At DCC Level 1 and above, assessments include interviews with named roles - incident response lead, IT/technical lead, and a senior director for governance attestation. These interviews are where unprepared suppliers come unstuck. The policies are correct, the evidence pack is complete, but the named role cannot answer basic questions about what they would actually do in that role. This guide walks through the specific questions assessors typically ask, what a strong answer looks like, and how to prepare.
The principle behind assessor interviews
The purpose of the interviews is to test whether the documented system is real. A policy saying "the Incident Response Lead notifies the MOD via the prime within 24 hours" is easy to write. The assessor wants to know:
- Does the Incident Response Lead exist by name?
- Do they know they are the Incident Response Lead?
- Can they describe what they would actually do if an incident happened on Tuesday at 2am?
- Do they know the notification route? Can they show the contact details?
The strongest answers come from people who genuinely do the role, not from people who have been briefed on it the week before. Assessors can detect rehearsed answers quickly.
Interview 1: The Incident Response Lead
The IR Lead interview typically runs 30-60 minutes and covers:
"Describe what would happen if you discovered a suspected ransomware incident at 2am on a Saturday."
A strong answer walks through:
- immediate containment actions (isolate affected systems, disable compromised accounts)
- escalation route (who is called first, how the CEO or director is informed)
- notification obligations (MOD contact via the prime, ICO if personal data is involved, insurer, legal counsel)
- evidence preservation (do not wipe, do not reboot, in case memory forensics are needed)
- communications (internal stakeholder briefing, external holding statement if customers are affected)
- recovery (validated backup restore, rebuild from trusted images; do not restore from possibly-compromised production)
The answer should name real people, not role titles.
"What is the notification threshold for the MOD? How do you notify them?"
The answer should reference a specific route (typically via the prime contractor's security liaison, or in some cases direct to a nominated MOD contact), a specific timeline (typically within 24 hours of discovery for material incidents), and a specific format (typically a written notification with incident summary, scope of MOD data affected, and remediation steps taken).
"Describe the most recent tabletop exercise or drill you ran."
The assessor wants to hear a specific example - what the scenario was, who participated, what the outcome was, what lessons were captured, and what changed as a result. "We run tabletops regularly" without a specific example is a red flag.
"What log sources would you use to investigate an incident affecting MOD-facing services?"
A strong answer names specific log sources - cloud provider audit logs (CloudTrail, Azure Activity Log), identity platform logs (Entra ID sign-in logs, conditional access logs), endpoint telemetry (EDR console), firewall logs, application logs. The answer should include log retention periods and how the logs are accessed during an incident.
"How would you know that an incident had occurred?"
The assessor is testing detection capability. Strong answers reference EDR alerting, SIEM or log monitoring, failed-login alerting, cloud provider threat detection (GuardDuty, Defender for Cloud), user-reported incidents via a defined channel, third-party notification (supplier breach, ICO, law enforcement).
Interview 2: The IT/Technical Lead
Typically runs 60-90 minutes and covers the five technical controls and surrounding operational detail.
Firewalls / network security:
- "Show me the current firewall ruleset or cloud security group configuration for the in-scope production environment."
- "When was this ruleset last reviewed? Show me the review evidence."
- "Are any inbound rules wider than strictly necessary? Why?"
- "How is the firewall administrative interface protected?"
Strong answers show the actual current configuration (screen share or documented export), reference a defined review cadence (typically quarterly for L1, twice-yearly minimum), justify any open rules, and show MFA on the admin interface.
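The "wider than strictly necessary" question is easiest to answer if the ruleset has been reviewed against a written standard before the interview. The script below is an added example, not Fig's tooling or any vendor's export format: it takes a ruleset in the shape of a cloud security-group export (the rules, the admin-port list and the 100-port "wide range" threshold are all constructed assumptions) and lists every inbound rule open to any source, graded by what it exposes, so each one can be justified or closed before the assessor asks.

```python
"""Added example (not Fig's tooling): review an exported inbound ruleset for
rules that are wider than strictly necessary, the way an assessor would ask.
The ruleset below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

# Assumption: ports an assessor would expect to be restricted to named sources.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS",
               1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
WIDE_RANGE_THRESHOLD = 100  # assumption: more ports than this to any source is "wide"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "inbound" or "outbound"
    source: str             # CIDR the rule accepts traffic from
    port_from: int
    port_to: int
    justification: str = ""  # recorded reason for the rule, if any


# Constructed ruleset in the shape of a cloud security-group export.
CONSTRUCTED_RULESET = [
    Rule("allow-https", "inbound", "0.0.0.0/0", 443, 443, "public web front end"),
    Rule("allow-ssh-bastion", "inbound", "203.0.113.0/24", 22, 22, "office egress range"),
    Rule("allow-rdp-temp", "inbound", "0.0.0.0/0", 3389, 3389),
    Rule("allow-all-dev", "inbound", "0.0.0.0/0", 0, 65535, "dev convenience"),
    Rule("allow-nodeport", "inbound", "::/0", 30000, 32767),
    Rule("allow-http", "inbound", "0.0.0.0/0", 80, 80),
    Rule("egress-all", "outbound", "0.0.0.0/0", 0, 65535, "default egress"),
]


def review_ruleset(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, reason) for every inbound rule that needs justifying."""
    findings = []
    for r in rules:
        if r.direction != "inbound":
            continue
        # prefix length 0 means 0.0.0.0/0 or ::/0, i.e. any source
        any_source = ip_network(r.source, strict=False).prefixlen == 0
        if not any_source:
            continue
        exposed = [ADMIN_PORTS[p] for p in sorted(ADMIN_PORTS) if r.port_from <= p <= r.port_to]
        width = r.port_to - r.port_from + 1
        if exposed:
            findings.append((r.name, "high", "exposed to any source: " + ", ".join(exposed)))
        elif width > WIDE_RANGE_THRESHOLD:
            findings.append((r.name, "medium", f"{width} ports open to any source"))
        elif not r.justification:
            findings.append((r.name, "low", "any-source rule with no recorded justification"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in review_ruleset(CONSTRUCTED_RULESET):
        print(f"[{severity:6}] {name}: {reason}")
```

Run against a real export, the output is the list of rules the IT Lead should be able to justify from memory; a rule like the public HTTPS one passes because it is narrow and has a recorded reason, which is the standard the assessor applies.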
Secure configuration / patch management:
- "Show me your patch management dashboard for the last 90 days."
- "What is your SLA for critical patches? Can you evidence recent critical patches applied within that SLA?"
- "What is your build standard for endpoints and servers?"
- "How do you handle out-of-support software?"
Strong answers show a current dashboard (Intune, Jamf, Windows Update for Business, etc.), evidence a 14-day critical SLA, produce a build standard document, and can point to a recent critical patch landing inside the SLA.
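Evidencing the 14-day critical SLA means being able to show, per host and per patch, the gap between release and installation. The following is an added example and not Fig's tooling: it scores constructed patch records (the patch identifiers, hosts and dates are made up, and the 30-day figure for high-severity patches is an assumption; only the 14-day critical SLA comes from the text) as met, breached, overdue or pending as of a given assessment date, which is the view an assessor wants from the dashboard.

```python
"""Added example (not Fig's tooling): check exported patch records against the
14-day critical SLA the text describes. Records and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# 14 days for critical comes from the text; the 30-day figure for high is an assumption.
SLA_DAYS = {"critical": 14, "high": 30}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str              # constructed identifiers, not real vendor numbers
    severity: str
    available: date            # date the vendor released the patch
    installed: Optional[date]  # None means not yet installed


CONSTRUCTED_RECORDS = [
    PatchRecord("srv-01", "PATCH-0001", "critical", date(2024, 3, 1), date(2024, 3, 10)),
    PatchRecord("srv-02", "PATCH-0001", "critical", date(2024, 3, 1), date(2024, 3, 20)),
    PatchRecord("srv-03", "PATCH-0001", "critical", date(2024, 3, 1), None),
    PatchRecord("srv-01", "PATCH-0002", "high", date(2024, 3, 10), None),
    PatchRecord("srv-03", "PATCH-0002", "high", date(2024, 3, 10), date(2024, 3, 25)),
    PatchRecord("srv-02", "PATCH-0003", "low", date(2024, 3, 5), None),
]


def sla_status(rec: PatchRecord, today: date) -> str:
    """met / breached / overdue / pending / no-sla for one record as of `today`."""
    limit = SLA_DAYS.get(rec.severity)
    if limit is None:
        return "no-sla"
    deadline = rec.available + timedelta(days=limit)
    if rec.installed is None:
        return "overdue" if today > deadline else "pending"
    return "met" if rec.installed <= deadline else "breached"


def summarise(records: List[PatchRecord], today: date) -> Dict[str, int]:
    """Count records by SLA status, the headline figure for the dashboard."""
    counts: Dict[str, int] = {}
    for rec in records:
        status = sla_status(rec, today)
        counts[status] = counts.get(status, 0) + 1
    return counts


def sla_failures(records: List[PatchRecord], today: date) -> List[Tuple[str, str, str, int]]:
    """(host, patch, status, days past deadline) for breached and overdue records."""
    out = []
    for rec in records:
        status = sla_status(rec, today)
        if status in ("breached", "overdue"):
            deadline = rec.available + timedelta(days=SLA_DAYS[rec.severity])
            reference = rec.installed if rec.installed is not None else today
            out.append((rec.host, rec.patch_id, status, (reference - deadline).days))
    return out


if __name__ == "__main__":
    as_of = date(2024, 3, 31)  # constructed assessment date
    print(summarise(CONSTRUCTED_RECORDS, as_of))
    for row in sla_failures(CONSTRUCTED_RECORDS, as_of):
        print(row)
```

The distinction between "breached" (installed late) and "overdue" (still missing) matters in the interview: the first is evidence of a working process with an exception, the second is an open risk the IT Lead should already know about.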
User access control / identity:
- "Show me MFA enforcement configuration for your cloud services."
- "How often are access reviews conducted? Show me the most recent review evidence."
- "How is privileged access separated from everyday accounts?"
- "Describe the joiner-mover-leaver process. Show me the last five leavers' account closure dates."
Strong answers show conditional access policies enforcing MFA (not just enabling it), a recent access review (quarterly is typical), separation of admin and user accounts, and a leaver log with timestamps matching HR records.
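The "last five leavers" request is a reconciliation between two records: the HR leave date and the identity platform's account-disable event. This added example (not Fig's tooling, and not tied to any particular HR system or identity platform export) joins constructed versions of both, reports the gap in hours for each leaver, and flags accounts that were disabled late or never disabled; the 24-hour disable target is an assumption.

```python
"""Added example (not Fig's tooling): reconcile HR leaver dates against identity
platform account-disable events, as an assessor asking for the last five
leavers would. Both data sets are constructed."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumption: accounts should be disabled within this many hours of the leave date.
DISABLE_SLA_HOURS = 24

# Constructed HR extract: (username, end of last working day).
HR_LEAVERS = [
    ("alice.smith", datetime(2024, 3, 1, 17, 0)),
    ("bob.jones", datetime(2024, 3, 5, 17, 0)),
    ("carol.white", datetime(2024, 3, 12, 17, 0)),
    ("dan.brown", datetime(2024, 3, 15, 17, 0)),
    ("eve.black", datetime(2024, 3, 20, 17, 0)),
]

# Constructed identity-platform audit events: (username, account disabled at).
IDP_DISABLE_EVENTS = [
    ("alice.smith", datetime(2024, 3, 1, 17, 30)),
    ("bob.jones", datetime(2024, 3, 8, 9, 0)),
    ("dan.brown", datetime(2024, 3, 15, 12, 0)),
    ("eve.black", datetime(2024, 3, 21, 16, 0)),
]


def reconcile(hr, events, sla_hours: int = DISABLE_SLA_HOURS) -> List[Tuple[str, str, Optional[float]]]:
    """(user, status, hours between leave date and disable event) for each leaver."""
    disabled_at: Dict[str, datetime] = {}
    for user, when in events:
        # keep the earliest event if an account was disabled more than once
        if user not in disabled_at or when < disabled_at[user]:
            disabled_at[user] = when
    results = []
    for user, left in hr:
        when = disabled_at.get(user)
        if when is None:
            results.append((user, "not-disabled", None))
            continue
        delay = round((when - left).total_seconds() / 3600, 1)
        # a negative delay means the account was disabled ahead of the leave date
        status = "ok" if delay <= sla_hours else "late"
        results.append((user, status, delay))
    return results


def exceptions(hr, events, sla_hours: int = DISABLE_SLA_HOURS):
    """Only the leavers the IT Lead will have to explain."""
    return [r for r in reconcile(hr, events, sla_hours) if r[1] != "ok"]


if __name__ == "__main__":
    for row in reconcile(HR_LEAVERS, IDP_DISABLE_EVENTS):
        print(row)
```

The output is the leaver log with timestamps the text describes; running it before the assessment turns "carol.white was never disabled" from an assessor finding into a closed action with its own evidence.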
Malware protection:
- "Show me the AV/EDR management console."
- "What coverage do you have across endpoints? Any gaps?"
- "When was the last AV-flagged event? What happened?"
Strong answers show the current EDR console with endpoint enrolment rates near 100%, explain any gaps (rare edge devices, development machines under separate controls), and reference a recent flagged event with its handling evidence.
Logging, monitoring, backup, cryptography:
- "Where are logs retained? For how long?"
- "How would you investigate an incident in the last 60 days?"
- "What cryptography is used for data-at-rest? Key management?"
- "When was the last backup restore test?"
Interview 3: The Senior Director / Governance Attester
Usually 15-30 minutes. Shorter than the other interviews but no less important - the assessor is testing whether security has executive attention.
"What is your organisation's approach to cybersecurity as a whole?"
The director should articulate the Information Security Policy's approach in their own words, not read from a document. The answer should connect to business priorities (protecting customer data, protecting MOD information, commercial reputation).
"How does security feature in your board discussions?"
The assessor is looking for evidence that cybersecurity is regularly discussed at a senior level - monthly or quarterly security updates to the executive, annual formal review of the security posture, security investment decisions made at board level.
"Who reports to you on cybersecurity? How often?"
Named individuals, defined cadence. "My IT director reports to me monthly, with quarterly security-specific reviews" is a strong answer. "We have regular conversations" is not.
"What was the most significant cybersecurity investment your organisation made in the last year?"
A strong answer references a specific investment - a new EDR platform, a managed SOC, an ISMS overhaul, a dedicated security hire - and connects it to a risk that was being addressed. This demonstrates security is actively managed, not inherited.
"What is your biggest cybersecurity risk today?"
Strong directors have a view. It is usually supply chain, insider risk, or a specific technology debt issue. Weak directors give generic answers ("ransomware") or deflect to the IT lead.
"Have you had any incidents in the last 12 months? What happened?"
The assessor is testing disclosure discipline. If there were incidents, the director should disclose them and explain what happened and what changed. Silence or deflection is a red flag.
Supply chain questions (any interview)
Assessors usually spread supply chain questions across the interviews rather than having a dedicated supply chain session.
- "Show me your supplier register."
- "Which of your suppliers have meaningful access to MOD information?"
- "When was the register last reviewed?"
- "Pick a supplier at random - what security assurance do you have over them?"
- "What would happen if a supplier reported a security incident to you?"
How to prepare named roles for the interviews
A concrete preparation approach that consistently works:
Do not script answers. Assessors detect memorised answers and probe deeper. Real knowledge is the goal, not rehearsed text.
Walk each named role through a realistic scenario. For the IR Lead, walk through an actual incident scenario end-to-end. For the IT Lead, walk through a real day in the life of the job. For the director, prepare a brief on the organisation's security posture with specific examples.
Have the evidence physically to hand. The AV console, the firewall ruleset, the patch dashboard, the access review spreadsheet, the supplier register. Assessors ask to see evidence during interviews; fumbling for it is disruptive.
Do a mock interview. With a consultant, an experienced colleague, or the IR Lead asking their own questions to the IT Lead. Mocks surface the specific phrasings and gaps that would otherwise come out during the real interview.
Be honest about what you do not know. If the assessor asks something you cannot answer, say so and commit to following up. Improvising or guessing is almost always worse than a considered "I will need to get back to you on that" with a 24-hour commitment.
The Fig approach
At Fig, the L1 dedicated consultant runs mock interviews with each named role as part of the engagement. This is typically 60-90 minutes per role, usually in the week before formal assessor interviews. The mocks replicate the actual assessor style and surface the questions the assessor is likely to ask given the supplier's scope.
First-pass rates for L1 engagements that run mock interviews are materially higher than those that do not.