Basic / Very Low CRP

DCC Level 0 for micro organisations.

DCC Level 0 is a documentation-led assessment of three controls drawn from Def Stan 05-138 issue 4. It is the right level for UK MOD contracts where the contracting authority has assigned a Very Low Cyber Risk Profile (CRP). Cyber Essentials is a prerequisite - Fig issues this within the engagement at no additional cost when you do not already hold a current certificate.

Scope at this tier

Most micro suppliers run a single-site, single-cloud footprint with a small direct supplier list. Evidence prep for an organisation already holding Cyber Essentials is typically a focused week of work.

What's included in the package

  • IASME-licensed L0 assessment against Def Stan 05-138 issue 4 (Level 0 control set)
  • Cyber Essentials prerequisite - Fig issues this in 6 working hours for compliant submissions
  • Documentation review of governance, identity, device and supply-chain evidence (no on-site visit)
  • 3-year certificate validity from issue date
  • Annual attestation support at end of Year 1 and Year 2 (included in the published price)
  • Structured intake template plus Fig consultant access during evidence preparation

What we expect you to have ready

L0 is a documentation review - the assessor reads what you provide, there is no on-site or remote technical inspection. The lists below are Fig's evidence framework aligned to the L0 control set. Fig sends a structured intake template at scoping so this can be assembled in days, not weeks.

Governance

  • Information security policy (one document or a small policy framework)
  • Roles and responsibilities for cyber security (named individuals or job titles)
  • Incident response plan or procedure (even a one-pager covering detect, contain, notify)
  • Acceptable use / staff awareness materials

Identity

  • Joiner / mover / leaver process documentation
  • Privileged access principles (who has admin, how it is reviewed)
  • Authentication evidence (multi-factor enforcement on admin and remote access)

Device

  • Patch management cadence (scheduled or as-released)
  • Endpoint malware protection in place (Cyber Essentials evidence usually covers this)
  • Device inventory - a maintained list is acceptable, a real-time tool is not required

Supply chain

  • List of direct suppliers in scope of the MOD contract
  • Standard supplier security clauses or DPA template (signed copies if available)
  • Cyber Essentials evidence from suppliers where contractually required

Need scoping help, readiness work, or post-cert support?

The basic package covers the in-scope assessment. If you need help getting ready for assessment - scoping the in-scope estate, standing up missing governance, running a pre-cert readiness review, or putting a Year 2 retainer in place - Fig offers consultancy outside the basic package. Talk to us about what you need and we will scope it transparently.

Reference reading before you commit

Two canonical references Fig points buyers to before they sign: the CRP glossary if you want to confirm the level your contract clause requires, and the DCC scoping guide for the rejection patterns and boundary tests Fig runs at scoping.