Application Guide
Updated April 2026

Complete Guide to DISP Membership Application in Australia (2026)

Applying for Defence Industry Security Program (DISP) membership is a structured, multi-stage process that requires careful preparation across four security domains. This guide walks you through every step — from confirming eligibility to receiving your membership certificate.

  • 4 membership levels
  • 4 security domains
  • Free: no membership fee
  • 107 CSQ questions (Part B)

What Is DISP and Why Does It Matter?

The Defence Industry Security Program (DISP) is the Australian Government's framework for managing security obligations across the defence industry supply chain. Administered by the Department of Defence under the Defence Security Principles Framework (DSPF) Principle 16, Control 16.1, DISP provides a structured pathway for Australian entities to demonstrate that they can responsibly handle defence information and assets.

DISP membership is not simply a compliance checkbox. It is a signal to Defence and to prime contractors that your organisation has the governance, personnel, physical, and cyber security controls in place to participate safely in the defence supply chain. For many contracts — particularly those involving access to classified information or the ability to sponsor security clearances — DISP membership is a contractual requirement.

Beyond contractual requirements, DISP membership opens doors. Members gain access to Defence security services, security training and materials, and the ability to sponsor personnel security clearances. For organisations seeking to grow their defence business, DISP membership is increasingly a baseline expectation rather than a differentiator.

Eligibility Requirements

Before beginning your DISP application, your organisation must meet the following eligibility criteria as defined in the DSPF:

  • Registered as a legal business entity in Australia with an Australian Business Number (ABN)
  • Financially solvent — unable to apply if subject to insolvency proceedings
  • A Director or senior executive who is able to obtain an Australian Personnel Security Clearance (commensurate with the membership level applied for)
  • A Director or senior executive who is able to obtain an Australian Digital ID
  • Able to demonstrate a genuine business need for DISP membership
  • Subject to the Foreign Investment Review Board (FIRB) requirements where applicable
  • Compliance with the Privacy Act 1988 and Freedom of Information Act 1982

The Four Security Domains

DISP membership is assessed across four security domains. Your membership level in each domain is determined by the classification of information you need to access and the nature of your Defence work. The governance domain level always equals the highest level applied for in any other domain.

Security Governance (All levels)

Security governance is the foundation of every DISP application. You must demonstrate that your organisation has appropriate accountability structures, security policies, incident response procedures, and security education programs in place. The governance domain level always equals the highest level applied for in any other domain.

  • Appointed Chief Security Officer (CSO) and Security Officer (SO)
  • Security Management Plan and Security Incident Response Plan
  • Security awareness training program for all staff
  • Annual Security Report (ASR) submission process

Personnel Security (All levels)

Personnel security ensures that employees and contractors with access to Defence information are appropriately screened and security-aware. All DISP members must meet the Australian Standard for Workforce Screening (AS 4811:2022). Higher membership levels require personnel to hold Australian Government security clearances.

  • Employment screening aligned with AS 4811:2022
  • Security clearance sponsorship capability (Level 1 and above)
  • Ongoing personnel security management and reporting
  • Insider threat awareness and management processes

Physical Security (Level 1 and above)

Physical security protects people, property, and assets from threats that could result in damage or loss. Requirements scale with membership level — Entry level has minimal physical security requirements, while Level 1 and above require certified secure zones for handling PROTECTED and above information. Zone certification is assessed by ASIO.

  • Secure zone certification for handling classified information
  • Access control systems and visitor management
  • Physical security risk assessment and management plan
  • Compliance with ASIO zone certification requirements

ICT and Cyber Security (All levels)

All DISP members must demonstrate compliance with the ASD Essential Eight at Maturity Level 2 across ICT corporate systems used to correspond with Defence. This applies from Entry level upward. The Cyber Security Questionnaire (CSQ) Part B contains 107 ML2-aligned control questions that must be completed as part of the application.

  • Essential Eight ML2 across all corporate ICT systems
  • Cyber Security Questionnaire (CSQ) Part B — 107 questions
  • Maturity Action Plan (MAP) for any identified gaps
  • Annual Security Report cyber section compliance

Membership Levels and Classification Access

DISP offers four membership levels, each aligned with Australian Government security classifications. The level you apply for determines the classification of information you are accredited to handle and the security controls you must demonstrate.

Level | Classification Access | Key Requirement | Typical Timeline
Entry | OFFICIAL and OFFICIAL: Sensitive | E8 ML2, governance documentation, personnel screening | 3–6 months
Level 1 | PROTECTED | All Entry requirements + security clearances + physical zone certification | 6–12 months
Level 2 | SECRET | All Level 1 requirements + higher-grade clearances + enhanced physical security | 12+ months
Level 3 | TOP SECRET | All Level 2 requirements + highest-grade clearances + comprehensive assurance | 12–18+ months

The Application Process: Step by Step

1. Confirm Eligibility

Before applying, confirm that your organisation meets the basic eligibility criteria: registered Australian entity with an ABN, financially solvent, and with a Director or senior executive able to obtain an Australian Personnel Security Clearance and Australian Digital ID. You must also be able to demonstrate a genuine business need for DISP membership — typically evidenced by a current or upcoming Defence contract, a letter of endorsement from a Defence Contract Manager, or a sponsoring entity letter.

2. Determine Your Membership Level

Identify the membership level you require for each of the four security domains. Your level is typically determined by the classification of information you need to access: Entry for OFFICIAL/OFFICIAL: Sensitive, Level 1 for PROTECTED, Level 2 for SECRET, and Level 3 for TOP SECRET. The governance domain level must always equal the highest level applied for in any other domain. If you are unsure, your Defence Contract Manager can advise on the level specified in your contract.

3. Conduct a Security Gap Assessment

Before submitting your application, conduct an honest assessment of your current security posture against DISP requirements across all four domains. Identify gaps in your governance documentation, personnel screening processes, physical security controls, and ICT/cyber security posture. This assessment will inform your Maturity Action Plan and help you prioritise remediation work. Many organisations engage a DISP consultant at this stage to ensure the assessment is comprehensive and aligned with current DISP standards.

4. Prepare Required Documentation

Gather and prepare the documentation required to support your application. This includes your Security Management Plan, Security Incident Response Plan, evidence of personnel screening processes, physical security documentation (for Level 1 and above), and your completed Cyber Security Questionnaire. The quality and completeness of your documentation is one of the most significant factors in application success — incomplete or inconsistent documentation is a leading cause of application delays and rejections.

5. Register on the Defence Supplier Portal

Submit your DISP membership application through the Defence Supplier Portal (DSP). You will need to create an account, complete the online application form, and upload your supporting documentation. The portal is also used for ongoing membership management, including submitting Annual Security Reports and updating organisational details.

6. Entry Level Assessment (ELA)

Once your application is submitted, DISP will conduct an Entry Level Assessment (ELA). This involves a documentation review, a phone interview with your nominated Chief Security Officer or Security Officer, and completion of the Cyber Security Questionnaire. The ELA establishes your baseline security maturity profile and identifies any gaps that need to be addressed before membership can be granted.

7. Receive Your Maturity Action Plan

If gaps are identified during the ELA, DISP will issue a Maturity Action Plan (MAP) documenting the remediation steps required and the timeframe within which they must be completed. You do not need to achieve full compliance before receiving your MAP — the MAP is the mechanism through which DISP guides you to full compliance. Organisations with a credible MAP and demonstrated commitment to remediation can receive conditional membership while completing their uplift.

8. Membership Granted and Ongoing Obligations

Once DISP is satisfied that your organisation meets the requirements, your membership certificate is issued. From that point, you have ongoing obligations including submitting an Annual Security Report on the anniversary of your certificate, notifying DISP of significant changes to your organisation or security posture, and maintaining compliance with all DISP requirements across the four security domains.

Common Application Mistakes to Avoid

Based on our experience supporting organisations through the DISP application process, the following are the most common mistakes that cause delays, additional assessment rounds, or outright rejection.

Incomplete governance documentation

Submitting a Security Management Plan that does not address all required elements, or providing generic policy templates without tailoring them to your organisation's specific context.

Underestimating the cyber security requirements

Assuming that existing IT security practices will satisfy E8 ML2 without conducting a formal gap assessment. Many organisations discover significant gaps only after submitting their application.

Nominating the wrong membership level

Applying for a higher level than your contracts require, or failing to apply for the level specified in your contract. Both create unnecessary complexity and cost.

Inadequate business need justification

Failing to provide sufficient evidence of a genuine business need for DISP membership. Without a contract, letter of endorsement, or sponsoring entity letter, applications are typically rejected.

Delayed security clearance applications

Not initiating security clearance applications for key personnel early enough. Clearance processing times can add months to your overall DISP timeline.

No Maturity Action Plan for cyber gaps

Submitting a CSQ that reveals significant E8 gaps without a credible remediation plan. DISP expects to see a realistic MAP with achievable timelines.

Ongoing Membership Obligations

Receiving your DISP membership certificate is not the end of the process — it is the beginning of an ongoing compliance obligation. DISP members must maintain their security posture and demonstrate continued compliance through a structured cycle of reporting and assessment.

The most important ongoing obligation is the Annual Security Report (ASR), submitted via the DISP Member Portal on the anniversary of your membership certificate. The ASR is a self-attestation of compliance across all four security domains, including the Cyber Security Questionnaire for the ICT and cyber security domain. Members must also notify DISP of significant changes to their organisation, security posture, or personnel within specified timeframes.

DISP conducts periodic Ongoing Suitability Assessments (OSAs) and, where warranted, Deep Dive Audits (DDAs) to verify that members continue to meet their obligations. Failure to maintain compliance can result in membership suspension or cancellation, which would prevent you from accessing classified information or sponsoring security clearances.

DISPath

Navigate Your DISP Application with Confidence

DISPath is Serious Defence's structured DISP application workflow engine. It guides your organisation through every step of the application process — from gap assessment to documentation preparation to submission — with expert oversight at every stage.