DISP COMPLIANCE AUSTRALIA
What DISP compliance means, what the four security domains require, and how to achieve and maintain compliance as an Australian defence supplier.
WHAT IS DISP COMPLIANCE?
Governed by the Defence Security Principles Framework (DSPF), Principle 16, Control 16.1.
DISP compliance means an organisation meets all security requirements of the Defence Industry Security Program (DISP) at its membership level — and continues to meet those requirements on an ongoing basis. It is not a one-time certification. It is a continuous compliance status that must be actively maintained through annual reporting, security management, and proactive notification of material changes to DISO.
DISP compliance is structured around four security domains: personnel security, physical security, information and cyber security, and industrial security. Each domain has specific requirements that scale with the membership level — from Baseline (access to PROTECTED information) through to Positive Vetting (access to the most sensitive national security information).
The consequences of non-compliance are severe. DISO can suspend or cancel DISP membership at any time, immediately disqualifying the organisation from holding Defence contracts that require DISP membership. A cancelled membership can result in contract termination, loss of revenue, and reputational damage that is difficult to recover from in the defence supply chain.
Continuous Compliance Obligations
Submit the ASR to DISO each year documenting your security posture, incidents, personnel changes, and compliance across all four domains.
Maintain Essential Eight Maturity Level 2 compliance across all in-scope ICT systems. DISO may verify this through Deep Dive Audits at any time.
Notify DISO within required timeframes of ownership changes, key personnel changes, new facilities, or significant changes to ICT or Defence work scope.
Track and renew AGSVA clearances for the Security Officer, Facility Security Officer, and all cleared personnel before they expire.
Report security incidents to DISO within the required 72-hour window. Failure to report is itself a compliance breach.
THE FOUR DISP SECURITY DOMAINS
Personnel Security
Managing security clearances for the Security Officer (SO), Facility Security Officer (FSO), and all personnel with access to classified information. Includes insider threat management, security awareness training, and pre-employment screening. Clearance levels must match the classification of information accessed — Baseline for PROTECTED, NV1 for SECRET, NV2 for TOP SECRET.
Physical Security
Protecting facilities, secure areas, and physical access to classified information and assets. Requirements include access control systems, CCTV, secure storage for classified documents and media, and physical security inspections. At NV1 and above, a Secure Working Area (SWA) configured to DSPF standards is required.
Information & Cyber Security
Implementing Essential Eight Maturity Level 2 across all in-scope ICT systems, meeting ISM control requirements, maintaining an IRAP-assessed ICT environment, and complying with incident reporting obligations. Since October 2024, ML2 is the mandatory minimum for all DISP Baseline members. ICT systems handling SECRET information require additional controls.
Industrial Security
Managing subcontractor compliance, contract security obligations, and Defence-specific industrial security requirements. Includes ensuring subcontractors with access to classified information hold appropriate DISP membership, managing Defence contract security requirements, and complying with export control obligations under ITAR and the Defence Export Controls framework.
CONSEQUENCES OF DISP NON-COMPLIANCE
Compliance Notice
DISO issues a formal compliance notice requiring the organisation to remediate identified gaps within a specified timeframe. Failure to remediate leads to suspension.
Membership Suspension
DISO suspends DISP membership, preventing the organisation from performing classified Defence work. Contracts may be suspended pending remediation.
Membership Cancellation
DISO cancels DISP membership. The organisation is immediately disqualified from holding Defence contracts requiring DISP. Re-application is required and is not guaranteed.
DISP COMPLIANCE — FREQUENTLY ASKED QUESTIONS
5 key questions about DISP compliance in Australia.
What does DISP compliance mean?
DISP compliance means an organisation meets all security requirements of the Defence Industry Security Program (DISP) at its membership level. This covers four security domains: personnel security, physical security, information and cyber security, and industrial security. Compliance is not a one-time achievement — it is a continuous obligation that must be actively maintained through annual reporting, ongoing security management, and proactive notification of material changes to DISO.
What are the four DISP security domains?
The four DISP security domains are: (1) Personnel Security — managing clearances, insider threat, and security awareness for all relevant staff; (2) Physical Security — protecting facilities, secure areas, and physical access to classified information; (3) Information and Cyber Security — implementing Essential Eight ML2 controls, ISM requirements, and incident reporting obligations; and (4) Industrial Security — managing subcontractor compliance, contract obligations, and Defence-specific industrial security requirements.
What happens if you fail DISP compliance?
Failure to maintain DISP compliance can result in DISO issuing a compliance notice, suspending membership, or cancelling membership entirely. Cancellation immediately disqualifies the organisation from holding Defence contracts that require DISP membership, resulting in potential contract termination and loss of revenue. DISO may also conduct unannounced Deep Dive Audits to verify compliance at any time.
How often do you need to report to DISO?
DISP members must submit an Annual Security Report (ASR) to DISO every year. The ASR documents the organisation's security posture across all four domains, any security incidents that occurred during the year, changes to key personnel or facilities, and the organisation's compliance with all DISP obligations. In addition, members must notify DISO of material changes (ownership, key personnel, facilities, ICT) within required timeframes throughout the year.
What is a DISP Deep Dive Audit?
A DISP Deep Dive Audit is an unannounced or scheduled assessment conducted by DISO to verify that a DISP member is actually compliant with its stated security posture. Audits can cover any or all of the four security domains. DISO typically triggers a Deep Dive Audit following a security incident, an ASR that raises concerns, or as part of a random compliance verification program. Organisations that fail a Deep Dive Audit may receive a compliance notice or have their membership suspended.
ACHIEVE DISP COMPLIANCE WITHOUT THE RISK.
Book a free DISP Compliance Assessment. We'll map your current posture against all four security domains and give you a clear remediation roadmap.