If you've spent any time preparing for Defence work in Australia, you've almost certainly encountered two acronyms that seem to overlap but operate in fundamentally different ways: DISP and ISO 27001. Many contractors assume that holding an ISO 27001 certification means they're ready for DISP. That assumption is one of the most common — and most costly — mistakes in the Australian defence supply chain.
This article explains exactly what each framework covers, where they intersect, and — critically — where ISO 27001 falls short of what DISP requires. If you're preparing a DISP application or advising a client who is, understanding this distinction will save you significant time and prevent avoidable rejection.
What Is ISO 27001?
ISO/IEC 27001 is an internationally recognised standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic framework for managing sensitive company information so it remains secure. The current version is ISO/IEC 27001:2022, which updated the 2013 edition with a revised Annex A control set.
At its core, ISO 27001 is a management system standard. It requires organisations to:
- Define the scope of their information security management system
- Conduct a formal risk assessment and select appropriate controls from Annex A
- Document a Statement of Applicability (SoA) justifying control selections
- Implement, monitor, and continuously improve those controls
- Undergo annual surveillance audits and a full recertification every three years by an accredited certification body
ISO 27001 is technology-agnostic and sector-agnostic. A hospital, a bank, a software company, and a manufacturing firm can all hold ISO 27001 certification. The standard does not prescribe specific technical controls — it requires organisations to identify their own risks and select controls proportionate to those risks.
In Australia, ISO 27001 is referenced by the Protective Security Policy Framework (PSPF) as a recognised information security framework, and it is increasingly required or preferred by government procurement processes. The DISP program itself acknowledges ISO 27001 as a relevant framework for the Information and Cyber Security domain.
What Is DISP?
The Defence Industry Security Program (DISP) is the Australian Government's mandatory security framework for non-government organisations that work with, or seek to work with, the Australian Department of Defence. It is administered by the Defence Industry Security Office (DISO) within the Department of Defence.
DISP is not a certification standard. It is an ongoing security relationship between your organisation and Defence. Membership is required before you can access classified contracts, handle Defence Sensitive information, work in secure Defence facilities, or participate in AUKUS supply chains at any meaningful level.
Where ISO 27001 focuses exclusively on information security management, DISP assesses organisations across four interconnected security domains:
- Governance and Security Risk Management — leadership accountability, security culture, and the Security Risk Management Plan (SRMP)
- Personnel Security — who has access to Defence information, systems, and facilities; security clearances; onboarding and offboarding processes
- Physical Security — facility protection, access control, secure storage of classified material, and visitor management
- Information and Cyber Security — information classification and handling, ICT security, and alignment with the Australian Government's cyber security expectations
DISP membership is tiered across four levels — Entry, Level 1, Level 2, and Level 3 — with each level reflecting increasing access to sensitive Defence information and facilities, and correspondingly more rigorous security requirements.
The Critical Differences
1. Scope: Information Security vs. Whole-of-Organisation Security
This is the most fundamental difference, and the one most frequently misunderstood.
ISO 27001 is scoped to your Information Security Management System. It covers how your organisation identifies, assesses, and manages risks to the confidentiality, integrity, and availability of information. Even when implemented comprehensively, it addresses only one of DISP's four domains.
DISP is a whole-of-organisation security assessment. It evaluates your personnel security posture (who you employ, what clearances they hold, how you manage insider risk), your physical security environment (how your facilities are protected), and your governance structures (how security accountability flows from the board to the individual), in addition to your information and cyber security controls.
An organisation can hold a valid ISO 27001 certificate and still fail a DISP assessment — not because its information security is inadequate, but because it has no process for managing personnel security clearances, no physical security plan for its facility, and no Security Risk Management Plan that addresses Defence-specific threats.
2. Personnel Security: DISP's Unique Requirement
ISO 27001 Annex A includes controls related to human resources security — screening before employment, terms and conditions of employment, and responsibilities after termination. These are important baseline controls, but they are generic and do not address the specific requirements of the Australian Government's personnel security framework.
DISP's Personnel Security domain requires organisations to:
- Identify all key, relevant, and ancillary personnel who will access Defence information or facilities
- Obtain and maintain appropriate Australian Government security clearances (Baseline, NV1, NV2, or PV) for personnel who require them
- Implement processes for onboarding and offboarding that protect Defence information during role transitions
- Maintain a Security Officer who is accountable to Defence for the organisation's security posture
- Conduct ongoing security awareness training tailored to Defence obligations
None of these requirements exist in ISO 27001. The Australian Government's security clearance system — administered by the Australian Government Security Vetting Agency (AGSVA) — is entirely outside the scope of any ISO standard. If your organisation has never engaged with AGSVA and has no personnel holding current Australian Government clearances, you cannot satisfy DISP's Personnel Security requirements regardless of your ISO 27001 status.
3. Physical Security: Context-Specific Requirements
ISO 27001 Annex A includes physical and environmental security controls — secure areas, equipment protection, and clear desk policies. These are useful baseline controls, but they are designed for generic commercial environments.
DISP's Physical Security domain is calibrated to the specific risk profile of Defence work. Depending on your membership level and the nature of your Defence activities, you may be required to:
- Implement Facility Security Clearances (FSC) for premises where classified material is handled or stored
- Establish Secure Working Areas (SWA) or Highly Protected Areas (HPA) that meet Defence's physical security specifications
- Maintain classified material storage that meets the requirements of the Defence Security Principles Framework (DSPF)
- Implement visitor management processes aligned with Defence's access control requirements
These are not requirements that can be satisfied by pointing to an ISO 27001 certificate. They require specific physical infrastructure, documented procedures, and in many cases, formal assessment by Defence security personnel.
4. Governance: The Security Risk Management Plan
ISO 27001 requires a documented risk assessment and a Statement of Applicability. These are valuable governance artefacts, but they are designed for commercial risk management — not for the specific governance obligations that DISP imposes.
DISP requires every member organisation to maintain a Security Risk Management Plan (SRMP) that is specific to their Defence activities. The SRMP must:
- Identify all assets, information, and personnel relevant to the organisation's Defence work
- Assess threats and risks in the context of Defence's threat environment — including foreign intelligence threats, insider threats, and supply chain risks
- Document controls across all four DISP domains
- Be reviewed and updated regularly, and submitted to DISO as part of the membership application and annual review process
An ISO 27001 risk treatment plan is not an SRMP. The two documents serve different purposes, address different threat landscapes, and are reviewed by different bodies. That said, a well-constructed ISO 27001 risk assessment provides an excellent foundation for building an SRMP — the discipline of systematic risk identification and control selection transfers directly.
5. Oversight and Accountability: Commercial vs. Government
ISO 27001 certification is conducted by accredited commercial certification bodies (such as BSI, SAI Global, or Bureau Veritas). The certification process involves a Stage 1 documentation review and a Stage 2 on-site audit, followed by annual surveillance audits. The relationship is between your organisation and a commercial auditor.
DISP membership involves an ongoing relationship with the Australian Government. DISO assessors conduct the initial membership assessment, and your organisation is subject to ongoing compliance obligations, annual self-assessments, and periodic DISO-conducted reviews. Serious security incidents must be reported to DISO. Changes to your organisation's structure, ownership, or key personnel may require notification to DISO.
This distinction matters because it changes the nature of accountability. ISO 27001 non-conformities are resolved with your certification body. DISP non-compliance can result in membership suspension, contract termination, and in serious cases, referral to law enforcement or the Australian Security Intelligence Organisation (ASIO).
Where ISO 27001 Helps With DISP
Despite the significant differences, ISO 27001 certification is genuinely valuable as a foundation for DISP compliance — particularly for the Information and Cyber Security domain. Organisations that hold ISO 27001 certification typically have:
- A documented ISMS with defined scope, risk assessment methodology, and control framework
- A Statement of Applicability that provides auditable evidence of systematic control selection
- Documented policies for incident response, access control, supplier security, and security awareness training
- A culture of security governance that DISP assessors respond well to
These artefacts can be adapted — with deliberate effort — to meet DISP's information and cyber security requirements. Your ISO 27001 SoA and risk treatment plan are not wasted; they are a starting point. But they need to be supplemented with Defence-specific content: classification handling procedures aligned with the Australian Government Security Classification System, ICT controls aligned with the Information Security Manual (ISM), and cyber security maturity aligned with the Essential Eight at the level required for your DISP membership tier.
From November 2025, DISP members at Level 1 and above are required to demonstrate Essential Eight Maturity Level 2 (ML2) across all eight mitigation strategies. This is a specific technical requirement that sits alongside — not within — ISO 27001. Organisations that have implemented ISO 27001 but have not assessed their Essential Eight maturity may find they have significant gaps in patch management, application control, or multi-factor authentication that need to be addressed before a DISP application will succeed.
The Practical Implication: What You Need to Do
If your organisation holds ISO 27001 and is preparing for DISP, the honest answer is that you are well-positioned but not ready. The work ahead of you falls into three categories:
Gap-fill the three domains ISO 27001 doesn't cover. You need a Personnel Security framework (including AGSVA engagement for relevant personnel), a Physical Security plan appropriate to your facilities and Defence activities, and a Governance framework that includes a DISP-compliant SRMP. None of these can be derived from your ISO 27001 documentation without significant additional work.
Adapt your information security documentation to Defence requirements. Your ISO 27001 policies and procedures need to be reviewed against Defence's specific expectations — information classification, handling of Defence Sensitive information, ICT security aligned with the ISM, and Essential Eight ML2 compliance. This is not a wholesale rewrite, but it is not a trivial exercise either.
Engage with DISO early. DISP is not a documentation exercise that you submit and wait for approval. DISO assessors expect to engage with your organisation's Security Officer throughout the process. Starting that relationship early — before your application is formally submitted — significantly improves your chances of a successful outcome.
The Bottom Line
ISO 27001 and DISP are not competitors, and they are not equivalent. ISO 27001 is a world-class information security management framework that provides genuine value to any organisation handling sensitive information. DISP is the Australian Government's security gateway for defence industry participation — a whole-of-organisation assessment that covers personnel, physical, and governance security in addition to information and cyber security.
Holding ISO 27001 demonstrates security maturity and provides a solid foundation for DISP compliance. It does not substitute for DISP membership, and it does not satisfy DISP's requirements in three of the four security domains.
If your organisation is preparing for DISP and you want to understand exactly where your ISO 27001 certification helps and where the gaps are, contact Serious Defence for a structured gap analysis. We work with organisations at every stage of the DISP journey — from initial readiness assessment through to successful membership and ongoing compliance.
Sources: Australian Department of Defence — Defence Industry Security Program; Defence Security Principles Framework (DSPF); Australian Government Information Security Manual (ISM); ISO/IEC 27001:2022; AGSVA Personnel Security; ASD Essential Eight Maturity Model.