
DISP Security Management Plan: What DISO Actually Requires
The Security Plan is the most critical document in your DISP application. It is the primary evidence DISO uses to assess whether your organisation genuinely understands and manages its security obligations. A poorly written Security Plan is the single most common reason DISP applications are returned.
What Is a DISP Security Management Plan?
A DISP Security Management Plan — referred to by DISO as the Security Plan (SP) — is a mandatory document submitted as part of the DISP membership application. It is the primary evidence document through which DISO assesses whether an applicant has identified its security risks and implemented appropriate controls.
The Security Plan must demonstrate compliance across all four DSPF security domains: Governance, Personnel Security, Physical Security, and Information and Cyber Security. It is not a policy document — it is an operational description of how your organisation actually manages security, supported by evidence of implemented controls.
DISO does not publish a mandatory template. However, the DISP Membership Application Guide and the Defence Security Principles Framework (DSPF) specify the content requirements. The Security Plan must be tailored to your organisation — generic templates that are not adapted to your specific operations, sites, and ICT systems will be returned.
The Security Plan is a living document. Once DISP membership is granted, the Security Plan must be maintained and updated to reflect changes in your organisation's operations, personnel, facilities, or ICT systems. DISO may request an updated Security Plan at any time, and the Annual Security Report (ASR) process requires you to confirm that the Security Plan remains current.
For organisations applying for NV1, NV2, or PV membership, the Security Plan requirements are significantly more demanding than for Baseline. Higher membership levels require more detailed physical security specifications, more stringent personnel security procedures, and a broader scope of ICT systems covered by the Essential Eight assessment.
The Security Plan is assessed by a DISO analyst. It is not an automated check. A well-written plan that demonstrates genuine security understanding will progress faster than a voluminous document that does not address the assessor's specific concerns.
What the Security Plan Must Cover
The Security Plan must address all four DSPF security domains. Each domain has specific DISO requirements.
Governance
- Organisation structure and security responsibilities
- CSO (Chief Security Officer) appointment and clearance level
- SO (Security Officer) appointment and clearance level
- Security risk management framework and methodology
- Security incident reporting procedures
- Security awareness training program
- Security policy framework and document hierarchy
- Subcontractor and supply chain security management
- DISO notification obligations and escalation procedures
Personnel Security
- Roles requiring AGSVA security clearances and clearance levels
- Pre-employment screening procedures
- Ongoing personnel security obligations (ongoing suitability)
- Foreign national access procedures
- Visitor management for cleared facilities
- Clearance management and renewal tracking
- Insider threat awareness and reporting
- Personnel security incident procedures
Physical Security
- Site description and facility classification (Zone 1–4)
- Perimeter and access control measures
- CCTV and intruder detection systems
- Secure storage for classified material (ASIO-approved containers)
- Clean desk and clear screen policy
- Visitor escort procedures within secure areas
- Key and access card management
- Emergency and evacuation procedures for classified material
Information and Cyber Security
- ICT system inventory and classification
- Essential Eight implementation status at ML2
- IRAP assessment scope and findings summary
- Network architecture and segmentation
- Data handling and classification procedures
- Removable media controls
- Cloud service usage and data sovereignty
- Cyber incident response procedures
- Annual Security Report (ASR) process
Why Security Plans Get Returned
ICT Scope Too Narrow or Too Vague
The Security Plan must specifically identify all systems used to process, store, or transmit Defence information and demonstrate that the Essential Eight assessment covers all in-scope systems. Plans that describe ICT systems generically ('we use standard office software') without specifying system types, operating systems, and cloud services are routinely returned.
Essential Eight Evidence Not Included
Stating that your organisation 'complies with the Essential Eight' without attaching or referencing the IRAP assessment report is insufficient. DISO requires evidence of the assessment, including the assessor's findings, the maturity level achieved for each control, and any remediation actions completed since the assessment.
Physical Security Below DSPF Standard
For Baseline DISP, facilities used to store or process PROTECTED information must meet DSPF Zone 2 or Zone 3 requirements. Plans that describe a standard commercial office without specifying access control measures, intruder detection, and secure storage for classified material will be returned. DISO may require a physical security inspection.
CSO and SO Not Named with Clearance Levels
The Governance section must name the appointed CSO and SO, confirm their AGSVA clearance levels, and describe their security responsibilities. Plans that refer to 'the security officer' without naming the individual or confirming their clearance status are returned immediately.
Generic Template Not Tailored to the Organisation
DISO assessors can identify generic templates that have not been adapted to the applicant's specific operations. Plans that contain placeholder text, describe facilities or systems that do not match the application, or use boilerplate language without organisational specifics are returned with a request for a complete resubmission.
Missing Subcontractor Security Provisions
If your organisation engages subcontractors who will access Defence information or facilities, the Security Plan must describe how you manage their security obligations — including whether they hold DISP membership themselves, how you verify their clearances, and how you manage access to classified material.
How to Write a DISP Security Plan
A structured approach to developing a Security Plan that passes DISO assessment on the first submission.
Scope Your Organisation
Before writing a single word, map your organisation's structure, sites, ICT systems, and personnel. Identify which sites will be used for Defence work, which systems will process Defence information, and which roles will require clearances. This scoping exercise is the foundation of every section of the Security Plan.
Commission Your IRAP Assessment
Engage an IRAP assessor endorsed by ASD (the ACSC) to assess your Essential Eight posture at ML2 across all in-scope ICT systems. The IRAP assessment report is a mandatory attachment to the Security Plan. Ensure the assessment is no older than 12 months at the time of submission and that all gaps it identified have been remediated before you submit.
Map Controls to DSPF Requirements
For each of the four security domains, map your existing controls to the relevant DSPF Principle 16 controls for your target membership level. Identify gaps and implement the required controls before writing the Security Plan — the plan should describe what you have done, not what you plan to do.
Draft Each Domain Section
Write each domain section with specificity. Name individuals, describe facilities with dimensions and access control specifications, list ICT systems with operating system versions, and reference your IRAP assessment findings. Avoid generic language — every statement should be verifiable by a DISO assessor.
Internal Review and Evidence Compilation
Review the completed Security Plan against the DISP Membership Application Guide checklist. Compile all supporting evidence — IRAP assessment report, facility floor plans, access control system documentation, clearance certificates for CSO and SO, and training records. Ensure all evidence is current and accurately referenced in the plan.
Submit and Respond to DISO Queries
Submit the Security Plan through the DISP Member Portal. DISO will assign an analyst who may request clarifications or additional evidence. Respond promptly and specifically — vague responses to DISO queries are a common cause of extended assessment timelines. Most first-attempt applications require at least one round of clarifications.
Frequently Asked Questions
What is a DISP Security Management Plan?
A DISP Security Management Plan (also called a Security Plan or SP) is a mandatory document submitted as part of the DISP membership application. It demonstrates to DISO that the applicant has identified its security risks and implemented controls across all four DSPF security domains: Governance, Personnel Security, Physical Security, and Information and Cyber Security.
Is there an official DISP Security Plan template?
DISO does not publish a mandatory template for the Security Plan. However, DISO provides guidance on the required content through the DISP Membership Application Guide and the Defence Security Principles Framework (DSPF). The Security Plan must address all four security domains and demonstrate how the applicant meets the relevant DSPF controls for their membership level.
How long does a DISP Security Plan need to be?
There is no prescribed length. A well-structured Security Plan for a Baseline DISP application typically runs 30–80 pages, depending on the complexity of the organisation's operations, the number of sites, and the scope of ICT systems. Quality and completeness matter far more than length — DISO reviewers are looking for evidence of genuine security understanding, not volume.
What are the most common Security Plan rejection reasons?
The most common reasons DISO returns or rejects a Security Plan are: (1) Insufficient detail on ICT system scope and Essential Eight controls; (2) Physical security descriptions that do not meet DSPF requirements for the membership level; (3) Missing or incomplete personnel security procedures; (4) Governance section that does not name the CSO and SO with their clearance levels; (5) Failure to address all four DSPF security domains.
Can I use a generic ISO 27001 security policy as my DISP Security Plan?
No. An ISO 27001 Information Security Policy is not equivalent to a DISP Security Plan. The DISP Security Plan must specifically address the DSPF control requirements, the Essential Eight at ML2, AGSVA clearance procedures, and physical security standards for PROTECTED-level facilities. Generic ISO 27001 documentation will not satisfy DISO's assessment criteria.
Need a Security Plan that passes DISO?
Serious Defence writes DISP Security Plans that are tailored to your organisation, aligned to DSPF requirements, and designed to pass DISO assessment on the first submission. We have a 100% first-attempt approval rate for Security Plans we write.