What’s the difference between DCC Level 0 and 1?

Samuel Middleton, Senior Security Consultant

The Defence Cyber Certification (DCC) scheme runs from Level 0 up to Level 3, but the most significant step is the one between 0 and 1. The jump represents a fundamental shift in what cybersecurity maturity actually requires of your organisation.

Level 0 contains just 3 controls and 6 questions. Level 1 steps this up significantly to 101 controls and 202 questions.

If you’re not sure where your organisation should sit, or what certificate level you should aim for, here’s everything you need to know.

What each level is asking of you
Level 0

Level 0 is the baseline. Aimed at the lowest risk suppliers in the defence supply chain, it establishes the minimum expectations for organisations operating in the defence sector. It’s the foundation upon which the subsequent higher levels are built.

Level 1

Level 1 is aimed at low-to-moderate risk suppliers, as defined by the Cyber Risk Profile assigned to your contract. It represents a significant step up, introducing requirements across a broad range of domains including:

  • Access control and identity management
  • Incident response and reporting
  • Secure configuration across systems
  • Patch and vulnerability management
  • User awareness and training
  • Asset management
  • Risk management processes
  • Physical security considerations
  • Supply chain and third-party management

The level that applies to you is determined by your Cyber Risk Profile, which is assigned by your contracting authority. If you are unclear about your profile, establish it before you begin any assessment preparation.

Scoping is the most critical part to get right

Before you answer any questions around controls, you first need to define your scope – and this is where many organisations make an error or misunderstand the requirements.

Your scope is the full set of functions and systems your organisation needs to remain operational and resilient. Work through your organisation, function by function, and ask one question: if this failed tomorrow, could we still operate?

Consider this:
  • HR probably needs to be in scope. How does your organisation hire people in a time of need, when you may need to rapidly increase your workforce?
  • Finance probably needs to be in scope. How do you ensure your people get paid, so they keep turning up and delivering?
  • The systems that support those functions: payroll platforms, HR management tools, communication systems. All of these need to be captured and secured in line with the controls.

For most organisations, all of the above will be in scope, together with the platforms that support them, and each of those platforms must be secured in line with the controls.

A specific and non-negotiable requirement is that your Cyber Essentials scope must cover every internet-connected system within your DCC scope. 

Getting your scope wrong at the start could mean your actual security posture has gaps you have not addressed. And this can cause bigger issues later down the line.

How to answer the questions (and where others get it wrong)

A common mistake is answering questions by quoting policy. The assessor doesn't want to know what your policy says you do; they want to know how you actually do it. Strong answers describe your real processes, your actual controls and your day-to-day practices.

Preparing evidence: Quality over quantity

When collecting evidence, be precise. Point directly to the document, the section, and the page. Assessors who have to search for evidence have to ask more questions, and are likely to find more gaps.

For every system you reference in your answers, you need to provide corresponding evidence from that system e.g., screenshots, configuration exports, logs. If you can’t locate evidence for a control during preparation, treat that as a gap that needs to be closed.
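The two hard rules above (every internet-connected system in the DCC scope must also sit inside the Cyber Essentials scope, and every system referenced in an answer needs corresponding evidence) are mechanical enough to check before an assessor does. The script below is an added example, not the author's or the DCC scheme's own tooling: the inventory, the `CTRL-EXAMPLE-*` control IDs and the evidence references are constructed placeholders, not real DCC identifiers, and the data model (a system record with scope flags, a control record mapping systems to evidence references) is an assumption about how a supplier might track its preparation.

```python
"""Pre-assessment scope and evidence consistency check (added example).

Assumed data model: each System carries its scope flags; each Control lists
the systems cited in its answer and an evidence reference per system.
All sample values below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    internet_connected: bool
    in_dcc_scope: bool
    in_ce_scope: bool  # covered by the Cyber Essentials scope


@dataclass
class Control:
    control_id: str            # placeholder ID, not a real DCC control number
    systems: list[str]         # systems referenced in the written answer
    evidence: dict[str, str] = field(default_factory=dict)  # system -> reference


def ce_scope_gaps(systems: list[System]) -> list[str]:
    """Internet-connected systems inside the DCC scope but outside the CE scope."""
    return sorted(
        s.name for s in systems
        if s.in_dcc_scope and s.internet_connected and not s.in_ce_scope
    )


def evidence_gaps(controls: list[Control]) -> list[tuple[str, str]]:
    """(control_id, system) pairs where a referenced system has no evidence reference."""
    gaps = []
    for c in controls:
        for name in c.systems:
            if not c.evidence.get(name, "").strip():
                gaps.append((c.control_id, name))
    return gaps


def unscoped_references(controls: list[Control], systems: list[System]) -> list[str]:
    """Systems cited in answers that are missing from the DCC scope inventory."""
    scoped = {s.name for s in systems if s.in_dcc_scope}
    return sorted({n for c in controls for n in c.systems if n not in scoped})


def gap_report(systems: list[System], controls: list[Control]) -> dict[str, list]:
    """Collect every finding a preparer should close before engaging an assessor."""
    return {
        "ce_scope_gaps": ce_scope_gaps(systems),
        "evidence_gaps": evidence_gaps(controls),
        "unscoped_references": unscoped_references(controls, systems),
    }


# Constructed sample inventory (placeholders, not a real supplier's estate).
SYSTEMS = [
    System("payroll-saas", internet_connected=True, in_dcc_scope=True, in_ce_scope=True),
    System("hr-portal", internet_connected=True, in_dcc_scope=True, in_ce_scope=False),
    System("file-server", internet_connected=False, in_dcc_scope=True, in_ce_scope=False),
    System("lab-network", internet_connected=True, in_dcc_scope=False, in_ce_scope=False),
]

# Constructed sample answers: one evidence reference is blank, one system is unscoped.
CONTROLS = [
    Control("CTRL-EXAMPLE-01", ["payroll-saas", "hr-portal"],
            {"payroll-saas": "MFA policy export, section 2, page 4", "hr-portal": ""}),
    Control("CTRL-EXAMPLE-02", ["file-server", "backup-appliance"],
            {"file-server": "patch report, Q1, page 1"}),
]

if __name__ == "__main__":
    for finding, items in gap_report(SYSTEMS, CONTROLS).items():
        print(f"{finding}: {items or 'none'}")
```

On the constructed data this reports `hr-portal` as an internet-connected system missing from the Cyber Essentials scope, two controls with a system that has no evidence reference, and `backup-appliance` as a system cited in an answer but absent from the scope inventory. Each of those is exactly the kind of gap the text says to close during preparation rather than discover in the audit.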

The audit stage

Once you’ve evidenced your policies and configurations, the next stage is proving they work in practice. The audit requires you to demonstrate that your controls function as described, in the systems themselves. Be prepared to walk your assessor through them, demonstrate how controls are applied and, importantly, verify that the configuration you've described actually exists and operates the way you say it does.

This is where well-prepared organisations have nothing to fear, and those who have ‘papered over’ gaps get caught out.

If you’re starting your DCC journey now…

The most valuable thing you can do before engaging an assessor is an honest gap assessment. Map your current controls against the Level 1 requirements, identify what needs remediation and build a realistic implementation timeline.

DCC Level 1 certification is achievable for most organisations in the supply chain. But it requires treating the assessment as a reflection of your actual security posture, not a documentation exercise. The suppliers who approach it this way move through it faster, with fewer gaps and a stronger overall security posture.

How we can help

We work with defence suppliers across the supply chain on DCC readiness — from scoping and gap analysis through to audit-ready submission. If you want to understand where your organisation genuinely stands, or need support closing security gaps before your assessment, let’s talk.