The best Defence Cyber Certification body, decided by what you can verify.
IASME-licensed at Level 0 and Level 1, published tier pricing, consultant + platform bundled into the base fee, Cyber Essentials prerequisite included, honest L2/L3 referrals. Four structural choices that hold up against scrutiny - not marketing claims.
L0 + L1
IASME-licensed accreditation scope
£999.99
L0 starting price (Micro tier, ex VAT)
3 years
Certificate validity, annual attestation
What "best" means
Four criteria that actually matter
"Best DCC body" usually decodes to four buyer-side checks. The right CB scores well on all four because they’re structural choices about how the engagement is delivered and priced.
IASME accreditation
Licensed at the levels they sell
Every legitimate DCC body is licensed by IASME at specific levels. A "best" CB only takes engagements at levels it is accredited for - and refers buyers to specialised bodies when the contract requires higher levels.
Pricing transparency
Published rates, not "POA"
A "best" CB publishes tier pricing openly - no quote-round gating, no hidden consultancy retainer, no scope creep mid-engagement. Buyers can compare against three competitors before a sales call.
Operating model
Consultant-led, not audit-only
A "best" CB runs the engagement as one continuous process - scoping, evidence preparation, remediation, and assessment with the same consultant. Audit-only CBs hand work between teams and fees compound.
Evidence trail
Auditable, defensible work
A "best" CB issues evidence, structured remediation feedback, and platform-tracked progress that survives buyer scrutiny and post-certificate audit. The certificate is just the artefact - the audit trail behind it is the real value.
Why Fig for DCC
How we score against the four criteria
Each of the four criteria, mapped to a structural decision Fig has made about how DCC is delivered.
01 · L0 + L1 accreditation
Fig is IASME-licensed at L0 and L1
Both tiers are delivered directly by Fig - we're not subcontracting one and reselling the other. For Level 2 and Level 3 we refer buyers to specialised CBs (NCC Group, Bridewell, C3IA) rather than overselling our scope.
02 · Bundled fee
Consultant and platform inside the base price
Every L1 engagement includes a dedicated consultant from scoping to certificate plus Fig's technology platform for automated gap analysis. Not sold separately, not added mid-engagement, not retainer-billed.
03 · Published pricing
Tier prices visible before any sales call
L0 is flat-priced from £999.99 + VAT. L1 is range-priced from £9,999.99 + VAT with the variance drivers named openly. Compare against three competitors in five minutes - no quote round.
04 · Cyber Essentials included
CE prerequisite, no separate invoice
Every DCC engagement requires Cyber Essentials (L0/L1) or Cyber Essentials Plus (L2/L3) as a prerequisite. Fig issues the prerequisite within the DCC fee at no additional cost - no parallel purchases, no invoice gymnastics.
Operating model
Audit-only CBs vs Fig DCC
Most CBs run DCC as an audit at the end of someone else’s consultancy. Fig runs it as one connected engagement so the timeline and price are predictable.
Industry typical
Audit-only CBs
- Audit happens at the end; gaps become surprises
- Consultancy sold separately, often by a third party
- Scope changes trigger re-quotes and timeline resets
- Bespoke pricing with quote round before any visibility
- Hand-offs between sales, consultant, and audit teams
With Fig
Fig DCC
- Platform runs gap analysis before formal assessment
- Consultant + platform bundled into the L1 base fee
- Three remediation rounds built into the engagement
- Tier pricing published openly, no quote-round gating
- Same dedicated consultant from scoping to certificate
Pick your tier
Two routes Fig delivers directly
Fig is IASME-licensed at Level 0 and Level 1. The right tier depends on your contract Cyber Risk Profile - we’ll confirm at scoping.
L0 · Very Low CRP
Documentation-led review
Flat-priced from £999.99 + VAT. Documentation review against MOD CSM v4. Cyber Essentials prerequisite included. 2-3 week typical engagement. Direct Stripe checkout.
See DCC Level 0
L1 · Low CRP
Consultant + platform engagement
Range-priced from £9,999.99 + VAT. Dedicated consultant, Fig platform, three remediation rounds, formal assessment against DEFSTAN 05-138. 6-10 week typical engagement.
See DCC Level 1
Need Level 2 or Level 3? Fig isn’t accredited at those tiers. We refer buyers to specialised CBs (NCC Group, Bridewell, C3IA) rather than subcontracting - ask us for an honest referral.
Buyer's checklist
Five questions to ask any DCC body
Whether you choose Fig or another CB, these five questions surface the structural choices that actually affect outcome and price. Use them in any DCC sales conversation.
Are you IASME-licensed at the level my contract requires?
A licensed CB will reference its IASME directory listing. If they hedge or say "we partner with a body that is", the engagement is being subcontracted and you should ask who actually issues the certificate.
What does the published price include?
Should explicitly cover: scoping, the assessment itself, remediation rounds, certificate issuance, and any prerequisite (Cyber Essentials for L0/L1, CE Plus for L2/L3). If consultant time, platform access, or scope expansion are billed separately, the headline price isn't comparable to bundled quotes.
Who specifically runs the engagement?
Should be a named IASME-licensed consultant from the start. If the answer is "a team" or "depending on availability", you'll be navigating hand-offs that slow the timeline and risk inconsistency.
How are remediation findings handled?
A capable CB includes structured remediation rounds inside the engagement. Some CBs treat remediation as a separate consultancy retainer - which adds cost and slows the engagement. Three remediation rounds is a reasonable inclusion for L1.
Will you tell me if I need a different level?
A "best" CB will refer you to a specialised body if your contract requires a higher CRP than they're accredited to deliver. Watch for CBs that claim to handle "any DCC level" - they're probably subcontracting and adding margin.
Verifiable evidence
Don’t take our word for it
Every claim on this page is published with a verification source. Fig Group’s IASME accreditation, claim register, and Companies House record are all publicly verifiable without contacting us.
FAQ
Best-DCC questions answered
What does "best" actually mean for a DCC certification body?
For most MOD suppliers it means four things: licensed at the level the contract requires, transparent published pricing, consultant + platform bundled rather than unbundled mid-engagement, and honest about which levels they can't deliver. We score well against all four because they're structural choices, not marketing claims.
How do I know which DCC level I need?
The contract or prime contractor specifies the level based on its Cyber Risk Profile (CRP). Very Low CRP = L0. Low = L1. Moderate = L2. High = L3. Suppliers don't pick their own level - if uncertain, ask the contracting authority before purchase.
Does Fig handle Level 2 and Level 3 engagements?
No. Fig is IASME-licensed at Level 0 and Level 1. For L2 and L3 contracts we refer suppliers to specialised CBs - typically NCC Group, Bridewell, or C3IA - rather than subcontracting and adding margin. We're honest about this rather than overselling our accreditation.
Why bundle the consultant and platform into the base fee?
Two reasons. First, comparison: a published all-in fee compares apples-to-apples against full-scope quotes from other CBs. Second, predictability: buyers don't get surprised by mid-engagement add-ons because there are no separate consultancy or platform invoices to add.
What if my contract changes mid-engagement?
Scope changes trigger a re-quote. We name this honestly upfront because it's the one thing that legitimately moves the price. If you add new sites, services, or device types after the audit window opens, we'll re-scope and re-quote before doing extra work - we don't do scope creep without disclosure.
How long does a Fig DCC engagement take?
L0 typically completes in 2-3 weeks for a prepared organisation. L1 typically completes in 6-10 weeks - the longer variable is remediation, not assessment. Both timelines assume the Cyber Essentials prerequisite is in place (Fig issues it within the engagement at no extra cost if needed).
Where can I see Fig's IASME licence evidence?
On /trust/iasme-licence - the licence ID, IASME directory listing, and verification path are published openly. The directory listing is also linked from the IASME website, so the credential is verifiable independent of any Fig-controlled page.
The best DCC body is the one you can verify.
Pick the tier you need, or talk to an IASME-licensed assessor first to confirm your contract Cyber Risk Profile. Either way, every claim on this page maps to a public source.