IASME’s Defence Cyber Certification (DCC), a certification scheme established by IASME in close collaboration with the UK MOD, was announced in May 2025. Previously, a commercial organisation could not demonstrate that it met MOD information assurance and supply chain resilience requirements until a contract had been put in place and the Cyber Security Model (CSM) initiated; DCC now makes this possible, to some degree at least.
On our recent Make UK Defence webinar, DCC was discussed at length. Despite assertions to the contrary from IASME and, to a much lesser extent, the MOD, DCC is still separate from actual MOD CSM Issue 4 assurance. As much as there may well be value in conducting DCC for your business, it must be noted that DCC does not currently give automatic assurance to CSM v4, and the MOD has not stated anywhere that DCC replaces or satisfies CSM v4 requirements.
The statement above is not to say that DCC is not a valuable framework. It is. It is just important that people understand what they are getting for their investment if DCC is pursued. To help you understand DCC better we have created the following blog; after all:
“Knowledge doesn’t make decisions for you, but it sharpens the blade you make them with” CoPilot
The 5-Step Readiness Roadmap to DCC

Navigating new compliance standards can be daunting for non-technical business directors. This roadmap provides a clear path to achieving and maintaining your certification.
Step 1: Identify your Cyber Risk Profile (CRP) and DCC Level
The first step is understanding which of the four Cyber Risk Profile (CRP) maturity levels is relevant to your business: Level 0 (Basic), Level 1, Level 2, or Level 3 (Expert). Under the new model, MOD Delivery Teams perform a risk assessment to determine a contract’s CRP. You should look for a Risk Assessment Reference (RAR) number in your invitation to tender, or contact your contracting authority, to identify the required level. It is vital to realise that these new levels do not map directly across from the legacy “Very Low” to “High” categories of CSM Issue 3; they are entirely separate grading systems. Level 0 is intended for very low-risk organisations, while Level 3 requires “defence in depth” capabilities where substantial risk is perceived to be presented to MOD programmes.
Step 2: Establish the Baseline (Cyber Essentials/CE+)
The DCC scheme is not a standalone framework; it is built on the foundation of Cyber Essentials (CE). Before you can achieve any DCC level, you must first secure the appropriate CE baseline. For Levels 0 and 1, a valid Cyber Essentials certificate is required. For the more rigorous Levels 2 and 3, your organisation must achieve Cyber Essentials Plus, which involves a hands-on technical audit. This ensures that all defence suppliers meet a verified national standard for basic cyber hygiene before moving on to defence-specific requirements.
Step 3: Gap Analysis against DefStan 05-138 Issue 4
Once your baseline is secure, you must measure your processes against Defence Standard 05-138 (DefStan 05-138) Issue 4. This standard defines the specific controls required for each DCC level, with the number of requirements increasing significantly as you move up. Level 0 requires compliance with just three basic controls: holding CE, being able to demonstrate UK GDPR conformance, and operating resilient systems. Level 1 jumps to 101 controls, Level 2 demands 139, and Level 3 requires that 144 controls be applied across your business and corporate infrastructure. CSM Issue 4 draws heavily upon the NIST 800-171 framework for inspiration. A thorough gap analysis will help you identify whether your current protections are actually in place and effective, rather than just being written down in a policy.
Step 4: Gathering Evidence for IASME Verification
Unlike the old Supplier Assurance Questionnaire (SAQ), which went no further than self-assessment, the DCC requires independent, evidence-based verification. The scheme is managed by IASME, the MOD’s official delivery partner, which works with accredited Certification Bodies (CBs) to assess suppliers. The new process requires you to collect and organise “active evidence” to prove your compliance. This typically includes technical logs (such as patching reports), training records to prove staff awareness, access logs, and documented procedures for incident response. While Level 0 is a self-assessment reviewed by an assessor, Levels 1, 2 and 3 are fully audited, requiring a deep-dive review of your collected evidence.
Step 5: The Assessment and Maintaining Continuous Compliance
After a successful assessment, you will be granted a DCC certificate valid for three years. However, the MOD now expects continuous compliance rather than a set-and-forget approach. You are contractually required to perform an annual check-in (or attestation) on the anniversary of your contract award to confirm you still meet the standards. Furthermore, you must maintain a valid Cyber Essentials or CE+ certificate throughout the duration of your DCC certification. This ongoing cycle ensures your organisation remains resilient against evolving digital threats while fulfilling its obligations under DEFCON 658.
Frequently Asked Questions
How much does DCC cost for SMEs?
The cost of certification depends on the size of your organisation and the level of DCC you are pursuing. For a small business (10–49 employees), a Level 0 certification typically starts at £525 plus VAT. Higher levels involve more extensive auditing and therefore higher costs; while not officially confirmed by IASME, some industry estimates for a Level 1 assessment for an SME reach approximately £15,000 to £20,000, but again this will come down to scale. As DCC is a commercial scheme owned by IASME, it is advisable to seek specific quotes from accredited Certification Bodies.
Does ISO 27001 count towards DCC?
While ISO 27001 is a globally recognised standard that shares many similarities with the DCC, it does not replace the need for DCC certification. The DCC is specifically designed to align with DefStan 05-138 Issue 4, which is the mandatory standard for MOD contracts. However, if your organisation is already ISO 27001 compliant, you should find that your ISO 27001 controls will meet most, if not all, of the DCC requirements. This does, however, depend upon the similarity and extent of the scope applied to both frameworks.
Is DCC mandatory for MOD contracts?
No, it isn’t. However, the MOD’s Chief Information Security Officer’s Letter to Industry did recommend that those currently delivering, or seeking to deliver, services to the MOD should look to achieve Level 0 should they wish to proactively demonstrate a commitment to cyber resilience and remain competitive. Author’s Note: Seek advice before making a heavy financial commitment. I will happily have a brief conversation with you to ensure you know what your investment will achieve – Gareth Shaw, MD Pera Prometheus.
Can I define the scope of my DCC assessment?
Yes, the DCC offers some flexibility regarding scope. Unlike the standard CSM v4 requirements, which typically apply across an entire organisation, the DCC allows a business to define a specific scope for its assessment. This is particularly useful for SMEs that may only handle sensitive defence data on a specific, isolated segment of their network, allowing them to focus resources where the risk actually resides. Be aware, however, that achieving DCC on an unrealistic scope will not equate to an equally positive outcome when defining the scope for CSM v4.
Stay Safe, Stay Secure