If your organisation needs to complete a supplier assurance questionnaire (SAQ) to bid on contracts, has been told that Defence Cyber Certification is a contractual requirement, or had a prime contractor ask you to demonstrate MOD supply chain cyber security compliance, we can help.
Defence Cyber Certification (DCC) provides an organisation level assurance that can be presented to support the procurement process. It’s designed to align with DEFSTAN 05-138 i4 and is available in four levels. RB Consultancy Ltd is an accredited DCC Certification Body and Remo Belisari is a qualified DCC Assessor for Levels 0 and 1.
DCC is a comprehensive security framework for defence suppliers. It provides a structured and consistent approach to understanding and assessing DEFSTAN 05-138 Issue 4 compliance. The certification involves a point in time assessment based on a number of required security controls. The four levels align with a cyber risk profile. An organisation’s required level can relate to the sensitivity of the information it handles and the nature of its contracts. The higher the level, the higher number of security controls are required.
Cyber Essentials is the foundation for all levels. Cyber Essentials Plus is required for Levels 2 and 3. Every organisation pursuing DCC certification must first hold a valid Cyber Essentials certificate. DCC builds on that baseline with defence-specific controls and requirements. As an accredited certification body for both Cyber Essentials and DCC, RB Consultancy Ltd can manage both programmes in a coordinated way, which can be much more efficient than treating them as separate exercises through different certification bodies.
Working with the same certification body brings greater efficiencies. You’re more easily able to align on scope. There’s familiarity of the environment through each assessment. You’ll get consistency from a technical and assessment perspective. You’ll also save time on your procurement processes, with communication and management time being streamlined too.
Three categories of organisation see the strongest benefit from holding a DCC certificate.
If you supply to the MOD or sub-contract for a prime, DCC reduces the overhead of responding to Supplier Assurance Questionnaires. It also demonstrates that your security controls are in place, based on audit and not just self-attestation.
DCC certification is increasingly being asked for. Arriving at tender with DCC already in place could position you ahead of competitors and provide positive signals to procurement teams and the MOD.
Primes with obligations to manage the cyber security of their sub-contractors can determine the certification level appropriate for each. If you are a prime with supply chain DCC requirements, we can support you and your suppliers.
We are accredited for DCC Level 0 and Level 1 and an accredited Cyber Essentials body. Both can run as one coordinated programme.
Five things that make working with RB Consultancy on DCC straightforward, from scoping through to certification.
As an IASME Certification Body for DCC Level 0 and 1, we provide assessment services and have the skills and experience to advise on implementation. Arrange a discovery call to determine which role you would like us to take.
We are backed by IASME to assess and certify organisations to Level 0 and 1 of the DCC scheme.
Our lead Assessor holds CISSP, Chartered Cyber Security Professional status and is an ISO 27001 lead implementer. These are key differentiators for clients looking for genuine competence, ethics and professional judgement.
We review your Assessment Submission Record, evidence and scoping statement to give you a starting position via theoretical scoping, then proceed to practical scoring with clarification rounds in between.
As an accredited DCC Certification Body and qualified DCC Assessor, we carry out the assessment and issue the certification directly. You are working with one organisation start to finish.
All reviews are independently verified on Google.
Remo guided us clearly at every step, making what initially seemed complex very easy to understand. Their friendly and approachable manner made the whole experience stress-free. Highly recommend.
It felt less like working with a consultant and more like having a trusted partner invested in our success. We passed both assessments smoothly and with confidence.
A subject matter expert who efficiently identified issues and provided the right level of support to achieve certification well within timescales.
The process was very smooth sailing and the advice was invaluable. Highly recommend, and I would happily work with RB Consultancy Ltd again.
They made what initially seemed complex very easy to understand. Highly recommend their services to anyone looking for expert and reliable Cyber Essentials support.
Excellent service. Very professional, very thorough — exactly what we needed to get over the line on our Cyber Essentials Plus assessment.
Remo guided us clearly at every step, making what initially seemed complex very easy to understand. Their friendly and approachable manner made the whole experience stress-free. Highly recommend.
It felt less like working with a consultant and more like having a trusted partner invested in our success. We passed both assessments smoothly and with confidence.
A subject matter expert who efficiently identified issues and provided the right level of support to achieve certification well within timescales.
The process was very smooth sailing and the advice was invaluable. Highly recommend, and I would happily work with RB Consultancy Ltd again.
They made what initially seemed complex very easy to understand. Highly recommend their services to anyone looking for expert and reliable Cyber Essentials support.
Excellent service. Very professional, very thorough — exactly what we needed to get over the line on our Cyber Essentials Plus assessment.
The process was very smooth sailing and the advice was invaluable. Highly recommend, and I would happily work with RB Consultancy Ltd again.
They made what initially seemed complex very easy to understand. Highly recommend their services to anyone looking for expert and reliable Cyber Essentials support.
Excellent service. Very professional, very thorough — exactly what we needed to get over the line on our Cyber Essentials Plus assessment.
Remo guided us clearly at every step, making what initially seemed complex very easy to understand. Their friendly and approachable manner made the whole experience stress-free. Highly recommend.
It felt less like working with a consultant and more like having a trusted partner invested in our success. We passed both assessments smoothly and with confidence.
A subject matter expert who efficiently identified issues and provided the right level of support to achieve certification well within timescales.
The process was very smooth sailing and the advice was invaluable. Highly recommend, and I would happily work with RB Consultancy Ltd again.
They made what initially seemed complex very easy to understand. Highly recommend their services to anyone looking for expert and reliable Cyber Essentials support.
Excellent service. Very professional, very thorough — exactly what we needed to get over the line on our Cyber Essentials Plus assessment.
Remo guided us clearly at every step, making what initially seemed complex very easy to understand. Their friendly and approachable manner made the whole experience stress-free. Highly recommend.
It felt less like working with a consultant and more like having a trusted partner invested in our success. We passed both assessments smoothly and with confidence.
A subject matter expert who efficiently identified issues and provided the right level of support to achieve certification well within timescales.
If you cannot find the answer you are looking for, ask us and we will walk you through it.
Yes. DCC implementation can be carried out as well as Assessment, but not both for the same organisation. Let’s have a conversation about what’s best for your organisation and how best we can help.
The scope should be whole organisation and must include all processes, systems and business parts that are required for the business to function and deliver in a secure and resilient manner.
The standard is intentionally broad, ensuring that a supplier organisation, irrespective of any controls required for a specific contracted output, has the appropriate minimum levels of controls in place for the level of risk to which that supplier organisation is expected more generally.
‘Functions’ are high level groupings of business activities that are essential for ongoing operations and any specific activities related to delivering contracted outputs. This is important for DCC as it helps determine what to focus on for the controls.
‘Data’ encompasses any information generated, stored or handled by the supplier in support of its functions.
Cyber Essentials is the government-backed baseline scheme covering five technical controls — it relates to the protection of common forms of internet based threats. DCC builds on that baseline with additional controls, governance requirements and assessment criteria specific to the risk environment of the defence supply chain. Cyber Essentials is a prerequisite for DCC levels 0 and 1. Cyber Essentials Plus is a prerequisite for DCC levels 2 and 3.
Timeline for certification can vary considerably by organisation. Key factors include the level of DCC required, how close an organisation is to meeting the required security controls, the evidence that it has to support it and whether implementation support is required. Let’s have a quick call and we can help you determine the likely timeline for Level 0 and/or Level 1. We also work to flag any issues early, to reduce impact and maximise efficiencies.
Level 0’s normally assigned for very low level of cyber risk to a supplier delivering an output — it requires organisations to demonstrate basic cyber security practices. An applicant must comply with three controls. The first relates to Cyber Essentials. The second relates to UK GDPR. The third relates to resilient networks and systems.
Level 1 is normally assigned for low level cyber risk to a supplier delivering an output — it requires supplier organisations to demonstrate a comprehensive cyber security programme with good practices. There are 101 controls covering areas such as governance, leadership, risk, awareness and training, access management, physical and data security, system resilience, monitoring detection and threat intelligent, incident response and business continuity.
Book a free 30-minute call. We will help you understand the certification levels and guide you through the process for Levels 0 and 1.
Pioneer House, Pioneer Business Park,
North Road, Ellesmere Port, Cheshire,
CH65 1AD
NCSC Assured Service Provider
IASME Certification Body
Chartered (ChCSP) · CISSP · ISSAP