The DCC process requires careful consideration and sufficient staff resource to succeed.
Before requesting a quote, please read this document to identify the type of quote you require. Quotes can be issued in relation to helping prepare the scope and also to perform the assessment
The different phases of the engagement process is described below.
Preparation phase
- Determine the DCC level required. You may have already received a Cyber Risk Profile (CRP) from the Ministry of Defence (MOD) or through supplier flow-down requirements. The CRP level correlates directly with the DCC level.
- If you have not received a CRP, then we recommend you familiarise yourself with all the documents on our DCC Page (and attempt the level that you believe the company can achieve). You can go straight to that level and no not need to certify against lower levels.
Scope phase
- Consider scope and complete the scope attestation.
- For a small, non-complex, scope you may be able to define the scope after reading the Scoping Guide.
- Larger companies, or those with a more complex scope, are recommended to read the Scoping Guide and then book consultancy time with us for guidance.
- It is ultimately your responsibility to:
- Determine the scope of the assessment.
- Present and document the scope in a clear, detailed and comprehensive manner.
- Answer the scheme questions and provide the necessary supporting evidence.
- The scope must be comprised of:
- List of sites and their functions
- Brief list of IT networks and systems
- Brief list of OT network and systems
- Brief description of devices/assets
- Data/document storage, electronic and other format
- Scoping diagram(s) showing systems inside and outside of DCC scope, and CE/CE+ coverage
The Quote phase, we need to know
- The company size
- The scope (defined above)
- Number of Sites
- Complexity (interactions with other group entities, networks and processes)
- Clearance (we are SC Cleared)
- The level of preparedness
Please note that ball-park quotes can be requested, however Certification Bodies are unable to quote accurately without knowing the above information, so we suggest the above scoping work is performed before requesting a full quote.
A quote for helping assemble the above information can be requested from us separately.
Once the quote has been accepted, we will issue a contract and, once signed, we will set up your account on the assessment portal and conduct a readiness check.
- We input your company information into the IASME platform
- We check that you are ready to proceed with the next steps by ensuring that you
- have the most up to date documents
- have reviewed the guidance materials
- understand what is required
Preparing the submission phase
- Once onboarded to the IASME platform, we’ll provide you with the Assessment Submission Record (ASR) to begin submitting responses.
- You must read the Level 1 Applicant Guide to find the available options, sample answers and expected evidence to help complete the ASR.
Complete the Assessment Submission Record (ASR)
- Answer all questions using the available answer options
- Provide clear context to support your answers
- Include evidence for each requirement
- Add hash values for all submitted artefacts
- You host all submission information and grant us access (unless stated otherwise in the contract).
Theoretical Scoring Phase (iterative process)
- This is what you might regard as the gap analysis.
- You inform us that the Assessment Submission Record (ASR) is ready to view.
- We review answers & evidence, providing feedback.
Request for Clarification
- If more information is needed for the theoretical phase, we will request clarifications.
- You then update the answers and evidence accordingly and inform us it is ready for review via a remote session.
- Once all clarifications are addressed, then we have completed the Theoretical scoring.
Practical Scoring Phase
- Remote demonstration or site visit depending on your preference and the complexity of the assessment.
Final Scoring & Documentation
- Final scores are recorded in the ASR, hosted by you.
- The log includes Assessor comments and evidence for any failed questions or controls (e.g. screenshots of misconfigurations).
- We prepare your report using the ASR.
Hashing & Evidence Retention
- We will guide you through preparing a “file hash” of the your answers, evidence, and supporting documentation is created and securely stored on your systems.
- This ensures the information is available for future attestations or recertifications. This must be kept for 3.5 years.
/-3.5042587517567103,%2054.70635734010168,15.5/300X450@2X?access_token=pk.eyJ1Ijoid29tYmF0Y2hyaXMiLCJhIjoiY2pqaGEyd2lzMDQ3ZDN2bWQ4OTBsa2pmayJ9.ksVq6arM13qYhr76pco33w)