DISP Membership Requirements: What Australian Defence Contractors Actually Need

5/15/2026 · Compliance365

The Defence Industry Security Program (DISP) is the Australian Government's framework for assessing whether defence industry organisations have the security maturity to handle defence contracts, particularly those involving classified or sensitive information.

DISP membership is increasingly expected — and in many cases required — for Australian companies wanting to participate in Defence procurement. This post explains what the assessment actually looks at, what the membership levels mean in practice, and what organisations typically need to do to get there.


What DISP actually assesses

DISP membership is assessed across four security domains, each with its own maturity expectations:

1. Governance and personnel security
This covers your overall security governance structure — whether you have a designated Security Officer, whether that person has completed the required DISP training, and whether your personnel security procedures (pre-employment screening, ongoing obligations, classified information handling) meet the standard. The Security Officer role is not optional at any DISP level.

2. Physical security
Assessment of your physical security arrangements — visitor management, secure storage for classified material, clean desk policy, and the physical security of any areas where classified work is performed. At higher DISP levels, this includes requirements for TEMPEST-compliant secure rooms if you’re handling PROTECTED or above material on-site.

3. ICT security
This is where most of the technical uplift effort concentrates. DISP ICT security requirements are aligned with the Australian Government’s Information Security Manual (ISM) and its Essential Eight baseline. The specific requirements scale with the classification level of information you need to handle. At the base level, the expectation is generally Essential Eight ML2. For PROTECTED-level handling, requirements extend significantly.

4. Industrial security
How you protect classified assets, and how you manage subcontract obligations, offshore restrictions, and supply chain security. Relevant if you’re subcontracting, or if you have offshore development or processing.


The DISP membership levels

DISP has three membership levels, which primarily differ in the classification of information you’re assessed as capable of handling:

Entry Level
The baseline for most commercial defence suppliers who don’t handle classified material directly. Covers governance, physical, and ICT security arrangements for handling up to OFFICIAL: Sensitive information. Most organisations entering the defence supply chain start here.

Baseline
Required for organisations that need to access or handle PROTECTED information — classified government material. More rigorous assessment across all four domains, including ICT security arrangements that support PROTECTED handling. A Security Construction and Equipment Committee (SCEC)-endorsed secure room may be required for physical document storage.

NV1 / NV2
The highest DISP membership tiers, relevant for organisations whose staff need to access SECRET or TOP SECRET information. These involve formal security clearance requirements for personnel, not just organisational assessment. Most commercial defence contractors operate at Entry Level or Baseline.


What the assessment process looks like

The DISP assessment is conducted by Defence Security and Vetting (DSVA), part of the Australian Department of Defence. The process involves:

  1. Self-assessment submission — You complete the DISP member application, including self-assessment documentation covering all four security domains.
  2. Documentary review — DSVA reviews your submitted policies, procedures, and evidence.
  3. Site visit or virtual assessment — DSVA may conduct a site visit (more common at Baseline and above) or a virtual assessment session to validate your self-assessment claims.
  4. Membership decision — DSVA issues membership at the appropriate level or identifies remediation requirements.

Timelines vary but the assessment process typically runs 3–6 months from submission to decision. Having well-organised documentation significantly accelerates this — assessors are doing a large number of assessments and respond well to clear, indexed evidence.


The most common DISP application failures

After working through a number of DISP engagements, these are the recurring patterns we see causing delays or rejections:

No designated Security Officer (or the wrong person). DISP requires a Security Officer who meets specific criteria — typically senior enough to have genuine authority over security decisions, and who has completed (or is enrolled in) required DSVA training. An IT manager who’s been handed the title doesn’t satisfy this if they don’t have the seniority or training.

ICT security policies that describe intent, not practice. A policy that says “we conduct quarterly vulnerability scanning” is not the same as evidence that quarterly vulnerability scanning actually happens. Assessors look for evidence of practice, not statements of intent. Policy alone is insufficient.

Essential Eight gaps in the ICT security arrangements. Most DISP Entry Level and Baseline applicants are assessed against an ISM baseline that aligns with Essential Eight ML2. Organisations that don’t have ML2 controls genuinely implemented (not just documented) will have those gaps identified during assessment. The most common gaps are inconsistent application control, MFA with bypass exceptions, and patching that doesn’t meet the required timelines.

Incomplete subcontractor management. If you work with subcontractors on defence contracts, you need documented arrangements for how you manage their DISP-related obligations. This is frequently overlooked in the initial application.


DISP and IRAP: how they relate

IRAP (Information Security Registered Assessors Program) is a separate ACSC programme under which authorised assessors evaluate ICT systems against the ISM. IRAP assessments are typically required when a system processes, stores, or communicates Australian Government information at a classification level — and Defence systems are a significant portion of IRAP assessment work.

DISP membership and IRAP assessment are not the same thing, but they’re often pursued together:

  • DISP membership is the organisational-level assessment of your security governance across all four domains
  • IRAP assessment is a system-level technical assessment of specific ICT systems against the ISM

For most commercial defence suppliers, DISP membership is the primary requirement. IRAP becomes relevant if you’re operating or hosting systems that process classified information on behalf of Defence.


Practical preparation timeline

For an organisation starting with no formal security programme:

Phase | Duration | Key activities
Security governance setup | Weeks 1–3 | Appoint Security Officer, enrol in DSVA training, draft security plan
ICT security baseline | Weeks 2–8 | Essential Eight ML2 uplift, ISM control implementation, policy suite
Physical security review | Weeks 3–5 | Physical security assessment, visitor management, secure storage
Documentation and evidence | Weeks 6–10 | Organise evidence pack, complete self-assessment documentation
Application submission | Weeks 10–12 | Submit to DSVA, respond to queries

For organisations already at Essential Eight ML2 with documented governance, the timeline compresses significantly — typically 6–8 weeks to get application-ready.

Working toward DISP membership? We help Australian defence industry organisations through DISP application preparation — security governance setup, ISM/Essential Eight alignment, evidence organisation, and application support. Fixed-price, practical, and scoped to what your DISP level actually requires.

A 30-minute call will tell you where your gaps are and what a realistic path to membership looks like.
