Defence Cyber Certification (DCC)
Defence cyber expertise shaped by real military experience
As supply chain cyber risk becomes a national security concern and defence suppliers are under pressure to secure work quickly, DCC provides a clear way to demonstrate assurance. Toro supports organisations through DCC assessment and readiness activity to help them achieve and maintain certification with confidence.
Free consultation
Protect Your Business. Build Trust. Unlock Growth.
What is Defence Cyber Certification?
Defence Cyber Certification (DCC) is the cyber security assurance framework for organisations working within the UK defence sector. Developed by the UK Ministry of Defence (MoD) in partnership with IASME, it establishes a consistent and measurable standard of cyber security across the defence supply chain.
DCC replaces the previous Supplier Assurance Questionnaire (SAQ), enabling organisations to achieve a single recognised certification rather than completing separate assessments for individual contracts.
The framework evaluates how cyber security is governed, implemented and maintained throughout an organisation. This includes governance and risk management, technical controls, people and culture and supply chain security.
Its purpose is to provide the Ministry of Defence and defence prime contractors with confidence that suppliers can protect sensitive defence information and operate securely in high-risk environments.
Achieving DCC certification demonstrates that your organisation meets the cyber security expectations of defence customers and prime contractors, helping to strengthen trust, improve supply chain assurance and support eligibility for defence opportunities.
Why choose Toro’s Defence Cyber Certification (DCC)
Defence cyber expertise shaped by real military experience
Toro was founded by professionals who have served in the armed forces and worked across the defence sector.
We understand how security operates in defence environments and how cyber security requirements affect suppliers in practice, including how assurance decisions are made and how evidence is scrutinised by MOD and defence primes.
That experience underpins how we support organisations through Defence Cyber Certification.
Clear guidance through complex standards
Defence Cyber Certification is based on Defence Standard 05‑138, which is written in defence and cyber‑specific language.We translate the standard into clear, practical actions that organisations can implement, helping teams understand what is required, what evidence is expected, and how requirements apply to their contracts and systems.
Structured readiness assessments
We assess your current cyber security posture against DCC requirements and identify gaps in a clear, prioritised way.This includes confirming scope and organisational boundaries, understanding data sensitivity and contracts in scope, and focusing effort on what matters most for the required DCC level.
Support preparing evidence
DCC requires clear, well‑structured documentation and evidence. Many organisations already have controls in place but struggle to evidence them in a defence assurance context.We support the organisation of policies, procedures and supporting materials and help clarify control ownership so evidence can be presented in a way that meets assessment expectations.
Practical support through certification
We work directly with your teams to close gaps, implement controls where needed, and prepare evidence for assessment.Support is hands‑on and collaborative, rather than delivering recommendations for teams to interpret on their own.
Focused on speed and outcome
DCC preparation is often driven by a live bid, framework renewal, or direction from a defence prime, with limited time available.Our approach is designed to reduce time to certification by prioritising activity based on risk and assurance need, while avoiding unnecessary disruption to delivery.
Managed Security & Consultancy
People focussed
At Toro, people are at the core of everything we do – our team, our clients, and the partners we collaborate with.
We prioritise building trusted relationships, delivering consistently high standards, and providing tailored support that reflects the unique needs of every client.
Free consultation
Managed Security & Consultancy
Why cyber security in the defence supply chain matters more than ever
The threat landscape facing the defence sector has changed significantly.
Attacks are now more targeted, more persistent and increasingly focused on people as well as systems. Adversaries use tailored phishing, impersonation and social engineering to gain access to sensitive systems and information.
Defence suppliers are a key part of the wider defence ecosystem and are therefore exposed to the same threat environment as defence organisations themselves. This includes advanced persistent and state‑linked threats, not just opportunistic cyber crime.
Strengthening cyber security across the supply chain is essential. DCC provides a structured way for organisations to demonstrate that they can operate securely, protect sensitive defence information and support defence operations with confidence.
Working with defence cyber security standards
Defence Cyber Certification is based on Defence Standard 05‑138, which defines the cyber security requirements for organisations supporting the UK defence sector.
Meeting the standard is not just about understanding the controls on paper. Assurance outcomes depend on how requirements are interpreted, applied and evidenced in practice.
Toro helps organisations interpret and apply Defence Standard 05‑138 by aligning existing policies, processes and technical controls with what assessors expect to see in a real defence assurance decision.
Our team has experience working in defence environments and understands how cyber security requirements translate into operational delivery and contractual obligations.
Defence Cyber Certification support for the defence supply chain
We help organisations prepare for and achieve certification, including
- DCC readiness and gap assessments
- Defence Standard 05-138 preparation
- Cyber Essentials and Cyber Essentials Plus certification and alignment
- Documentation and evidence preparation
- End-to-end support through the certification process
Why Defence Cyber Certification matters
Access to defence work
Many defence contracts require suppliers to demonstrate defined cyber security standards. DCC provides a recognised way to show your organisation meets those expectations.
Confidence for defence partners
Defence organisations and prime contractors need confidence that their suppliers can protect sensitive systems, information and operations. Certification helps demonstrate that capability.
Improve internal security
Preparing for DCC often leads to stronger governance, clearer policies and better security controls, improving resilience across the organisation.
Managed Security & Consultancy
Your route to Defence Cyber Certification
Preparing for DCC may seem complex at first, but most organisations move through a small number of clear steps.
- Identify the required level
Based on the Cyber Risk Profile (CRP) attached to the contract. - Assess your current controls
Review existing policies, processes and technical controls against Defence Standard 05-138. - Address gaps
Implement missing controls and strengthen documentation where required. - Prepare evidence
Demonstrate how controls operate through policies, procedures and supporting evidence. - Complete the certification assessment
An accredited body reviews the evidence and confirms compliance.
The four levels of DCC
Defence Cyber Certification is structured into four levels, reflecting the cyber risk associated with the work being carried out.
Each level requires organisations to demonstrate compliance with a number of controls defined in Defence Standard 05-138.
Level 0
Entry level certification for lower-risk work – 3 controls | 6 questions
Requirement: Cyber Essentials
Level 1
Introduces wider organisational cyber security requirements covering governance, policies and risk management – 101 controls | 236 questions
Requirement: Cyber Essentials
Level 2
A higher level of assurance with more detailed security and operational controls – 139 controls | 328 questions
Requirement: Cyber Essentials Plus
Level 3
The most comprehensive level of DCC certification, designed for organisations supporting higher-risk defence programmes – 144 controls | 337 questions
Requirement: Cyber Essentials Plus
Each defence contract is assigned a Cyber Risk Profile (CRP) that determines the level of DCC certification required.
Suppliers must demonstrate they meet that level to support the contract.
How Toro can help you
Toro supports organisations at every stage of the Defence Cyber Certification (DCC) process, whether you need gap analysis and remediation support, or a full assessment and certification service. We help define your DCC scope, understand evidence requirements and align your approach with existing certifications such as Cyber Essentials.
For organisations preparing for certification, we provide readiness reviews, guidance on the Applicant Submission Record (ASR) and support with evidence collection and remediation. Where you are ready to certify, our assessors carry out the formal review process, validate controls and guide you through to certification and final reporting.
Defence Cyber Certification (DCC) FAQs
Defence Cyber Certification is a cyber security certification framework developed by the Ministry of Defence and IASME to improve cyber security across the defence supply chain.
Yes. Cyber Essentials is required for Levels 0 and 1, while Cyber Essentials Plus is required for Levels 2 and 3.
Certification lasts three years, with a yearly confirmation that the required controls are still in place.
IASME is the Ministry of Defence’s official delivery partner and works with a network of accredited certification bodies.
The required level is determined by the Cyber Risk Profile (CRP) assigned to the defence contract you are supporting.
The timeline depends on how prepared your organisation is. Some organisations already have many of the required controls in place, while others may need to implement additional policies, processes or technical measures before assessment.
Yes. The framework is designed to apply across organisations of different sizes in the defence supply chain.
Many organisations already have policies and controls in place. The process often involves reviewing what you have, identifying gaps and aligning documentation with Defence Standard 05-138.
No. Cyber Essentials and Cyber Essentials Plus are baseline requirements within the DCC framework, but DCC goes further by assessing cyber security governance, organisational controls and supply chain risk.
Organisations are expected to provide documentation and supporting evidence showing how the required controls are met. This may include policies, procedures, technical records and operational evidence.
Managed Security & Consultancy
Start preparing for Defence Cyber Certification
If your organisation supports the defence sector, preparing early for DCC can reduce risk, improve bid readiness and avoid delays in procurement.
Our team will help you understand the requirements, identify gaps and move confidently towards certification.
What our clients say
Cyber Security insights
Expert Insights on Cyber Security, Risk and Resilience
Mythos – What it means and what to do about it
Anthropic’s Mythos highlights a shift in cybersecurity: AI can now find and exploit vulnerabilities at scale. Explore what this means for risk, remediation, and securing AI systems.
You’re already using AI – the question is whether you control it
Most organisations are already using AI but few truly control it. Explore the real risks, gaps in policy and practical steps to manage AI use across your business.
Defence Cyber Certification explained: what defence suppliers need to know
Defence Cyber Certification (DCC) explained for defence suppliers. Learn what the certification involves, why it was introduced and how organisations can prepare for Defence Standard 05-138 requirements.
Our Partners
Brands & companies we work with
Managed Security & Consultancy
People focussed
At Toro, people are at the core of everything we do – our team, our clients, and the partners we collaborate with.
We prioritise building trusted relationships, delivering consistently high standards, and providing tailored support that reflects the unique needs of every client.
