Ongoing Compliance | Updated April 2026

DISP Annual Security Report (ASR): What It Is and How to Prepare

The Annual Security Report is your organisation's most important ongoing DISP obligation. Submitted every year via the DISP Member Portal, it is a comprehensive self-attestation of your security posture across all four security domains. Here is everything you need to know.

  • Frequency: Annual
  • Due date: Anniversary
  • Submission method: DISP Portal
  • CSQ questions: 107

What Is the DISP Annual Security Report?

The Annual Security Report (ASR) is the primary mechanism through which DISP members demonstrate ongoing compliance with their membership obligations. It is a structured self-attestation submitted via the DISP Member Portal on the anniversary of your membership certificate — meaning every DISP member has a unique due date based on when their membership was originally granted.

The ASR is not a passive exercise. It requires your organisation to actively review its security posture across all four security domains — governance, personnel, physical, and ICT/cyber security — and attest that it continues to meet DISP requirements. It also requires you to report any significant changes to your organisation, any security incidents that occurred during the reporting period, and your progress against any Maturity Action Plans that are in place.

The ASR is taken seriously by DISP. Organisations that submit superficial or inaccurate ASRs risk triggering an Ongoing Suitability Assessment (OSA) or Deep Dive Audit (DDA), which can be significantly more disruptive than a well-prepared ASR submission. The investment in thorough ASR preparation is almost always worthwhile.

Missing the ASR Deadline Has Serious Consequences

Failure to submit the ASR by the due date is a compliance breach that can result in membership suspension. A suspended membership means you cannot access classified Defence information, sponsor security clearances, or fulfil your obligations under Defence contracts that require DISP membership. DISP provides reminder notifications, but the responsibility for timely submission rests with the member.

The Four ASR Sections

The ASR covers all four DISP security domains. The depth of reporting required in each section scales with your membership level — Entry level members have simpler requirements in the physical security section, for example, while Level 1 and above members must address zone certification compliance.

Security Governance

Attest that your Security Management Plan and Security Incident Response Plan remain current and have been reviewed during the reporting period. Report any significant changes to your organisation's governance structure, key security personnel, or security policies.

  • SMP and SIRP reviewed and updated
  • Security awareness training completed for all staff
  • Key security personnel (CSO, SO) confirmed or updated
  • Any significant organisational changes reported

Personnel Security

Confirm that your employment screening processes remain aligned with AS 4811:2022. Report any personnel security incidents, changes to security clearance holdings, or significant changes to your workforce that affect your personnel security posture.

  • Employment screening processes confirmed compliant with AS 4811:2022
  • Security clearance holdings current and accurate
  • Any personnel security incidents reported
  • Insider threat management processes confirmed active

Physical Security

For Level 1 and above members, attest that your certified secure zones remain compliant with ASIO zone certification requirements. Report any physical security incidents, changes to your facilities, or changes to access control arrangements.

  • Secure zone certification current (Level 1+)
  • Access control systems operational and audited
  • Physical security incidents reported
  • Any facility changes notified to DISP

ICT and Cyber Security

Complete the Cyber Security Questionnaire (CSQ) Part B, self-attesting your Essential Eight Maturity Level 2 compliance across all eight strategies. Report any cyber security incidents, significant changes to your ICT environment, and progress against your Maturity Action Plan if one is in place.

  • CSQ Part B completed (107 ML2-aligned questions)
  • E8 ML2 compliance self-attested across all eight strategies
  • Cyber security incidents reported
  • MAP progress reported (if applicable)

The Cyber Security Section: Essential Eight ML2 Self-Attestation

The cyber security section of the ASR is the most technically demanding component. It requires you to complete the Cyber Security Questionnaire (CSQ) Part B — 107 ML2-aligned control questions covering all eight Essential Eight mitigation strategies — and self-attest your compliance with Essential Eight Maturity Level 2 across your ICT corporate systems.

For the 2026 ASR cycle, all DISP members must be able to self-attest full E8 ML2 compliance across all eight strategies. The transition period that allowed members to report against the legacy Top 4 strategies ended on 15 November 2025. Members who cannot yet attest full ML2 compliance must report their current maturity level honestly and provide an updated Maturity Action Plan with realistic timelines for achieving full compliance.

The CSQ is a self-assessment, but DISP may verify your responses through an Ongoing Suitability Assessment or Deep Dive Audit. Responses that cannot be supported by evidence — configuration baselines, patch management records, MFA deployment logs, backup test results — will create problems during any subsequent assessment. The quality of your evidence is as important as the accuracy of your responses.

Preparing for Your ASR: A Six-Month Timeline

Effective ASR preparation is not a last-minute exercise. Organisations that start preparing three to six months before their due date consistently produce better ASRs and encounter fewer problems. The following timeline provides a practical framework for ASR preparation.

3 months before

Review Your Current Security Posture

Begin by reviewing your security posture across all four domains. Identify any gaps or changes since your last ASR. If you have a Maturity Action Plan in place, review your progress against it and update your timeline. This is also the time to schedule any internal security reviews or audits that need to be completed before the ASR.

2 months before

Conduct Your Essential Eight Assessment

Complete a thorough Essential Eight assessment across your ICT corporate systems. Document your maturity level for each of the eight strategies with supporting evidence. If you have made improvements since your last ASR, ensure those improvements are documented and the evidence is ready to support your CSQ responses. Identify any remaining gaps and update your Maturity Action Plan.

6 weeks before

Update Your Governance Documentation

Review and update your Security Management Plan and Security Incident Response Plan. Ensure they reflect any changes to your organisation, facilities, or security arrangements that occurred during the reporting period. Confirm that all security awareness training has been completed for the year and that records are up to date.

4 weeks before

Compile Evidence and Supporting Documentation

Gather the evidence that supports your ASR responses. For the cyber security section, this includes patch management records, MFA deployment logs, application control configurations, backup test results, and privileged access reviews. For personnel security, this includes screening records and clearance status confirmations. Having this evidence ready before you start the ASR submission makes the process significantly faster.

2 weeks before

Complete the ASR Draft

Complete a draft of the ASR, including the CSQ Part B. Review each response carefully to ensure it accurately reflects your current security posture and is supported by the evidence you have compiled. Have the draft reviewed by your CSO and, if applicable, your DISP consultant before finalising.

Due date

Submit via the DISP Member Portal

Submit your completed ASR via the DISP Member Portal on or before your due date. Ensure the submission is made by an authorised representative of your organisation — typically the CSO or SO. Keep a copy of the submitted ASR and any confirmation received from DISP for your records.

What Triggers an OSA or DDA After Your ASR?

Submitting your ASR does not guarantee that DISP will simply accept it and move on. DISP uses the ASR to identify members that may warrant further scrutiny through an Ongoing Suitability Assessment (OSA) or Deep Dive Audit (DDA). Understanding what triggers these assessments helps you prepare accordingly.

Significant cyber security gaps

Reporting an E8 maturity level significantly below ML2, or reporting a large number of gaps in your CSQ responses, is likely to trigger an OSA to verify your Maturity Action Plan and assess your remediation progress.

Reported security incidents

Reporting a significant security incident — particularly a cyber security incident or a physical security breach — will typically trigger follow-up from DISP to understand the incident, its impact, and the remediation steps taken.

Significant organisational changes

Reporting major changes to your organisation — such as a change of ownership, a significant change in your workforce, or a change in your facilities — may trigger an OSA to assess the impact of those changes on your security posture.

Inconsistencies in your ASR

ASR responses that appear inconsistent with previous reports, or that contain internal inconsistencies, may prompt DISP to request clarification or conduct an OSA to verify the accuracy of your self-attestation.

DISPulse

Make Your ASR Preparation Effortless

DISPulse is Australia's first GRC platform built specifically for DISP compliance. It tracks your Essential Eight maturity across all eight strategies, maintains your evidence library, and generates ASR-ready evidence packs at the click of a button — so you are always ready for your annual submission.