DISP / ISM / IRAP Free Readiness Checklist

Governance & DISP

DISP categories, key roles, and alignment to the PSPF and Defence expectations.

0/0 answered

Have you confirmed which DISP membership categories and levels you are targeting (governance, information/cyber, personnel, physical)?

Do you have a nominated Security Officer or similar role that reports Defence-related risks and issues to the executive/board?

Have you reviewed your policies and procedures against the Protective Security Policy Framework (PSPF) and recorded any gaps and actions?

People & Physical Security

Staff vetting, clearances, training, and facility security controls.

0/0 answered

Are staff who handle sensitive or Defence-related information appropriately screened and, where required, security cleared for their roles?

Do you have a clear process to onboard, move and offboard staff and contractors, including access changes and clearance management?

Do staff receive regular security awareness training that covers Defence, DISP and handling of classified/official information?

Have your offices and facilities been assessed for physical security (zones, visitor controls, alarms, secure storage) in line with DISP expectations?

Cyber & ISM Controls

Core ISM controls for hardening, patching, monitoring and incident response.

0/0 answered

Have you confirmed the expected classification/handling level of Defence or government information your system will store or process (e.g. OFFICIAL, OFFICIAL: Sensitive, PROTECTED)?

Have you selected an ISM control baseline that fits your system’s classification and business context, and documented any justified deviations?

Do you have standards for hardening, patching, malware protection and configuration baselines, and are they applied consistently across the environment?

Are security logs centrally collected, monitored and retained in line with ISM and your incident response expectations?

Do you run regular vulnerability scanning and (where appropriate) penetration testing, with a process to prioritise and fix high-risk issues?

Do you have an incident response process that covers Defence/government notifications, evidence retention and lessons learned?

Risk Management & System Docs

How you describe the system, manage risk and keep security docs up to date.

0/0 answered

Is there a clear, current description of the system (purpose, users, data types) and diagrams that show key components, data flows and dependencies?

Do you maintain a System Security Plan (SSP) that explains how key controls are implemented, who is responsible and any shared responsibilities with suppliers or cloud providers?

Do you have a Security Risk Management Plan (SRMP) for the system that identifies threats, assesses risks and records agreed treatments?

Are backup, business continuity and disaster recovery arrangements tested regularly and appropriate for the classification and uptime needs of the system?

Have you identified who will authorise the system to operate (ATO) and how you will keep them informed of risks, changes and IRAP outcomes?

IRAP Planning & Evidence

IRAP scope, assessment approach, evidence packs and remediation tracking.

0/0 answered

Have you agreed a proposed IRAP scope (systems, environments, locations, time period and classification) and assessment type (gap, full, re-assessment)?

If you have had a previous IRAP or similar assessment, do you know the current status of recommendations and any open findings?

Is there a central evidence register or workspace (e.g. SharePoint, Confluence) where policies, screenshots and records can be shared with an IRAP assessor?

Do you maintain a Plan of Actions and Milestones (POA&M) or similar register to track security findings through to closure with clear owners and due dates?

Contracts, Suppliers & Hosting

Security clauses, key suppliers and where your data and systems are hosted.

0/0 answered

Is it clear where your systems and data are hosted (on-premises, cloud, country/region), and does this meet Defence/sovereign hosting expectations?

Do your contracts and subcontracts include appropriate security, confidentiality, incident notification and DISP / Defence-specific obligations?

Have you identified key suppliers (including cloud and managed service providers) and confirmed how their security responsibilities and IRAP/ISM alignment will be managed?

DISP / ISM / IRAP readiness checklist (free)

What this covers

How scoring works

Free PDF output

Governance & DISP

People & Physical Security

Cyber & ISM Controls

Risk Management & System Docs

IRAP Planning & Evidence

Contracts, Suppliers & Hosting

Before you download