
Defence sector experience
We understand how defence supplier assurance works in practice, including MOD expectations, prime contractor pressure, and the need to keep delivery moving while certification is underway.
Level 0 and Level 1 are different journeys
DCC is an organisation-level certification, so the route depends on both the required level and the scope of the business being assessed. Level 0 is simpler and fixed-price. Level 1 brings more depth, more evidence, and more care around scope and scoring.
DCC Level 0
A lighter route for very low-risk work
Level 0 is based on 3 controls and is usually the most straightforward DCC route for organisations that need a lower-assurance outcome.
- Fixed pricing by organisation size
- Simpler path to certification
- Best suited to very low-risk supply chain activity
DCC Level 1
More evidence, more scoping, more assessment depth
Level 1 covers 101 controls and usually needs more support around scope, readiness, evidence quality, and practical scoring assumptions.
- Scoping matters because missed critical operations can affect certification
- Readiness and scoring stages let you make decisions before going further
- Site visits depend on the final scope and how similar locations are
Who this is for
This page is ideal if you need to book a DCC assessment and want to understand the likely cost first
It is designed for organisations that need to move toward certification, want a clearer view of cost before they commit, and need to understand what the assessment route is likely to involve.
You have been asked for Level 0
You want to book a straightforward Level 0 assessment, confirm whether Cyber Essentials is already covered, and understand the fixed-price route before you proceed.
You have been asked for Level 1
You need to budget properly for Level 1 and understand the scope, evidence, theoretical scoring, and practical scoring stages before booking the assessment work.
You need cost clarity before you commit
You want an indicative quote now, and a short conversation with Punk Security to sense-check the route, likely effort, and next steps before you book.
Indicative quote
Build an indicative DCC quote for your organisation
Choose the options that match where you are today to get a practical view of likely costs. Prices exclude VAT.
Organisation size
Choose the pricing bracket once. The same size is used for Cyber Essentials and DCC calculations.
Do you need Cyber Essentials?
Cyber Essentials is required before DCC. Include it here if you need us to provide certification.
Which DCC level do you need?
Pick the level requested by MOD or your Prime.
Level 1 scope and readiness
DCC scope must include the parts of the organisation that are critical to operations, otherwise certification may be revoked.
Scoping support
We work with the business to understand the full operational scope, including teams, services, delivery responsibilities and sites, so the DCC assessment covers the right parts of the organisation. Support scales by size: 1 day for micro, 2 for small, 3 for medium and 4 for large.
What should be included in DCC scope?
DCC scope should reflect the parts of the organisation that are genuinely critical to delivering the relevant defence work. The scope document should clearly show what is in scope, what is out of scope, and how those boundaries are separated in practice.
- The teams and people involved in delivery, support, and management of the in-scope work
- The services, systems, and processes relied on to deliver that work
- The locations or sites where in-scope activity is carried out
- Any supporting functions that materially affect secure delivery or operational resilience
- Clear statements of what sits outside scope so the assessment boundary is defensible
- Network diagrams that show separation between in-scope and out-of-scope environments where relevant
The aim is to define a scope that is accurate, defensible, and broad enough to reflect how the organisation actually operates.
Readiness check
A one-day consulting review to identify how likely the organisation is to succeed before committing further. This stage is required for Level 1.
Included as a mandatory 1-day stage.
Template package
Optional template pack for key documents and registers.
Theoretical scoring rounds
Theoretical scoring reviews the ASR and supporting evidence before practical scoring. Two rounds are recommended.
Practical scoring
Practical scoring is required for Level 1. Site visits depend on accurate scoping, and similar sites may only need one representative visit.
Unique physical sites to visit
Practical scoring starts at 5 days for the first site, plus 2 extra days for each additional site.
Reporting and debrief
An optional final management report and debrief highlighting the remaining control gaps and our recommendations for the organisation to address them.
What to expect
Level 0 and Level 1 follow different assessment routes
The IASME guidance is a useful reference point here: both routes start with Cyber Essentials, but Level 1 introduces a much broader evidence and assessment process.
Level 0
A simpler route for very low-risk work
IASME describes Level 0 as the route for suppliers with a very low assessed cyber risk. It is based on 3 controls and does not require an Assessment Submission Record.
- Start with Cyber Essentials certification
- Work to a fixed price based on organisation size
- Prepare evidence against the 3 Level 0 controls
- Move through a lighter assessment route than Level 1
Level 1
A broader process with scope, evidence, theoretical and practical assessment
IASME positions Level 1 for low to moderate assessed cyber risk. Applicants need to describe how they meet the controls, provide supporting evidence, and then progress through theoretical and practical scoring.
- Start with Cyber Essentials certification
- Define the scope carefully and complete a statement of scope
- Answer the assessment questions and prepare evidence against 101 controls
- Go through theoretical scoring first, then practical scoring
Level 1 support
Staged work, clear exit points
The Level 1 process should not feel like a runaway project. We split preparation into stages so you can confirm scope, test readiness, improve evidence and decide whether to continue before practical scoring.
The formal assessment quote still depends on the final scope, but the builder gives a working view of the preparation and issuing costs you can expect.
Confirm the operational scope
Identify the parts of the organisation that are critical to delivery. Getting this wrong can put certification at risk later.
Check readiness before going further
A short readiness review shows whether the organisation is likely to succeed or should pause to fix gaps first.
Exit point
Leave certification for now and work on the more difficult gaps in your own time, using our optional template pack if needed.
Score the evidence
Theoretical scoring rounds review the ASR and supporting evidence. Better prepared evidence usually means fewer rounds.
Exit point
Exit the certification process if the organisation cannot evidence compliance before the more expensive on-site testing element begins.
Validate practical assumptions
Site visits depend on scope and similarity between locations. Similar sites may only need one representative visit.
Common questions
FAQs
Do we need Cyber Essentials first?
Yes. Cyber Essentials is the starting point for DCC. If you already hold it, the builder keeps that cost out of the total.
Why is Level 1 not a single fixed price?
Level 1 depends on scope, evidence quality, locations and how much support is needed before formal assessment.
Can we stop after readiness or scoring?
Yes. The builder reflects staged decision points so you can pause if the organisation is not ready to continue.
What does the issuing cost cover?
For Level 1, the certification issuing cost is fixed by organisation size and matches the Level 0 pricing bracket.
Can you help us decide whether we need Level 0 or Level 1?
Yes. If the contractual position is not fully clear yet, we can use the initial consultation to sense-check the likely route and what evidence you should gather next.
Do all sites need to be visited?
Not always. If sites are genuinely similar, practical scoring may only need one representative visit, subject to the final scope and assessment approach.
Next step
Get an indicative quote or talk your DCC route through with us
If you need to plan DCC Level 0 or Level 1, we can help you understand the route, scope it properly, and price it clearly before you commit further.
Request your DCC consultation or quote
Send us your details and we will come back with the route and quote summary from the builder, or arrange your free 30-minute consultation.