DISP Requirements Checklist
The complete control register for DISP membership across all four security domains. Use this checklist to assess your readiness before submitting to DISO.
How to Use This Checklist
This checklist maps the control requirements for DISP membership across all four security domains and the application submission process. Each control is tagged with the minimum membership level at which it applies. Use this register to conduct a structured self-assessment of your current security posture before engaging with DISO.
This checklist reflects the DISP requirements as at April 2026, including the November 2025 Essential Eight Maturity Level 2 (ML2) uplift. Entities that held DISP membership under the previous ML1 baseline must review the ICT security domain carefully — the ML2 requirements represent a significant uplift for most organisations.
A gap against any control tagged for your target membership level is a potential rejection point. Prioritise gaps by severity: missing governance documentation and ICT security gaps are the most common rejection reasons. Physical security gaps at Level 2 and above require the longest lead time to remediate.
Governance & Security Management
| ID | Control Requirement | Level | Status |
|---|---|---|---|
| G1 | Security Officer (SO) appointed — Australian citizen, no conflicting roles | ALL | |
| G2 | Deputy Security Officer (DSO) nominated for continuity | L1+ | |
| G3 | Security Management Plan (SMP) developed and approved by senior management | ALL | |
| G4 | SMP aligned to Defence Security Principles Framework (DSPF) | ALL | |
| G5 | Security risk assessment conducted and treatment register maintained | ALL | |
| G6 | Security awareness training programme established and records maintained | ALL | |
| G7 | Incident reporting procedures documented — DSOC contact protocols defined | ALL | |
| G8 | Annual security review and self-assessment schedule established | ALL | |
| G9 | Change management process for SMP updates documented | L1+ | |
| G10 | FOCI (Foreign Ownership, Control, or Influence) declaration prepared | ALL | |
| G11 | FOCI mitigation plan developed (if foreign connections exist) | L2+ | |
DISPath provides SMP templates, governance frameworks, and DSPF-aligned documentation workflows for all membership levels.
Personnel Security
| ID | Control Requirement | Level | Status |
|---|---|---|---|
| P1 | Pre-employment screening procedures documented and aligned to AGSVA standards | ALL | |
| P2 | Identity verification process established (100-point check equivalent) | ALL | |
| P3 | Criminal history check procedures documented | ALL | |
| P4 | Employment history verification procedures established | ALL | |
| P5 | Foreign contact reporting procedure documented and communicated to all personnel | L1+ | |
| P6 | Foreign travel reporting procedure documented and communicated | L1+ | |
| P7 | Insider threat awareness programme established | L1+ | |
| P8 | Security clearance records management system in place | L1+ | |
| P9 | Procedures for handling clearance suspensions and revocations documented | L1+ | |
| P10 | Ongoing suitability assessment procedures for cleared personnel | L2+ | |
| P11 | Annual security awareness training for all personnel with classified access | L1+ | |
| P12 | Training completion records maintained and available for DISO review | ALL | |
DISPulse tracks personnel security compliance, training records, foreign contact reporting, and clearance status in real time.
Physical Security
| ID | Control Requirement | Level | Status |
|---|---|---|---|
| PH1 | Facility security assessment conducted and documented | ALL | |
| PH2 | Security zone classification established (public, restricted, controlled) | ALL | |
| PH3 | Access control system implemented for restricted and controlled areas | ALL | |
| PH4 | Visitor management and escort procedures documented | ALL | |
| PH5 | CCTV coverage of controlled areas — specifications documented | L1+ | |
| PH6 | Intruder detection system installed — alarm response procedures documented | L1+ | |
| PH7 | Secure storage for PROTECTED material — GSA-approved container or equivalent | L1+ | |
| PH8 | Physical security inspection schedule established | ALL | |
| PH9 | Key and access card management procedures documented | L1+ | |
| PH10 | SCIF or equivalent secure area constructed to Defence standards | L2+ | |
| PH11 | SCIF construction documentation and Defence approval obtained | L2+ | |
| PH12 | Emanations security (TEMPEST) assessment completed | L3 | |
DISPath includes physical security assessment templates and facility security planning workflows aligned to DSPF zone classification requirements.
ICT Security — Essential Eight ML2
| ID | Control Requirement | Level | Status |
|---|---|---|---|
| ICT1 | Application control implemented — only approved applications can execute | ALL | |
| ICT2 | Application patching — internet-facing within 48hrs, others within 2 weeks | ALL | |
| ICT3 | Microsoft Office macro settings configured — macros blocked or signed only | ALL | |
| ICT4 | User application hardening — web browser, PDF reader, office suite hardened | ALL | |
| ICT5 | Administrative privileges restricted — no internet browsing from admin accounts | ALL | |
| ICT6 | OS patching — critical vulnerabilities within 48hrs, others within 1 month | ALL | |
| ICT7 | Phishing-resistant MFA on all internet-facing services | ALL | |
| ICT8 | MFA for all privileged users and all users of cloud services | ALL | |
| ICT9 | Regular backups — daily backups, tested restoration, offline/immutable copy | ALL | |
| ICT10 | Essential Eight ML2 assessment report — current (within 12 months) | ALL | |
| ICT11 | Assessment conducted by qualified assessor (IRAP preferred for L2+) | L2+ | |
| ICT12 | Network segmentation implemented — PROTECTED workloads isolated | L1+ | |
| ICT13 | Audit logging enabled and log retention policy documented | L1+ | |
| ICT14 | Incident response plan documented — DSOC notification procedures included | ALL | |
| ICT15 | Vulnerability management programme established and documented | L1+ | |
DISPeer provides a sovereign, Australian-hosted cloud environment pre-configured to align with DISP ICT security requirements — eliminating the Essential Eight ML2 build burden.
Application Package — Submission Readiness
| ID | Control Requirement | Level | Status |
|---|---|---|---|
| APP1 | DISP membership application form completed via Defence Supplier Portal (DSP) | ALL | |
| APP2 | Security Management Plan — current, approved, version-controlled | ALL | |
| APP3 | Essential Eight ML2 assessment report attached | ALL | |
| APP4 | Physical security assessment documentation attached | ALL | |
| APP5 | Personnel security screening procedures and training records attached | ALL | |
| APP6 | Security Officer and Deputy Security Officer details confirmed | ALL | |
| APP7 | FOCI declaration completed — foreign connections disclosed | ALL | |
| APP8 | All evidence current — no artefacts older than 12 months | ALL | |
| APP9 | Pre-submission review completed against DISO application checklist | ALL | |
| APP10 | Security Officer briefed and prepared for DISO assessment interview | ALL | |
DISPath's pre-submission review workflow validates your complete application package against the DISO checklist before you submit — preventing avoidable rejections.
From Checklist to Accreditation
Completing this checklist gives you a point-in-time view of your DISP readiness. But a checklist alone does not get you accredited — you need documented evidence for every control, a current Security Management Plan, and a Security Officer who can defend your posture in a DISO assessment interview.
The most effective path from checklist to accreditation is a structured readiness programme that converts your gap register into a prioritised remediation plan with defined milestones, responsible owners, and measurable outcomes. This is what DISPath is built to do.
Assess
Run a structured gap assessment against this checklist. Identify which controls are implemented, partially implemented, or missing. Generate a prioritised remediation register.
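An added example, not part of the page or of any DISPath product: a small Python gap-register builder that performs the Assess step against the checklist tables above, using the page's own level tags (ALL, L1+, L2+, L3) and its triage rule (governance and ICT gaps first, physical gaps at Level 2+ second). It assumes membership levels are the integers 0 to 3 and that any control ID absent from the status map is missing.

```python
import re

# Constructed sample of rows copied from the tables above, in the page's own
# markdown-table layout; paste the complete tables here to assess every control.
CHECKLIST_MD = """
| G1 | Security Officer (SO) appointed — Australian citizen, no conflicting roles | ALL | |
| G11 | FOCI mitigation plan developed (if foreign connections exist) | L2+ | |
| P10 | Ongoing suitability assessment procedures for cleared personnel | L2+ | |
| PH7 | Secure storage for PROTECTED material — GSA-approved container or equivalent | L1+ | |
| PH10 | SCIF or equivalent secure area constructed to Defence standards | L2+ | |
| PH12 | Emanations security (TEMPEST) assessment completed | L3 | |
| ICT7 | Phishing-resistant MFA on all internet-facing services | ALL | |
| ICT11 | Assessment conducted by qualified assessor (IRAP preferred for L2+) | L2+ | |
"""

# Table row: "| <domain><number> | <requirement> | ALL or L<n> or L<n>+ | ... |"
ROW_RE = re.compile(r"^\|\s*([A-Z]+)(\d+)\s*\|\s*(.+?)\s*\|\s*(ALL|L\d\+?)\s*\|")

def parse_rows(markdown: str) -> list:
    rows = []
    for line in markdown.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            domain, num, requirement, tag = m.groups()
            rows.append({"id": domain + num, "domain": domain, "requirement": requirement, "level": tag})
    return rows

def level_applies(tag: str, target: int) -> bool:
    """ALL applies at every level; 'Ln+' means level n or higher; 'Ln' means exactly n."""
    if tag == "ALL":
        return True
    n = int(tag[1])
    return target >= n if tag.endswith("+") else target == n

def priority(row: dict, target: int) -> int:
    """Page's triage rule: governance/ICT gaps first, physical gaps at Level 2+ second, rest last."""
    if row["domain"] in ("G", "ICT"):
        return 1
    return 2 if row["domain"] == "PH" and target >= 2 else 3

def build_gap_register(markdown: str, status: dict, target: int) -> list:
    """In-scope controls not fully implemented, ordered by priority, then missing before partial."""
    gaps = []
    for row in parse_rows(markdown):
        state = status.get(row["id"], "missing")  # assumption: unlisted IDs are missing
        if level_applies(row["level"], target) and state != "implemented":
            gaps.append({**row, "status": state, "priority": priority(row, target)})
    return sorted(gaps, key=lambda g: (g["priority"], g["status"] != "missing", g["id"]))
```

Status values are `implemented`, `partial` or `missing`; call `build_gap_register(CHECKLIST_MD, status_map, target=2)` to list the controls that would block a Level 2 application.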
Remediate
Implement missing controls. DISPeer handles ICT security. DISPulse tracks compliance posture across all four domains. DISPath guides governance and documentation.
Certify
Assemble your application package, complete the pre-submission review, and submit through the Defence Supplier Portal with confidence. DISPath guides you through every step.
DISP Compliance Australia
Full guide to DISP requirements, security domains, and membership levels.
How to Get DISP Membership
Step-by-step operational guide from gap assessment to DISO accreditation.
DISP Consulting vs Software
Compare traditional consulting with technology-enabled compliance approaches.
Why Applications Fail
Analysis of the most common DISO rejection reasons and how to avoid them.