DCSC Information System Delivery Capability Certification

The cornerstone of security and trust in the digital era

1. Evaluation dimensions and level classification

DCSC certification is based on the theoretical foundation of "process management" and "result orientation", and has constructed a maturity model covering five core areas: strategic planning, project management, technical implementation, quality assurance, and continuous improvement.

Constructing an evaluation framework for the six core dimensions of certification system from strategy to execution:

Organizations certified by DCSC will achieve significant improvements in the following areas:
• Market competitiveness: Certification results can be used as bidding qualifications, especially in industries such as government, finance, and energy that require strict IT service capabilities.
• Delivery efficiency optimization: According to statistics, the average project delay rate of Level 3 certified enterprises has been reduced by 35%, and the response speed to demand changes has been improved by 50%.
• Risk management: Establish an end-to-end risk identification mechanism to reduce cost overruns caused by demand deviations or technical defects.
• Customer trust: Through standardized delivery processes and transparent communication mechanisms, enhance the predictability of customer deliverables.
• Organizational Capability Accumulation: Promote the explicitization of tacit knowledge and reduce reliance on key individuals.

2. It is recommended that the following types of enterprises apply first:
• System integrators with an annual delivery project scale exceeding 50 million yuan
• Service providers participating in government digital transformation projects
• IT companies planning to expand into strongly regulated industries such as finance and energy

1. Organizational qualification requirements
• Enterprises must be independent legal entities registered in accordance with the law, with qualifications for information system development, integration, or operation and maintenance services (such as ISO 20000, CMMI, etc., which are not necessary but can serve as auxiliary proof).
• The scope of business applying for certification must be consistent with the main business stated on the business license (such as software development, IT services, etc.).

2. Project experience requirements
• Provide three or more typical information system delivery cases completed within the past two years (covering the entire process of requirement analysis, development and implementation, acceptance and delivery).
• The case should reflect the organization's practice in core competency areas such as strategic planning, project management, and technical implementation.

3. System operation requirements
• Establish a process system that matches the DCSC model (such as the Project Management Specification and Quality Assurance Manual) and operate it for at least 6 months.
• Have data records of key processes (such as quantitative indicators such as requirement change rate, delivery cycle deviation rate, etc.).

4. Personnel capability requirements
• The core team (such as project managers and technical leaders) should have relevant work experience in the field (recommended to be at least 3 years)

（I） List of required materials
According to the requirements of DCSC certification evaluation, application materials are divided into three categories: basic qualifications, process evidence, and project cases, as follows:
1. Basic qualifications
• Copy of the business license of the enterprise (stamped with official seal).
• Organizational chart and job description (with clear identification of IT delivery departments and positions).
• Relevant industry qualification certificates (such as high-tech enterprise certificates, ITSS certifications, etc., not mandatory but recommended to provide).

2. Process evidence category
• Institutional documents:
Information System Delivery Management System Documents (including process descriptions for strategic planning, project management, quality assurance, etc.).
Continuous Improvement Management Procedure (such as PDCA records and review report templates).
• Process records:
Project plan and progress monitoring table for the past year (such as Gantt chart, burn out chart).
Requirement change control records (including reasons for changes, approval process, and impact analysis).
Test report and defect tracking table (reflecting closed-loop management).
• Data indicators:
Statistical table of core indicators such as delivery cycle and cost deviation rate.
Customer satisfaction survey report (covering at least 80% of delivery projects).

3. Project case studies
• Case Summary: Each case requires a "Project Overview", including project background, objectives, scale (such as contract amount, team size), technical architecture, and deliverables.
• Full process documentation:
Requirement Specification Specification (SRS) and Acceptance Report.
Technical solution design document (including architecture diagram and security design instructions).
Project summary report (including lessons learned and improvement measures).
• Customer certification:
Customer acceptance confirmation letter or satisfaction evaluation form (stamped with customer seal).

4. Other supplementary materials
• DCSC self-assessment report (fill in the ability domain score and improvement plan according to the certification level requirements).
• Internal training records and assessment certificates (such as training attendance sheets and exam papers).
• Certification Application Form (template provided by the certification body).


（II.） Key precautions
• Authenticity of materials: All documents must be actual execution records. Fictitious or signed documents may result in authentication failure.
• Time frame: The project case and process records should cover 6-24 months prior to the application to ensure data continuity.
• Format specification: Documents should be uniformly numbered and version controlled to avoid conflicts or omissions (such as linking test reports and defect records for traceability).
• Level adaptability:
Applying for Level 1-2 can focus on the completeness of the basic processes.
Applying for Level 3 or above requires providing quantitative management data (such as defect density, demand stability index).

Enterprises need to go through a strict five stage certification process