
DISP vs ISO 27001: Which Framework Does Your Defence Business Need?
Australian defence contractors frequently ask whether DISP membership or ISO 27001 certification is the right investment. The answer depends on your contracts, your markets, and your maturity — but for most defence suppliers, the answer is DISP first.
Understanding Each Framework
Defence Industry Security Program
DISP is a membership-based program administered by the Australian Department of Defence's Defence Industry Security Office (DISO). It is the mandatory gateway for any entity seeking to access classified Defence information, facilities, or systems. DISP is underpinned by the Defence Security Principles Framework (DSPF), Principle 16.
DISP covers four security domains: Governance, Personnel Security, Physical Security, and Information and Cyber Security. The cyber security component requires compliance with the ACSC's Essential Eight at Maturity Level 2, assessed by an IRAP assessor.
DISP membership is issued at four levels — Baseline, NV1, NV2, and PV — each corresponding to the classification level of information the member can access. Most defence supply chain work requires Baseline membership.
ISO/IEC 27001:2022 Information Security Management
ISO 27001 is an internationally recognised standard for information security management systems (ISMS), published by the International Organization for Standardization. Certification is issued by accredited third-party certification bodies and is valid for three years, with annual surveillance audits.
ISO 27001 takes a risk-based approach, requiring organisations to identify information security risks and implement controls from Annex A (ISO 27002) to address them. The standard covers 93 controls across four themes: Organisational, People, Physical, and Technological.
ISO 27001 is widely recognised in commercial, financial services, healthcare, and international markets. It is not required by DISO and does not substitute for DISP, but it signals a mature security posture to enterprise clients and international partners.
Head-to-Head Comparison
Key differences across the dimensions that matter most to Australian defence contractors.
| Dimension | DISP | ISO 27001 |
|---|---|---|
| Administered by | Australian Dept of Defence (DISO) | Accredited certification bodies (e.g. BSI, SAI Global) |
| Mandatory for Defence? | Yes — required for classified access | No — voluntary certification |
| Cyber framework | Essential Eight at ML2 (ACSC) | Annex A controls (ISO 27002) |
| Assessment body | IRAP assessor (ACSC-certified) | ISO 27001 lead auditor (accredited CB) |
| Clearance requirement | Personnel clearances (AGSVA) | None |
| Physical security | DSPF-compliant facilities required | Physical controls in Annex A (risk-based) |
| Renewal cycle | Annual Security Report (ASR) | 3-year certification, annual surveillance |
| Cost range (SME) | $30,000–$100,000 to achieve | $20,000–$60,000 to achieve |
| International recognition | Australia only | Globally recognised |
| Government recognition | Required by DISO | Not recognised by DISO as DISP substitute |
| Scope | Four DSPF security domains | Information assets (risk-based scope) |
| Audit frequency | DISO Deep Dive Audits (random) | Annual surveillance + 3-year recertification |
Where the Frameworks Overlap
Significant control overlap exists between DISP's Essential Eight and ISO 27001's Annex A — meaning work done for one framework reduces effort for the other.
Note: ISO 27001 Annex A references are from ISO/IEC 27001:2022. High overlap means the control evidence gathered for DISP can be directly reused for ISO 27001 certification with minimal additional work.
Which Do You Need?
The right answer depends on your current contracts, target markets, and security maturity.
If your business exclusively targets Australian Defence contracts, DISP is the only mandatory requirement. ISO 27001 adds cost and complexity without a corresponding Defence contract benefit.
If you serve both Defence and international or large enterprise clients, pursue DISP first to unlock Defence contracts, then use the ISMS you build for DISP as the foundation for ISO 27001 certification. The overlap is significant — you will not be starting from scratch.
If you have no current Defence contracts and are targeting international or commercial markets, ISO 27001 is the appropriate framework. DISP is not relevant without a Defence contract requirement.
Cost Comparison for SMEs
Indicative cost ranges for Australian SMEs (10–200 employees) achieving each framework from a low security maturity baseline.
Cost ranges are indicative for Australian SMEs. Actual costs vary significantly based on organisation size, existing security maturity, ICT complexity, and the scope of physical security upgrades required. Source: Serious Defence client engagements, 2024–2026.
Frequently Asked Questions
Do I need DISP or ISO 27001 to work with the Australian Department of Defence?
DISP membership is the mandatory requirement for entities accessing classified Defence information, facilities, or systems. ISO 27001 is not required by DISO and does not substitute for DISP. However, ISO 27001 certification can accelerate your DISP application by demonstrating a mature information security management system.
Can ISO 27001 replace the Essential Eight requirement for DISP?
No. DISO requires an IRAP assessment against the Essential Eight at Maturity Level 2 as a mandatory component of DISP membership. ISO 27001 uses a different control set (Annex A / ISO 27002) and does not satisfy the Essential Eight requirement. You must complete both if you hold ISO 27001 and are applying for DISP.
Which framework is harder to achieve — DISP or ISO 27001?
They are different in nature. DISP is a government-administered membership program with specific clearance, physical security, and Essential Eight requirements. ISO 27001 is an internationally recognised certification with a broader, risk-based scope. DISP is generally more prescriptive and operationally demanding for SMEs; ISO 27001 is more process-intensive and documentation-heavy.
Does having ISO 27001 reduce the cost of DISP membership?
Indirectly, yes. If your ISO 27001 ISMS is mature, your documentation, risk register, and control evidence will be largely ready for the DISP Security Plan. This reduces the consulting and preparation cost. However, you will still need a separate IRAP assessment for the Essential Eight, which is the primary cost driver for DISP.
Should I get ISO 27001 before or after DISP?
For most defence SMEs, DISP should come first — it is the mandatory gateway to Defence contracts. ISO 27001 is valuable for international credibility and larger enterprise clients. If you are targeting both Defence and commercial/international markets, pursue DISP first, then use the ISMS you build for DISP as the foundation for ISO 27001 certification.
Not sure which framework your business needs?
Serious Defence provides independent framework assessments for Australian defence contractors. We'll map your current contracts, target markets, and security maturity to give you a clear recommendation — DISP, ISO 27001, or both.