Defence Cyber Certification · IASME scheme

The new mandatory
standard for the UK
defence supply chain.

From 2025, the MOD requires all defence suppliers to hold independently certified DCC — not self-assessment. Idela is one of the first IASME-approved CBs authorised to certify at Level 0 and Level 1.

DCC Level 0 CB  ✓ DCC Level 1 CB  ✓ IASME-approved CE included in every DCC engagement
Book a free DCC readiness call Check your DCC level →
What is DCC?

Independent certification for the entire MOD supply chain.

Defence Cyber Certification is the MOD and IASME’s new framework replacing the old self-assessment model. Every organisation supplying to the MOD, DE&S, DIO, DSTL, or a prime contractor will need it.

Unlike self-assessment, DCC requires an independent Certification Body to assess and issue the certificate. Idela is that CB — for Level 0 and Level 1.

DCC certificates are organisation-wide, valid for three years, with annual attestation. Cyber Essentials is the mandatory baseline for all levels.
4
Certification levels
3yr
Certificate validity
£7.5B
MOD SME spend target by 2028
Do you need DCC?
You supply directly to the MOD or DE&S
You supply to BAE, Babcock, QinetiQ, Leonardo, Rolls-Royce
Your contract mentions DCC, DefStan 05-138, or a Cyber Risk Profile
You want to bid for defence work proactively
Take the free DCC readiness check →
The four DCC levels
Where does your contract sit?
0
Level 0 · 3 controls
Basic cyber practices
6 questions · Lowest risk profile
CE required
Idela CB  ✓
1
Level 1 · 101 controls
Comprehensive cyber programme
236 questions · Most standard contracts
CE required · IT, professional services, logistics
Idela CB  ✓
2
Level 2 · 139 controls
Advanced oversight & planning
High cyber risk contracts
CE Plus required
We refer to a CE+ provider & coordinate
3
Level 3 · 144 controls
Highest assurance tier
Classified / highest risk work
CE Plus required
We refer to a CE+ provider & coordinate
Not sure which level applies to you? Your Cyber Risk Profile is assigned by MOD delivery teams based on the nature and risk of your contract. Idela confirms your level on a free 15-minute readiness call before any assessment begins — no obligation.
Transparent pricing

Clear prices. No surprises.

All DCC engagements include Cyber Essentials as the baseline. IASME certification fee included. Prices confirmed after a free initial call to confirm scope.

Most popular CE + DCC Level 0
CE + DCC Level 0 Bundle
Complete entry route for organisations new to the MOD supply chain. Two certificates, one engagement, one assessor.
Micro (0–9)£995
Small (10–49)£1,295
Medium (50–249)£1,695
Large (250+)£2,100
Valid CE certificate (1 year)
DCC Level 0 certificate (3 years)
Readiness check — no surprise failures
IASME assessment fee included
Fast track for CE-certified organisations
All prices +VAT. CE already held? Level 0 only from £650 (micro).
CE + DCC Level 1
CE + DCC Level 1 Full Journey
101 controls. Standard for most defence contracts. Staged delivery with explicit exit points at each phase.
Micro (0–9)£3,500
Small (10–49)£5,500
Medium (50–249)£8,500
Large (250+)POA
CE certificate included as baseline
Scoping & readiness confirmation
Theoretical scoring — evidence review
Practical scoring — remote verification
DCC Level 1 certificate (3 years)
All prices +VAT. Additional scoring rounds available at day rate. Staged — exit points after each phase.
Annual attestation support
Annual review confirming no scope changes, CE is current, and any significant changes are reported to IASME. Keeps your DCC certificate valid between renewals.
£150–£250
per year · size-dependent
How it works

Staged delivery.
No surprise failures.

DCC assessment is evidence-based. Idela identifies gaps before formal assessment begins, and structures Level 1 with explicit exit points so you can pause and review before committing to each phase.

⚠ Important: impartiality boundary
As a Certification Body, Idela cannot provide implementation or remediation services to organisations we are also certifying. Pre-assessment scoping and readiness guidance is permitted. If you need policy writing or technical remediation, we will recommend a partner — then assess you independently once you are ready.
01
Free readiness call
Confirm your Cyber Risk Profile, scope, and which level applies. 15 minutes. No obligation.
Exit point
02
Cyber Essentials certification
CE is the mandatory baseline for all DCC levels. Fast-tracked for CE-certified organisations.
03
DCC scoping & readiness review
We confirm scope, review current controls, and identify gaps before formal assessment opens.
Exit point
04
Theoretical scoring
Desk-based review of your Assessment Submission Record (ASR) and evidence package.
Exit point (L1 only)
05
Practical scoring & certification
Remote or on-site verification of controls. Certificate issued once all requirements are genuinely met.
Common questions
Is DCC mandatory for all MOD suppliers?+
DCC is being phased in across MOD procurement under the new Cyber Security Model (CSMv4). Many contracts already specify it and the requirement is expanding. If you are in or entering the defence supply chain, you will almost certainly need it — the question is which level and when.
We already have Cyber Essentials. Does that help?+
Yes — significantly. CE is the mandatory baseline for all DCC levels, so you have already completed the first step. For Level 0, we can fast-track straight to the DCC assessment. For Level 1, CE is still required but the heavier work is in the 101 controls across the full assessment.
How long does DCC Level 1 take?+
It depends on your current security posture and evidence readiness. A well-prepared small organisation typically completes the full Level 1 journey in 6–10 weeks. We scope this precisely on the initial readiness call before any commitment is made.
Can Idela certify us for DCC Level 2 or 3?+
Not directly — Idela is authorised at Level 0 and Level 1. Level 2 and 3 require CE Plus as a baseline, which Idela does not currently offer. If you need Level 2 or 3, we will refer you to an appropriate CE+ provider and coordinate the process so you are not managing multiple suppliers independently.
What evidence do we need for a DCC assessment?+
DCC is fully evidence-based. You will need to complete an Assessment Submission Record (ASR) demonstrating controls across governance, risk, technical, personnel, and supplier management domains. For Level 1 this includes policy documents, access reviews, patch management records, firewall configurations, incident response procedures, and training evidence. We review your evidence readiness before formal assessment begins.
How is DCC different from Cyber Essentials?+
CE covers five technical controls and is the baseline for general government procurement. DCC goes significantly further — Level 1 covers 101 controls across the whole organisation including governance, risk management, supply chain security, personnel security, and incident response. DCC is specifically designed for the defence supply chain and is assessed organisation-wide, not just technically.

Ready to get
DCC certified?

Book a free 15-minute readiness call. We confirm your Cyber Risk Profile, check your current position, and give you a clear timeline and price. No obligation.

Book a free readiness call Take the free assessment →