Choosing a DCC Assessment Body: A Fair Comparison of Fig Group and the UK's Leading Certification Bodies

Figure: Fig platform compliance audit view tracking evidence submissions and assessor feedback cycles across a DCC engagement.

Defence Cyber Certification is administered by IASME but delivered through a network of IASME-licensed Certification Bodies. Those bodies are not identical. Their pricing differs. Their engagement models differ. Their sector specialisms differ. And the gap between a good choice and a poor choice - for any specific supplier's situation - matters materially.

This article is a straight comparison. I run Fig Group and we are one of the accredited DCC Certification Bodies, so the comparison is not disinterested. But the defence supplier community is small, the Certification Bodies all know each other, and writing a puff piece that talks down competitors would be both dishonest and commercially counter-productive. So this is written straight: what each major body is good at, what their typical engagement looks like, and where the right answer for a specific supplier might not be Fig.

The bodies in the market

As of April 2026, the main IASME-licensed Certification Bodies delivering DCC in the UK include (alphabetically):

  • Bridewell - a key partner in the development of the DCC scheme itself, alongside four other organisations. Strong cyber consultancy heritage.
  • C3IA - long-standing defence cyber specialist, with a focus on higher-tier work (L2/L3 and beyond).
  • CyberSmart - platform-led Cyber Essentials body that has extended into DCC.
  • Evolve North - recently accredited DCC Certification Body with a regional footprint.
  • Fig Group - technology-platform-led IASME body focused on speed, transparency, and consultant-included pricing.
  • Fortis DPC - dedicated DCC L0 and L1 Certification Body with MOD and IASME accreditation.
  • Indelible Data - boutique body with defence sector specialism.
  • NCC Group - major international cybersecurity firm with deep defence sector experience, certified against UK Defence cyber requirements.
  • Shift Key Cyber - licensed to offer assessment and certification for Cyber Essentials and DCC on behalf of government bodies.

There are others. This list covers the names a defence supplier comparing DCC Certification Bodies is most likely to encounter in a procurement process.

The comparison criteria that actually matter

In my experience running Fig and previously being on the other side of these engagements as a buyer, the criteria that matter when choosing a DCC Certification Body are:

  1. Accredited level coverage. Not every body is accredited to certify at every DCC level. A body accredited for L0 and L1 cannot take you to L2.
  2. Engagement model. Audit-only versus consultant-led. This is the single biggest differentiator.
  3. Speed. How fast does the body typically turn around assessments? This matters more for L0 than L1, but it matters.
  4. Price transparency. Is the fee published? Does it include what you need, or are there add-ons?
  5. Sector specialism. Defence supplier experience versus general CE-plus-DCC experience. Some bodies genuinely live in defence; others have adjacent experience.
  6. Technology platform. Do they bring any automated gap analysis, or is the assessment entirely manual?
  7. Ongoing support. DCC certificates are valid for three years with annual attestation. What does the body do between certifications?

Honest assessment of the major options

NCC Group

Strengths: Scale and depth. NCC Group is one of the largest independent cybersecurity firms operating in UK defence. Their assessor capacity is substantial. They bring significant adjacent expertise (penetration testing, threat intelligence, incident response) that a smaller body cannot match.

Considerations: NCC is an enterprise-sized firm. Their engagement model, pricing, and timelines reflect that. For a large defence prime or a high-complexity L2/L3 engagement, NCC is a strong choice. For a small defence subcontractor looking for L0 or L1, the engagement may feel heavier than the supplier's needs.

Where NCC is the right answer: L2 and L3 engagements, complex multi-site organisations, suppliers with genuine enterprise-scale security operations that need matched assessor capability.

Bridewell

Strengths: Bridewell was one of the core partner organisations that helped develop the DCC scheme. That institutional familiarity with the scheme itself is genuine and matters. Strong consultancy alongside the certification offering.

Considerations: Like NCC, Bridewell is a larger consultancy with a broader offering. The DCC certification engagement is one of several services they deliver. Pricing reflects a full consultancy model.

Where Bridewell is the right answer: Suppliers who need a consultancy relationship that extends beyond DCC - cybersecurity strategy, SOC services, ongoing advisory - and want the certification included within a broader engagement.

Fortis DPC

Strengths: Dedicated focus on DCC L0 and L1. Clear accreditation positioning. Known for defence sector specialism.

Considerations: Accredited at L0 and L1, so suppliers needing L2 or L3 coverage would need to work with a body accredited at those higher levels.

Where Fortis DPC is the right answer: L0 and L1 engagements where the supplier wants a body that is specifically defence-focused rather than general-purpose cybersecurity.

Shift Key Cyber

Strengths: Licensed for Cyber Essentials and DCC, with government body relationships. Capable mid-sized body.

Considerations: Less broadly known than NCC or Bridewell; smaller team means capacity is more constrained during peak periods.

Where Shift Key is the right answer: Mid-scale defence suppliers who want a body with government scheme depth but a more personal engagement than a large consultancy.

Evolve North

Strengths: Recently accredited; active regional footprint (particularly northern England). Capable at L0 and L1.

Considerations: Newer to DCC than several of the other bodies listed. Lower volume of completed engagements as a reference point.

Where Evolve North is the right answer: Suppliers in the north of England who value a regional relationship and do not need the largest possible body.

CyberSmart

Strengths: Platform-led Cyber Essentials heritage with clear pricing. Efficient for high-volume CE-adjacent work.

Considerations: Stronger positioning for the CE side of the requirement than the deeper DCC L1 work. Engagement model is lighter-touch than a full consultant-led L1.

Where CyberSmart is the right answer: Suppliers needing CE + L0 who value a streamlined, platform-led experience and are comfortable self-directing the supplementary DCC preparation.

C3IA

Strengths: Long-standing defence specialism. Deep expertise at the higher tiers of the scheme. Credible at L2/L3.

Considerations: Smaller team; accordingly bespoke engagement pricing and timelines.

Where C3IA is the right answer: Defence specialists needing L2 or L3 with a body that genuinely lives in the sector.

Indelible Data

Strengths: Boutique expertise, defence and regulated sector focus.

Considerations: Smaller scale. Appropriate for specific engagements rather than high-volume delivery.

Fig Group

Strengths:

  • Technology platform that runs automated gap analysis across in-scope systems and surfaces issues before formal assessment. This is a meaningful differentiator; the platform catches misconfigurations, unpatched systems, exposed credentials, excessive privileges, and similar issues that would otherwise become findings at audit stage.
  • Consultant included in L1 pricing, not sold as an add-on.
  • Transparent, published pricing - L0 fixed flat pricing by tier, L1 published ranges with the variance drivers named explicitly.
  • Fast turnaround. Fig was built as a speed-focused IASME body for Cyber Essentials; the same operational discipline carries into DCC, particularly at L0 and L1.

Considerations:

  • Fig is an IASME-licensed DCC Certification Body. For engagements outside our current delivery focus, a body with accreditation at the relevant level (NCC, Bridewell, C3IA) may be the correct choice.
  • Fig is a mid-sized body. For a supplier that wants the largest possible engagement team for brand reasons, NCC is a better fit.
  • The technology platform is a genuine differentiator but requires the supplier to grant read access to in-scope systems. Some suppliers prefer a fully document-based engagement; for those, a traditional body is a better match.

Where Fig is the right answer:

  • L0 and L1 engagements where speed matters (tender deadlines, contract onboarding, framework submission deadlines).
  • L1 engagements where the supplier values the gap-identification benefit of platform-led assessment over a purely document-driven audit.
  • Suppliers who prefer transparent, published pricing over bespoke quotes that vary by sales conversation.
  • Mid-sized defence suppliers who want consultant-led engagement without the overhead of a full enterprise consultancy relationship.

Where Fig is NOT the right answer:

  • L2 and L3 requirements - go to an L2/L3-accredited body.
  • Suppliers that specifically need a particular body's brand stamp on their certificate for their own marketing or supplier relationship reasons. We cannot give you NCC's brand; we can only give you a valid DCC certificate.
  • Suppliers that want the assessment engagement to include broader consultancy services (strategy, SOC, ongoing advisory). That is Bridewell's territory more than ours.

The honest decision framework

The question is not which body is best. It is which body is best for your specific situation. Three questions to ask yourself:

  1. What level do I need? Match the body's accreditation to your required level.
  2. How much consultancy do I want bundled in? Audit-only means lower cost but more preparation burden. Consultant-led means higher cost but materially lower risk of first-pass failure.
  3. Does sector specialism matter to my stakeholders? If your MOD buyer has a preferred body list, use that. If not, choose on capability.

If you are an L0 or L1 supplier and value speed and transparency, Fig is designed for you. If you want technology platform gap-identification as part of the engagement, that is included on Fig's L1 engagements. If you need L2 or L3, need a large enterprise-scale body, or need the certification bundled into a broader consultancy relationship, another body is the better choice.

None of the bodies listed above is a poor choice in the right context. The poor choice is picking on price alone without considering engagement model, or picking on brand alone without considering accreditation level. That is the framing that actually matters.

Frequently asked questions

Key questions from MOD suppliers researching this topic.

Do all DCC Certification Bodies issue the same certificate?

Yes, the scheme certificate is standardised and carries the same weight regardless of the issuing body. The main differences are delivery model, sector experience, support depth, speed, and pricing structure.

What is the first filter when selecting a DCC Certification Body?

Check accreditation for your required level first. A body cannot certify levels it is not accredited to deliver, so confirm the body is an IASME-licensed Defence Cyber Certification Body covering the level your contract requires.

What questions should we ask before choosing a provider?

Ask about level coverage, assessor availability, support model (audit-only versus consultant-led), technology-backed gap analysis, feedback cycle policy, Cyber Essentials bundling, and what happens during annual attestation.

When is a larger consultancy-style body a better fit?

Larger consultancies can be a better fit for complex environments, multi-service transformation programmes, or when stakeholders require a broader advisory relationship beyond certification itself.

When might Fig not be the best fit for a supplier?

If you need L2 or L3 delivery, require a specific body brand for procurement reasons, or want DCC embedded in a broader enterprise consultancy framework. For those scenarios, NCC Group, Bridewell, or C3IA are better matches.
