DCC Level 0 and Level 1 Audits


Defence Cyber Certification Level 0 and Level 1 assessment services for suppliers who need to book an audit, understand the route, and get a clear view of likely assessment cost.


Book a Defence Cyber Certification assessment with a clearer route, clearer cost assumptions, and fewer surprises. Punk Security provides DCC Level 0 and Level 1 audit services for suppliers who need certification evidence for MOD or prime contractor requirements.
Assessment, not implementation

This page is for organisations that want to book or price the DCC assessment route itself.

If you need help getting ready, writing evidence, remediating gaps, or implementing controls before the audit, see our DCC support and implementation service.

Who this assessment is for

  • You have been asked for DCC Level 0 or Level 1 by MOD or a prime contractor.
  • You want to understand the likely assessment route before committing budget.
  • You need to include Cyber Essentials in the plan, or confirm that your existing certificate is enough.
  • You need Level 0 fixed-price assessment or a Level 1 quote based on scope, scoring effort, and site assumptions.
  • You want a short conversation with auditors before booking so the quote is based on sensible assumptions.

Why Punk Security

  • Security-cleared auditors who understand the expectations, handling standards, and trust needed in defence environments.
  • Defence sector experience across MOD, prime contractor, and supplier assurance expectations.
  • Strong customer experience: clear communication, practical next steps, and no vague requirement dumping.
  • Level 0 and Level 1 coverage, including Cyber Essentials, readiness gates, theoretical scoring, practical scoring, and certification issue.

Level 0 assessment

Level 0 is the lighter DCC route for very low assessed cyber risk. It is based on 3 controls and does not require an Assessment Submission Record.

The Level 0 assessment route covers:

  • Current Cyber Essentials certification.
  • Scope alignment between Cyber Essentials and the DCC assessment boundary.
  • Evidence against the 3 Level 0 controls.
  • A simpler assessment route than Level 1.
  • Fixed assessment pricing based on organisation size.

Level 1 assessment

Level 1 is for low to moderate assessed cyber risk. It is based on 101 controls and involves a broader assessment process, including scope, evidence, theoretical scoring, and practical scoring.

The Level 1 assessment route can include:

  • Cyber Essentials as the starting point.
  • Scope confirmation before the assessment progresses.
  • A readiness check so you can decide whether to continue or pause.
  • Review of the Assessment Submission Record and supporting evidence.
  • Theoretical scoring rounds.
  • Practical scoring, including site assumptions.
  • Certification issuing.
  • Optional management report and debrief.

Level 0 and Level 1 compared

| Area | Level 0 | Level 1 |
|---|---|---|
| Typical risk profile | Very low assessed cyber risk | Low to moderate assessed cyber risk |
| Control volume | 3 controls | 101 controls |
| Cyber Essentials | Required | Required |
| Scope effort | Important, but usually concise | Critical and often the biggest early task |
| Evidence depth | Policy, register, mapping, and resilience evidence | Broader evidence pack across the Level 1 controls |
| Assessment style | Lighter audit route | More detailed readiness, evidence, theoretical, and practical work |
| Cost risk | Usually predictable | Depends on scope, readiness, sites, and evidence quality |

What the quote builder covers

Our DCC audit cost builder gives an indicative route before you speak to us.

It lets you choose:

  • Organisation size: micro, small, medium, or large.
  • Cyber Essentials status: already certified or need certification.
  • DCC level: Level 0 or Level 1.
  • Level 1 scoping support, where needed.
  • Level 1 template package, where needed.
  • Theoretical scoring rounds.
  • Practical scoring site assumptions.
  • Optional reporting and debrief.

For Level 0, the builder gives a fixed assessment price based on organisation size. For Level 1, the builder gives a working estimate because the final assessment effort depends on scope, evidence quality, scoring rounds, and site assumptions.

What happens after you request a quote

  • The quote request includes your chosen DCC level, organisation size, Cyber Essentials position, Level 1 options, and cost summary.
  • We review the route and check whether the assumptions look sensible.
  • You can use the free 30-minute consultation to confirm the level, Cyber Essentials position, scope, site assumptions, and next step.
  • If Level 0 is the right route, the assessment can usually move forward on fixed pricing.
  • If Level 1 is the right route, we confirm scope and effort before the formal assessment work proceeds.
  • After a consultation, we can provide the Level 0 template pack referenced on the quote-builder page. Wider template implementation and gap fixing sit under DCC support and implementation.

Level 1 stages and exit points

Level 1 should not feel like a runaway project. The assessment route is staged so you can make sensible decisions before committing to the most expensive parts.

  1. Confirm the operational scope.
  2. Check readiness before going further.
  3. Exit if the organisation is not ready and needs support or implementation work.
  4. Score the evidence through theoretical scoring.
  5. Exit if the organisation cannot evidence compliance before practical scoring.
  6. Validate assumptions through practical scoring and site visits.
  7. Issue certification when the assessment outcome supports it.

What affects Level 1 cost

  • Scope arguments. DCC is organisation-level assurance, so support functions and critical operations can matter even when they are not the obvious MOD-facing system.
  • Cyber Essentials mismatch. Cyber Essentials scope and DCC scope are not automatically identical, so the overlap needs to be explained.
  • Weak evidence ownership. Policies without owners, review dates, registers, screenshots, or operational proof rarely land well.
  • Personal data records. Many companies have GDPR policies but no usable record of processing, DPIA screening, or processor register.
  • Resilience evidence. Backups are often configured but not restored, tested, or mapped to business recovery expectations.
  • Level 1 site assumptions. Multiple sites, operational technology, production systems, or inconsistent locations can quickly change practical assessment effort.

What we need to quote or book the assessment

  • The level requested by MOD or your prime, if known.
  • Your current Cyber Essentials certificate and scope statement.
  • A list of key systems, sites, business functions, and suppliers.
  • Any existing policies, registers, risk assessments, DPIAs, backup records, and incident response documents.
  • Site assumptions for practical scoring.
  • A named contact who can answer scope and evidence questions.

Common assessment questions

Do we need Cyber Essentials first?

Yes. Cyber Essentials is the starting point for DCC. If you already hold it, the quote builder keeps that cost out of the total.

Why is Level 1 not a single fixed price?

Level 1 depends on scope, evidence quality, locations, theoretical scoring effort, practical scoring effort, and whether support is needed before formal assessment.

Can we stop after readiness or theoretical scoring?

Yes. The Level 1 route has decision points so you can pause if the organisation is not ready to continue.

What does the Level 1 issuing cost cover?

For Level 1, the certification issuing cost is fixed by organisation size and matches the Level 0 pricing bracket used in the builder.

Do all sites need to be visited?

Not always. If sites are genuinely similar, practical scoring may only need one representative visit, subject to final scope and assessment approach.

Can you help us get ready before assessment?

Yes, but that is a separate offer. See DCC support and implementation if you need readiness, evidence, remediation, templates, or hands-on implementation before the audit.


WHAT OUR CLIENTS SAY

Townsend Music

We initially reached out to Punk Security to help us out with our hosting architecture and were impressed with their breadth of knowledge.

With their expertise we were able to implement additional controls into AWS and successfully scale our systems. When we needed to gain more performance insights, their engineers configured our Datadog platform end to end.

We’ve found that they really take the time to understand our problem and then put forward a great solution.

Knights

Our internal IT team were in need of expert consultancy to help us strengthen our cybersecurity measures and protect our sensitive data.

We engaged the services of Punk Security and were thoroughly impressed with the level of professionalism and knowledge they brought to the table.

The team was able to provide valuable insights and recommendations, and their guidance helped us implement effective security protocols that have greatly enhanced our overall security posture.

Parallel

We originally sought Punk’s services to support us with a potential cyber-attack. The team responded immediately, out of hours, and calmly and professionally walked us through the necessary steps to determine that our environment hadn’t been compromised.

Since then, we have engaged Punk to carry out a third party audit of our cloud environment and a gap analysis against the Cyber Essentials and ISO270001 criteria. The team provided a thorough report with recommendations and are now working with us to improve our processes and systems.

I feel assured that we are walking towards best practice security operations.

MKM

Having attended a live hack demo held at C4DI we approached Punk Security to help shore up our cyber security and DevOps processes. Punk not only completed this audit but passed on valuable gained knowledge to our team to broaden their skills and insight in this area.

We have since continued to work in partnership with Punk to implement a WAF and frequently consult their expertise in DevOps in relation to our application so we can all learn and grow in a collaborative way.

Punk are approachable, knowledgeable and also adept at explaining in layman’s terms for the less technical! We look forward to continuing our fruitful working relationship.

Illumio

Our team at Illumio recently participated in a custom CTF event hosted by Punk Security, and it was a great experience! The CTF was not only challenging but also immensely educational, especially in the realm of cloud security principles.

The challenges presented during the CTF were designed to cover a broad spectrum of cloud security topics. This approach allowed our team to dive deep into practical scenarios that tested our skills and pushed us to explore new strategies and technologies. The balance between difficulty and learning outcomes was perfectly struck, ensuring that each team member, regardless of their prior level of expertise, found the event to be rewarding.

Friends of the Earth

Punk Security were happy to perform external scans pro bono due to our status as an NGO.

The team also spent meeting time on two separate occasions to discuss our requirements and provide advice without any commitment or expectation. I’ll certainly be coming to Punk Security again in future should we need further security services.

Sage

Punk Security provided exceptional DevSecOps training for our engineers here at Sage and delivered an outstanding talk at our Securing Sage Summit.

Their expertise and knowledge were evident throughout the sessions.

Not only were they efficient and great to work with, but their presentation was also the highest rated session of the entire event. We highly recommend Punk Security for any security-related needs.