Defence Cyber Certification (DCC)

Defence cyber expertise shaped by real military experience

The UK’s defence capability depends on a secure and resilient supply chain. Defence Cyber Certification helps organisations demonstrate they meet the cyber security requirements expected across defence contracts and programmes. Toro works with defence suppliers to meet DCC requirements quickly and confidently, with a clear focus on passing certification and supporting defence bids.


Protect Your Business. Build Trust. Unlock Growth.

What is Defence Cyber Certification?

Defence Cyber Certification is a cyber security framework for organisations working with the UK defence sector.

Developed by the Ministry of Defence (MoD) and IASME, it sets a consistent standard for cyber security across the defence supply chain.

It replaces the previous Supplier Assurance Questionnaire (SAQ), allowing organisations to achieve a single certification instead of completing assessments for each contract.

The framework assesses how cyber security is governed, implemented and maintained across the organisation, including governance, technical controls, people and supply chain risk.

Certification lasts three years, with annual confirmation that controls remain in place.

Achieving certification demonstrates that your organisation can meet the expectations of defence customers and prime contractors.

Why choose Toro’s Defence Cyber Certification (DCC)

Defence cyber expertise shaped by real military experience

Toro was founded by professionals who have served in the armed forces and worked across the defence sector.

We understand how security works in defence environments and how cyber security requirements affect suppliers in practice.

That experience underpins how we support organisations through Defence Cyber Certification.

Clear guidance through complex standards

We translate Defence Standard 05-138 into clear, practical actions your organisation can implement.

Structured readiness assessments

We assess your current cyber security posture and identify gaps against DCC requirements in a clear, prioritised way.

Support preparing evidence

DCC requires clear documentation and evidence. We help organisations organise policies, procedures and supporting materials so they meet assessment expectations.

Practical support through certification

We work directly with your teams to implement controls, close gaps and prepare evidence, rather than leaving you with recommendations to interpret.

Focused on speed and outcome

Our approach is designed to reduce time to certification, focusing effort on what matters most for your required DCC level.

Managed Security & Consultancy

People focussed

At Toro, people are at the core of everything we do – our team, our clients, and the partners we collaborate with.

We prioritise building trusted relationships, delivering consistently high standards, and providing tailored support that reflects the unique needs of every client.

Why cyber security in the defence supply chain matters more than ever

The threat landscape facing the defence sector has changed significantly.

Attacks are more targeted, more persistent and increasingly focused on people as well as systems. Adversaries now use tailored phishing, impersonation and social engineering to gain access to sensitive systems and information.

Defence suppliers are a key part of the wider defence ecosystem, which makes them an attractive target.

Strengthening cyber security across the supply chain is critical. DCC provides a structured way to demonstrate that your organisation is secure, resilient and ready to support defence operations.

Working with defence cyber security standards

Defence Cyber Certification is based on Defence Standard 05-138, which defines the cyber security requirements for organisations supporting the UK defence sector.

Toro helps organisations interpret and apply these requirements in practice, aligning existing policies, processes and technical controls with the standard.

Our team has experience working in defence environments and understands how cyber security expectations translate into operational and contractual requirements.

Defence Cyber Certification support for the defence supply chain

We help organisations prepare for and achieve certification, including:

  • DCC readiness and gap assessments
  • Defence Standard 05-138 preparation
  • Cyber Essentials and Cyber Essentials Plus alignment
  • Documentation and evidence preparation
  • End-to-end support through the certification process

Why Defence Cyber Certification matters

Bid for defence work

Many defence contracts require suppliers to demonstrate defined cyber security standards. DCC provides a recognised way to show your organisation meets those expectations.

Build trust with defence partners

Defence organisations and prime contractors need confidence that their suppliers can protect sensitive systems, information and operations. Certification helps demonstrate that capability.

Improve cyber security across your organisation

Preparing for DCC often leads to stronger governance, clearer policies and better security controls, improving resilience across the organisation.

Your route to Defence Cyber Certification

Preparing for DCC may seem complex at first, but most organisations move through a small number of clear steps.

  1. Identify the required level
    Based on the Cyber Risk Profile (CRP) attached to the contract.
  2. Assess your current controls
    Review existing policies, processes and technical controls against Defence Standard 05-138.
  3. Address gaps
    Implement missing controls and strengthen documentation where required.
  4. Prepare evidence
    Demonstrate how controls operate through policies, procedures and supporting evidence.
  5. Complete the certification assessment
    An accredited body reviews the evidence and confirms compliance.

The four levels of DCC

Defence Cyber Certification is structured into four levels, reflecting the cyber risk associated with the work being carried out.

Each level requires organisations to demonstrate compliance with a number of controls defined in Defence Standard 05-138.

Level 0

Entry-level certification for lower-risk work – 3 controls | 6 questions
Requirement: Cyber Essentials

Level 1

Introduces wider organisational cyber security requirements covering governance, policies and risk management – 101 controls | 236 questions
Requirement: Cyber Essentials

Level 2

A higher level of assurance with more detailed security and operational controls – 139 controls | 328 questions
Requirement: Cyber Essentials Plus

Level 3

The most comprehensive level of DCC certification, designed for organisations supporting higher-risk defence programmes – 144 controls | 337 questions
Requirement: Cyber Essentials Plus

Each defence contract is assigned a Cyber Risk Profile (CRP) that determines the level of DCC certification required.

Suppliers must demonstrate they meet that level to support the contract.

How the certification process works

Achieving DCC certification involves an assessment against the controls defined in Defence Standard 05-138.

Organisations must demonstrate how controls are implemented and provide supporting evidence.

The process typically includes:

  • Identify the required level
  • Review control requirements
  • Prepare documentation and evidence
  • Complete certification assessment
  • Maintain certification (three years with annual confirmation)

Defence Cyber Certification (DCC) FAQs

Defence Cyber Certification is a cyber security certification framework developed by the Ministry of Defence and IASME to improve cyber security across the defence supply chain.

Yes. Cyber Essentials is required for Levels 0 and 1, while Cyber Essentials Plus is required for Levels 2 and 3.

Certification lasts three years, with a yearly confirmation that the required controls are still in place.

IASME is the Ministry of Defence’s official delivery partner and works with a network of accredited certification bodies.

The required level is determined by the Cyber Risk Profile (CRP) assigned to the defence contract you are supporting.

The timeline depends on how prepared your organisation is. Some organisations already have many of the required controls in place, while others may need to implement additional policies, processes or technical measures before assessment.

Yes. The framework is designed to apply across organisations of different sizes in the defence supply chain.

Many organisations already have policies and controls in place. The process often involves reviewing what you have, identifying gaps and aligning documentation with Defence Standard 05-138.

No. Cyber Essentials and Cyber Essentials Plus are baseline requirements within the DCC framework, but DCC goes further by assessing cyber security governance, organisational controls and supply chain risk.

Organisations are expected to provide documentation and supporting evidence showing how the required controls are met. This may include policies, procedures, technical records and operational evidence.

Start preparing for Defence Cyber Certification

If your organisation supports the defence sector, preparing early for DCC can reduce risk, improve bid readiness and avoid delays in procurement.

Our team will help you understand the requirements, identify gaps and move confidently towards certification.

What our clients say

“Toro’s findings provided a firm security foundation upon which Alpro will continue to review and improve. We would highly recommend their services to others.”
Metin Fevzi
Plant Director - Alpro
“Toro’s team conducted a comprehensive physical security and systems review of the vast site and helped ensure a secure and effective staged transition to the Riverlinx Consortium.”
Mark Ulatowski
Project Manager - Transport for London

