Preparing for DCC: A Step-By-Step Readiness Roadmap

IASME’s Defence Cyber Certification (DCC) was announced in May 2025, a certification scheme established by IASME with deep collaboration with UK MOD. Whereas previously it was not possible for a commercial organisation to meet MOD information assurance and supply chain resilience requirements until a contract had been put in place and the Cyber Security Model (CSM) initiated, DCC now makes this possible. 

To help you understand DCC better we have created the following blog, after all:

“Knowledge doesn’t make decisions for you, but it sharpens the blade you make them with” — CoPilot

Pera Prometheus is now an approved DCC Level 0 Certification Body. That means we do not just advise you on DCC, we assess and certify your organisation directly. The insight in this post draws on that experience from both sides of the process.

The 5-Step Readiness Roadmap to DCC

Navigating new compliance standards can be daunting for non-technical business directors. This roadmap provides a clear path to achieving and maintaining your certification.

Step 1: Identify your Cyber Risk Profile (CRP) and DCC Level

The first step is understanding which of the four Cyber Risk Profile (CRP) maturity levels applies to or is relevant to your business: Level 0 (Basic), Level 1, Level 2, or Level 3 (Expert). Under the new model, MOD Delivery Teams perform a risk assessment to determine a contract’s CRP. You should look for a Risk Assessment Reference (RAR) number in your invitation to tender or contact your contracting authority to identify the required level. It is vital to realise that these new levels do not map directly across from the legacy “Very Low” to “High” categories of CSM Issue 3. They are entirely separate grading systems. Level 0 is intended for very low-risk organisations, while Level 3 requires “defence in depth” capabilities for substantial risk perceived as being presented to MOD programmes.

Step 2: Establish the Baseline (Cyber Essentials/CE+)

The DCC scheme is not a standalone framework, it is built on the foundation of Cyber Essentials (CE). Before you can achieve any DCC level, you must first secure the appropriate CE baseline. For Levels 0 and 1, a valid Cyber Essentials certificate is required. For the more rigorous Levels 2 and 3, your organisation must achieve Cyber Essentials Plus, which involves a hands-on technical audit. This ensures that all defence suppliers meet a verified national standard for basic cyber hygiene before moving into defence-specific requirements. As an approved Cyber Essentials, Cyber Essentials Plus and DCC Level 0 Certification Body, Pera Prometheus can support your organisation through both the baseline certification and the DCC assessment in one place, making the process straightforward from start to finish.

Step 3: Gap Analysis against DefStan 05-138 Issue 4

Once your baseline is secure, you must measure your processes against Defence Standard 05-138 (DefStan 05-138) issue 4. This standard defines the specific controls required for each DCC level, with the number of requirements increasing significantly as you move up. Level 0 requires compliance with just three basic controls, including CE, being able to demonstrate UK GDPR conformance and operating resilient systems. Level 1 jumps to 101 controls, while Level 2 demands 139, and Level 3 requires 144 controls are applied across your business and corporate infrastructure. CSM V4 draws heavily upon the NIST 800-171 framework for inspiration. A thorough gap analysis will help you identify whether your current protections are actually in place and effective, rather than just being written down in a policy.

Step 4: Gathering Evidence for IASME Verification

Unlike the old SAQ where self-assessment was the limit, the DCC requires independent, evidence-based verification. The scheme is managed by IASME, the MOD’s official delivery partner, which works with accredited Certification Bodies (CBs) to assess suppliers. The new process requires you to collect and organise “active evidence” to prove your compliance. This typically includes technical logs (such as patching reports), training records to prove staff awareness, access logs, and documented procedures for incident response. While Level 0 is a self-assessment reviewed by an assessor, Levels 1, 2 and 3 are fully audited, requiring a deep-dive review of your collected evidence. As a DCC Level 0 Certification Body, Pera Prometheus reviews this evidence directly. From experience, the area where organisations most commonly fall short at Level 0 is not the technical controls, it is the documentation. A valid Cyber Essentials certificate, a clear GDPR conformance statement and evidence of resilient systems must all be in place and retrievable before your assessment begins. Getting these three things right early saves considerable time.

Step 5: The Assessment and Maintaining Continuous Compliance

After a successful assessment, you will be granted a DCC certificate valid for three years. However, the MOD now expects continuous compliance rather than a set and forget approach. You are contractually required to perform an annual check-in (or attestation) on the anniversary of your contract award to confirm you still meet the standards. Furthermore, you must maintain a valid Cyber Essentials or CE+ certificate throughout the duration of your DCC certification. This ongoing cycle ensures your organisation remains resilient against evolving digital threats while fulfilling its obligations under DEFCON 658.

Frequently Asked Questions

Q. How much does DCC cost for SMEs?

A: The cost of certification depends on the size of your organisation and the level of DCC you are pursuing. For a small business (10–49 employees), a Level 0 certification typically starts at £525 plus VAT. Costs for higher levels involve more extensive auditing, while not officially confirmed by IASME, some industry estimates for a Level 1 assessment for an SME reach approximately £15,000 to £20,000 but again, this will come down to scale. As DCC is a commercial scheme owned by IASME, it is advisable to seek specific quotes from accredited Certification Bodies.

Q. Does ISO 27001 count towards DCC?

A: While ISO 27001 is a globally recognised standard that shares many similarities with the DCC, it does not replace the need for DCC certification. The DCC is specifically designed to align with DefStan 05-138 issue 4, which is the mandatory standard for MOD contracts. However, if your organisation is already ISO 27001 compliant, you should find that your ISO 27001 controls will meet most, if not all, of the DCC requirements. This does depend however upon the similarity and extent of the scope applied to both frameworks.

Q. Is DCC mandatory for MOD contracts?

A: DCC is not currently mandatory, but the position has shifted significantly. In May 2026, the MOD’s Director of Cyber Defence and Risk asked all industry partners to achieve Level 0 DCC by 31 December 2026. If you supply into the MOD supply chain in any capacity, that expectation applies to you. As a DCC Level 0 Certification Body, Pera Prometheus can help you achieve this without unnecessary delay.

Author’s Note: Seek advice before making a heavy financial commitment. I will happily have a brief conversation with you to ensure you know what your investment will achieve — Gareth Shaw, MD Pera Prometheus.

Q. Can I define the scope of my DCC assessment?

A: Yes, the DCC offers some flexibility regarding scope. Unlike the standard CSM v4 requirements that typically apply across an entire organisation, the DCC allows a business to define a specific scope for its assessment. This is particularly useful for SMEs that may only handle sensitive defence data on a specific, isolated segment of their network, allowing them to focus resources where the risk actually resides. Be aware however that achieving DCC on an unrealistic scope will not equate to an equally positive outcome when defining the scope for CSM v4.

Stay Safe, Stay Secure