A Note on Rejection Statistics
You may have seen claims about DISP application rejection rates. While the Department of Defence does not publish official rejection statistics, our experience across more than 50 DISP engagements — and the consistent patterns we observe in applications that struggle — tells us that a significant proportion of first-attempt applications require substantial additional work before membership is granted. The good news: every failure pattern we have seen is preventable with the right preparation.
Why DISP Applications Fail
The DISP application process is more demanding than many organisations expect. It requires comprehensive documentation across four security domains, technical evidence of cyber security maturity, and a credible demonstration of genuine business need. Organisations that approach the application as a form-filling exercise — rather than as a substantive security assessment — consistently encounter problems.
The most important thing to understand is that DISP assessors are experienced security professionals. They can quickly identify generic documentation that has not been tailored to the organisation, inconsistencies between different parts of the application, and cyber security questionnaire responses that do not reflect a genuine understanding of the controls described. Attempting to present a more favourable picture than reality supports is counterproductive — it leads to additional assessment rounds, delays, and ultimately a worse outcome than honest disclosure would have produced.
The following sections describe the eight most common reasons DISP applications are rejected or significantly delayed, along with practical guidance on how to avoid each one.
Inadequate or Incomplete Governance Documentation
Very Common
The Security Management Plan (SMP) and Security Incident Response Plan (SIRP) are foundational documents for any DISP application. Applications frequently fail because these documents are missing, incomplete, or clearly generic templates that have not been tailored to the organisation's specific context, operations, and risk environment.
How to avoid this:
Develop your SMP and SIRP from scratch, tailored to your organisation. They must address your specific facilities, personnel, information handling practices, and incident response capabilities. Generic templates downloaded from the internet will not pass DISP scrutiny. Have the documents reviewed by a DISP-experienced consultant before submission.
Cyber Security Posture Below Essential Eight ML2
Very Common
Since the 30 September 2024 uplift requirement, all DISP applicants must demonstrate Essential Eight Maturity Level 2 across their ICT corporate systems. Many organisations submit applications assuming their existing IT security practices will satisfy this requirement, only to discover significant gaps during the Cyber Security Questionnaire assessment.
How to avoid this:
Conduct a formal Essential Eight gap assessment before submitting your application. Identify specific gaps across all eight strategies and develop a Maturity Action Plan with realistic timelines. You do not need to achieve full ML2 before applying — DISP can issue a MAP and place you in an uplift program — but you must demonstrate a credible, documented path to compliance.
Insufficient Business Need Justification
Common
DISP membership requires a genuine business need. Applications that cannot demonstrate a current or upcoming Defence contract, a letter of endorsement from a Defence Contract Manager, or a sponsoring entity letter are typically rejected. Vague statements about 'wanting to work with Defence in the future' are not sufficient.
How to avoid this:
Secure a concrete business need justification before applying. If you have a current contract, obtain a Notice of Engagement from your Contract Manager. If you are about to engage in a contract, request a letter of endorsement. If you are a subcontractor, ask the prime contractor to provide a sponsoring entity letter.
Nominated Personnel Unable to Obtain Security Clearances
Common
DISP requires that a Director or senior executive can obtain an Australian Personnel Security Clearance commensurate with the membership level applied for. Applications fail when the nominated individual has a history that makes clearance unlikely, or when the organisation has not initiated the clearance process early enough to meet application timelines.
How to avoid this:
Identify your nominated CSO and SO early and assess their suitability for security clearance before submitting your application. Initiate the clearance application process as early as possible — clearance processing times can add months to your DISP timeline. If there are any concerns about a nominee's suitability, address them proactively.
Physical Security Deficiencies (Level 1 and Above)
Common for Level 1+
For Level 1 and above applications, DISP requires certified secure zones for handling classified information. Applications fail when organisations have not obtained ASIO zone certification, when their facilities do not meet the physical security requirements for the classification level applied for, or when their physical security documentation is incomplete.
How to avoid this:
Engage with ASIO's Protective Security team early in the process to understand zone certification requirements for your facility. Zone certification can take 6 to 12 months and is a common bottleneck in Level 1 and above applications. Do not submit your DISP application until you have a clear pathway to zone certification.
Applying for the Wrong Membership Level
Moderate
Applications sometimes fail because the organisation has applied for a higher membership level than their contracts require, without being able to justify the need for that level. Conversely, some organisations apply for a lower level than their contracts specify, creating a compliance gap that DISP will identify during assessment.
How to avoid this:
Review your contract documentation carefully and confirm the required DISP membership level with your Defence Contract Manager before applying. If you are applying speculatively (without a current contract), be conservative and apply for the level most likely to be required by your target contracts.
Inconsistent or Contradictory Documentation
Moderate
Applications that contain internal inconsistencies — for example, a Security Management Plan that describes controls that are contradicted by the Cyber Security Questionnaire responses, or personnel documentation that does not align with the organisation chart — raise credibility concerns and typically result in additional assessment rounds or rejection.
How to avoid this:
Review all application documents together before submission to ensure consistency. Cross-reference your SMP, CSQ responses, personnel documentation, and physical security documentation to confirm they present a coherent and accurate picture of your organisation's security posture.
Failure to Disclose Material Information
Serious
DISP applications require full disclosure of material information about the organisation, its ownership, its financial position, and any security incidents or adverse findings. Failure to disclose material information — whether intentional or inadvertent — is treated very seriously and can result in rejection and potential exclusion from future applications.
How to avoid this:
Be transparent and comprehensive in your application. If you are unsure whether something needs to be disclosed, err on the side of disclosure. DISP assessors are experienced at identifying omissions, and the consequences of non-disclosure are far more serious than the consequences of disclosing a minor adverse finding.
What Happens After a Rejection
A DISP application rejection is not the end of the road. DISP will typically provide feedback identifying the specific deficiencies that led to the rejection. This feedback is valuable — it gives you a clear roadmap for remediation and reapplication.
The time required to address a rejection depends entirely on the nature of the deficiencies. Documentation gaps can often be remediated within weeks. Cyber security uplift to achieve Essential Eight ML2 typically takes three to six months, depending on your starting point and the resources you can commit to the uplift. Physical security zone certification can take six to twelve months. Personnel security clearance delays are largely outside your control and can add months to the timeline.
Organisations that receive a rejection should treat it as a structured improvement opportunity rather than a setback. The most effective approach is to engage a DISP-experienced consultant to review the rejection feedback, develop a detailed remediation plan, and provide oversight during the remediation process to ensure the reapplication addresses all identified deficiencies comprehensively.
The Pre-Application Checklist
Before submitting a DISP application, work through the following checklist to identify any gaps that need to be addressed:
Get Your Application Right the First Time
DISPath is Serious Defence's structured DISP application workflow. Our team has guided more than 50 organisations through the DISP process, and we know exactly what assessors look for. We review your documentation, identify gaps before submission, and provide expert oversight throughout the application process.