Frequently Asked Questions


Which contracts require the Defence Cyber Certification?

This will be decided by the MOD. However, any organisation can apply for certification, whether they are a current defence contractor or not.

What do the different levels mean?

Level 0 – 3 controls

Level 0 is normally assigned where there is a very low level of assessed cyber risk to a supplier delivering an output. It requires supplier organisations to demonstrate basic cyber security practices and forms the foundation level for all future assessments higher than level 0.

Level 1 – 101 controls

Level 1 is normally assigned where there is a low to moderate level of assessed cyber risk to a Supplier delivering an output. It requires supplier organisations to demonstrate a comprehensive cyber security programme with good practices.

Level 2 – 139 controls

Level 2 is normally assigned where there is a high level of assessed cyber risk to a supplier delivering a contracted output. It requires supplier organisations to demonstrate advanced cyber security oversight and planning which drives robust organisational and cyber practices.

Level 3 – 144 controls

Level 3 is normally assigned where there is a substantial level of assessed cyber risk from a supplier delivering a contracted output. It requires supplier organisations to demonstrate expert cyber security capabilities that fully take advantage of the ‘defence in depth’ methodology to appropriately protect the organisation against new and evolving threats.

How do I know which level I need?

This will be decided by the MOD for each contract. An applicant can apply for certification at any level even if they currently have no MOD contract.

What is the certification process?

1. During this early phase, the applicant contacts IASME regarding assessment and certification, and IASME sends further information. In future, the applicant will be able to visit the IASME website for a list of Certification Bodies and guidance for each level.
2. IASME sends the applicant further information and a list of relevant Certification Bodies.
3. The applicant contacts one of the Certification Bodies.
4. The Certification Body further explains the process for assessment at the level requested by the client and can give an indication of cost.
5. If the applicant wants to go ahead, they will sign an agreement with the Certification Body and progress with the assessment.
6. The assessor will be able to advise on any gaps but not actually fix issues for the applicant.
7. Once the applicant has passed the assessment they will receive a certificate and digital badge.

What is the cost?

This is to be agreed with the assessing CB and depends upon multiple factors such as: business size, assessment readiness, scheme Level and support required from the CB.

When do I need to get certification?

This will be decided by the MOD; however, you can apply for certification before being required to.

Do I need to renew it? How often?

The certification lasts three years but an annual attestation will be needed to maintain that certificate along with annual recertification to Cyber Essentials or Cyber Essentials Plus.

How do I get help with certification?

Certification Bodies will be able to help you on a consultancy basis. The Certification Body you use for the assessment will only be able to advise and not implement solutions for you. A list of relevant Certification Bodies will be available shortly, meanwhile contact IASME.

Are there any policy templates I can look at?

There are no templates available for this scheme at the moment; however, the IASME Cyber Assurance scheme has some templates which could be used to get started. These can be found here.

How do I find a Certification Body?

Applicants may approach a CB they already have a relationship with as long as that CB is accredited to the appropriate level. During the early stage of the scheme, the applicant must contact IASME for a list of CBs, but in the future this will be available on the website.

How long does certification take?

There is no defined timescale for how long it may take; this depends on:
– the preparedness of the applicant
– whether the applicant needs to remediate any gaps before applying
– the availability of the CB to carry out the assessment

How long does the certificate last?

The certification lasts three years but an annual attestation will be needed to maintain that certificate along with annual recertification to Cyber Essentials or Cyber Essentials Plus.

Where can I find scheme documentation?

Documentation will be available on IASME’s website. Please contact IASME for this before then.

What guidance is available and where can I find it?

Documentation will be available on IASME’s website. One of the relevant Certification Bodies will be able to advise on the way forward for any organisation.

Can my assessing CB help me prepare?

Yes, to a limited extent. The assessing CB is able to provide limited support but can only act in an advisory role, for example, they are not allowed to make changes to the organisation or create documents. If you require more support than this, it is recommended you seek assistance from a separate Certification Body to the one conducting your assessment.

What happens if I fail?

A failure will result in no certificate being issued. The applicant will receive a report showing the areas that require remediation and is able to attempt certification again. We do not share details of organisations that have failed.

What needs to be in scope?

The scope of the certification concerns the cyber resilience of the critical business operations of your organisation. All parts of your business that are essential for you to operate must be in scope. Please see the separate Scoping Guidance document for more information.

Do I need Cyber Essentials?

Yes, all levels require Cyber Essentials. Levels 2 and 3 require Cyber Essentials Plus. Please check the Scoping Guidance document for details on what must be within the Cyber Essentials scope.

If I fail the assessment can I still win the MOD contract?

This is something only the MOD can determine.

I have not fully implemented a solution for a control, will this be taken into account?

If the control is not yet met then it will be marked as a fail.

How will the MOD know the scope of my certification?

The scope will be shown on the certificate.

Should I certify my whole organisation?

Yes, if possible.

What sample sizes are required?

Sample sizes will follow GovAssure processes; however, the Assessor may request to see additional samples.

Are any of the levels self-assessed?

No.

Do I need to complete lower levels before applying for Level 3?

No. Each assessment stands alone and does not rely upon the completion of previous levels.

What is the benefit of getting this certification?

This certificate will cover all of your contracts to the certified level, streamlining the process by requiring only one assessment to cover multiple contracts, rather than conducting separate assessments for each contract.

Are there any prerequisites?

Other than CE/CE+, there are none.

I have other certifications, do I need this one?

Applicants may still tender for MOD contracts via the normal MOD process; DCC is not mandatory at this stage.

Can I only certify parts of my organisation that will deal with sensitive data?

No. This scheme revolves around organisational security and resilience, not just data handling.