The short version
Level 0 is for suppliers with a low cyber risk profile. It covers basic cyber hygiene across three controls and is suited to organisations whose work doesn’t involve sensitive MOD data or systems access.
Level 1 is for most standard defence contracts. It covers 101 controls across the organisation and includes governance, risk management, personnel security, supplier management, and incident response alongside the technical controls. The MOD assigns it to suppliers where a cyber incident could meaningfully affect defence capability or data.
You don’t get to choose. Your Cyber Risk Profile, assigned by MOD delivery teams based on the nature of your contract, determines which level applies. That said, most organisations can work out their likely level before any formal conversation with the MOD.
What the controls actually cover
| Area | Level 0 | Level 1 |
|---|---|---|
| Total controls | 3 | 101 |
| Cyber Essentials required | Yes | Yes |
| Governance & risk management | Basic | Comprehensive |
| Access control | Covered via CE | Detailed policy required |
| Incident response | Not required | Documented process required |
| Personnel security | Not required | Required |
| Supplier management | Not required | Required |
| Certificate validity | 3 years | 3 years |
| Idela CB authorised | Yes | Yes |
Who typically needs Level 0
Level 0 applies to suppliers at the periphery of the defence supply chain. Think: a facilities management company maintaining a MOD site, a catering supplier, or a logistics provider with no access to MOD networks or classified information. Low cyber risk because the nature of the work doesn’t create a meaningful attack surface.
If your only connection to defence work is physical presence at a MOD facility or supply of goods without any systems access, Level 0 is probably where you sit.
Who typically needs Level 1
Level 1 is the standard for most professional services, IT, engineering, and consultancy work in the defence sector. If you’re developing software, managing projects, providing technical support, accessing MOD systems or networks, or handling any defence-related data, you’ll almost certainly need Level 1.
Prime contractor supply chains tend to mandate Level 1 broadly rather than going through a detailed risk assessment for every supplier. If BAE or Babcock has asked you for DCC and hasn’t specified the level, assume Level 1 until you hear otherwise.
It’s easier to confirm you only need Level 0 than to start a Level 0 engagement and discover partway through that Level 1 was required. We confirm your level on the free readiness call before anything else starts.
What each assessment involves
Level 0 assessment
Relatively straightforward for a CE-certified organisation. We review your current CE certificate, confirm scope hasn’t changed significantly, and assess against the three DCC Level 0 controls. For most prepared organisations this takes two to four weeks. Fast-track available if CE was certified recently.
Level 1 assessment
Evidence-based, structured in phases. You’ll complete an Assessment Submission Record covering all 101 controls, supported by documentation across every domain: policies, access reviews, patch management records, firewall configurations, incident response procedures, training records, supplier agreements.
We do a readiness review before formal assessment opens. Gaps identified there can be addressed without any assessment time being consumed. Then theoretical scoring covers the documentary evidence; practical scoring involves remote verification of technical controls. Exit points after each phase mean you’re not locked in if something unexpected comes up.
Typically six to ten weeks for a well-prepared small organisation.
What it costs
Both levels include Cyber Essentials as the baseline. Idela’s pricing:
- CE + DCC Level 0 bundle: from £995 (micro), £1,295 (small), £1,695 (medium)
- CE + DCC Level 1: from £3,500 (micro), £5,500 (small), £8,500 (medium)
Already hold CE? Level 0 only from £650 (micro). Level 1 only from £3,200 (micro). All prices include the IASME assessment fee; no hidden costs on top.
Next step
If you’re still not sure which level applies, the free DCC Readiness Assessment takes about five minutes and covers the key questions. Or book a readiness call and we’ll confirm it directly.