ASR v2.1: what changed in DCC scoring

If you assess DCC, ASR v2.1 changes how you score, and not by a little. The short version: clearing 80% of an objective no longer passes it. Every in-scope control has to be at least Partially Met, so one Not Met control fails the whole objective even when the percentage looks healthy. Cyber Essentials is a hard anchor that fails the entire assessment on its own. And there's a new Control Override for the cases the question set doesn't capture. Here's what matters, and what it changes in the tool.

What changed, in one paragraph

An objective now passes only when two things are true at once: it scores at least the required percentage of points (80% at Levels 1 and 2, 100% at Levels 0 and 3), and none of its in-scope controls are Not Met. The threshold itself hasn't moved. The second condition is the new part, and it's the one that bites. A Not Met control fails its objective on its own, however high the percentage climbs.

Why 80% was never the whole story

The 80% pass mark was a handy shorthand. It also let an applicant paper over a weak control by scoring well elsewhere, and IASME has closed that gap.

Controls are scored on three points:

• Met (2 points): all of the control's questions meet the baseline.
• Partially Met (1 point): some do, some don't.
• Not Met (0 points): none do.

At Level 1 or 2 you now need 80% of the points and no control on zero. Picture an objective with ten controls, so 20 points on offer. Sixteen clears 80%. But get there with seven controls Met, two Partially Met and one Not Met (14 + 2 + 0 = 16) and the objective still fails, because one control is on zero. Nudge that last control up to Partially Met and the same objective passes. Levels 0 and 3 are stricter again: every control has to be fully Met.

The practical effect is simple. You can't leave a control unaddressed and lean on a strong overall score to carry it.

Cyber Essentials is the anchor

Cyber Essentials is the pre-objective, and the MOD treats it as non-negotiable. Under v2.1 it's scored as its own objective, and if it fails, the whole assessment fails regardless of everything else. On the ASR it reads as "Failed on objective(s): CE". Cyber Essentials Plus joins it at Levels 2 and 3.

Get it wrong and nothing else counts. One sees the same failure over and over: a CE certificate that doesn't actually cover the DCC scope, and an assessment that's over before it really started. So confirm CE first.

The Control Override

Real assessments throw up cases where an applicant plainly meets the intent of a control, just not through the exact questions in front of you. v2.1 gives you a proper tool for that, instead of a quiet score nudge.

A Control Override lets you mark a control as Met when the applicant genuinely meets it outside the captured questions. It needs written reasoning, and using it sends the assessment to IASME for a quality review. It's deliberately visible: you record why, and IASME sees it. It sits next to the existing +1 and -1 adjustments, and only the Certification Body can apply it. A supplier can't self-award a Met.

Met, Partially Met, Not Met, and N/A

Alongside the three scoring states, a control that genuinely doesn't apply to the applicant's scope can be marked N/A, with justification. An N/A control drops out of the objective's total rather than counting as a zero, so it doesn't drag the percentage down or trip the no-Not-Met rule. Like the override, N/A is reviewed by IASME, so the justification has to be real.

Precedence, if you're holding it all in your head: an override forces a control to Met; otherwise the score is the control's points after any +1 or -1; an N/A control sits outside the scored set entirely.

What this changes in Snubnose

Snubnose follows v2.1 end to end, in both the scoring engine and the ASR export:

• Verdicts match an IASME quality review. We used to pass an objective on percentage alone, so a healthy score could hide a Not Met control. That's fixed. An objective shows as passing only when it clears the threshold and has no Not Met control.
• Cyber Essentials is enforced as an anchor, and a CE failure is labelled as one.
• The Control Override is built in: assessor-only, reasoning required, and it re-opens a confirmed control if you apply or change it, so a verdict never changes quietly. Override anything on an assessment and a notice tells you it's going to IASME for quality review.
• The downloadable ASR matches the official v2.1 workbook cell for cell: the CE objective rows, the N/A Controls column, the dual-condition result strings, the per-level control outcomes, and the new override and reasoning columns.

If you assess on Snubnose, there's nothing to install. Re-score in the tool and the v2.1 rules are already applied.

A note for suppliers

If you're working towards DCC, three things matter most under v2.1:

• You can't average out a weak control. Every control in scope has to be at least Partially Met. One Not Met control fails its objective, and that can sink the whole assessment, even with a strong overall score.
• Cyber Essentials is the foundation. Hold current CE that covers your DCC scope. Without it, nothing else counts, and at Levels 2 and 3 you'll need Cyber Essentials Plus too.
• Mark genuinely irrelevant controls N/A, with a clear justification. Don't leave them Not Met. An honest, well-argued N/A drops out of scoring; a control left blank is a zero that fails the objective.

The payoff for all this is predictability. The bar is explicit, there's nothing hidden, and the score you see while you prepare is the score your assessor and IASME will see.

Assessing DCC and want a platform whose scoring agrees with your quality reviewer? Snubnose is built with the Certification Bodies who use it. See the Assessor Alliance. If you're a supplier starting out, begin your DCC Level 0 certification.