How it works

From application to continuous assurance

Certification runs through six stages. The first four take an applicant from registration to a decision, backed by the accredited audit. The last two — Assurance and Renewal — are what keep the certificate meaningful for its full term.

Between the audit cycles

A formal audit is a point-in-time snapshot. It is thorough and it is the basis for the certificate — but between one audit and the next, systems change, people change, and configurations drift. Historically that left a visibility gap of up to a year.

The platform's continuous-assurance layer closes that gap. It watches for drift, scores risk in real time, and feeds what it sees back to DESC and the accredited authorities. It is a layer that supports the BSI and CREST process between cycles — it never replaces the audit or the decision.

Validity & renewal

CSP Standard
3 yrs+ annual surveillance

A three-year term with a surveillance check-in each year, kept live by continuous assurance in between.

SOC Standard
3 yrs+ annual surveillance

Same three-year, annually-surveilled model, tuned to the operational signals of a SOC.

Dubai Cyber Force
2 yrsaccreditation term

A two-year accreditation term, with continuous assurance tracking competency and conduct throughout.

Renewal is risk-based. A provider whose assurance history stayed clean follows a lighter renewal path; one whose risk climbed during the term gets more scrutiny. The loop closes back to Renewal — assurance feeds directly into how the next term is granted.

Where AI assists — and where it doesn't
DESC keeps authority. At every stage the AI recommends, flags, summarizes or drafts — it never decides. And every signal it produces shows its reasoning, so a reviewer can always see why. The working versions of these assists appear in the applicant and DESC portals.

See it for a real application

Register to start your own, or verify a certificate that's already been issued.