Understanding Defence Cyber Certification (DCC)

Wayne Armstrong | Senior Information Security Consultant and Consultant Manager at URM
George Ryan | Consultant at URM

Published on 21 May 2026

Summary

In this blog, Wayne Armstrong (URM Senior Information Security Consultant and Consultant Manager) and George Ryan (URM Consultant) explain the purpose and structure of the Ministry of Defence’s (MoD’s) new Defence Cyber Certification (DCC) and its role in strengthening cyber resilience across the UK defence supply chain.  They outline how the scheme works, its relationship with Def Stan 05-138, Cyber Essentials, and other frameworks, and explore the benefits of certification for organisations seeking to secure or maintain MoD contracts.  The blog also highlights key steps to achieving compliance, common challenges and practical considerations for organisations preparing for assessment.

The UK Government has an ongoing initiative to strengthen the resilience of the UK defence supply chain, which was emphasised in the Ministry of Defence’s (MoD’s) 2025 Strategic Defence Review.  As part of this initiative, the MoD has introduced DCC, a voluntary cyber security certification scheme for UK defence suppliers.

What is it?

Developed by the MoD and IASME, and aligned with international leading practices, the aim of DCC is to enhance cyber resilience within the defence supply chain, and provide independent, verifiable assurance of this resilience based on pre-defined levels of compliance.   The scheme builds on the Defence Standard 05-138 (Def Stan 05-138), the cyber security standard used by the MoD for organisations supplying or providing services to the defence sector.  Where Def Stan 05-138 sets out what controls are needed, the DCC provides an evidence-based approach to proving that those controls are in place.

The scheme defines four different compliance levels, which correspond to the identified risk of the supplier and align with the compliance levels in Def Stan 05-138.  As part of certification, Cyber Essentials or Cyber Essentials Plus (depending on compliance level) needs to be achieved, and a specific set of controls from Def Stan 05-138 needs to be implemented (with the controls required again depending on compliance level).  Certification for DCC lasts three years, subject to annual check-ins.  The DCC is not mandatory but is highly recommended by the MoD, and allows you to bid for multiple contracts with a single certification rather than completing a self-assessment questionnaire (SAQ) for every MoD contract, reducing duplication of work.  As such, uptake is likely to increase over the coming years.

What benefits are there to certifying?

One of the most significant benefits of achieving DCC is that it opens the door to MoD contracts not available to uncertified competitors, with many MoD tenders requiring DCC at a certain level.  Without it, bids may not even be considered.  Even for contracts that do not explicitly require certification to the scheme, DCC can provide a competitive edge over organisations that are not certified, acting as an independent and verifiable differentiator.  As the DCC involves an evidence-based assessment of your organisation’s security controls by a licensed, third-party certification body, it provides a much higher level of assurance across contracts.

In addition, DCC expands upon Cyber Essentials and Cyber Essentials Plus certification, and further enhances your security posture.  Depending on the level of compliance, the measures required for DCC include detection facilities, supplier management, incident handling and business continuity risk assessments.  The controls outlined within Def Stan 05-138 are also closely aligned with those found in other established information/cyber security frameworks, such as ISO 27001 and the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) 2.0.  This again reduces duplication of effort when achieving further certifications, allowing your organisation to build on existing practices, rather than from the ground up.

Who needs DCC?

It is relatively straightforward to identify whether DCC is applicable to your organisation.  The scheme is for organisations working within UK defence, including organisations that are direct suppliers to the MoD or prime contractors, as well as the wider supply chain, i.e., subcontractors and technology and service providers working on behalf of a prime contractor.  It can also apply to organisations planning defence work in the future or seeking earlier readiness.  

The need for DCC and its controls is determined by cyber risk and access.  For example, a supplier of planes, helicopters, tanks, etc., to the MoD will represent a far greater level of risk than a uniform supplier.  If you are a part of the supply chain that presents a greater risk to the MoD, you will be required to meet a higher bar for security, which is why the scheme defines multiple levels that suppliers can comply with.

How does it work?

The scheme incorporates the controls from Def Stan 05-138, which organisations need to implement in part or in full, depending on their designated compliance level.  It’s important to remember that DCC is not an SAQ-based scheme: your implementation of the controls will be verified by an external assessor rather than self-declared.

The controls sit within four objectives:

  • Objective A: Managing Security Risk, e.g., risk assessment, internal audits
  • Objective B: Protecting Against Cyber Attack, e.g., firewalls
  • Objective C: Detecting Cyber Events, e.g., intrusion detection monitoring
  • Objective D: Minimising the Impact of Security Incidents, e.g., backups.

These objectives share characteristics of both ISO 27001 and the NIST CSF.  However, DCC differs from ISO 27001 in that the controls are mandatory rather than risk-based, meaning you will need to implement all of the controls required for your designated compliance level instead of selecting them based on a risk assessment.  

As mentioned, the scheme has four levels of compliance which dictate the Def Stan 05-138 controls you need to have in place.  Your compliance level will depend on your organisation’s Cyber Risk Profile.

Level 0

The most basic level, for organisations with very low assessed cyber risk.  It requires compliance with three basic controls, in addition to Cyber Essentials.  To achieve a pass at this level, 100% of the controls must be fully implemented.

Example control: Control 2134: Ensure UK GDPR Compliance

Example question: Does the organisation conduct Data Protection Impact Assessments against data types it stores or processes?

Level 1

Aimed at organisations with low to moderate assessed cyber risk.  It requires compliance with 101 basic controls, in addition to Cyber Essentials.  To achieve a pass at this level, you will need at least 80% of the total points per area (objective).

Example control: Control 2403: Penetration testing

Example question: Does the organisation ensure penetration testing is conducted on externally facing systems at least every 12 months?

Level 2

Aimed at organisations with a high assessed cyber risk.  It requires compliance with 139 controls, in addition to Cyber Essentials Plus.  The required score to pass at this level is the same as Level 1, i.e., 80% per area.  

Example control: Control 1301: Automated Asset Inventory

Example question: Does the organisation use automated tools for asset discovery and management to maintain an up-to-date asset inventory?

Level 3

Aimed at organisations with the highest level of assessed cyber risk.  It requires compliance with 144 controls (all controls in Def Stan 05-138), in addition to Cyber Essentials Plus.  Level 3 organisations must implement 100% of the defined controls in order to pass.

Example control: Control 1204: Threat intelligence capabilities

Example question: Does the organisation have established threat intelligence capabilities?

It’s important to ensure asset management is continuous throughout the year, instead of being updated last minute for the sake of assessment.  Many organisations approach asset management manually, for example using spreadsheets.  If this is the case for you, the decision to upgrade to an automated tool (as is required for compliance with Control 1301) will need to be based on the compliance level you are aiming to achieve.  Level 3 compliance requires 100% alignment with every control, so an automated tool will be necessary.  Failing to implement this means only Level 2 can be achieved.

Threat intelligence relies on your organisation gathering a significant amount of information.  Per ISO 27001, effective threat intelligence requires you to collect information at the strategic, tactical, and operational levels, and determine whether the gathered information is relevant to your organisation and the impact it will have.  This requires effort and analysis; it is not just about receiving information, but also using it to make decisions on control improvements and to provide informed responses to emerging threats.

What steps do organisations need to take to achieve DCC?

One of the first steps is to identify what level of compliance you need to achieve, or would be looking to achieve.  Based on this, you can then decide whether to certify against Cyber Essentials or Cyber Essentials Plus (assuming you are not already certified).  It may be that previous MoD contracts held by your organisation identify its level.  However, if you have not been assigned a Cyber Risk Profile, your certification body will be able to help you identify the appropriate compliance level.

You will also need to understand your scope.  Unlike Cyber Essentials, where you can exclude parts of your organisation from your certification scope, DCC requires you to certify all parts of your organisation that are essential to its operation, ideally your entire organisation.  As such, policies, procedures and controls must be applied across your organisation as a whole, not just parts of it.

Once your organisation has determined the level required, and the relevant Cyber Essentials certification has been achieved, you can then begin to assess your current cyber security posture, identify any gaps and subsequently align your controls to the latest version of the Def Stan 05-138.  You can also take a ‘hybrid’ approach to your compliance level, aiming for a higher level while still achieving certification at a lower level if needed, ensuring that effort invested is not wasted.

Once you are satisfied that your organisation meets the necessary control requirements, the certification process for all four levels is as follows:

  1. Contact IASME and obtain a list of authorised certification bodies
  2. Select a certification body from the list to conduct your assessment
  3. The selected certification body will outline the process and provide costs
  4. Once a contract has been signed, the assessment will begin
  5. The assessor will identify any remaining gaps and offer advice, but will not implement solutions
  6. You will receive certification or a report of failure (confidential)

Certification lasts for 3 years, subject to annual check-ins.  However, compliance with the scheme needs to be continuous.  Controls need to be maintained and operational year-round instead of being remediated or brought back into compliance just ahead of each review cycle.

Common pitfalls to avoid

As DCC is a new scheme, many organisations have had initial difficulties in understanding their scope and how it differs from their Cyber Essentials scope.  As such, it is advisable to seek guidance from a DCC expert on the appropriate certification scope if your organisation is uncertain in this area.  

Some organisations have also struggled with evidencing controls.  While they may be used to stating what they do in supplier questionnaires, they may be less familiar with the level of formal, documented evidence needed to demonstrate that controls are consistently in place and operating as intended.  It’s also important to avoid falling into the trap of over-engineering controls, for example by creating excessively detailed policies and procedures that go beyond what is required, as this can introduce unnecessary complexity and make ongoing compliance more difficult to maintain.

Another common mistake is a lack of DCC-specific roles being assigned.  As is the case in ISO 27001, where an ISMS manager (or equivalent) needs to be appointed, you must ensure someone is responsible for DCC.  Without this, there is a risk that the scheme will become fragmented within your organisation and confusion will arise over ownership and accountability for meeting specific requirements.  Finally, all levels of DCC compliance require certification to either Cyber Essentials or Cyber Essentials Plus.  So, alongside your maintenance of DCC-specific requirements and controls, you also need to ensure your CE/CE+ compliance is maintained, and that you keep pace with the annual updates to the Cyber Essentials scheme.  To learn about the most recent update to CE and CE+, read our Cyber Essentials Update 2026 blog.

How can URM help?

Whilst DCC is a relatively new framework, URM can leverage its 20 years’ experience helping organisations implement security frameworks that have considerable overlap with the scheme (such as the NIST CSF 2.0 and ISO 27001) to support your DCC compliance.

As an accredited Certification Body for Cyber Essentials and a National Cyber Security Centre (NCSC) Assured Cyber Advisor, URM has provided Cyber Essentials consultancy to hundreds of organisations. As such, we can offer a range of Cyber Essentials support packages to help you prepare for a successful CE assessment and meet the necessary prerequisites for certification under the DCC scheme.  

For example, with our Cyber Essentials Assured package (our recommended route to CE certification), you will receive a scope verification workshop, access to our Abriska platform, and an in-depth Cyber Essentials application review of your initial questionnaire draft by a URM assessor, with a structured 1-hour feedback session to ensure compliance ahead of formal submission.  Once finalised and submitted via Abriska, your assessor will mark your questionnaire, resolving any minor inaccuracies before the final submission.  If you are progressing to CE+, our Cyber Essentials Plus Assured package includes all the benefits of CE Assured, Technical Scope Verification, as well as a half-day sample-based CE+ pre-assessment, the formal CE+ assessment, one retest, and one year of access to the Abriska CE+ Assured module.  For organisations with strong internal capability, URM can offer lighter-touch options through our CE / CE+ Guided and CE / CE+ Self-Managed packages.

In addition to supporting your Cyber Essentials assessment, URM can also offer DCC-specific consultancy to help you achieve compliance with the scheme.  We can conduct a gap analysis of your existing cyber security programme to identify where you are already meeting DCC requirements and where improvements are needed. Following the gap analysis, our team can provide hands-on support with remediating any gaps they’ve identified, and help develop, implement, and improve the effectiveness of the controls necessary to achieve DCC compliance.

Wayne Armstrong
Senior Information Security Consultant and Consultant Manager at URM
Wayne is a Senior Information Security Consultant and Consultant Manager at URM with over 30 years’ experience in IT, information security and risk management. He has attained and maintained CISSP, CISMP, PCIRM, and CISA qualifications and is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).
George Ryan
Consultant at URM
George Ryan is a Consultant at URM, working predominantly with ISO 27001. He is an IASME certified Cyber Essentials and Cyber Essentials Plus Assessor.
