Before You Start
DISP membership is not a form you fill in — it is a formal security accreditation process administered by the Defence Industry Security Office (DISO) within the Department of Defence. Before committing to the process, your organisation needs to understand three things: what membership level you are targeting, what your current security posture actually looks like, and whether you have the organisational capacity to sustain compliance after accreditation.
The most common and costly mistake is submitting an application before the organisation is genuinely ready. DISO assessors are experienced — they identify gaps quickly, and an incomplete or inadequate application resets the timeline entirely. The 67% first-attempt rejection rate is almost entirely attributable to premature submission.
Without structured preparation, the DISP application process takes 6–18 months and costs $20,000–$100,000 in consultant fees. With a structured readiness programme, organisations achieve accreditation-ready status in 3–6 months at a fraction of the cost. The difference is preparation quality, not luck.
Determine your target membership level before starting. Entry-level DISP is appropriate for organisations beginning their defence supply chain journey. Level 1 (PROTECTED) is the most common requirement for active defence contractors. Levels 2 and 3 are required for entities accessing SECRET or TOP SECRET information respectively. Your prime contractor or Defence contract manager will specify the required level.
Conduct a DISP Gap Assessment
A gap assessment is the foundational activity of any DISP readiness programme. It maps your current security posture against the DISP requirements for your target membership level across all four security domains: governance, personnel security, physical security, and ICT security.
The gap assessment must be structured and evidence-based — not a self-assessment checklist completed in a meeting room. Assessors need to see actual artefacts: existing policies, system configurations, physical security plans, and personnel screening records. The output should be a prioritised remediation register that identifies each gap, its severity, the control required, the responsible owner, and the target completion date.
For ICT security, the gap assessment should include a formal Essential Eight assessment of all eight mitigation strategies against the ML2 requirements, conducted using ASD's published Essential Eight Assessment Process Guide and performed by a qualified assessor, ideally one with IRAP (Infosec Registered Assessors Program) experience.
Governance gaps are typically identified through document review: does the organisation have a Security Management Plan? Is it current? Does it accurately reflect actual operations? Many organisations have legacy SMPs from previous compliance exercises that no longer reflect their actual security posture.
DISPath includes a structured DISP gap assessment methodology that maps your posture against all four security domains and generates a prioritised remediation register with defined milestones.
Appoint a Qualified Security Officer
Every DISP member entity must nominate a Security Officer (SO) who is the primary point of accountability for the organisation's security obligations. The SO is the person DISO will interview during assessment and the person responsible for maintaining the Security Management Plan.
The Security Officer must be an Australian citizen (or permanent resident in some circumstances) and must not hold conflicting roles that would compromise their ability to discharge security obligations. In small organisations, the SO is often a senior manager or director. In larger entities, it is typically a dedicated security professional.
DISO assessors will interview the SO during the assessment process. The SO must be able to demonstrate competency in: the PSPF and DSPF requirements applicable to the organisation, the organisation's incident reporting obligations to DSOC, the organisation's personnel security screening procedures, and the ICT security controls implemented to achieve Essential Eight ML2.
A Deputy Security Officer (DSO) should also be nominated to ensure continuity of security governance when the SO is unavailable. Both the SO and DSO must complete DISP security awareness training before application submission.
DISPath provides Security Officer training, competency frameworks, and guided preparation for DISO assessment interviews — ensuring your SO can confidently demonstrate the required knowledge.
Develop the Security Management Plan
The Security Management Plan (SMP) is the primary artefact reviewed by DISO assessors. It is not a template document — it is a living governance framework that documents your organisation's security obligations, risk environment, control implementation, and operational procedures.
A compliant SMP must address all four security domains at the level of detail appropriate for your target membership level. For Level 1 (PROTECTED), the SMP must document: the governance structure and security officer appointments, the security risk assessment and treatment register, personnel security screening procedures and foreign contact reporting, physical security measures for PROTECTED material, ICT security controls and Essential Eight ML2 implementation status, and incident reporting procedures to DSOC.
The SMP must be tailored to your organisation's actual operations — not a generic template. DISO assessors are experienced at identifying SMPs that have been produced by consultants without genuine engagement with the organisation's security environment. The plan must reflect real risks, real controls, and real procedures.
The SMP must be reviewed and approved by senior management before submission. It should include version control, a review schedule (typically annual), and a change management process. DISO may request the SMP revision history during assessment.
Cross-reference your SMP against the DSPF requirements document for your target membership level. Every mandatory requirement must be addressed — gaps in coverage are the most common reason for application return.
DISPath provides SMP templates tailored to each DISP membership level, with structured workflows that guide your Security Officer through every required section and cross-reference against DSPF requirements.
Achieve Essential Eight Maturity Level 2
From November 2025, Essential Eight Maturity Level 2 (ML2) is the mandatory ICT security baseline for all DISP applicants. This is the most technically demanding step in the process and the one most frequently responsible for application delays.
The Essential Eight is the Australian Signals Directorate's (ASD) prioritised set of eight cyber mitigation strategies. Each strategy is assessed at one of four maturity levels (ML0 to ML3) across the whole ICT environment, and an organisation's overall maturity level is the lowest level achieved across the eight, so one strategy left at ML1 caps the entire environment at ML1. The eight strategies are: application control, patch applications, restrict Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication (MFA), and regular backups.
ML2 implementation is not a checkbox exercise. Each strategy has specific technical requirements that must be evidenced. For example, MFA at ML2 must be phishing-resistant (SMS codes, one-time passcodes and push approvals do not qualify) for users of the organisation's internet-facing services and for both privileged and unprivileged users of its systems. Patching at ML2 is driven by exposure and severity: operating system patches or vendor mitigations for internet-facing servers and network devices must be applied within 48 hours of release when the vendor rates the vulnerability critical or a working exploit exists, within two weeks otherwise, and within one month for workstations and non-internet-facing servers and devices. Assessors also expect vulnerability scanning (at least daily for internet-facing systems) to show how missing patches are found in the first place.
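The patching timeframes above are easy to state and easy to get wrong in practice, because the window depends on both the asset's exposure and the vulnerability's severity. The following is an added example, not code from the page or from DISO or ASD: a small checker that encodes the ML2 "Patch operating systems" windows as published in ASD's Essential Eight Maturity Model (November 2023 edition; confirm them against the edition in force when you are assessed) and classifies every asset/vulnerability pair as compliant, late, overdue or open. The hostnames, CVE identifiers and patch times are constructed sample data, and "one month" is read as 30 days, which is this example's assumption rather than ASD's wording.

```python
# Added example (not from the page, DISO or ASD): an Essential Eight ML2
# operating-system patching timeframe checker. It encodes the ML2 "Patch
# operating systems" windows as published in ASD's Essential Eight Maturity
# Model (November 2023 edition); confirm them against the edition in force
# when you are assessed. All asset, CVE and patch data below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    released: datetime        # when the vendor patch or mitigation was released
    vendor_critical: bool     # vendor rates the vulnerability 'critical'
    working_exploit: bool     # a working exploit exists (assumed known at release)


@dataclass(frozen=True)
class Asset:
    hostname: str
    internet_facing: bool     # internet-facing server or network device


def ml2_os_patch_window(asset: Asset, vuln: Vulnerability) -> timedelta:
    """Return the ML2 window for applying an OS patch to this asset."""
    if asset.internet_facing:
        if vuln.vendor_critical or vuln.working_exploit:
            return timedelta(hours=48)     # critical or exploited: 48 hours
        return timedelta(weeks=2)          # otherwise: two weeks
    # Workstations and non-internet-facing servers/devices: one month.
    # "One month" is read as 30 days here (an assumption of this example).
    return timedelta(days=30)


def assess(asset: Asset, vuln: Vulnerability,
           patched_at: Optional[datetime], now: datetime) -> str:
    """Classify one asset/vulnerability pair against its ML2 window.

    compliant - patched inside the window
    late      - patched, but after the window closed (still a finding)
    overdue   - not patched and the window has closed
    open      - not patched, window still running
    """
    deadline = vuln.released + ml2_os_patch_window(asset, vuln)
    if patched_at is not None:
        return "compliant" if patched_at <= deadline else "late"
    return "overdue" if now > deadline else "open"


PatchLog = Dict[Tuple[str, str], datetime]   # (hostname, cve) -> patch time


def assess_fleet(assets: List[Asset], vulns: List[Vulnerability],
                 patch_log: PatchLog, now: datetime) -> Dict[Tuple[str, str], str]:
    """Return {(hostname, cve): status} for every asset/vulnerability pair."""
    return {
        (a.hostname, v.cve): assess(a, v, patch_log.get((a.hostname, v.cve)), now)
        for a in assets for v in vulns
    }


def findings(results: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Pairs that belong on the remediation register, worst first."""
    order = {"overdue": 0, "late": 1, "open": 2}
    bad = [(h, c, s) for (h, c), s in results.items() if s != "compliant"]
    return sorted(bad, key=lambda t: (order[t[2]], t[0], t[1]))


# --- constructed sample data -------------------------------------------------
UTC = timezone.utc
RELEASE = datetime(2025, 3, 1, 0, 0, tzinfo=UTC)
SAMPLE_VULNS = [
    Vulnerability("CVE-0000-0001", RELEASE, vendor_critical=True, working_exploit=False),
    Vulnerability("CVE-0000-0002", RELEASE, vendor_critical=False, working_exploit=False),
]
SAMPLE_ASSETS = [
    Asset("web01", internet_facing=True),
    Asset("web02", internet_facing=True),
    Asset("vpn01", internet_facing=True),
    Asset("ws-042", internet_facing=False),
]
SAMPLE_PATCH_LOG: PatchLog = {
    ("web01", "CVE-0000-0001"): RELEASE + timedelta(hours=36),
    ("web01", "CVE-0000-0002"): RELEASE + timedelta(hours=36),
    ("web02", "CVE-0000-0001"): RELEASE + timedelta(hours=72),
    ("web02", "CVE-0000-0002"): RELEASE + timedelta(days=10),
    ("ws-042", "CVE-0000-0001"): RELEASE + timedelta(days=27),
    ("ws-042", "CVE-0000-0002"): RELEASE + timedelta(days=27),
}
NOW = datetime(2025, 3, 10, tzinfo=UTC)

if __name__ == "__main__":
    for hostname, cve, status in findings(
            assess_fleet(SAMPLE_ASSETS, SAMPLE_VULNS, SAMPLE_PATCH_LOG, NOW)):
        print(f"{status:9} {hostname:8} {cve}")
```

Run against the sample data, the checker flags vpn01 as overdue for the critical vulnerability, web02 as late (patched at 72 hours against a 48-hour window, which an assessor still counts as a miss) and vpn01 as open for the non-critical one. The same structure extends to the "patch applications" strategy by swapping in its windows; the point of keeping the windows in one function is that the evidence you hand to an assessor comes from the same rule you operate by.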
The ICT environment assessment must be conducted against the ASD's Essential Eight Maturity Model assessment methodology. The assessment report must be current (typically within 12 months of application submission) and must be conducted by a qualified assessor. Self-assessments are not accepted at Level 2 and above.
Organisations that operate their own ICT infrastructure face the most significant uplift burden. Those using a DISP-aligned managed environment can significantly reduce this effort.
DISPeer is a sovereign, Australian-hosted cloud environment pre-configured to align with DISP ICT security requirements — eliminating the need to build and maintain your own Essential Eight ML2-compliant infrastructure from scratch.
Implement Physical and Personnel Security Controls
Physical and personnel security are the two domains most frequently underestimated by first-time DISP applicants. Both require documented procedures, not just physical measures — and both must be evidenced at the time of application.
Physical security requirements scale with membership level. For Entry-level DISP, basic access control and visitor management procedures are typically sufficient. For Level 1 (PROTECTED), organisations must demonstrate secure storage capability for PROTECTED material, which in practice means a SCEC-endorsed security container (endorsed by the Australian Security Construction and Equipment Committee, not a US GSA rating) of the class the PSPF requires for the security zone it sits in. For Level 2 and above, a Defence-assessed secure area meeting the PSPF security zone requirements for SECRET or TOP SECRET material is required; the US SCIF (Sensitive Compartmented Information Facility) is a different regime and is not the reference point for an Australian application.
Physical security documentation must include: a facility security plan, access control procedures, visitor management procedures, CCTV and intruder detection system specifications, and a physical security inspection schedule. The facility must be assessed as appropriate for the classification level of information it will hold.
Personnel security requires documented pre-employment screening procedures that meet the PSPF personnel security requirements (security clearances for positions that need them are vetted and issued by AGSVA; the employer's own screening sits beneath that). This includes identity verification, criminal history checks, employment history verification, and character references. For Level 1 and above, organisations must also have documented foreign contact and foreign travel reporting procedures; this is one of the most commonly missing elements in first-time applications.
An insider threat awareness programme is required at Level 1 and above. This must include initial training for all personnel with access to classified information and annual refresher training. Training records must be maintained and available for DISO review.
DISPulse tracks personnel security compliance, training records, and foreign contact reporting obligations in real time — ensuring your personnel security posture is always audit-ready.
Submit Your Application via the Defence Supplier Portal
The formal DISP membership application is submitted through the Defence Supplier Portal (DSP). The application must be complete — DISO returns incomplete applications, which resets the assessment timeline.
Before submitting, conduct a final pre-submission review against the DISO application checklist. Verify that all mandatory documents are included, all evidence is current (within 12 months), and the SMP accurately reflects your implemented controls. Have your Security Officer review the complete package — they will be accountable for its accuracy.
The application package must include: the completed DISP membership application form, the Security Management Plan, evidence packages for each security domain, Essential Eight ML2 assessment report, physical security assessment documentation, personnel security screening records and procedures, Security Officer and Deputy Security Officer details, and FOCI (Foreign Ownership, Control, or Influence) declaration.
FOCI declarations are required for all applicants. If your organisation has foreign shareholders, directors, or significant foreign business relationships, you must disclose these and may be required to provide a FOCI mitigation plan. DISO assessors take FOCI seriously — undisclosed foreign connections are grounds for application rejection and potential referral.
After submission, DISO will acknowledge receipt and assign an assessor. Do not contact DISO to check on application status within the first four weeks — the assessment process takes time and premature contact does not accelerate it.
DISPath includes a pre-submission review checklist and application package assembly workflow — ensuring your submission is complete, current, and correctly structured before it reaches DISO.
Complete the DISO Assessment
The DISO assessment is a formal evaluation of your organisation's security posture against DISP requirements. It is not a pass/fail exam — it is a structured review that may result in membership grant, conditional membership, or a request for additional information.
For Entry-level and Level 1 applications, the assessment is typically a desktop review of the application package followed by a Security Officer interview conducted by phone or video conference. For Level 2 and Level 3 applications, a site visit is standard — DISO assessors will physically inspect your facilities and conduct in-depth interviews with the SO and senior management.
During the Security Officer interview, assessors will probe the SO's understanding of: the organisation's security obligations under the PSPF and DSPF, the incident reporting procedures and DSOC contact protocols, the personnel security screening procedures and foreign contact reporting, the ICT security controls and Essential Eight ML2 implementation, and the physical security measures in place.
If the assessor identifies gaps during the assessment, they will typically issue a Request for Additional Information (RFAI) rather than rejecting the application outright. Respond to RFAIs promptly and completely — partial responses extend the assessment timeline. If the gaps are substantive, the assessor may recommend the application be withdrawn and resubmitted after remediation.
Upon successful assessment, DISP membership is granted at the approved level. The membership certificate and letter of authorisation are issued through the DSP. Membership is ongoing — it does not expire, but it is subject to periodic reassessment and can be suspended or revoked if obligations are not maintained.
DISPulse maintains a continuous compliance posture across all four DISP domains — so when DISO conducts a reassessment, your evidence is current, complete, and immediately accessible.
Realistic Timeline and Cost Estimates
The timeline and cost of DISP accreditation vary significantly based on your starting security posture, target membership level, and whether you use structured tooling or ad-hoc consulting. The following estimates are based on observed outcomes across the Australian defence industry.
- Ad-hoc consulting: 67% first-attempt rejection rate. High cost, driven by hourly consulting fees for manual document production.
- Structured readiness tooling: significantly higher first-attempt success rate. Structured workflows reduce rework and compress the timeline.
- Structured programme with expert oversight: defined milestones, measurable outcomes, and expert oversight at every stage. No hourly billing surprises.
How Our Three Products Support Every Step
Serious Defence's three interconnected products are designed to cover the full DISP lifecycle — from initial readiness through to sustained membership management. Each product addresses a specific set of steps in the accreditation process.
DISPath
Gap assessment, Security Officer support, SMP development, and application package assembly. DISPath is the structured readiness programme that takes you from initial assessment to submission-ready.
- DISP gap assessment methodology
- SMP templates and workflows
- Security Officer competency framework
- Pre-submission review checklist
DISPeer
Sovereign, Australian-hosted cloud environment pre-configured to align with DISP ICT security requirements. Eliminates the Essential Eight ML2 build burden for your internal IT team.
- Australian-hosted sovereign infrastructure
- DISP-aligned ICT environment
- Zero Trust network architecture
- 24/7 managed security monitoring
DISPulse
Continuous GRC compliance platform that tracks your posture across all four DISP domains. Keeps your evidence current, your controls monitored, and your membership sustainable.
- Real-time compliance posture dashboard
- Personnel security tracking
- Essential Eight ML2 monitoring
- Evidence management and audit trails