More DCC Level 0 engagements go sideways because of scope than because of control failures. Get scope right at the start and the rest of the assessment follows a predictable path. Get scope wrong and you generate clarification cycles, assessor findings, and - in the worst cases - a requirement to re-scope and re-submit.
This guide is the practical scoping playbook for L0. It covers what "scope" actually means in DCC terms, how it is documented, how it has to align with your Cyber Essentials scope, the five errors that come up repeatedly, and how to run a defensible scoping conversation with your Certification Body.
If you are earlier in the process, read the DCC L0 process walkthrough first - scoping sits at Step 2 of 8.
Scope is the boundary inside which your cybersecurity controls will be assessed. Everything inside the scope must meet the DCC L0 requirements. Everything outside the scope is excluded from the assessment - which means it is also excluded from the certificate's coverage.
A DCC L0 scope statement answers five questions:
The assessor documents the agreed scope in the IASME portal, and the resulting certificate is issued against that scope. Expanding scope later requires re-assessment.
Every DCC L0 supplier must hold a current Cyber Essentials certificate. The DCC L0 scope must be equal to or contained within the Cyber Essentials scope. In practice, this means one of three patterns:
Assessors check this alignment explicitly. Misalignment is the single most common reason L0 submissions get bounced back for scope re-work.
If remote workers access MOD information, they are in scope. BYOD on personal laptops is permissible under DCC with the correct controls (endpoint management, disk encryption, MFA), but it has to be declared and the devices have to be assessed. Excluding remote workers is a near-automatic finding.
Cloud services that process MOD data are in scope. Microsoft 365, Google Workspace, Salesforce, project-management SaaS, any cloud storage, any cloud-based collaboration tool - all in scope if MOD information flows through them. The assessor will ask you to name them.
Users move. The MOD-facing project team this quarter may include staff working from home, staff in a client office, and staff on a shared WeWork desk. Site-based scoping ("we cover the Bristol office") only works if you can demonstrate MOD information never leaves that office. Almost never true.
If a subcontractor has access to your in-scope systems or processes MOD information on your behalf, their access is in scope. That does not mean the subcontractor has to be DCC-certified (though the MOD is increasingly pushing that for tier-one subcontractors) - but their access controls, vetting, and offboarding become part of your submission.
Some suppliers include the whole business in scope under the mistaken belief that it makes them look more serious. This costs time, generates more findings, and does not improve the commercial value of the certificate. Scope exactly what your MOD work requires - no more.
Three patterns come up repeatedly at L0:
A good scope statement is:
At Fig we produce a one-page scope document as part of the engagement opening. It becomes the reference document for every subsequent assessor conversation, which eliminates almost all scope-related clarification cycles.
DCC L0 pricing is tier-based by employee count - scope does not directly affect price at L0. At L1, scope does affect price because a larger, more complex scope takes more assessor time. For L0, scope correctness matters for timeline and assessment quality, not cost.
The Fig scoping process:
This upfront investment (two or three working days) removes the risk of scope-related findings during the assessor phase. It is the single most important mechanism for keeping the engagement on the 14-to-21-day track.
Key questions from MOD suppliers researching this topic.
Include the legal entities, sites, users, systems, and third parties that support the relevant MOD contract. That covers employees accessing MOD-related systems, cloud services processing MOD information, and subcontractors with access to in-scope systems.
Usually not. If remote workers access MOD-related systems or process MOD information, they are in scope regardless of where they physically work. Excluding active delivery users is a common scoping error that can invalidate assurance confidence.
Yes. DCC scope must be equal to or contained within your CE scope. Scope mismatches between CE and DCC are the most common reason submissions get bounced back for re-scoping.
Over-scoping increases effort, evidence volume, and remediation burden without improving assurance value for the specific contract. Scope exactly what your MOD work requires - no more, no less.
Review scope at the start (during scoping), after initial discovery, and before submission so changes in users, assets, or service boundaries do not create late-stage clarification cycles or re-submission requirements.
DCC Level 0 inherits the five Cyber Essentials technical controls and layers defence-specific governance on top. This guide breaks down each control, the specific evidence an IASME-licensed assessor expects, common configuration mistakes, and how the controls map to the CSM v4 requirements behind L0.
The honest answer to "how long does DCC take" depends more on the supplier's starting posture than on the Certification Body's turnaround. L0 can complete in under three weeks for a prepared organisation. L1 is a six to twelve week engagement. This guide walks through both, with the specific factors that lengthen or shorten each phase.
DCC Level 0 is passed or failed on the quality of the evidence you submit. This guide is a control-by-control breakdown of the specific evidence types an IASME-licensed assessor looks for, how to assemble an evidence pack that avoids clarification cycles, the reality of evidence retention, and the difference between operational evidence and evidence fabricated for audit.