Defence Cyber Certification audits
DCC Level 0 and Level 1 audit quotes for defence suppliers
If MOD or a prime contractor has asked for Defence Cyber Certification, we help you confirm the required level, scope it properly, and avoid spending time on the wrong preparation work. Punk Security supports suppliers through Level 0 and Level 1, from Cyber Essentials and scoping to readiness, scoring, and certification.
Build an indicative DCC quote or book a free 30-minute consultation.
Why Punk Security
Practical DCC support from a team that understands defence delivery
We keep the process clear, commercially sensible, and easier to navigate for internal teams who already have enough going on.
Security-cleared auditors
We can support sensitive engagements with auditors who understand the expectations, handling standards, and trust needed in defence environments.
Strong customer experience
We focus on clarity, responsiveness, and keeping the process manageable rather than burying teams in vague requirements.
Defence sector experience
We understand how defence supplier assurance works in practice, including MOD expectations, prime contractor pressure, and the need to keep delivery moving while certification is underway.
Why teams trust us
DCC advice built around sensitive supplier environments
The people reviewing your route should understand both the certification requirement and the practical pressure on defence delivery teams.
Security-cleared auditors
Suitable for sensitive engagements where assurance work needs careful handling and credible reviewers.
Defence supplier context
Support shaped around MOD and prime contractor expectations, not generic compliance advice.
Scoping before scoring
We help confirm what is in scope before you spend time preparing evidence or remediating controls.
Level 0 and Level 1 follow different routes
DCC is an organisation-level certification, so the route depends on both the required level and the scope of the business being assessed. Level 0 is fixed-price and usually simpler. Level 1 needs more evidence, tighter scoping, and a staged scoring process.
DCC Level 0
A lighter route for very low-risk work
Level 0 is based on 3 controls and is usually the most straightforward DCC route for lower-assurance requirements.
- Fixed pricing by organisation size
- Simpler path to certification
- Best suited to very low-risk supply chain activity
DCC Level 1
A deeper route with staged decision points
Level 1 covers 101 controls and usually needs more care around scope, readiness, evidence quality, and practical scoring assumptions.
- Scope matters because missed critical operations can affect certification
- Readiness and scoring stages create decision points before practical assessment
- Site visits depend on the final scope and how similar locations are
Who this is for
For suppliers who need a DCC assessment and want cost clarity first
This page is for organisations moving toward certification that need a clearer view of route, cost, and assessment effort before committing budget.
You have been asked for Level 0
You want to book a straightforward Level 0 assessment, confirm whether Cyber Essentials is covered, and understand the fixed-price route before you proceed.
You have been asked for Level 1
You need to budget properly and understand the scope, evidence, theoretical scoring, and practical scoring stages before booking assessment work.
You need cost clarity before you commit
You want an indicative quote now, plus a short conversation to sense-check the route, likely effort, and next steps before you book.
Indicative quote
Build an indicative DCC quote for your organisation
Choose the options that match where you are today to get a practical view of likely costs. Prices exclude VAT.
Organisation size
Choose the pricing bracket once. The same size is used for Cyber Essentials and DCC calculations.
Do you need Cyber Essentials?
Cyber Essentials is required before DCC. Include it here if you need us to provide certification.
Which DCC level do you need?
Pick the level requested by MOD or your Prime.
Level 1 scope and readiness
DCC scope must include the parts of the organisation that are critical to operations, otherwise certification may be revoked.
Scoping support
We work with the business to understand the full operational scope, including teams, services, delivery responsibilities and sites, so the DCC assessment covers the right parts of the organisation. Support scales by size: 1 day for micro, 2 for small, 3 for medium and 4 for large.
What should be included in DCC scope?
DCC scope should reflect the parts of the organisation that are critical to delivering the relevant defence work. The scope document should clearly show what is in scope, what is out of scope, and how those boundaries are separated in practice.
- The teams and people involved in delivery, support, and management of the in-scope work
- The services, systems, and processes relied on to deliver that work
- The locations or sites where in-scope activity is carried out
- Any supporting functions that materially affect secure delivery or operational resilience
- Clear statements of what sits outside scope so the assessment boundary is defensible
- Network diagrams that show separation between in-scope and out-of-scope environments where relevant
The aim is an accurate, defensible scope that reflects how the organisation actually operates.
Readiness check
A one-day consulting review to identify how likely the organisation is to succeed before committing further. This stage is required for Level 1.
Included as a mandatory 1-day stage.Template package
Optional template pack for key documents and registers.
Theoretical scoring rounds
Theoretical scoring reviews the ASR and supporting evidence before practical scoring. Two rounds is recommended.
Practical scoring
Practical scoring is required for Level 1. Site visits depend on accurate scoping, and similar sites may only need one representative visit.
Unique physical sites to visit
Practical scoring starts at 5 days for the first site, plus 2 extra days for each additional site.Reporting and debrief
An optional final management report and debrief highlighting the remaining control gaps and our recommendations for the organisation to address them.
What to expect
Both routes start with Cyber Essentials, but Level 1 goes much deeper
Level 0 has a lighter assessment path. Level 1 adds scope confirmation, an Assessment Submission Record, supporting evidence, theoretical scoring, and practical scoring.
Level 0
A simpler route for very low-risk work
Level 0 is for very low assessed cyber risk. It is based on 3 controls and does not require an Assessment Submission Record.
- Start with Cyber Essentials certification
- Work to a fixed price based on organisation size
- Prepare evidence against the 3 Level 0 controls
- Move through a lighter assessment route than Level 1
Level 1
A broader process with scope, evidence, theoretical scoring and practical scoring
Level 1 is for low to moderate assessed cyber risk. Applicants describe how they meet the controls, provide supporting evidence, and then progress through theoretical and practical scoring.
- Start with Cyber Essentials certification
- Define the scope carefully and complete a statement of scope
- Answer the assessment questions and prepare evidence against 101 controls
- Go through theoretical scoring first, then practical scoring
Level 1 support
Staged work with clear exit points
Level 1 does not need to become an open-ended project. We split preparation into stages so you can confirm scope, test readiness, improve evidence, and decide whether to continue before practical scoring.
The formal assessment quote still depends on final scope, but the builder gives a working view of preparation, scoring, and issuing costs.
Confirm the operational scope
Identify the functions, systems, services, suppliers, and sites that are critical to delivery. Getting this wrong can put certification at risk later.
Check readiness before going further
A short readiness review shows whether the organisation is likely to succeed or should pause to fix gaps first.
Exit point
Pause certification and work on the more difficult gaps in your own time, using our optional template pack if needed.
Score the evidence
Theoretical scoring rounds review the ASR and supporting evidence. Better prepared evidence usually means fewer rounds.
Exit point
Exit the certification process if the organisation cannot evidence compliance before the more expensive on-site testing element begins.
Validate practical assumptions
Site visits depend on scope and similarity between locations. Similar sites may only need one representative visit.
Common questions
DCC FAQs by assessment level
Open the relevant section to compare the lighter Level 0 route with the more detailed Level 1 assessment process.
DCC Level 0 FAQs
Do we need Cyber Essentials first?
Yes. Cyber Essentials is the starting point for DCC. If you already hold it, the builder keeps that cost out of the total, but the DCC scope still needs to align with the relevant Cyber Essentials scope.
What does the Level 0 route involve?
Level 0 is based on 3 controls and is usually the lighter route for very low-risk supply chain activity. It still needs an accurate scope, current Cyber Essentials, and evidence that the required controls are in place.
Is Level 0 fixed price?
Yes. The builder uses fixed Level 0 assessment pricing by organisation size. Cyber Essentials is only added if you need us to provide it.
DCC Level 1 FAQs
What does a DCC scope document need to include?
The scope should show what is in and out, the essential functions and services needed to operate securely and resiliently, the systems and sites involved, key suppliers or support functions, and how the DCC scope aligns with Cyber Essentials. It should also explain the reason for any exclusions.
How much scope detail is enough?
Enough for an assessor to understand the boundary without guessing. In practice, that usually means named business functions, systems, sites, owners, supplier dependencies, Cyber Essentials overlap, out-of-scope rationale, and diagrams where separation or shared services matter.
What is theoretical scoring?
Theoretical scoring reviews your Assessment Submission Record, explanations, and supporting evidence before practical scoring. It helps identify clarification requests, weak evidence, or misunderstood controls before you move into the final practical stage.
What is practical scoring?
Practical scoring verifies that the controls work as described. The assessor checks evidence in practice, which may include interviews, samples, system checks, and site visits depending on the confirmed scope and assessment approach.
What are the Level 1 decision points and off ramps?
The first decision point is once scope has been confirmed, because scope drives cost, evidence, and site assumptions. The next decision points come after each theoretical scoring round, when you can continue, pause to fix gaps, or stop before practical scoring.
Next step
Build your DCC quote or book a consultation
If you need to plan DCC Level 0 or Level 1, we can help you understand the route, scope it properly, and price it clearly before you commit further.
Book a DCC consultation
Send us your details and we will help confirm the required level, scope, and next step. If you have used the quote builder, we will only include that summary if you interacted with it.
Call us:
01609 635 932
We use your details only to respond to this DCC enquiry. See our privacy policy.