Skip to contentAbout Fig Group
EnhancedLow CRP

DCC Level 1 for small organisations.

DCC Level 1 is a consultant-led assessment against 101 controls drawn from Def Stan 05-138 issue 4. It is the right level for UK MOD contracts where the contracting authority has assigned a Low Cyber Risk Profile (CRP). Engagements are scoped to your variance drivers - site count, cloud footprint, legacy estate, supply-chain depth, staff population and existing maturity - and priced as a range to reflect that.

Scope at this tier

Small L1 engagements with a clean evidence pack and 2 short remediation rounds typically run to around 6 weeks. Variance is most often driven by supplier-response time on the readiness review.

What's included in the package

  • IASME-licensed L1 assessment against Def Stan 05-138 issue 4 (Level 1 control set, 101 controls)
  • Dedicated Fig consultant from scoping through certificate issue
  • Cyber Essentials prerequisite included
  • Fig Technology compliance automation platform for evidence pre-mapping and gap analysis
  • Three remediation rounds included before formal assessment
  • 3-year certificate validity, annual attestation Years 1 and 2

What we expect you to have ready

L1 is consultant-led, with the Fig Technology platform pre-mapping evidence against the L1 control set before formal assessment begins. The lists below are Fig's evidence framework aligned to the L1 controls. Your dedicated consultant will tailor the intake at scoping based on your in-scope estate.

Governance

  • Information security policy framework
  • Documented RACI for cyber security responsibilities
  • Incident response and notification procedures
  • Risk register and risk treatment process

Identity

  • Joiner / mover / leaver evidence with documented timelines
  • Multi-factor authentication enforced across admin and remote access
  • Privileged access review cadence

Device & secure config

  • Patch evidence with stated SLA or cadence
  • Endpoint protection across the in-scope estate
  • Documented baseline configuration for OS, cloud and network
  • Maintained asset inventory aligned to the in-scope estate

Supply chain

  • List of direct suppliers in scope of the MOD contract
  • Fig supplier readiness review (Fig-provided template, completed by your direct suppliers)
  • Documented flow-down of security clauses to suppliers
  • Cyber Essentials evidence from suppliers where contractually required

Need scoping help, readiness work, or post-cert support?

The basic package covers the in-scope assessment. If you need help getting ready for assessment - scoping the in-scope estate, standing up missing governance, running a pre-cert readiness review, or putting a Year 2 retainer in place - Fig offers consultancy outside the basic package. Talk to us about what you need and we will scope it transparently.

Talk to us about scoping support

Reference reading before you commit

Two canonical references Fig points buyers to before they sign: the CRP glossary if you want to confirm the level your contract clause requires, and the DCC scoping guide for the rejection patterns and boundary tests Fig runs at scoping.

Other DCC Level 1 tiers

See full Level 1 overview

Micro

1-9 employees

£9,999 - £14,999

Medium

50-249 employees

£20,000 - £24,999

Large

250+ employees

£25,000 - £49,999