[DEFENCE CYBER COMPLIANCE AUSTRALIA]

DEFENCE CYBER COMPLIANCE

Essential Eight ML2, ISM controls, IRAP assessment, 72-hour incident reporting — the complete cyber compliance picture for Australian defence suppliers.

ML2: Mandatory since October 2024
72hr: Incident reporting window
100%: DISP members must comply

[OBLIGATIONS]

DEFENCE CYBER COMPLIANCE OBLIGATIONS

Cyber compliance for defence suppliers is governed by the DSPF, the ISM, and the Essential Eight — all verified through IRAP assessment.

Essential Eight ML2

Mandatory for all DISP Baseline members since October 2024. All 8 controls must be consistently implemented across all in-scope systems with no exceptions. Verified by an ACSC-accredited IRAP assessor.

ISM Controls

Relevant Information Security Manual controls must be implemented for ICT systems processing classified Defence information. The specific controls required depend on the classification level and the nature of the information processed.

IRAP Assessment

An independent assessment by an ACSC-accredited IRAP assessor is required for all DISP applications. The assessment verifies E8 ML2 compliance and relevant ISM controls. A current IRAP report must be submitted with the DISP application.

72-Hour Incident Reporting

Significant security incidents must be reported to DISO within 72 hours of becoming aware of them. Failure to report is itself a compliance breach. Incidents include ransomware, unauthorised access to classified systems, and data breaches.

Annual Security Report

The ICT security section of the Annual Security Report (ASR) must document the current E8 compliance status, any incidents during the year, and any material changes to in-scope ICT systems.

Continuous Monitoring

DISO may conduct Deep Dive Audits at any time to verify ICT security compliance. Organisations must maintain evidence of ongoing E8 ML2 compliance — not just at the time of IRAP assessment.

[AUTOMATION]

HOW DISPULSE AUTOMATES DEFENCE CYBER COMPLIANCE

1-Click Annual Security Report generation

Most DISP members currently manage their cyber compliance through a combination of spreadsheets, shared drives, and periodic manual assessments. This approach is fragile — it creates compliance gaps between assessments, makes ASR preparation a major annual project, and provides no early warning when controls drift out of compliance.

DISPulse replaces this with a purpose-built DISP GRC platform that provides real-time visibility into your E8 compliance posture, automated evidence collection, and 1-click ASR generation — eliminating the manual overhead of ongoing cyber compliance management.

Real-Time E8 Dashboard

Live compliance status for all 8 controls across all in-scope systems. Instant visibility when a control drifts out of compliance.

Automated Evidence Collection

Continuous collection of compliance evidence — configuration snapshots, audit logs, scan results — ready for IRAP assessment and ASR submission.

1-Click ASR Generation

Annual Security Report generated directly from live compliance data. No more manual spreadsheet compilation before the DISO deadline.

Incident Management Workflows

Structured incident response workflows that ensure the 72-hour DISO reporting obligation is met and all evidence is captured.

[FAQs]

DEFENCE CYBER COMPLIANCE — FAQs

5 key questions about cyber compliance for Australian defence suppliers.

What cyber security standards apply to Australian defence suppliers?

Australian defence suppliers must comply with: (1) Essential Eight Maturity Level 2 — mandatory for all DISP Baseline members since October 2024; (2) the Information Security Manual (ISM) — the Australian Government's cyber security framework, which underpins DISP ICT requirements; (3) DSPF Principle 16 — the Defence Security Principles Framework control that governs information and cyber security for DISP members; and (4) DISO incident reporting obligations — including the 72-hour window for reporting significant security incidents.

What is the ISM and does it apply to DISP members?

The Information Security Manual (ISM) is the Australian Government's cyber security framework, published and maintained by the Australian Signals Directorate (ASD). It provides controls for protecting government information and systems. DISP members are required to implement relevant ISM controls for their ICT systems, particularly those that process, store, or transmit classified Defence information. The ISM controls required for DISP are assessed as part of the IRAP assessment process.

What is the 72-hour incident reporting rule for DISP?

DISP members are required to report significant security incidents to DISO within 72 hours of becoming aware of the incident. A 'significant' incident includes any cyber security incident that affects systems handling classified Defence information, any unauthorised access to classified information, any ransomware or destructive malware affecting in-scope systems, and any incident that may have compromised the security of Defence contracts or information. Failure to report within the required timeframe is itself a compliance breach and can trigger a DISO compliance review.

How does DISPulse automate defence cyber compliance?

DISPulse is a purpose-built DISP GRC platform that automates the most time-consuming aspects of defence cyber compliance: continuous Essential Eight control monitoring with real-time compliance dashboards; automated evidence collection for IRAP assessments and Annual Security Reports; 1-click ASR generation that pulls live compliance data directly into the DISO-required format; and incident management workflows that ensure the 72-hour reporting obligation is met. DISPulse eliminates the manual spreadsheet-based compliance tracking that most DISP members currently rely on.

What is the difference between IRAP and DISP?

IRAP (Information Security Registered Assessors Program) is the assessment methodology — it is the process by which an ACSC-accredited assessor independently verifies that your ICT systems meet the required security standards. DISP (Defence Industry Security Program) is the membership program — it is the overall framework that Australian defence suppliers must join to access classified Defence information. IRAP assessment is a required component of the DISP application process, but IRAP itself is not a membership program. Think of IRAP as the test, and DISP as the qualification.

[NEXT STEP]

AUTOMATE YOUR DEFENCE CYBER COMPLIANCE.

DISPulse gives you real-time E8 compliance visibility, automated evidence collection, and 1-click ASR generation. Stop managing compliance in spreadsheets.